New features for managing Active Directory
Much has been written about the new directory services features in Windows Server 2008, including the read-only domain controller (RODC), fine-grained password policies (FGPPs), enhanced auditing, and more. In my experience, the biggest improvements in your operations with a new OS sometimes come from what initially might seem like very small improvements. Although every Active Directory (AD) installation shares common needs (e.g., security, administration, backups), these needs have been addressed in practice in almost as many ways as there are AD installations.
The Server 2008 improvements to Ntdsutil, the command-line utility administrators use to perform critical AD maintenance, haven’t received as much press as other Server 2008 features. However, these features might be as valuable to you as better-advertised features. Server 2008 has six new Ntdsutil features, of varying significance: Snapshot, Activate Instance, DS Behavior, Local Roles, Partition Management, and Install from Media (IFM). Read on for more information about each feature and to learn whether they will benefit your organization.
The Snapshot feature (aka Active Directory Database Mounting Tool) is an Ntdsutil command that takes a snapshot in time of your AD database, including all objects and attributes. You can use snapshots in conjunction with tombstone reanimation to very quickly perform a complete restore of deleted AD objects and their attributes. Historically, if an important AD object such as an organizational unit (OU) were accidentally deleted, the AD administrator would have to go through an authoritative restore. The authoritative restore process involves taking a production domain controller (DC) offline, mounting a tape or disk-based backup, performing a nonauthoritative restore from backup, using Ntdsutil’s authoritative restore command to select the object(s) being restored, and rebooting the DC. You might also need to take extra steps to restore group memberships. The whole process can be very time consuming, especially with upset managers breathing down your neck!
Tombstone reanimation, first introduced in Windows Server 2003 (and discussed in “AD Tombstone Objects”), provides a way to return a deleted object from the DeletedObjects container to its original location. Most attribute values are stripped from the deleted object (or “tombstone”), however, so the restore isn’t really useful until these attributes are repopulated. For example, if a user is deleted and subsequently reanimated, the MemberOf and password attributes will be empty.
Systems administrators and various vendors have come up with several methods for retaining this data and mapping it to the deleted object to speed up the restore process. If the object in question is a user object, the password is also stripped on deletion, which can be an operational headache if you need to restore many user objects and generate all their new passwords. You can use bit 3 (0x00000008) of the attributeSchema object’s SearchFlags attribute to modify which attributes remain stored in the tombstone object, including the password. (For more information about reanimating tombstone objects, see the TechNet article “Reanimating Active Directory Tombstone Objects.”) Because a snapshot contains all objects and attributes of the directory at the time the snapshot was taken, if you have a snapshot of the directory before the object was deleted you can review and extract all its attributes, then apply them to the reanimated object. Taking a snapshot requires you to be a member of the Enterprise Admins or Domain Admins group.
Suppose an administrator accidentally deletes the CEO’s user object. Because you modified SearchFlags beforehand to retain a deleted object’s password, you can use a free tombstone reanimation program such as SDM Software’s AD Tombstone Reanimation Cmdlets to return the deleted object to its original location. Then you need to mount the appropriate snapshot by following the directions in the TechNet article “Active Directory Domain Services Database Mounting Tool (Snapshot Viewer or Snapshot Browser) Step-by-Step Guide,” extract the object’s important attributes with a utility such as Joeware’s AdFind, apply them to the restored object with Joeware’s AdMod, and voilà! You’ve just restored an accidentally deleted object without resorting to an authoritative restore. This process can be automated, of course. For a PowerShell script that performs this task, see Darren Mar-Elia’s blog “PowerShell Script to leverage AD Tombstone cmdlets,” which contains a link to Guido Grillenmeier’s script.
Taking a snapshot is a simple procedure. Open a command prompt with administrative rights on a DC, then start Ntdsutil. Enter
activate instance ntds<br>
to select the directory instance you want to take the snapshot of. Enter
to take a snapshot, as Figure 1 shows.
DS Behavior lets you control an extra layer of security in Server 2008. By default, Server 2008 Active Directory Domain Services (AD DS) doesn’t allow password operations over an unsecured connection. With DS Behavior, you can use the following command:
allow passwd op on unsecured connection
to circumvent this limitation. Note that even though this option is available, you’d typically want to retain the secure default.
The Local Roles feature is used to define group membership locally on RODCs. RODCs can provide true administrative role separation by giving users some degree of elevated rights (e.g., Administrators, Server Operators) on an RODC but not anywhere else in the domain. For example, to add JaneBranchOfficeAdmin to an RODC’s local Administrators group, launch Ntdsutil from a command prompt on the RODC. Enter
From the local roles menu, enter
add JaneBranchOfficeAdmin Administrators
to add Jane to the local Administrators role.
Partition Management lets you create, list, remove, and set replication notification delay for application partitions in an AD domain or forest. (Application partitions are also referred to as NDNCs, or non-domain naming contexts.) You can also list the DCs that are replicas supporting an application partition. Finally, you can use Partition Management to manage partitions in AD LDS.
Install from Media
IFM is an advanced option of the DCPROMO DC creation wizard. (Although interestingly enough, the terms IFM and Install From Media don’t actually appear anywhere in the wizard.) IFM lets administrators promote a new DC into a domain by using a system state backup to load the necessary directory partitions into the DC’s database rather than over the network. If you have a large database, this approach can provide a substantial time savings compared with a traditional over-the-wire promotion. (For more information about using IFM to promote DCs, see the Microsoft article “How to use the Install from Media feature to promote Windows 2003-based domain controllers.”)
The IFM feature has been around since Windows 2003, but it wasn’t part of Ntdsutil until Server 2008. Microsoft added IFM to Ntdsutil to provide the Windows Server Backup feature. Windows Server Backup replaces the venerable NTBackup utility that’s been part of the product since Windows NT 3.5. However, Windows Server Backup has a different functionality set than NTBackup; if you performed disk-based system state backups of your DCs with NTBackup, you’ll find that Windows Server Backup takes much longer and uses up far more space. (Server 2008 system state backup also backs up system files that are under Windows File Protection—WFP—in addition to backing up the AD database and SYSVOL.)
The change in functionality to Windows Server Backup and the additional needs of the RODC prompted the Directory Services team to add the ability to back up just enough of a DC (the database itself and two registry hives) to promote a new Server 2008 DC from media rather than over the network. IFM does just that. In addition, IFM is simpler and faster than the Windows 2003 method because you don’t need to perform a backup and then restore from that backup to obtain the necessary files. I’ve personally witnessed an incredible reduction in DCPROMO time from 19 hours (replication over the network) to 10 minutes (IFM).
IFM has four options: create full backup name, create SYSVOL full backup name, create RODC backup name, and create SYSVOL RODC backup name. Logically split into two pairs, these commands perform two functions. The “full” options create installable media to promote a full DC, and the “RODC” options create media for RODCs. The difference is that for security reasons the RODC options mark the AD database as read-only, and they clear the password attributes. Letting an IFM media set fall into the wrong hands is as much of a security risk as letting an entire DC do so. The RODC option makes the IFM media set as safe as an RODC itself. If you include the SYSVOL option, the contents of the SYSVOL shared folder are also added to the set. This method creates a larger set of files to be moved to the DC-to-be, but SYSVOL won’t need to replicate over the network.
IFM is easily scripted; you can stack up Ntdsutil commands on a command line or in a script. The following example creates a full IFM backup, without SYSVOL, into a folder named backup:
ntdsutil “active instance ntds” ifm “create full backup” quit quit
Figure 2 shows this command’s output. Substituting a date variable for “test” is a simple scripting task.
Using IFM to create new DCs is handy, but its real usefulness is in quickly restoring DCs after an operational failure. By far the most common operational failure mode is OS-related, not AD-related. In such a case, both the OS and the AD database must be recovered. Server 2008 provides three methods for recovering the OS and AD database. The traditional method is to restore the system from tape. Although Server 2008 doesn’t support this method natively, you can use a number of third-party products. You can also use Windows Server Backup to perform a recovery through Windows Complete PC Backup. (Note that because the OS has failed, a system state restore won’t do the job.) Finally, you can skip the recovery process and just rebuild and repromote the DC.
The most important task to accomplish in case of a failed DC is to get the DC back up as soon as possible. (A secondary goal is to determine the root cause of the failure.) When restoration time is crucial, the restore from tape backup method takes too long: You must reinstall the OS, install the backup software, restore the system, and reboot. Restoring from Windows Complete PC Backup is much faster: You simply boot from the Server 2008 installation CD-ROM, select Repair my computer, and recover every volume with critical system data on it. This process can also be time consuming, however, if your AD database and log files are spread across several partitions. In addition, the backup set must be available either on a local partition or a USB hard drive. If the set is on a local partition, the partition must be dedicated to Windows Server Backup because it will reformat and use the partition entirely. Although some planning and repartitioning is necessary as you upgrade your DCs to Server 2008, the process should be easy because hard disk sizes have grown far beyond any DC’s possible disk requirements.
I recommend a third approach: Skip the restore process entirely. Instead, simply wipe and reinstall the OS on the server, then repromote it to DC status using the IFM method. This method is by far the fastest way to get a seriously broken DC back into service. The process involves the following steps:
- Perform regular IFM backups of your DC’s local database and direct them toward a partition that doesn’t contain critical system data.
- Have an unattended build CD-ROM available at the DC’s data center. (For information about unattended setup on Windows 2003, see the TechNet article “How Unattended Installation Works”; for information about Server 2008 and Server 2008 R2, see the TechNet article “Lite-Touch, High Volume Deployment.”)
- The DC should be dedicated in its role (with the exception of AD-integrated DNS).
- If your DC’s OS fails or has any problem that takes more than 15 minutes to fix:
a. Have operations insert the CD-ROM and perform an unattended (re)installation of the OS. This step should take anywhere from 15 to 30 minutes.
b. While the reinstall is underway, the DC administrator on call should perform a metadata cleanup of the DC in AD. The metadata cleanup process removes AD data about the failed DC that’s used in replication. When a DC is demoted normally, this information is removed as part of the demotion process. A failed DC, however, doesn’t go through the normal demotion process, so this information must be removed manually. In Windows 2003, you use Ntdsutil to perform the metadata cleanup, as discussed in the TechNet article “Clean up server metadata.” The procedure is simplified in Server 2008 and Server 2008 R2; the TechNet article “Clean Up Server Data (Windows Server 2008)” explains the process using Active Directory Users and Computers and Active Directory Sites and Services.
c. When the reinstall and reconfiguration is complete, perform an IFM promotion of the DC, pointing to the IFM backups on the backup partition. The entire operation should take no more than 15 minutes.
As a fellow Directory Services MVP once remarked, “Domain controllers are like little tin soldiers; if one falls down, you can stand up another one just like it.”
New Recovery Capabilities
Ntdsutil has several interesting new features in Server 2008. Pay careful attention to them, and consider not only what functions they perform but also the new recovery capabilities they provide the groundwork for. Even small improvements in a foundational distributed system such as AD can provide large benefits.