Non-authoritative restore is restore the domain controller to its state at the time of backup, and allows normal replication to overwrite restored domain controller with any changes that have occurred after the backup.
After system state restore, domain controller queries its replication partners and get the changes after backup date, to ensure that the domain controller has an accurate and updated copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory, just a restore of system state is non-authoritative restore and mostly we use this for Active Directory data loss or corruption.
The OU group policy objects are set from the largest to the smallest organizational unit, i.e., first the parent OU and then the child OU.
By default, a policy applied later overwrites a policy that was applied earlier. Hence, the settings in a child OU can override the settings in the parent OU
Group policy settings are cumulative if they are compatible with each other. In case they conflict with each other, the GPO processed later takes precedence.
Scavenging must be enabled on DNS server and on the zone you want to scavenging.
DNS records must be dynamically added to zones or you can manually modified the timestamp configuration.
You can authoritatively restore only objects from configuration and domain partition. Authoritative restores of schema-naming contexts are not supported.
Group policy object (GPO) is a collection of group policy settings. It can be created using a Windows utility known as the Group Policy snap-in. GPO affects the user and computer accounts located in sites, domains, and organizational units (OUs). The Windows 2000/2003 operating systems support two types of GPOs, local and non-local (Active Directory-based) GPOs.
The following are the exceptions with regard to the above-mentioned settings:
Any GPO can be set to No Override. If the No Override configuration is set to a GPO, no policy configured in the GPO can be overridden. If more than one GPO has been set to No Override, then the one that is the highest in the Active Directory hierarchy takes precedence
Block Policy Inheritance:
The Block Policy Inheritance option can be applied to the site, domain, or OU. It deflects all group policy settings that reach the site, domain, or OU from the object higher in the hierarchy. However, the GPOs configured with the No Override option are always applied.
Netlogon folder contain logon/logoff/startup/shutdown scripts which is inside the Sysvol folder.
System state backup will backup the Active Directory, NTbackup can be used to backup active directory.
An authoritative restore is next step of the non-authoritative restore process. We have do non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects or an individual object in an entire directory, this will make it authoritative restore an object in the directory. This can be used to restore a single deleted user/group and event an entire OU.
In a non-authoritative restore, after a domain controller is back online, it will contact its replication partners to determine any changes since the time of the last backup. However the version number of the object attributes that you want to be authoritative will be higher than the existing version numbers of the attribute, the object on the restored domain controller will appear to be more recent and therefore, restored object will be replicated to other domain controllers in the Domain.
Every DNS record time stamp been updated While the time of computer restart
A periodic refresh is sent by the computer every 24 hours.
Network services make refresh attempts, like DHCP servers, which renew client address, cluster servers, which register and update records for a cluster, and the Net Logon service, which can register and update resource records that are used by AD domain controllers So that the record not taken as a stale DNS record.
D2 is the default method for restoring SYSVOL and occurs automatically when you do a non-authoritative restore of the Active Directory
When you non-authoritatively restore the SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it replicates the any necessary changes, bringing it up-to-date with the other domain controllers within the domain.
Active directory schema is the set of definitions that define the kinds of object and the type of information about those objects that can be stored in Active Directory
Active directory schema is Collection of object class and there attributes
Object Class = User
Attributes = first name, last name, email, and others
Schema Partition – It store details about objects and attributes. Replicates to all domain controllers in the Forest
DN location is CN=Schema,CN=Configuration,DC=Domainname, DC=com
Configuration Partition – It store details about the AD configuration information like, Site, site-link, subnet and other replication topology information. Replicates to all domain controllers in the Forest
DN Location is CN=Configuration,DC=Domainname,DC=com
Domain Partitions – object information for a domain like user, computer, group, printer and other Domain specific information. Replicates to all domain controllers within a domain
DN Location is DC=Domainname,DC=com
Application Partition – information about applications in Active Directory. Like AD integrated DNS is used there are two application partitions for DNS zones – ForestDNSZones and DomainDNSZones, see more
Active Directory (AD) is a directory service developed by Microsoft and used to store objects like User, Computer, printer, Network information, It facilitate to manage your network effectively with multiple Domain Controllers in different location with AD database, able to manage/change AD from any Domain Controllers and this will be replicated to all other DC’s, centralized Administration with multiple geographical location and authenticates users and computers in a Windows domain.
Simple way is restart the system which trigger the DNS Dynamic Update, we can user the below command to force DNS Dynamic Update
You can also restart the netlogon service on service.msc
The record created dynamically by client/server on DNS zone, automatically added to zones when computers start on the network.
All AD changes didn’t write directly to NTDS.DIT database file, first write to EDB.Log and from log file to database, EDB.Che used to track the database update from log file, to know what changes are copied to database file.
NTDS.DIT: NTDS.DIT is the AD database and store all AD objects, Default location is the %system root%nrdsnrds.dit, Active Directory database engine is the extensible storage engine which us based on the Jet database
EDB.Log: EDB.Log is the transaction log file when EDB.Log is full, it is renamed to EDB Num.log where num is the increasing number starting from 1, like EDB1.Log
EDB.Che: EDB.Che is the checkpoint file used to trace the data not yet written to database file this indicate the starting point from which data is to be recovered from the log file in case if failure
Res1.log and Res2.log: Res is reserved transaction log file which provide the transaction log file enough time to shutdown if the disk didn’t have enough space.
Active Directory Domain Services is Microsoft’s Directory Server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed.
Default value for Scavenging is seven days (the minimum allowed value for this is one hour)
scavenging time on DNS zone is the server to determine when a zone becomes available for scavenging
So 7 + 7, every 14 days
IN D4 restore a copy of SYSVOL that is restored from backup is authoritative for the domain. After the necessary configurations have been made, Active Directory marks the local SYSVOL as authoritative and it is replicated to the other domain controllers within the domain.
Group Policy Inheritance:
The group policies are inherited from parent to child within a domain. They are not inherited from parent domain to child domain.
Just start the domain controller in Directory Services Restore Mode and perform system state restore from backup
Minimum requirement is to back up two domain controllers in each domain, one should be an operations master role holder DC, no need to backup RID Master (relative ID) because RID master should not be restored.
Not all DNS servers are Scavenging servers, you can configure/promote DNS server to Scavenging servers.
Zone parameter on advanced settings that enables you to specify a restricted list of IP addresses for DNS servers that are enabled to perform scavenging.
Active Directory partition is how and where the AD information logically stored.
Tree is a hierarchical arrangement of windows Domain that share a contiguous name space.
Forest consists of multiple Domains trees. The Domain trees in a forest do not form a contiguous name space however share a common schema and global catalog (GC)
Group policies specify how programs, network resources, and the operating system work for users and computers in an organization. They are collections of user and computer configuration settings that are applied on the users and computers (not on groups). For better administration of group policies in the Windows environment, the group policy objects (GPOs) are used.
Local GPOs are used to control policies on a local server running Windows 2000/2003 Server. On each Windows 2000/2003 server, a local GPO is stored. The local GPO affects only the computer on which it is stored.
By default, only Security Settings nodes are configured. The rest of the settings are either disabled or not enabled. The local GPO is stored in the %systemroot%SYSTEM32GROUPPOLICY folder.
Non-local GPOs are used to control policies on an Active Directory-based network. A Windows 2000/2003 server needs to be configured as a domain controller on the network to use a non-local GPO. The non-local GPOs must be linked to a site, domain, or organizational unit (OU) to apply group policies to the user or computer objects.
The non-local GPOs are stored in %systemroot%SYSVOLPOLICIESADM, where is the GPO’s globally unique identifier. Two non-local GPOs are created by default when the Active Directory is installed:
@Default Domain Policy: This GPO is linked to the domain and it affects all users and computers in the domain.
@Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU and it affects all domain controllers placed in this OU. Multiple GPOs.
Netdom query FSMO.
Backup of one domain controller can’t be restoring to other domain controller, should be restored to same domain controller.
DNS Scavenging is to cleanup and removal of stale DNS records, like housekeeping activity to delete unwanted or unused DNS entries in DNS server/zone, it only cleanup the dynamic DNS record not the record created manually.
Although GPOs are linked to the site, domain, or OUs, and they cannot be linked to the security groups directly, applying permissions to the GPO can filter its scope. The policies in a non-local GPO apply only to users who have the Read and Apply Group Policy permissions set to Allow By specifying appropriate permissions to the security groups, the administrators can filter a GPO’s scope for the computers and users.
Enable BurFlags registry to D2 or D4
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNtFrsParametersBackup/RestoreProcess at Startup
Domain Controller is the server which holds the AD database, All AD changes get replicated to other DC and vise vase.
You can only configure the Application partition manually to use with AD integrated applications.