Archive for April, 2010

Lesson Summary

April 19th, 2010 No Comments

You restore Active Directory data by performing a nonauthoritative restore (the default) or an authoritative restore.

Nonauthoritative restore

In a nonauthoritative restore, the distributed services on a domain controller are restored from backup media and the restored data is then updated through normal replication. Each restored directory partition is brought up to date from its replication partners, so any change made elsewhere since the backup overwrites the restored copy.

Authoritative restore

An authoritative restore brings a domain or a container back to the state it was in at the time of the backup. The restored objects are marked authoritative, so they replicate out to the other domain controllers and overwrite all changes made since the backup.

Before you can restore Active Directory, you must ensure that you can access all locations to which files will be restored, that the device for the storage medium containing the data to be restored is attached to a computer on the network and turned on, and that the medium containing the data to be restored is loaded in the device.

To restore the system state data on a domain controller, you must start the computer in Directory Services Restore Mode (press F8 during startup and choose it from the advanced options menu) and log on with the restore mode Administrator password that was set when the domain controller was promoted. To perform a nonauthoritative restore, use the Backup Or Restore Wizard. To perform an authoritative restore, use the Backup Or Restore Wizard and then, before restarting normally, mark the restored objects as authoritative with the Ntdsutil command.

Posted in : 70-620 Exam, Articles

To add a snap-in to an existing MMC, complete the following steps

April 17th, 2010 No Comments

To add a snap-in to an existing MMC, complete the following steps:

1. Click Start, point to All Programs, point to Administrative Tools, and then click the name of the custom MMC.

2. On the File menu, click Add/Remove Snap-In.

3. On the Standalone tab of the Add/Remove Snap-In dialog box, click Add.

4. In the Add Standalone Snap-In dialog box, select the snap-in you want to add to the existing MMC and click Add.

5. Enter additional details for the snap-in as described in the previous procedure.

6. When you are finished adding snap-ins, click Close in the Add Standalone Snap-In dialog box. The snap-ins you have added appear in the list in the Add/Remove Snap-In dialog box.

7. In the Add/Remove Snap-In dialog box, click OK. MMC displays the snap-ins you have added in the console tree below Console Root.

Posted in : 70-620 Exam, Articles

Troubleshooting Active Directory Installation

April 16th, 2010 No Comments

Some of the common problems you might encounter when installing and removing Active Directory include the following:

• You cannot reach the server from which you are installing, perhaps because the DNS name is not registered yet.

• The name of the domain you are authenticating against is incorrect or not available yet.

• The user name and password you supplied are incorrect.

• The DNS server settings are not configured correctly.

• You are unable to remove data in Active Directory after an unsuccessful removal of Active Directory.

Windows Server 2003 provides the following tools to diagnose and resolve problems encountered during Active Directory installation and removal:

• Directory Service log

• Netdiag.exe: Network Connectivity Tester

• Dcdiag.exe: Domain Controller diagnostic tool

• Dcpromoui.log, Dcpromos.log, and Dcpromo.log files

• Ntdsutil.exe: Active Directory diagnostic tool

Run Netdiag whenever a computer is having network problems. The utility tries to diagnose the problem and can flag problem areas for closer inspection. It can fix simple DNS problems with the optional /fix switch.

To use the Windows Support Tools, including Netdiag, you must first install them on your computer. To install the Windows Support Tools, complete the following steps:

1. Start Windows Server 2003. You must log on as a member of the Administrators group to install the support tools.

2. Insert the Windows Server 2003 CD into your CD-ROM drive.

3. Click Start, and then click Run.

4. In the Run dialog box, type E:\Support\Tools\suptools.msi, where E: is the drive letter of your CD-ROM drive. Click OK.

5. Follow the instructions that appear on your screen.

 The Setup program requires a maximum of 22 megabytes (MB) of free space to install all Windows Support Tools files onto your hard disk. Setup creates a Support Tools folder within the Program Files folder on the system drive. Support Tools are available from the Start Menu by selecting All Programs followed by the Windows Support Tools option. For detailed information about individual tools, click the Support Tools Help menu item. Graphical user interface (GUI) tools can be invoked from the Tools menu. Command-line tools must be invoked at the command prompt.

 You can find more information about Windows Support Tools in Chapter 3, "Administering Active Directory."

To use Netdiag to check domain controller connectivity, complete the following steps:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type netdiag /debug and press Enter. The test runs and displays the results in the command-prompt window.

For more information about Netdiag, see Windows Support Tools Help.

Posted in : 70-620 Exam, Articles

Administering Active Directory

April 15th, 2010 No Comments

Using backup media to create an additional domain controller in your domain reduces the amount of replication required to copy the directory database across your LAN or WAN and creates the additional domain controller faster, because Active Directory only needs to replicate the changes that occurred after the backup was taken. The amount of replication depends on the age of the backup. The backup cannot be older than the tombstone lifetime of the forest, which defaults to 60 days (forests created with Windows Server 2003 SP1 or later default to 180 days); an older backup would reintroduce objects that have already been deleted and purged elsewhere. It is therefore always recommended to use the most recent backup available.

If the domain controller that was backed up contained an application directory partition, it will not be restored on the new domain controller. For information about creating an application directory partition on a new domain controller, refer to Chapter 5, "Configuring Sites and Managing Replication."

Although network bandwidth requirements are greatly reduced by using this mechanism, network connectivity is still necessary so that:

• All critical objects are replicated to the new domain controller

• Non-critical objects created after the backup was taken, and other changes, can be replicated to the new domain controller

• Data stored in the Sysvol folder is replicated to the new domain controller

To install Active Directory using the network or backup media, complete the following steps:

1. Click Start, click Run, type dcpromo /adv in the Open box, and then click OK.

2. On the Operating System Compatibility page, click Next.

3. On the Domain Controller Type page, select Additional Domain Controller For An Existing Domain, and then click Next.

4. On the Copying Domain Information page, select one of the following options:

• Over The Network, to copy domain information to this server over the network.

• From These Restored Backup Files, and type the path to the restored backup files in the box, to copy domain information to this server from backup files.

Note: To copy domain information to the server from backup files, you must first back up the system state of a domain controller belonging to the domain in which this server will become an additional domain controller. Second, the system state backup must be restored locally on the server you are promoting. To do this using Windows Server 2003 Backup, choose the option Restore Files To: Alternate Location. The restored system state contains the full directory database, including password hashes, so protect the restore location and remove the files once the promotion has completed.

If the domain controller whose system state you restored was also a global catalog, the Active Directory Installation Wizard asks whether you want this domain controller to become a global catalog as well.

5. On the Network Credentials page, type your user name and password in the User Name and Password boxes. In the Domain box, type the domain name, and then click Next.

6. On the Database and Log Folders page, ensure that the correct locations for the database folder and the log folder appear in the Database Folder and Log Folder boxes. Click Next.

7. On the Shared System Volume page, ensure that the correct location for the shared system volume folder appears in the Folder Location box. Click Next.

8. On the Directory Services Restore Mode Administrator Password page, type the password you want to assign to this server's Administrator account for use when the computer is started in Directory Services Restore Mode in the Restore Mode Password box. Confirm the password in the Confirm Password box. Click Next. Choose a strong password and store it securely: this is a local account that can log on to the domain controller and read the directory database offline, independently of any domain account.

9. On the Summary page, review your selections. Click Next to proceed with the installation. Restart the computer when prompted.

Posted in : 70-620 Exam, Articles

The relationship of site and domain structures

April 14th, 2010 No Comments

As an administrator, you must create a site structure to reflect your company's organization. See Lesson 3, "Planning the Active Directory Infrastructure Design," to learn the basics of site design. See Chapter 5, "Configuring Sites and Managing Replication," for details about configuring sites.

Domain Controllers A domain controller is a computer running Windows Server 2003 that stores a replica of the domain directory (the local domain database). A domain can contain one or more domain controllers, and each domain controller in a domain holds a complete replica of the domain's portion of the directory. A domain controller can service only one domain. A domain controller also authenticates user logon attempts and maintains the security policy for the domain.

The following list describes the functions of domain controllers:

• Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.

• Domain controllers in a domain automatically replicate directory information for all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that each domain controller replicates at one time. Domain controllers immediately replicate certain important updates, such as the disabling of a user account.

• Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers can hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.

• Although Active Directory supports multimaster replication, some changes are impractical to perform in multimaster fashion. One or more domain controllers can be assigned to perform single-master replication (operations not permitted to occur at different places in a network at the same time). Operations master roles are special roles assigned to one or more domain controllers in a domain to perform single-master replication.

• Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another domain controller is completely propagated. Collisions are detected by comparing each attribute's property version number, a number specific to an attribute that is initialized when the attribute is created and incremented with each originating write. Active Directory resolves the collision by keeping the changed attribute with the higher property version number; if the version numbers are equal, the change with the later originating time stamp wins, and if those match as well, the originating domain controller's invocation ID breaks the tie.

• Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory.

• Domain controllers manage all aspects of users' domain interaction, such as locating Active Directory objects and validating user logon attempts.
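The Python model below is an added example, not code from the original page or from Microsoft, and it serves two passages on this page at once: the collision rule just described, and the nonauthoritative versus authoritative restore described in the Lesson Summary at the top of the archive. The domain controller names DC1 and DC2, the CN=Alice distinguished name, the attribute values and the integer clock are all constructed. The ordering used to settle a collision (version number, then originating time stamp, then originating domain controller) and the 100,000-per-day version increment applied by an authoritative restore follow what Active Directory and ntdsutil do, reduced here to a single attribute and a full-mesh replication cycle.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

Key = Tuple[str, str]  # (distinguished name, attribute name)


@dataclass(order=True, frozen=True)
class AttrMeta:
    """Replication metadata for one attribute value, ordered the way AD
    resolves a collision: version first, then originating time, then the
    originating DC (real AD uses the DSA invocation ID as the tie-breaker)."""
    version: int
    timestamp: int                 # constructed clock, in seconds
    originating_dc: str
    value: str = field(compare=False)


class DomainController:
    def __init__(self, name: str) -> None:
        self.name = name
        self.db: Dict[Key, AttrMeta] = {}

    def write(self, dn: str, attr: str, value: str, now: int) -> None:
        """Originating write: bump the property version number by one."""
        cur = self.db.get((dn, attr))
        version = cur.version + 1 if cur else 1
        self.db[(dn, attr)] = AttrMeta(version, now, self.name, value)

    def receive(self, dn: str, attr: str, incoming: AttrMeta) -> bool:
        """Inbound replication: apply the value only if its metadata wins."""
        cur = self.db.get((dn, attr))
        if cur is None or incoming > cur:
            self.db[(dn, attr)] = incoming
            return True
        return False

    def get(self, dn: str, attr: str) -> AttrMeta:
        return self.db[(dn, attr)]

    def snapshot(self) -> Dict[Key, AttrMeta]:
        """System state backup. AttrMeta is frozen, so a shallow copy of the
        table is a faithful point-in-time copy."""
        return dict(self.db)


def sync(*dcs: DomainController) -> None:
    """One full-mesh replication cycle between the given domain controllers."""
    for src in dcs:
        for dst in dcs:
            if src is not dst:
                for (dn, attr), meta in src.db.items():
                    dst.receive(dn, attr, meta)


def nonauthoritative_restore(dc: DomainController, backup: Dict[Key, AttrMeta]) -> None:
    """Default restore: put the backup in place and let normal replication
    bring the DC up to date (newer changes elsewhere overwrite the restored copy)."""
    dc.db = dict(backup)


def authoritative_restore(dc: DomainController, backup: Dict[Key, AttrMeta], dn: str,
                          attr: str, days_since_backup: int, now: int,
                          verinc: int = 100_000) -> None:
    """ntdsutil-style authoritative restore of one attribute: reinstate the
    backed-up value and raise its version by verinc per day since the backup
    (ntdsutil's default increment) so it beats every change made since."""
    meta = backup[(dn, attr)]
    bump = verinc * max(days_since_backup, 1)
    dc.db[(dn, attr)] = AttrMeta(meta.version + bump, now, dc.name, meta.value)


def demo() -> dict:
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dn, attr = "CN=Alice,OU=US,DC=example,DC=com", "description"   # constructed
    dc1.write(dn, attr, "Sales rep", now=0)
    sync(dc1, dc2)
    backup = dc1.snapshot()                       # system state backup of DC1

    # Collision: DC1 changes the attribute twice, DC2 once, before replicating.
    dc1.write(dn, attr, "Sales rep (Boston)", now=10)
    dc1.write(dn, attr, "Account manager", now=11)
    dc2.write(dn, attr, "Sales rep (London)", now=20)   # later, but lower version
    sync(dc1, dc2)
    after_collision = (dc1.get(dn, attr).value, dc2.get(dn, attr).value)

    # Nonauthoritative restore of DC1: replication re-applies the newer value.
    nonauthoritative_restore(dc1, backup)
    sync(dc1, dc2)
    after_nonauth = dc1.get(dn, attr).value

    # Authoritative restore of the backed-up value on DC1, one day later.
    authoritative_restore(dc1, backup, dn, attr, days_since_backup=1, now=86_400)
    sync(dc1, dc2)
    after_auth = (dc1.get(dn, attr).value, dc1.get(dn, attr).version,
                  dc2.get(dn, attr).value)
    return {"after_collision": after_collision,
            "after_nonauthoritative_restore": after_nonauth,
            "after_authoritative_restore": after_auth}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three behaviours in sequence: DC1's third version wins the collision even though DC2's write was later in time; the nonauthoritative restore is silently overwritten by replication; and the authoritative restore, carrying version 100001, propagates the old value back to DC2. This is also why an authoritative restore must be done from Directory Services Restore Mode before the domain controller replicates again: without the version bump, the restored data would lose exactly as the nonauthoritative case does.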

As an administrator, you must place domain controllers in sites to reflect your organization's physical structure and optimize replication and authentication. See Lesson 3, "Planning the Active Directory Infrastructure Design," to learn the basics of domain controller placement. See Chapter 2, "Installing and Configuring Active Directory," for details about creating domain controllers.

Posted in : 70-620 Exam, Articles

Using an OU to handle administrative tasks

April 13th, 2010 No Comments

If the subadministrator is later required to create user accounts in the US, Orders, and Disp OUs, you could grant the administrator the appropriate permissions separately within each OU. However, because the Orders and Disp OUs are nested in the US OU, a more efficient method is to assign permissions once in the US OU, and allow them to be inherited by the Orders and Disp OUs. By default, all child objects (the Orders and Disp OUs) within Active Directory inherit permissions from their parents (the US OU). Granting permissions at a higher level and using inheritance capabilities can reduce administrative tasks.

Trees A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next lesson. Following DNS standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain. In Figure 1-6, microsoft.com is the parent domain and us.microsoft.com and uk.microsoft.com are its child domains. The child domain of uk.microsoft.com is sls.uk.microsoft.com. By creating a hierarchy of domains in a tree, you can retain security and allow for administration within an OU or within a single domain of a tree. The tree structure easily accommodates organizational changes.

Posted in : 70-620 Exam, Articles

Complete mediation. Complete mediation means that:

April 12th, 2010 No Comments

Complete mediation. Complete mediation means that every access to every object is checked for authorization, every time, rather than relying on an earlier check or a cached decision. In practice:

All access avenues should be checked. Program input should be validated by the program; administrators should protect shares with proper permissions; users should not be allowed to install unapproved software; and auditors should be reviewing whether all of these things, and any other access controls, are being implemented properly. Each entry point requires checking by those responsible for it, as well as by those responsible for reviewing what others are doing.

You should review firewall controls, DNS security, network authentication, modem and other out-of-band communications access, PDA devices, wireless devices, remote computer connections, file and folder permissions, physical security, and so on.

Psychological acceptability. Recognize that the human element is the most important security asset. Make security unobtrusive, hide its complexity, use acceptable processes, and obtain user buy-in. For example, if you choose to use biometrics, which might include fingerprinting and retinal scans, consider user acceptance. Your users might find the processes to be an invasion of personal privacy. Voice recognition and hand geometry might be more readily accepted by users.

Trust but audit. Users and administrators must have the privileges they need to do their job, but no one is completely and permanently above suspicion. Remember that people change, temptation can be great, and anger can make some people overstep their usual reluctance to break the rules. Provision for auditing should be part of any security design. Reviewing audit logs can provide valuable information. The following examples show how audit data can be used:

Match computer restarts with approved maintenance requests. Investigate the discrepancies. Who rebooted? Why? Many attacks require the reboot of systems. This is an activity that is particularly wise to track.

Monitor the use of administrative functions such as group and user management. Understanding what normal activity is and ensuring that only approved changes are made can go a long way to detecting abuses of privilege.
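The two audit uses just listed, as a small detection script. This is an added example, not code from the original page; the event lines, host names, maintenance window and change tickets are all constructed, and the one-line event layout is invented for the example (real events come from the System and Security logs, and Windows Server 2003 numbers the group-membership events 632 and 636 rather than the 4728 and 4732 used since Windows Vista). It correlates restarts against approved maintenance windows and group additions against approved change tickets, and additionally flags anyone who adds themselves to a group.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample events (not real log output). Only the event IDs are Windows':
#   1074         System log: user-initiated shutdown or restart, with a reason
#   4728 / 4732  Security log: member added to a global / local security group
SAMPLE_EVENTS = [
    '2010-04-10T02:05:00 DC1 1074 restart by=EXAMPLE\\svc-patch reason=Planned',
    '2010-04-11T14:22:00 DC1 1074 restart by=EXAMPLE\\bob reason=Other',
    '2010-04-11T14:30:00 DC1 4728 group-add member=EXAMPLE\\bob group="Domain Admins" by=EXAMPLE\\bob',
    '2010-04-12T09:00:00 DC2 4728 group-add member=EXAMPLE\\carol group="Helpdesk" by=EXAMPLE\\alice',
    '2010-04-12T09:05:00 DC2 4732 group-add member=EXAMPLE\\dave group="Administrators" by=EXAMPLE\\dave',
]

# Approved maintenance requests: (host, window start, window end). Constructed.
MAINTENANCE_WINDOWS = [("DC1", datetime(2010, 4, 10, 2, 0), datetime(2010, 4, 10, 3, 0))]

# Approved change tickets for group membership: (member, group). Constructed.
APPROVED_GROUP_CHANGES = {("EXAMPLE\\carol", "Helpdesk")}

RESTART_IDS = {1074}
GROUP_ADD_IDS = {4728, 4732}

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+)(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"


def parse_event(line: str) -> Dict[str, object]:
    """Split one constructed event line into timestamp, host, ID, kind and fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, host, event_id, kind, rest = m.groups()
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
    return {"time": datetime.fromisoformat(ts), "host": host,
            "id": int(event_id), "kind": kind, **fields}


def unapproved_restarts(events, windows) -> List[Tuple[str, str, str]]:
    """Restarts that fall outside every approved maintenance window for that host."""
    flagged = []
    for e in events:
        if e["id"] not in RESTART_IDS:
            continue
        approved = any(h == e["host"] and start <= e["time"] <= end
                       for h, start, end in windows)
        if not approved:
            flagged.append((e["host"], e["time"].isoformat(), e["by"]))
    return flagged


def unapproved_group_changes(events, approved) -> List[Tuple[str, str, str, str]]:
    """Group additions without a matching ticket, plus any self-granted membership,
    which is the classic abuse-of-privilege pattern even when a ticket exists."""
    flagged = []
    for e in events:
        if e["id"] in GROUP_ADD_IDS:
            if (e["member"], e["group"]) not in approved or e["member"] == e["by"]:
                flagged.append((e["host"], e["member"], e["group"], e["by"]))
    return flagged


def review(lines, windows=MAINTENANCE_WINDOWS, approved=APPROVED_GROUP_CHANGES) -> dict:
    events = [parse_event(line) for line in lines]
    return {"restarts": unapproved_restarts(events, windows),
            "group_changes": unapproved_group_changes(events, approved)}


if __name__ == "__main__":
    for category, findings in review(SAMPLE_EVENTS).items():
        for finding in findings:
            print(category, *finding)
```

On the sample data the script reports one restart (bob's on 11 April, outside the approved window) and two group additions (bob adding himself to Domain Admins, dave adding himself to Administrators); carol's addition to Helpdesk matches a ticket and was performed by someone else, so it is not reported. The point of the exercise is the cross-reference: the audit log alone tells you what happened, and only comparison against what was approved tells you which events deserve an investigation.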

Keeping up to date. Systems change, and new bugs and insecure practices are discovered all the time. Systems must be patched, and administrators need to be knowledgeable about the latest defense mechanisms. For example, applying security patches is sound preventative advice—many of the major Internet-based attacks of the past years did not impact companies where patching processes were in place.

Posted in : 70-620 Exam

Microsoft Exam 70-620: Windows Vista

April 6th, 2010 No Comments

The Microsoft 70-620 Windows Vista exam (TS: Microsoft Windows Vista, Configuring) is a widely recognized certification exam that tests your knowledge of installing, configuring, and administering Windows Vista. According to Microsoft, typical candidates for this certification already have some experience with Windows clients, such as Windows 2000 and Windows XP, and have worked in a mid-to-large-size computing environment. In practice, many candidates for this exam have neither worked in a large computing environment nor had extensive practice with Windows Vista. The exam does not test your ability to use Vista, per se, but rather your ability to install, configure, and administer it.

It is important for you to understand that this exam does not cover the actual use of Windows Vista, but rather, the configuration of Vista for business and enterprise purposes. That being said, a power user would have only a slight advantage over a typical user of Vista as the exam does not cover the gimmicks and special features of Vista.

70-620 Exam Specifics

70-620 Exam Cost: $125 per attempt. You can buy exam vouchers from VUE or Prometric to get a discount. Many online vendors also offer discounts for specific exams; see the "vouchers" section to learn more about exam discounts through vouchers.

70-620 Exam Location: You can register for the exam at any Pearson VUE or Thomson Prometric center. (Pearson VUE will discontinue selling Microsoft professional certification exams after August 31, 2007. To accommodate those who purchase Microsoft professional certification exams through August 31, 2007, Pearson VUE will continue to administer the exams through December 31, 2007.)

Time Allocated: 90 minutes per exam

Score Range: 100 to 1000

Passing Score: 700

Number Of Questions: 50-60 questions per exam

Exam Code: 70-620

Pre-requisites: None.

70-620 Exam Format: Linear format; computer-based test (CBT)

Validation Period: Certification expires after around four to five years (when new and more relevant Microsoft products are released)

Score Report: Delivered immediately on test completion.

70-620 Exam Pattern

The question types found on the Microsoft Windows Vista exam are:

*Multiple Choice with Single answer: Student is required to select a single answer from a range of options (generally 4-5) by clicking on a radio button.

*Multiple Choice with Multiple answers: Student is required to select more than one answer from a range of options by clicking on a checkbox; when more than one answer is required, the number of answers is specified as part of the question.

*Exhibit Based: Some questions from the above types will have special exhibits or evidence that you must use to answer the questions.

*You may also be required to click one of 4-5 areas on an exhibit to select a correct answer.

70-620 Exam Objectives:

*Installing and Upgrading Windows Vista

*Configuration and Post-Installation Settings

*Windows Security

*Maintaining and Optimizing Windows Vista Systems

*Configuring and Troubleshooting Mobile Computing

Posted in : 70-620 Exam