Wednesday, 24 July 2013

How to Backup and Restore Active Directory on Server 2008

Have you ever accidentally deleted a user account or an OU in Active Directory and wished you could restore it?
 Their Active Directory database had become corrupted from the updates. So what do you do? How can you restore AD?
Let’s talk about how to backup AD in Windows Server 2008 and how to restore it. Today I’ll show you:

  • what you need to do to get your Server 2008 ready for backup
  • how to backup Active Directory on Server 2008
  • how to perform an Authoritative Restore of Active Directory
  • how to perform Active Directory Snapshots

Prerequisites: Getting Server 2008 Ready for Backup


Before you can backup Server 2008 you need to install the backup features from the Server Manager.

1. To install the backup features click Start → Server Manager.

2. Next click Features → Add Features

3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools

4. Click Next, then click Install

Backing up Server 2008 Active Directory

Now that we have the backup features installed we need to backup Active Directory. You could do a complete server backup, but what if you need to do an authoritative restore of Active Directory?
As you’ll notice in Server 2008, there isn’t an option to back up the System State data through the normal backup utility.

So what do we do? We need to go “command line” to backup Active Directory.
1. Open up your command prompt by clicking Start and type “cmd” and hit enter.
2. In your command prompt type “wbadmin start systemstatebackup -backuptarget:e:” and press enter.
Note: You can use a different backup target of your choosing
3. Type “y” and press enter to start the backup process.

When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.




 Now you have a system state backup of your 2008 Server!

Authoritative Restore of Active Directory

So now what if you accidentally delete an OU, group, or a user account and it’s already replicated to your other servers? We will need to perform an authoritative restore of the Active Directory object you accidentally deleted.
1. To do this you will need to boot into DSRM (Directory Services Restore Mode) by restarting your server and pressing F8 during the restart.
2. Choose Directory Services Restore Mode from the Advanced Boot menu.
3. Log in to your server with the DSRM password you created during Active Directory installation.
4. Once you’re logged into your server and in DSRM safe mode, open a command prompt by clicking Start, type “cmd”, and press enter.
5. To make sure you restore the correct backup it’s a good idea to use the “wbadmin get versions” command and write down the version you need to use.
6. Now we need to perform a non-authoritative restore of Active Directory by typing “wbadmin start systemstaterecovery -version:04/14/2009-02:39”.
Note: The version of backup will vary depending on your situation. Type “y” and press enter to start the non-authoritative restore.
7. Go grab some coffee and take a break while the restore completes.
8. You can mark the sysvol as authoritative by adding the -authsysvol switch to the end of the wbadmin command.
9. But if you want to restore a specific Active Directory object then you can use the ever familiar ntdsutil.
For this example we are going to restore a user account with a distinguished name of CN=Test User,CN=Users,DC=home,DC=local. So the commands would be:


ntdsutil
activate instance ntds
authoritative restore
restore object "cn=Test User,cn=Users,dc=home,dc=local"


10. Reboot your server into normal mode and you’re finished. The object will be marked as authoritative and replicate to the rest of your domain.

Using Active Directory Snapshots

There is a really cool new feature in Windows Server 2008 called Active Directory Snapshots. Volume Shadow Copy Service now allows us to take a snapshot of Active Directory as a type of backup. They are very quick to create and serve as another line of defense for your backup strategy.
With your server booted into normal mode open a command prompt by clicking Start, type “cmd”, and press enter.
We are going to use the ntdsutil again for creating the Active Directory snapshots. The commands are:

ntdsutil
snapshot
activate instance ntds
create
quit
quit


So now that you have a snapshot of AD, how do you access the data? First we need to mount the snapshot using ntdsutil. The commands are:

ntdsutil
snapshot
list all
mount 1
quit
quit

Note: You should mount the correct snapshot you need; for this example there is only 1.

Your snapshot is mounted, but how do you access the data? We need to use the dsamain command to accomplish this. Then we need to select an LDAP port to use. The command is as follows:

dsamain -dbpath c:\$SNAP_200905141444_VOLUMEC$\WINDOWS\NTDS\ntds.dit -ldapport 10001

Now we need to go to Start, Administrative Tools, then Active Directory Users and Computers.

Right click Active Directory Users and Computers and select Change Domain Controller.

In the area that says < Type a Directory Server name [:port] here > enter the name of your server and the LDAP port you used when running the dsamain command.
For my example it would be: WIN-V22UWGW0LU8.HOME.LOCAL:10001

Now you can browse the snapshot of Active Directory without affecting anything else negatively.
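
To see what changed since the snapshot was taken without browsing both copies by hand, the same LDAP query can be exported from the snapshot and from the live directory and then compared. This is an added example, not part of the original walkthrough; it assumes dsamain is still running on port 10001 as above, and the search base, attribute list and output folder are placeholders.

```batch
@echo off
rem Added example. Assumes dsamain from the step above is still running on
rem port 10001. BASE, ATTRS and OUT are placeholders to adapt.
setlocal
set "DC=WIN-V22UWGW0LU8.HOME.LOCAL"
set "SNAPPORT=10001"
set "BASE=CN=Users,DC=home,DC=local"
set "FILTER=(&(objectCategory=person)(objectClass=user))"
set "ATTRS=sAMAccountName,memberOf,userAccountControl"
set "OUT=%TEMP%\adsnap"

if not exist "%OUT%" md "%OUT%"

rem Same query, first against the read-only snapshot instance...
ldifde -s %DC% -t %SNAPPORT% -d "%BASE%" -r "%FILTER%" -l "%ATTRS%" -f "%OUT%\snapshot.ldf"
if %ERRORLEVEL% neq 0 goto :fail

rem ...then against the live directory on the standard LDAP port.
ldifde -s %DC% -t 389 -d "%BASE%" -r "%FILTER%" -l "%ATTRS%" -f "%OUT%\live.ldf"
if %ERRORLEVEL% neq 0 goto :fail

rem fc returns 0 when the two exports match and 1 when they differ.
fc "%OUT%\snapshot.ldf" "%OUT%\live.ldf" >"%OUT%\diff.txt"
if %ERRORLEVEL% equ 0 (echo No differences under %BASE%) else (echo Differences written to %OUT%\diff.txt)

rem When finished, stop dsamain with Ctrl+C in its own window and unmount the
rem snapshot so the copy of the directory is no longer reachable:
rem   ntdsutil snapshot "list mounted" "unmount 1" quit quit
exit /b 0

:fail
echo ldifde export failed; check that dsamain is still running on port %SNAPPORT%.
exit /b 1
```

The export files contain directory data, so delete them from the output folder once the comparison is done.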

Your AD Backup Strategy

It’s always good to have a solid backup plan for your Active Directory. You can use a combination of backup strategies or just one of these methods for backing up your Active Directory. Make sure you tailor your Active Directory backup strategy to meet your company’s needs and make it easy to recover if disaster does strike.

You can use a batch (.bat) job as a scheduled task to run the backup as you wish:


W2K8: This will back up the system state daily and keep only the number of backups set by -keepversions. You will need to install the W2K8 backup feature.

if not exist f:\Backups\Logs md f:\Backups\Logs
wbadmin start systemstatebackup -backuptarget:f: -quiet >f:\Backups\Logs\SSBackup.log
wbadmin delete systemstatebackup -keepversions:1 -quiet >>f:\Backups\Logs\SSBackup.log
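
A more defensive version of the scheduled job above, added here as an example (it is not the original author's script): it appends to the log, stops before pruning when wbadmin reports a failure, and writes an Application event that monitoring can alert on. The f: target comes from the script above; the retention count of 3, event ID 900 and the event source name are assumptions.

```batch
@echo off
rem Added example, not the original author's script.
rem Assumptions: 3 versions retained; event ID 900 and the source name
rem ADSystemStateBackup are arbitrary values chosen for this sketch.
setlocal
set "TARGET=f:"
set "LOGDIR=f:\Backups\Logs"
set "LOG=%LOGDIR%\SSBackup.log"
set "KEEP=3"

if not exist "%LOGDIR%" md "%LOGDIR%"
echo ==== %DATE% %TIME% system state backup starting >>"%LOG%"

rem Append to the log and capture stderr, so a failed run does not overwrite
rem the record of earlier runs.
wbadmin start systemstatebackup -backuptarget:%TARGET% -quiet >>"%LOG%" 2>&1
if %ERRORLEVEL% neq 0 goto :failed

rem Prune only after a successful backup; after a failure every existing
rem version is left in place.
wbadmin delete systemstatebackup -backuptarget:%TARGET% -keepversions:%KEEP% -quiet >>"%LOG%" 2>&1
if %ERRORLEVEL% neq 0 echo %DATE% %TIME% WARNING: pruning old versions failed >>"%LOG%"

rem Record the version identifiers that now exist. These are the values that
rem "wbadmin start systemstaterecovery -version:..." expects during a restore.
wbadmin get versions -backuptarget:%TARGET% >>"%LOG%" 2>&1
echo %DATE% %TIME% backup completed >>"%LOG%"
exit /b 0

:failed
echo %DATE% %TIME% BACKUP FAILED, existing versions left untouched >>"%LOG%"
eventcreate /T ERROR /ID 900 /L APPLICATION /SO ADSystemStateBackup /D "System state backup failed. See %LOG%" >nul
exit /b 1
```

The system state backup contains ntds.dit and therefore every password hash in the domain, so the backup volume needs the same access restrictions as the domain controller itself.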





ரஞ்சித்துளசி

 

Using the Delegation of Control Wizard to Assign Permissions in Server 2008


Delegate Control of an Organizational Unit

Another great feature of Server 2008 is how the Delegation of Control Wizard simplifies adding rights for common tasks to groups or administrators.
We’re going to say that we’ve just started building our network, and we’d like to give our Helpdesk admins the ability to reset passwords for people. Since we don’t want the Helpdesk modifying other parts of our domain, we want to restrict their access rights to only that task, for the time being. The simplest way is to use the Delegation of Control Wizard, so we’ll start by going to our Administrative Tools and opening the Active Directory Users and Computers snap-in. Once we expand our domain, we’ll go down to the OU that holds our Helpdesk group, right-click on it, and choose Delegate Control.

* To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

* To open Active Directory Users and Computers in Windows Server® 2008, click Start, type dsa.msc.

* In the console tree, right-click the organizational unit (OU) for which you want to delegate control.

  1. Where?
    • Active Directory Users and Computers\ domain node \ organizational unit
  2. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.


The wonderful welcome screen of the Delegation Wizard pops up, and we click Next.

 

 

We need to add our Helpdesk, so we click Add.

 
We type in the name of our group, helpdesk, and then click the Check Names button. Once it finds them in AD, the name will display fully, and we can click the OK button.

 

Once it shows up in our list of selected users and groups, we’ll move forwards by clicking the Next button again.

 

Now we get to the real power of the Delegation of Control Wizard. The wizard lists out the most commonly used tasks to delegate control for, but also allows you to add some of the more obscure rights as well through the Create a custom task to delegate option. Since we just want to give our helpdesk admins the right to reset passwords, we’ll choose that one from the list and click Next.

 
Next we’ll get a summary of all the controls we are about to delegate. It’s always a good idea to browse over this, just to make sure you didn’t accidentally check one of the wrong boxes. Once we’re certain that everything looks good, we click the Finish button.
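
After the wizard finishes, the result can be checked from a command prompt. The following is an added example, not part of the original article: it shows the entries the group now holds on the OU, who is in the group, and which accounts fall under the delegation. The OU distinguished name is a placeholder; helpdesk is the group name used above.

```batch
@echo off
rem Added example. OU is a placeholder for the OU that was right-clicked in
rem the wizard; helpdesk is the group name used in the walkthrough.
setlocal
set "OU=OU=YourOU,DC=home,DC=local"
set "GROUP=helpdesk"

echo === Access control entries held by %GROUP% on %OU%
rem dsacls prints the whole ACL; keep only the lines that name the group.
dsacls "%OU%" | findstr /I /C:"%GROUP%"
if %ERRORLEVEL% neq 0 echo No entries found: the delegation was not applied to this OU.

echo.
echo === Accounts that can use the delegated right, nested groups expanded
dsquery group -samid %GROUP% | dsget group -members -expand

echo.
echo === User accounts under the OU whose passwords can now be reset
dsquery user "%OU%" -scope subtree -limit 0

echo.
echo === Accounts under the OU flagged adminCount=1
rem Accounts with adminCount=1 are, or have been, members of protected groups.
rem Privileged accounts are normally kept out of an OU that is delegated to a
rem helpdesk group, so anything listed here deserves a second look.
dsquery * "%OU%" -scope subtree -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(adminCount=1))" -attr sAMAccountName
```

Running the same script again after any later change to the OU gives a quick record of who holds password-reset rights and over which accounts.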

 

 

Installing Admin Tools (AD Users & Computers Etc) in Windows 7

As some of us admins completely ignored the existence of Windows Vista, you may have also missed the replacement for the adminpak.msi. As this is no longer used a version has been released for Vista & Windows 7. I'm going to walk you through getting this on W7. This will allow you to access AD Users & Computers and all the other tools you so dearly love as admins.

- Download and install the RSAT (Remote Server Administration Tools) found on the Microsoft website. There is also an x64 version if you require that.
You can find this tool here: http://www.microsoft.com/downloads/details.aspx?Fa...
- Once installed you will notice in the start menu you’ll have extra admin entries, but no User & Computers tools. To enable all the extra features go to

Control Panel > Programs & Features > Turn Windows Features On & Off

 

Select “Remote Server Admin Tools” & Check everything you want. You will have to do everything one at a time as it’s pedantic about you selecting all in one swoop.

Now all should be done. Check your start menu. If you notice things are still missing you’ll have to right click the start menu and select "Properties".

From there Start menu > Customise.
Scroll near the bottom and within “System Administrative Tools” select “Display on the All Programs Menu & The Start Menu”
Now checking your start menu should show you the plethora of tools now back at your disposal.











How to Upgrade to Windows Server 2008 from Windows Server 2003 with ADS

If you haven’t upgraded from Server 2003 to Server 2008 — here’s the how-to you’ve been waiting for. Today I’m going to show you how to prepare for a server upgrade and how to perform it. I’ll also tell you why you need to upgrade your server to 2008; let’s start with that.

Why Upgrade to Windows Server 2008

One of the main reasons why you would want to upgrade all of your Servers on your network from Server 2003 to Server 2008 is the 2008 Functional Level. Well, that’s great but what does that really mean? Once you upgrade all your Servers and get the 2008 Functional Level you will get a few nifty bonuses:

  1. The first bonus for upgrading to Server 2008 is Distributed File System Replication. What it means in English is that exchange of information between your Domain Controllers is a lot smoother.
  2. Second bonus is Advanced Encryption Standard support for the Kerberos protocol – logins are a lot more secure.
  3. The third bonus is Last Interactive Logon Information. This is a Group Policy Object that will display information about previous logons while you are trying to login yourself. So basically, you are going to be able to see who has logged on to the machine before you.
  4. And finally, the Fine-Grained Password Policies, where you can specify different password and account lockout policies for different sets of users. I believe this little bonus is quite big for most of the administrators.

The Server 2008 Upgrade Process

The upgrade process is not difficult at all and it doesn’t take a very long time. There are a couple of steps that you need to do before running the CD to update your server — here they are:

1. Before you start upgrading, make sure that your server’s hardware is up to specifications for Server 2008 (these are the recommendations, for minimum requirements):
  • At least 512MB of RAM – preferably a lot more
  • At least a 2GHz processor
  • At least 40GB of Available Hard Disk space
  • DVD-ROM Drive
  • At least Super VGA (800×600) monitor
  • Keyboard, mouse, NIC Card, etc.

2. If you are upgrading a 2003 Domain Controller, you will need to copy a couple of scripts from the Server 2008 disc to your Server’s hard disk and then run adprep /forestprep and adprep /domainprep.
3. Now we are ready to upgrade so we can put the CD in the CD/DVD-ROM and install as normal.

A note to those who may have Server 2000 and want to upgrade to Server 2008:
You cannot, I repeat, cannot upgrade from Server 2000 directly to Server 2008. You need to upgrade it first to Server 2003 and then go through these steps and upgrade to Server 2008. Also, make sure your Domain Functional Level is Windows Server 2003. This is really important as you won’t be able to run the upgrade if the Domain Functional Level isn’t at least Server 2003.

Warning: What You Need to Know Before Upgrading to Server 2008

There are a few things you should be aware of before starting the upgrade process:
  1. 2003 Servers should be patched to at least SP1
  2. Small Business Server 2003 and 2003 R2 upgrades are not supported
  3. You can’t upgrade to Server Core
  4. Exchange Server 2007 will not take an in-place upgrade. This is very important, because if you try it will break things. What you need to do is a Mailbox Migration to do this kind of upgrade with Exchange 2007

Preparing Your Server for Upgrade

1. Login to your Domain Controller on the server you are upgrading. First we are going to prepare the Domain Controller Database for upgrade.
2. Go ahead and insert the Server 2008 CD in your CD/DVD-ROM drive.
3. Open My Computer and right-click on CD/DVD-ROM. Then select Explore.


 4. Double-click on Sources.

 5. Right-click on the adprep folder and select Copy.

6. Now go over to your server’s hard drive and paste the folder on your C:\ drive. In this example, we are going to paste it in the root of C.

7. Next, select Command Prompt on your start menu.
If you do not see Command Prompt, select Run, type in cmd and hit the Enter key.

 8. When in Command Prompt, type in cd\ and hit Enter

9. To verify that the adprep folder is on your hard drive, type in dir and hit Enter

10. Next, type in cd adprep and hit Enter. This will put you in the adprep folder.

11. Once you are in that folder we are ready to run the two commands. The first command you should type is adprep /forestprep, then hit Enter.

12. Make sure you do not have any Windows Server 2000 machines on your network.
If you do not, type in C and hit Enter.

13. Once the process is done you are going to receive a quick confirmation.

14. Next we are going to type in the second command which is adprep /domainprep and hit Enter.

15. Domainprep will now run and once it is done you will receive a confirmation.

16. You can now close the Command Prompt.

Now we are finally ready for the upgrade.

Quick note for administrators with multiple Domain Controllers that need to upgrade to Server 2008:
The steps above need to be performed only once on your network. Once you run forestprep and domainprep on your network, all your Domain Controllers are now ready for the upgrade. All you need to do is wait for the Active Directory database to replicate to all your DCs and you are ready to go.
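
Before starting setup on any other domain controller, it is worth confirming that the schema change made by adprep /forestprep has actually replicated to it. The script below is an added example, not part of the original article; it asks every domain controller for the schema objectVersion and expects 44, the Windows Server 2008 schema version. The forest DN DC=home,DC=local is a placeholder taken from the earlier example domain.

```batch
@echo off
rem Added example. FOREST is a placeholder for the forest root domain DN.
rem adprep /forestprep from the Server 2008 media raises the schema
rem objectVersion to 44 (Server 2003 is 30, Server 2003 R2 is 31).
setlocal enabledelayedexpansion
set "FOREST=DC=home,DC=local"
set "SCHEMA=CN=Schema,CN=Configuration,%FOREST%"
set "WANT=44"
set "BEHIND=0"

rem Ask every domain controller in the forest for its own copy of the value.
for /f "delims=" %%D in ('dsquery server -forest -o rdn -limit 0') do (
    set "VER="
    rem dsquery prints a header line first, then the value; skip the header.
    for /f "skip=1 tokens=1" %%V in ('dsquery * "%SCHEMA%" -scope base -attr objectVersion -s %%~D') do set "VER=%%V"
    if not defined VER set "VER=unknown"
    if "!VER!"=="%WANT%" (
        echo %%~D schema version !VER! OK
    ) else (
        echo %%~D schema version !VER! NOT READY
        set "BEHIND=1"
    )
)

if "%BEHIND%"=="1" (
    echo At least one domain controller has not received the schema update.
    echo Check replication with: repadmin /showrepl
    exit /b 1
)
echo All domain controllers report schema version %WANT%.
exit /b 0
```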

Upgrading from Server 2003 to Server 2008

1. Make sure your Server 2008 CD is in the CD/DVD-ROM drive. On your machine, go to Windows Explorer and select CD/DVD-ROM. In this example it is the D:\ drive.

2. Double-click on the setup.exe file from inside your Server 2003 machine.

3. When the Install Window opens click the Install Now button.

4. In this window you will have an option to check for the latest updates from Microsoft. If you choose to do so, please select the first option.
In this example we are going to skip them for now, so we will select the second option.

5. It’s now time to select the Server 2008 version that you want to install.

In this example we are installing the Enterprise (Full Installation) version. Once you make your selection, click Next.

6. Go ahead and check the box to accept the license terms agreement and when ready click Next.

7. The upgrade option should now be available for you. When ready select Upgrade Option to continue.

8. You will receive one last warning reminding you to make sure all your applications and 3rd party software can run on Windows 2008, and listing potential issues that you might have.

Make sure to read it and pay close attention to any issues that are listed on the bottom. Once you are ready, click Next.

9. Your Server is now being upgraded.

One last thing to keep in mind is that the upgrade process may take a lot longer than the installation as it has to upgrade the Active Directory and other services that are already on your Server.

Now, wasn’t this easy?