Microsoft Azure AZ-801 — Section 20: Troubleshoot Active Directory
119. Restore objects from AD recycle bin
Let’s talk now about a very helpful feature that we have in our Active Directory with AD DS called the Active Directory recycle bin.
Now, this is a great feature, but I will warn you that it’s not turned on by default. The Recycle Bin helps when a user account or some other object gets deleted: you can simply go into the Recycle Bin and restore that user account. But it does have to be enabled before you can use it.
Let’s take a look at that. First off, you go into Server Manager. Once you get into Server Manager, you go to Tools and open up Active Directory Administrative Center. You can’t do this through Active Directory Users and Computers, so it needs to be the Active Directory Administrative Center. So, here I am in Active Directory Administrative Center, and I’m going to click on my domain name here, exam lab practice.com. And then you’re going to notice right here you have Enable Recycle Bin. Now, this is important because there is a container that you’ll have here for deleted objects, called Deleted Objects. That container is not available until you turn this on.
We’re going to go ahead and enable that. It says that it’s now going to be turned on. It does warn you that it will replicate this feature around all the domains in the forest. You would want to give it time to replicate to all your domain controllers in the forest before you really start using it a whole lot. But in our case, we only have one domain controller, so we’re pretty much ready to use it, and then it tells you that you can refresh. And when you refresh, you’ll see the Deleted Objects container is there. Let’s go in and we’re just going to delete a user real quick. We’ll go over here to Users and let’s delete this JK user account. So, I’m going to click Delete, click Yes. That object is now deleted.
If we go back to our deleted objects container, you can see that GS account is available. All right. And I can very easily just say I could restore it to somewhere different, or I could just restore it back to where it came from. And just like that, it’s now going to be restored right back to where it came from, which should be in the Users folder. And as you can see, the user is now back. All right.
So, very easy to use. I will tell you that once it’s turned on, you can’t turn it off. Not that I could imagine you would ever want to turn it off, but once you turn it on, it is on for good. All right. But it’s definitely a helpful tool, so make sure you enable it. I would highly recommend doing that in your own environment.
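The same enable, find and restore steps in PowerShell, as an added example that is not part of the original lesson. It uses the ActiveDirectory module cmdlets; the logon name 'JK' for the deleted account is an assumption based on the account named in the walkthrough.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    # The optional feature is enabled once EnabledScopes is non-empty.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return [bool]$feature.EnabledScopes
}

function Enable-ADRecycleBin {
    # Forest-wide and irreversible; allow time for replication to every DC.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -Confirm:$false
}

function Get-DeletedADUser {
    param([Parameter(Mandatory)][ValidatePattern('^[\w.\- ]+$')][string]$SamAccountName)
    # Deleted objects are only returned when -IncludeDeletedObjects is given.
    Get-ADObject -IncludeDeletedObjects -Properties lastKnownParent, whenChanged `
        -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'"
}

function Restore-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$TargetPath)
    $hits = @(Get-DeletedADUser -SamAccountName $SamAccountName)
    # Refuse to guess when the name matches no object or several deleted objects.
    if ($hits.Count -ne 1) { throw "Expected one deleted object, found $($hits.Count)" }
    if ($TargetPath) {
        # Restore to a different container, given as a distinguished name.
        $hits[0] | Restore-ADObject -TargetPath $TargetPath -PassThru
    } else {
        # Default: back to lastKnownParent, the container it was deleted from.
        $hits[0] | Restore-ADObject -PassThru
    }
}

if (-not (Test-ADRecycleBinEnabled)) { Enable-ADRecycleBin }
Restore-DeletedADUser -SamAccountName 'JK'   # 'JK' as a logon name is an assumption
```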
120. Recover Active Directory database using Directory Services Restore Mode
I’d like to now go over the concept with you of backing up and restoring Active Directory.
So, first off, where is Active Directory stored on a domain controller? It’s actually stored in a folder on your C drive called NTDS. So, if we go to C:\Windows\NTDS, you have a file called ntds.dit. But there’s more to backing up Active Directory than just the database itself. There are registry settings and metadata that also need to be backed up. And so you need a real backup tool to do that. Windows Server does come with a backup tool. If you go to Server Manager and you go to Tools, you’ll see you have Windows Server Backup. Now, there’s a catch though. When you get into the backup tool, it tells you that the service is not installed. So, we have to install the service. We go over here to Manage, Add Roles and Features. We’ll click Next, Next, and Next again. Scroll down. And there it is right there, Windows Server Backup. We’re going to enable that. Click Install. And then we just have to wait on that to get installed.
Now that it has been installed, I can hit Close and then I can open back up that Windows Server Backup tool. And this time I won’t get that same message. So, as you can see, it is showing up here and not throwing up the same message that it did before. It’s reading the data, reading the drive right now. And then once that’s done, I can come over here and I could schedule a backup if I wanted, or I could back up once.
Keep in mind, one thing to remember here is that you must be either an admin or a backup operator. There’s a group called Backup Operators. If your user account is in that group, you can back up and restore data. If you are not a member of that group, you must be a member of the Administrators group in order to do that. But I’m going to go here and click Backup Once. And we’re going to do Custom. We’re going to click Add Items. And here it is right here. This is what you want to remember: the system state is how you back up Active Directory.
Whatever backup software you use is fine, but you’ve got to make sure it supports backing up the system state, which of course the built-in backup tool in Windows Server does. It’s not the most powerful tool in the world, but it will get the job done. So, then I can click Next. It asks where you want to back this up to. I’ll try to back it up to a local drive, so a local disk destination, and then I’ll say Backup. At that point it is using the Volume Shadow Copy Service, which allows the server to back up data while it’s being used. So, we let that run here. All right. That finally did complete, and I did want to tell you that while I was doing it, I noticed I got an error. And the reason I got an error is because I was trying to use a local path and I’d forgotten that I needed to use a network path to my C drive.
What I ended up doing is I just created a folder on my C drive called backup. And then I went through Backup Once, the whole process again, Custom, except this time I chose System State and I didn’t choose a local drive. It really doesn’t like you saving to the C drive. They want you to either use a remote path to the C drive or have a separate hard drive.
So, I just put in right here \\nyc-dc1\c$\backup. And then I ran through and it went through successfully. So, even though I didn’t show it, that was the process I went through and it did go through successfully here. I now have my system state backup. Now, in order to do a restoration of your system state, you have to reboot the server into Directory Services Restore Mode.
That is done like this: I come over here to search and I type msconfig. All right. That brings up System Configuration. We’ll come over here to the Boot tab, and we’re going to click Safe boot. We’re going to click Active Directory repair.
Now, what I’m going to do is restart the server. So, the machine has rebooted and I want to show you something. You’re going to notice that if I try to log on to my domain, it’s not going to let me. Right. Because the domain is down.
Now, there is an account called the Directory Services Restore Mode administrator account that was created when I set up Active Directory, and I gave it a password. Basically, I just used the same password as I do for my domain account. What I’m going to do is just put .\ which means log on locally, and we’re going to put in the password and there we go. We’re now logging on to the Directory Services Restore Mode administrator account. All right. You’ll notice in Server Manager here, you’ll see that services are turned off. AD DS is all off, right.
So, we’ll go here to Tools. We’ll go to the backup tool, Windows Server Backup. Open that up. Go to Local Backup. And let it load, of course. Once it’s done loading, we’ll have the ability to actually perform a restoration. This type of restoration is called a non-authoritative restore, which basically means Active Directory might have got corrupted on a machine, and so we’re just restoring a solid copy of it. If there were other domain controllers, this would just restore Active Directory on this one. Let’s say you backed up Active Directory three days ago. You’re restoring a backup that’s three days old. As long as you’ve got a stable copy of Active Directory on there, your other domain controllers will update this domain controller. So, if this data was three days out of date, the other domain controllers would update it.
So, then I’ll come over here to Recover. I want a backup stored in another location. I’m going to click Next, Remote shared folder, and we’ll say \\nyc-dc1\c$\backup. Okay. And it says, all right, what’s the date? There’s the date of the backup files.
So, I want to do System State. All right. It asks where you want to recover the system state of your backup. This option restores the system state, and you must restart your computer at the end of the recovery. There is also the option Perform an authoritative restore of Active Directory.
What’s the difference? A non-authoritative restore means I’ve got a corrupted version of Active Directory just on this server, not on the other domain controllers. If I had other domain controllers in my environment, I’m basically saying that I just want to restore this one domain controller and I’m just trying to get it stable because, maybe, it was corrupted. Let’s say the backup was three days old; then you would be restoring a three-day-old backup. But that’s okay, because once this gets booted back up and it’s got a stable copy of Active Directory, the other domain controllers in your environment would update this domain controller with all the changes that have occurred in the last three days.
Let’s say a problem has occurred and Active Directory is corrupted on your other domain controllers as well. And you need to restore Active Directory to get it back into a stable state. That is when you would do an authoritative restore. So, that’s going to be the difference with this. All right.
So, we’re just going to click Next. You’ll notice it says the recovery option will cause all replicated content on the local server to re-synchronize after recovery. That’s fine. It also says that if you perform a system state recovery from a backup on a remote shared folder and there are network connection issues during the operation, the computer that you are recovering may be unstable or unusable. That’s fine because we’re actually restoring it from this computer.
So, then we’ll click Recover. It says system state recovery cannot be paused or canceled once it has started. Click Yes. And there you go. It is now officially performing a restoration of the system state. All right. Once the restoration is done, it says I have to restart the server, so I’m going to go ahead and restart it. All right.
Now that it’s done rebooting, I’m going to log back on to my Directory Services Restore Mode account. Okay, we’ll let that get logged on. Now that it is logged on, you’ll notice I get this message here, letting me know that the recovery operation is completed. All right, I can hit Enter on that. Now, I also notice I’m in safe mode, which, of course, is really Directory Services Restore Mode in this case.
So, it’s been a little bit sluggish here, trying to catch up with me. But we should be able now to get back into our regular state. All right. I’m just waiting on this to load up here. Like I said, it’s going a little bit slow. All right. We’ll go back into System Configuration, over here to Boot, and we’re going to turn off Safe boot now. We’re going to click OK and we’re going to tell it to restart into normal mode.
After the reboot, I should be able to log back on to Active Directory as normal. And if I can, that’s an indicator that everything did get restored back to normal, and we are good to go.
So, you can see that it did accept my credentials and it’s now logging me on. And that’s going to conclude our restoration example here.
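The backup, reboot into DSRM, restore and reboot back sequence from this lesson, as an added command-line example that is not part of the original course. It uses the built-in wbadmin and bcdedit tools; the backup target is a placeholder, and the phase names are made up for this script because the procedure spans two reboots.

```powershell
# Added example. Run elevated on the domain controller, one phase per invocation.
param(
    [ValidateSet('Backup', 'EnterDsrm', 'ListVersions', 'Recover', 'ExitDsrm')]
    [string]$Phase = 'ListVersions',
    [string]$BackupTarget = '\\BACKUP-HOST\share',  # placeholder UNC path
    [string]$Version                                # identifier shown by ListVersions
)

function Invoke-Checked {
    # Run a native tool and stop on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

switch ($Phase) {
    'Backup' {
        # System state covers ntds.dit, the registry and SYSVOL.
        Invoke-Checked wbadmin @('start', 'systemstatebackup',
            "-backupTarget:$BackupTarget", '-quiet')
    }
    'EnterDsrm' {
        # Same effect as msconfig > Boot > Safe boot > Active Directory repair.
        Invoke-Checked bcdedit @('/set', 'safeboot', 'dsrepair')
        Restart-Computer -Force
    }
    'ListVersions' {
        Invoke-Checked wbadmin @('get', 'versions', "-backupTarget:$BackupTarget")
    }
    'Recover' {
        # Refuse to run unless the machine was actually booted into DSRM.
        if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') { throw 'Not booted into DSRM.' }
        if (-not $Version) { throw 'Pass -Version from the ListVersions output.' }
        # No -authsysvol switch: a non-authoritative restore, as in the walkthrough.
        Invoke-Checked wbadmin @('start', 'systemstaterecovery',
            "-version:$Version", "-backupTarget:$BackupTarget", '-quiet')
    }
    'ExitDsrm' {
        # Clear the safe boot flag, otherwise every reboot lands in DSRM again.
        Invoke-Checked bcdedit @('/deletevalue', 'safeboot')
        Restart-Computer -Force
    }
}
```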
121. Recover SYSVOL
Let’s talk about recovering the SYSVOL folder in our Windows environment.
Now, SYSVOL is a folder that lives on domain controllers, and it contains group policies and it also contains logon scripts. So, your GPO-related content goes there as well as what are called logon scripts. When I say logon scripts, I’m mostly talking about the logon scripts that you’ll find in Active Directory Users and Computers. If you edit a particular user and you look at the Account tab, or I’m sorry, the Profile tab, you will see that there is an area for a logon script, right? So I’ll just double-click on Administrator here. And we’ll go over here to Profile. And you can see Logon script. So, you could have a script run every time a user logs on, and it goes in the SYSVOL folder. And basically that logon scripts folder inside SYSVOL replicates to all your domain controllers as a share called NETLOGON. This folder is located on your C drive under Windows, and here it is, SYSVOL. You double-click on it. You can go into the domain. For example, you’ll even see this is where your GPOs are.
So, you can use the Windows Server Backup tool to back that up by itself. Or if you back up the system state, which is how you back up Active Directory to begin with, that’s going to back up the SYSVOL folder for you. Something else you can consider with this is that if you go into Group Policy Management, it is possible to back up your group policy objects individually.
If you’re not worried about backing up everything else involving SYSVOL, and maybe it’s just the GPOs that you’re concerned about, you can back up just your GPOs as well, and that’s how you go about doing that. All right.
So, there’s not really too much to worry about as far as dealing with SYSVOL, but those are the fundamental principles that I would remember.
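Backing up just the GPOs, as described above, can also be scripted. This is an added example, not part of the original lesson; it uses the GroupPolicy module, the backup root C:\GpoBackup is a placeholder, and the check that every GPO still has its folder under SYSVOL goes a step beyond what the lesson shows.

```powershell
# Added example. Requires the GroupPolicy module (GPMC) and rights to read all GPOs.
Import-Module GroupPolicy

function Backup-AllGpo {
    param([Parameter(Mandatory)][string]$Root)
    # One dated folder per run so older backups are never overwritten.
    $dest = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $backups = @(Backup-GPO -All -Path $dest -Comment 'Full GPO backup')
    # Report any GPO in the domain that did not end up in the backup set.
    $missed = @(Get-GPO -All | Where-Object { $_.Id -notin $backups.GpoId })
    [pscustomobject]@{
        Destination = $dest
        BackedUp    = $backups.Count
        Missed      = $missed.DisplayName
    }
}

function Test-GpoSysvolFolder {
    # Each GPO stores its files in SYSVOL under Policies\{GUID}. A GPO whose
    # folder is absent is a sign that SYSVOL content is missing on the DC answering.
    foreach ($gpo in Get-GPO -All) {
        $dom  = $gpo.DomainName
        $path = "\\$dom\SYSVOL\$dom\Policies\{$($gpo.Id)}"
        [pscustomobject]@{
            Gpo     = $gpo.DisplayName
            Path    = $path
            Present = Test-Path -LiteralPath $path
        }
    }
}

Backup-AllGpo -Root 'C:\GpoBackup'          # placeholder path
Test-GpoSysvolFolder | Where-Object { -not $_.Present }
```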
122. Troubleshoot Active Directory replication
Now I’d like to talk about troubleshooting Active Directory replication. There really isn’t very much here that you need to be aware of. Just a couple of things. First off, there’s always Event Viewer.
So, if for some reason a domain controller is not replicating, let’s say you’re creating a user or something and it’s not showing up on another domain controller, you can right-click Start here, go into Event Viewer, and check your System log. All right.
So, you can go right here, Windows Logs, system log, and you can look for Active Directory related events showing up here. You can look for errors, warnings, things like that. You can also, of course, tell it to sort by errors and warnings, which you should already know how to do. You can also create like a custom view of errors and warnings as well, which you also should already know how to do. Of course we do that right through right up here.
As you can see here, I’ve got some errors, but they’re not really related to Active Directory replication. But if we come over here under Applications and Services Logs, you’ve also got a Directory Service log right here. Don’t be fooled: it’s not the DFS Replication log, distributed file system replication; that has to do with the distributed file system. Now, you are going to be replicating your SYSVOL folder through that, so for anything relating to SYSVOL, that’s one thing you check. But ultimately your replication error messages and warnings show up here. All right. So, you would look for any errors and warnings.
The most important thing to remember when it comes to troubleshooting Active Directory replication is that there is a command that can give you a ton of information if there’s a problem. So I’m going to open up my command prompt here. We’ll go into the command prompt as an administrator on this domain controller, and the command is called dcdiag. All right, so you type dcdiag and hit Enter, and at that point it’s going to run its tests and let you know if there are any problems. And as you can see, the tests here have passed.
So, there aren’t any issues. Of course, I don’t have a full-blown set of multiple domain controllers or any of that set up. But if there was any kind of error, it would tell us.
The other thing that’s great about dcdiag is there is a /fix switch you can run with it. So, I just did a dcdiag /? and we’re just going to scroll up here. You can do a /fix and it will try to do some repairs if there are problems, especially if it’s a DNS-related problem or something like that. All right.
So, like I said, that is going to be the most important thing to remember for troubleshooting an Active Directory replication problem. Now, there’s also another command that can be used for troubleshooting your Active Directory replication problems. It’s called repadmin. Repadmin can be used for triggering replication, showing replication partners and all that. You can also have the Knowledge Consistency Checker run by using the /kcc switch. You can force replication to occur, so that’s a helpful one as well. You can see replication partners and things like that by using the /showrepl switch. All right. And so that’s the other one to remember. But again, the most important one, the thing I definitely need you to remember if you’re dealing with troubleshooting replication, is the dcdiag command.
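A replication health check built from the tools named in this lesson (the Directory Service event log, dcdiag and repadmin), as an added example that is not part of the original course. It parses the CSV output of repadmin /showrepl so failing links can be filtered instead of read by eye; the 24-hour window is an arbitrary choice.

```powershell
# Added example. Run elevated on a domain controller or a host with RSAT AD DS tools.
function Get-ReplicationFailure {
    # /csv emits one row per inbound replication link; keep only failing links.
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
            'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

function Get-DirectoryServiceProblem {
    # Errors (level 2) and warnings (level 3) from the Directory Service log.
    param([int]$Hours = 24)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Invoke-ReplicationCheck {
    $failures = @(Get-ReplicationFailure)
    $events   = @(Get-DirectoryServiceProblem)
    if ($failures.Count -gt 0) {
        # Only run the verbose replication test when a link is actually failing.
        dcdiag /test:replications /v
    }
    [pscustomobject]@{
        FailingLinks = $failures
        RecentEvents = $events
        Healthy      = ($failures.Count -eq 0)
    }
}

$result = Invoke-ReplicationCheck
$result.FailingLinks | Format-Table -AutoSize
repadmin /replsummary          # per-DC summary of failures and largest delta

# Follow-up actions once the cause is fixed:
#   repadmin /kcc              # have the KCC recalculate the replication topology
#   repadmin /syncall /AdeP    # force replication across all partitions and sites
```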