http://www.windows-active-directory.com/active-directory-videos.html
For ADAudit Plus to collect audit data from Domain Controllers, grant either of the following user privileges under the Domain Settings tab of ADAudit Plus.
For 2003 Domain Controllers: Providing a user with Event Log Read permission.
For 2008 Domain Controllers: Providing a user with Event Log Read permission, or providing DCOM and WMI permissions.
Providing DCOM and WMI permissions:
These permissions are specific to Windows 2008 Domain Controllers.
Providing DCOM Permissions
Why Metadata Cleanup?
When a domain controller crashes or is removed from the network, Active Directory still assumes that the Domain Controller is alive, and you will see replication problems. This affects Microsoft Exchange Server and other mission-critical applications that depend on AD.
DcDiag and NetDiag will help us understand whether there are any replication problems.
Permission Requisites
The account should be a member of the Domain Admins and Enterprise Admins groups.
Let's Explore
Scenario
Two Domain Controllers: DC-13 and DC1
Figure 1.1 : Netdom query DC
In figure 1.1 both DCs appear to be available; however, DC1 has in fact crashed. Let's say it crashed for the following reason:
In our scenario DC1 has crashed.
Before we move ahead, let's check where the FSMO roles exist.
Figure 1.2 : Netdom Query FSMO
Since the FSMO roles are held by DC-13, we can start the metadata cleanup.
Go to the command prompt and type the command below.
Figure 1.3 : Ntdsutil
Ntdsutil is a utility that can be used for various Active Directory tasks.
Figure 1.4 : Metadata Cleanup
Type Metadata cleanup as shown in figure 1.4.
Figure 1.5 : Connections
Type connections as shown in figure 1.5.
Figure 1.6 : Connect to server
Connect to the server. In our scenario we connect to DC1, which has crashed.
Figure 1.7 : Quit
Type quit as shown in figure 1.7.
The metadata cleanup prompt appears.
Figure 1.8 : Select Operation Target
Figure 1.9 : List Domain
Figure 1.10 : Select Domain 0
In figure 1.10 it says no site found. To list the sites, we have to run the command below.
Figure 1.11 : List Site
Figure 1.11 now lists the site, which is “Default-First-Site-Name”.
Figure 1.12 : Select Site 0
In figure 1.12 it again says No Current Server. To list the servers in the site, type the command below.
Figure 1.13 : List servers in site
Figure 1.13 lists two servers in the site.
Figure 1.14 : Select Server 1
Figure 1.15 : Type Quit
Figure 1.16 : Remove Selected Server
Figure 1.17 : Select Yes
Now the process performs the metadata cleanup for the failed DC.
After performing the above task, we have to ensure that the DNS information is also removed. Remove the records using the DNS management console.
===========================
The server object has to be removed manually from Active Directory Sites and Services.
===========================
When you use DFS Replication in Windows Server 2008 and in later versions, the current version of Ntdsutil.exe does not clean up the DFS Replication object. In this case, you can use Adsiedit.msc to correct the DFS Replication objects for Active Directory Domain Services (AD DS) manually. To do this, follow these steps:
CN=Topology,CN=Domain System Volume,CN=DFSR-Globalsettings,CN=System,DC=Your Domain,DC=Domain Suffix
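The notes above list what ntdsutil does not clean up. The following PowerShell script is an added example, not part of the original post: run it on a surviving DC after the cleanup to check for the leftovers described (server object under Sites and Services, DFSR member object under the DN quoted above, DNS records, replication partner entries). It assumes the names DC1 (failed), DC-13 (surviving) and MSEXCHANGETEAM.IN from the scenario, and the ActiveDirectory module (Windows Server 2008 R2 or later).

```powershell
# Added example, not from the original post: after the ntdsutil cleanup above, look for
# what it leaves behind (server object under Sites, DFSR member object, DNS records,
# replication partner entries). Requires the ActiveDirectory module (2008 R2 or later).
# Assumed names: failed DC 'DC1', surviving DC 'DC-13', domain MSEXCHANGETEAM.IN.
Import-Module ActiveDirectory

$failedDc   = 'DC1'
$liveDc     = 'DC-13'
$domainFqdn = 'MSEXCHANGETEAM.IN'
$domainDn   = 'DC=MSEXCHANGETEAM,DC=IN'
$configDn   = (Get-ADRootDSE -Server $liveDc).configurationNamingContext
$findings   = @()

# 1. Server object under Sites and Services (ntdsutil removes NTDS Settings, not this).
$serverObj = Get-ADObject -Server $liveDc -SearchBase "CN=Sites,$configDn" `
    -LDAPFilter "(&(objectClass=server)(cn=$failedDc))"
if ($serverObj) { $findings += "Server object still present: $($serverObj.DistinguishedName)" }

# 2. DFSR member object for the failed DC under the Domain System Volume topology.
#    The try/catch covers FRS domains, where this container does not exist.
$dfsrBase   = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDn"
$computerDn = "CN=$failedDc,OU=Domain Controllers,$domainDn"
$dfsrMember = try {
    Get-ADObject -Server $liveDc -SearchBase $dfsrBase `
        -LDAPFilter "(&(objectClass=msDFSR-Member)(msDFSR-ComputerReference=$computerDn))"
} catch { $null }
if ($dfsrMember) { $findings += "DFSR member still present: $($dfsrMember.DistinguishedName)" }

# 3. DNS: the host record and the DC locator SRV records must no longer name the failed DC.
#    nslookup prints one 'Address' line for the DNS server itself, so more than one is a hit.
$aRecord = & nslookup "$failedDc.$domainFqdn" $liveDc 2>$null | Select-String 'Address'
if (($aRecord | Measure-Object).Count -gt 1) { $findings += "A record for $failedDc still exists" }
$srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainFqdn" $liveDc 2>$null | Select-String $failedDc
if ($srv) { $findings += "SRV record(s) still point at $failedDc" }

# 4. The surviving DC's replication topology must not reference the failed DC any more.
$repl = & repadmin /showrepl $liveDc | Select-String $failedDc
if ($repl) { $findings += "repadmin still lists $failedDc as a replication partner" }

if ($findings) { $findings | ForEach-Object { "LEFTOVER: $_" } } else { "No leftovers found for $failedDc" }
```

Each LEFTOVER line names an object or record to remove by hand with the console named in the notes above (Sites and Services, Adsiedit.msc or the DNS management console).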
Tested On
Windows Server 2003
Windows Server 2008
Before we begin
The account with which we are going to perform this action should be a member of the Domain Admins group.
Best Practices
It is always recommended to have a proper system state backup. To learn how to perform a system state backup on 2008 machines, please click here. The Recycle Bin is only an optional feature in Windows Server 2008 R2. Once this feature is enabled it cannot be reversed under any circumstances, so plan accordingly.
Scenario
We will be deleting the same account, named “Sunder”, for testing purposes.
Open the command prompt in elevated mode as follows.
Go to Start > right-click Command Prompt > select Run as Administrator, as shown below.
Figure 1.1 : Open Command Prompt in elevated mode.
Figure 1.2 : Type ldp.exe and then press enter
Figure 2.1 : Click on connect
Figure 2.2 : Type the name of the server you want to connect to. In our scenario it is DC1.
Click on OK.
Figure 3.1 : Click on Bind
Figure 3.2 : Bind as currently logged on user (Default). Click ok.
Figure 4.1 : Select Options in the menu bar and then select Controls.
Figure 4.2 : Option to select.
In figure 4.2 select “Return deleted objects” from the drop-down menu, as shown above.
Figure 5.1 : Select Tree
Go to View, select “Tree”, and select the option listed below.
Figure 5.2 : In BaseDN Select Domain Partition.
Figure 6.1 : Click Modify
In figure 6.1 navigate to the Deleted Objects container and locate the object that was deleted. Right-click it and then select Modify.
Figure 6.2 : Modify the selected object.
In figure 6.2 type “isDeleted” as the attribute, under Operation select Delete, and then press Enter, as shown above.
Figure 6.3 : Changing the DN.
In figure 6.3 type distinguishedName as the attribute and in Values type the original DN of the object. In our case it is “CN=Sunder,OU=All Company Users,DC=MSEXCHANGETEAM,DC=IN”. Be sure to select the Extended check box.
Under Operation select Replace and press Enter again. Finally, click Run.
Object restored successfully.
Figure 7.1 : Object restored Successfully.
It is always important to make a note of the container from which the object was deleted. This will help in working out the original DN of the object.
Conclusion: Using PowerShell it is pretty straightforward. However, we have two easy options to recover objects that were deleted accidentally. The choice is yours.
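The LDP.exe steps in figures 4.2 to 6.3 are one LDAP modify that removes isDeleted and replaces distinguishedName, sent with the show-deleted control (the Extended check box). The script below is an added example, not part of the original post, that performs the same reanimation with System.DirectoryServices.Protocols so the steps can be repeated without the GUI. It assumes the scenario's server DC1 and the DN “CN=Sunder,OU=All Company Users,DC=MSEXCHANGETEAM,DC=IN”.

```powershell
# Added example, not from the original post: tombstone reanimation via LDAP, mirroring
# the LDP.exe steps (bind as current user, search with the show-deleted control, one
# Modify that deletes isDeleted and replaces distinguishedName, also with the control).
# Assumed names: server DC1, user Sunder, original OU 'All Company Users'.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server     = 'DC1'
$domainDn   = 'DC=MSEXCHANGETEAM,DC=IN'
$name       = 'Sunder'
$originalDn = "CN=$name,OU=All Company Users,$domainDn"

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # bind as the currently logged-on user, as in figure 3.2

# Equivalent of "Return deleted objects": search the Deleted Objects container with the control.
# A tombstone's cn is '<name>\0ADEL:<guid>', hence the trailing wildcard.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    "CN=Deleted Objects,$domainDn",
    "(&(isDeleted=TRUE)(objectClass=user)(cn=$name*))",
    [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
    @('distinguishedName', 'lastKnownParent'))
$search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
$result = $conn.SendRequest($search)
if ($result.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for $name, found $($result.Entries.Count); refine the filter."
}
$tombstoneDn = $result.Entries[0].DistinguishedName
"Tombstone: $tombstoneDn"

# Both attribute changes go into a single Modify, as in figures 6.2 and 6.3.
$delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$delIsDeleted.Name      = 'isDeleted'
$delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$setDn.Name      = 'distinguishedName'
$setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
$setDn.Add($originalDn) | Out-Null

$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest($tombstoneDn, @($delIsDeleted, $setDn))
# The "Extended" check box in LDP attaches the show-deleted control; do the same here.
$modify.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null
$response = $conn.SendRequest($modify)
"Result: $($response.ResultCode)"   # Success means the object is back at $originalDn
```

A reanimated tombstone keeps only the attributes retained at deletion time (group memberships and most others are gone), which is why the Recycle Bin described in the next part is the better option where the forest level allows it.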
Before we begin
The account with which we are going to perform these steps must be a member of the Domain Admins and Enterprise Admins groups.
The Forest Functional Level should be Windows Server 2008 R2.
Best Practices
It is always recommended to have a proper system state backup. To learn how to perform a system state backup on 2008 machines, please click here. The Recycle Bin is only an optional feature in Windows Server 2008 R2. Once this feature is enabled it cannot be reversed under any circumstances, so plan accordingly.
Scenario
One Domain Controller, named as follows.
DC name : DC1.MSEXCHANGETEAM.IN
Forest Functional Level : Windows Server 2008 R2.
By default the Recycle Bin is not enabled. We have to enable it manually.
Below is the step-by-step scenario for restoring a single AD object that was deleted.
Figure 1.1 : Object which will be deleted.
Before deleting the object we have to enable the Recycle Bin.
Figure 2.1 : Importing Active Directory Module.
In figure 2.1 we import the Active Directory module in order to enable the AD optional feature.
Figure 2.2 : Enable-ADOptionalFeature.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=MSEXCHANGETEAM,DC=IN' -Scope ForestOrConfigurationSet -Target 'MSEXCHANGETEAM.IN'
Figure 2.3 : Command for reference.
Figure 3.1 : Object marked for deletion.
Get-ADObject -Filter {displayName -eq "Sunder"} -IncludeDeletedObjects | Restore-ADObject
Figure 4.1 : Command to restore AdObject
Figure 5.1 : Object Restored Successfully.
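The two commands above assume the prerequisites listed under “Before we begin” and “Best Practices” are met. The following PowerShell script is an added example, not part of the original post: it checks the forest functional level and the feature's current state before the irreversible enable, then restores the deleted user by its last known parent rather than by display name alone, and falls back to a target container when the original OU no longer exists. It assumes the scenario's forest MSEXCHANGETEAM.IN, user Sunder and OU “All Company Users”.

```powershell
# Added example, not from the original post: verify the Recycle Bin prerequisites stated
# above, enable the feature only if it is not already enabled (the change is irreversible),
# then restore the deleted user by where it lived. Assumed names: forest MSEXCHANGETEAM.IN,
# user 'Sunder', original OU 'All Company Users'.
Import-Module ActiveDirectory

$forest    = Get-ADForest
$domainDn  = (Get-ADDomain).DistinguishedName
$configDn  = (Get-ADRootDSE).configurationNamingContext
$featureDn = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$configDn"

# Forest functional level must be at least Windows Server 2008 R2.
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest mode is $($forest.ForestMode); the Recycle Bin needs Windows2008R2Forest or higher."
}

$feature = Get-ADOptionalFeature -Identity $featureDn
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled for: $($feature.EnabledScopes -join ', ')"
} else {
    # Cannot be undone once applied, hence the explicit confirmation prompt.
    Enable-ADOptionalFeature -Identity $featureDn -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm
}

# Locate the deleted object by name AND last known parent, so a namesake elsewhere is not restored.
$parentOu = "OU=All Company Users,$domainDn"
$deleted  = Get-ADObject -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(displayName=Sunder)(lastKnownParent=$parentOu))"
if (-not $deleted) { throw "No deleted user named Sunder found under $parentOu" }
if (@($deleted).Count -gt 1) { throw "More than one matching deleted object; restore by ObjectGUID instead" }

# Restore-ADObject needs the original parent to exist; otherwise give it a target path.
if (Get-ADObject -Filter { distinguishedName -eq $parentOu }) {
    $deleted | Restore-ADObject
} else {
    $deleted | Restore-ADObject -TargetPath "CN=Users,$domainDn"
}

# Verify: the GUID is unchanged after a Recycle Bin restore, so look it up by that.
Get-ADUser -Identity $deleted.ObjectGUID | Select-Object DistinguishedName, Enabled
```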
Thanks to Microsoft for bringing such a wonderful feature for which Windows Administrators waited for almost a decade.
In the next part of the series we will walk you through the steps using the LDP.exe tool.
Courtesy Microsoft.
Disclaimer : The above scenario has been thoroughly tested in a lab. Please note that MSEXCHANGETEAM.IN will not be held responsible for any data loss or outage caused by following the above steps. Please read the documents carefully before proceeding.
Happy Learning
As with Windows Server 2003, you can use restored backup media to minimize replication traffic during AD DS installation on a server that is running Windows Server 2008. You can use this installation method to install a new (additional) domain controller in an existing domain.
Of course, the amount of data to be replicated depends on how up to date your backup is. Objects that were modified, added or deleted since the backup was taken must be replicated after the AD DS installation process.
If the backup was recent, the amount of replication data required will be considerably smaller than the amount of replication data required for a normal AD DS installation.
The Install From Media (IFM) option only appears when the check box for “Use advanced mode installation” is selected on the Welcome page of the wizard. This “advanced mode” is an alternative to running dcpromo /adv.
IMPORTANT: The installation media that you use must be prepared from the same type of domain controller that you are installing. The following aspects of the domain controller source and target must be identical:
NOTE: A Server Core installation can be the source for installing a new domain controller on a Full installation of Windows Server 2008.
Installation Media
Windows Server 2008 includes an improved version of Ntdsutil.exe that you can use to create the installation media for both writable (RWDC) and read-only DCs (RODC). Ntdsutil.exe can create four types of installation media:
Ntdsutil allows you to create four types of installation media.
If the installation media does not include SYSVOL – by default – the entire SYSVOL data must be replicated from another domain controller. If the installation media includes SYSVOL, then the new domain controller will need to replicate only changes that have been made to SYSVOL since the installation media was created.
So you can run the ntdsutil ifm command on a writable domain controller to create installation media for an RWDC and/or an RODC. From an RODC, you can only create installation media for another RODC. In the case of RODC installation media, ntdsutil removes any cached secrets, such as passwords.
As you can see below, ntdsutil uses VSS (Volume Shadow Copy Service) to create a snapshot of AD from the running DC, replays its logs and defragments the AD database.
Ntdsutil ifm allows you to create IFM media for an RWDC and an RODC.
After also running a “create sysvol full” IFM creation, this is what the file system looks like. Notice the StartGPOs folder…
You can also create installation media by using the Windows Server Backup tool (a feature not installed by default) in Windows Server 2008. In this case, you use the wbadmin (Windows Backup Admin) command-line tool to restore the system state data to an alternate location.
However, you should prefer Ntdsutil.exe, because Windows Server Backup can back up only the set of critical volumes, which occupies much more space than is required for AD DS installation data.
More information: Installing AD DS from (Installation) Media