
Active Directory BACKUP, RESTORE and Maintenance Q&As

What is the NTDS.DIT file?


Ntds.dit: This file is the primary Active Directory database file (sometimes referred to as the data store) that resides on each domain controller (DC). It stores all of the objects, attributes, and properties for the local domain, as well as the configuration and schema portions of the database. By default, this file is installed into the %SYSTEMROOT%\NTDS folder. Although not required, it is recommended that you store this file on an NTFS partition for security purposes.

What do I need to do to prepare my Windows 2000 forest for the installation of the first Windows Server 2003 DC?

Before you can introduce Windows Server 2003 domain controllers, you must prepare the forest and domains with the ADPrep utility. Run ADPrep /forestprep on the schema master in your Windows 2000 forest, then ADPrep /domainprep on the Infrastructure Master in each AD domain. ADPrep is located in the i386 directory of the Windows Server 2003 install media. For more info: http://www.petri.co.il/windows_2003_adprep.htm

Which is the Active Directory transaction log file?

Edb*.log: This file format identifies transaction logs. Transaction log names can take one of several forms, including edb.log, edb00001.log, edb00002.log, and so forth. Each log file is a fixed 10MB in size, regardless of the amount of actual data stored in it. The current log file that is receiving updates to Active Directory is named edb.log. When this file is full, it is renamed to edb00001.log (or whatever the next number is in the sequence, if 00001 is taken), and a new empty edb.log is created. However, these logs don't keep piling up forever; they are regularly purged through a process called garbage collection.

What are the Reserved Log Files (Res1.log and Res2.log)?

Res1.log and Res2.log: These files are known as the reserved (Res) log files. Their primary purpose is to ensure that Active Directory does not run out of disk space to use when logging transactions. If there is not enough free space to create a new transaction log, the reserved log is used. Because of this role, these log files are often referred to as placeholders. Like the edb.log files mentioned previously, these files are 10MB each.

What is the Edb.chk file?


Edb.chk: The checkpoint file is used to track the updates that have been written to the Active Directory database. You can think of this file as a list that is checked off as updates are flushed to disk from the Active Directory log files. If you shut down the system before all transactions have been written to the database, the checkpoint file will be consulted when you reboot the system so that any remaining transactions can be written to Active Directory.

Explain the process of Active Directory database modification.


The Extensible Storage Engine (ESE) lies at the heart of the Active Directory database system. Changes to the Active Directory database on a DC occur through two primary means:
- An administrator creates, deletes, or updates objects in the database.
- Replication information, which contains new objects, deletion requests, or changes to existing objects, is received from other DCs.

When changes to the database occur, the ESE captures each change as a single unit known as a transaction. A transaction contains the changed data and a set of metadata. This metadata can include the Globally Unique Identifier (GUID) assigned to the object, a timestamp, version, and other information. It's important to note that this update procedure applies to all changes in Active Directory, including objects, properties, and attributes.

A write request occurs when a change is made to the Active Directory. This initiates a transaction that consists of the changes, as well as the metadata described previously. ESE writes the transaction to the transaction buffer in memory, and then writes the transaction to the Edb.log file. After it has been successfully written in the log file, it is written to the Active Directory database file. If a failure occurs, when Active Directory recovers, it examines the Edb.chk file to determine which transactions have not been written to the database. Transactions are not marked as written in this file until they have been fully committed to the database. This ensures that a failure that occurs partway through the process of writing data will not be marked as completed and leave inconsistent data in the Active Directory database. When a transaction has been committed, Active Directory compares the information written to the database with the information contained in the log file(s). When the two have been verified as identical, the Edb.chk file is updated and the transaction is marked as committed to the database.

Windows Server 2003 uses circular transaction logging. This means that, with the exception of the Edb.log, Res1.log, and Res2.log files, the log files are deleted after all of the transactions they contain have been committed to the database. Another important note about logging is that when you back up Active Directory by backing up the system state data (a process we discuss in the next section of this chapter), all events currently waiting to be written in your transaction logs are committed. The logs are fully committed when you shut down or reboot your server.

What are the two primary ways through which AD database changes occur?

Changes to the Active Directory database on a DC occur through two primary means:
- An administrator creates, deletes, or updates objects in the database.
- Replication information, which contains new objects, deletion requests, or changes to existing objects, is received from other DCs.

What is ESE (Extensible Storage Engine)?

ESE is the heart of Active Directory and coordinates transactions between the log files, the checkpoint file and the database.

What is Circular Logging in Windows 2003?


Windows Server 2003 uses circular transaction logging. This means that, with the exception of the Edb.log, Res1.log, and Res2.log files, the log files are deleted after all of the transactions they contain have been committed to the database. Another important note about logging is that when you back up Active Directory by backing up the system state data (a process we discuss in the next section of this chapter), all events currently waiting to be written in your transaction logs are committed. The logs are fully committed when you shut down or reboot your server. The image below shows the process.

What is the Tombstone Process in Active Directory?


The tombstone process exists to support the multimaster replication strategy of Windows Server 2003's Active Directory service. To understand this better, let's suppose that instead of using tombstoning, the object is immediately purged from Active Directory on the original DC when you delete it. At the same time, the DC's replication partners are notified to delete the object. Most receive the replication request, but one does not. In later replication, this DC might reintroduce the object into the databases of the other DCs. Because the other DCs have fully deleted the object, it might appear as a new object to them. The tombstone process prevents this from occurring. Each DC holds the object in its deleted items container for the length of the tombstone interval. The default of 60 days allows for plenty of time to pass and ensures that all DCs on the network have sufficient time to receive the delete request. When this interval is reached, the object is marked as expired. You should ensure that backups are performed during the tombstone interval. Restores of directory service data older than the tombstone interval should not be performed, to prevent the reintroduction of objects that were deleted during this period but have since been purged from the database.

What is the Garbage Collection Process?

The garbage collection process works in conjunction with the tombstone process. It runs every 12 hours on DCs by default, and one of its primary functions is to purge expired objects from the database. After the expired objects are purged, any remaining unnecessary log files are deleted and an online defragmentation of the database occurs. This consolidates the free space that was generated by the deletions and increases the performance of the database.

What is the interval difference between the Tombstone and Garbage Collection processes?

The tombstone interval is configured in days (by default 60 days), whereas the garbage collection interval is configured in hours (by default it runs every 12 hours). Both can be changed in Active Directory using ADSI Edit, LDP, or an ADSI script. However, Microsoft recommends that it is generally best not to change the intervals. The tombstone interval should always be at least as long as the longest replication interval in the forest.
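To make the tombstone argument above concrete, here is a small Python model added here (not code from the page or from Microsoft) of three DCs where one misses a deletion, plus the backup-age check that follows from it. The object name and dates are constructed; the intervals are the page's defaults of 60 days and 12 hours.

```python
"""Model of tombstoning and garbage collection (added illustration, not Microsoft
code). DC1 deletes an object, DC2 receives the delete request, DC3 misses it and
replicates later. While a tombstone is still held, the late copy is rejected; once
the tombstone has expired and been garbage-collected, or with no tombstones at
all, the object is reintroduced as if it were new."""
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME = timedelta(days=60)            # default tombstone interval
GARBAGE_COLLECTION_INTERVAL = timedelta(hours=12)  # default garbage collection interval


class DC:
    """A domain controller holding live objects and tombstones (deleted items)."""

    def __init__(self, name, use_tombstones=True):
        self.name = name
        self.use_tombstones = use_tombstones
        self.objects = set()     # distinguished names of live objects
        self.tombstones = {}     # dn -> time the delete was processed

    def create(self, dn):
        self.objects.add(dn)

    def delete(self, dn, now):
        """Delete locally; returns the delete request sent to replication partners."""
        self.objects.discard(dn)
        if self.use_tombstones:
            self.tombstones[dn] = now
        return ("delete", dn, now)

    def apply_delete_request(self, request):
        _, dn, when = request
        self.objects.discard(dn)
        if self.use_tombstones:
            self.tombstones[dn] = when

    def garbage_collect(self, now):
        """Purge tombstones older than the tombstone lifetime. Returns purged DNs."""
        expired = [dn for dn, t in self.tombstones.items()
                   if now - t >= TOMBSTONE_LIFETIME]
        for dn in expired:
            del self.tombstones[dn]
        return expired

    def receive_objects(self, partner):
        """Ordinary inbound replication of a partner's live objects. A tombstone we
        still hold beats the incoming copy; without one it looks like a new object."""
        for dn in partner.objects:
            if dn not in self.tombstones:
                self.objects.add(dn)


def run_garbage_collection(dcs, start, end):
    """Run the 12-hourly garbage collection on each DC from start to end."""
    t = start
    while t <= end:
        for dc in dcs:
            dc.garbage_collect(t)
        t += GARBAGE_COLLECTION_INTERVAL


def object_reintroduced(use_tombstones, days_until_straggler_replicates):
    """True if the deleted object reappears on DC1 or DC2 after DC3 replicates late."""
    t0 = datetime(2003, 1, 1)                                  # constructed date
    dn = "OU=student,DC=syngress,DC=com"                        # the page's example OU
    dc1, dc2, dc3 = (DC(n, use_tombstones) for n in ("DC1", "DC2", "DC3"))
    for dc in (dc1, dc2, dc3):
        dc.create(dn)
    request = dc1.delete(dn, t0)
    dc2.apply_delete_request(request)                          # DC3 never receives it
    later = t0 + timedelta(days=days_until_straggler_replicates)
    run_garbage_collection((dc1, dc2), t0, later)
    dc1.receive_objects(dc3)                                   # straggler replicates outward
    dc2.receive_objects(dc3)
    return dn in dc1.objects or dn in dc2.objects


def backup_restorable(backup_taken, now):
    """A system state backup may only be restored while younger than the tombstone lifetime."""
    return now - backup_taken < TOMBSTONE_LIFETIME


if __name__ == "__main__":
    print("no tombstones, 1 day :", object_reintroduced(False, 1))   # True
    print("tombstones, 1 day    :", object_reintroduced(True, 1))    # False
    print("tombstones, 61 days  :", object_reintroduced(True, 61))   # True
    print("backup 31 days old   :", backup_restorable(datetime(2003, 1, 1), datetime(2003, 2, 1)))  # True
```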

What AD Database Defragmentation Methods are available?

There are two methods to defragment the Active Directory database in Windows 2000 and in Windows Server 2003. One method is an online defragmentation operation that runs as part of the garbage collection process. The advantage of this method is that the server does not have to be taken offline for the operation to run. However, this method does not reduce the size of the Active Directory database file (Ntds.dit). The other method takes the server offline and defragments the database by using the Ntdsutil.exe utility. This approach requires the database to be started in repair mode. The advantage of this method is that the database is resized and unused space is removed; therefore, the size of the Ntds.dit file is reduced. To use this method, the domain controller must be taken offline.

How to Perform an Offline Defrag of the AD Database (i.e. NTDS.DIT)?
1. Back up the system state data for fault tolerance purposes. See the Backing Up Active Directory section later in this chapter for more information.
2. Boot or reboot the computer.
3. When prompted, press F8 during Windows Server 2003 startup. Select Directory Services Restore Mode (Windows DCs only) on the Windows Advanced Options menu that appears, and press the Enter key.
4. Log on by providing the password for the local administrator account and clicking the OK button.
5. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
6. Open a command prompt. Type ntdsutil to enter the Ntdsutil utility. Note that this is a command-line utility, so the command prompt will change to ntdsutil:.
7. Type files. The command prompt should change to display file maintenance:.
8. Type compact to <drive>:\<directory> to create a defragmented and compacted copy of the Active Directory database in the specified new location. For example, compact to C:\ADTemp creates a defragmented, re-indexed, and re-sized database file in the C:\ADTemp directory, as shown in Figure 11.5. The location specified can be on a local disk or on a mapped network drive. If there are spaces in the path where the file needs to be placed, it must be surrounded in quotes; for example, compact to "c:\ad\july defrag".
9. Type quit to return to the ntdsutil: prompt.
10. Type quit again to exit the utility.
11. Open Windows Explorer and rename the previously used ntds.dit file to ntds.old.dit. Step 11 is not specified in Microsoft's instructions, but we recommend it for fault tolerance purposes. As mentioned, an offline defragmentation is very invasive. It is possible that the compacted file will be corrupt and that Active Directory will not start after the procedure. If you don't take this step, you will be forced to do a system state restore to recover the previous database file. By simply renaming the file, you can boot back into Directory Services Restore Mode, delete the corrupt file, and rename ntds.old.dit back to ntds.dit to recover the system.
12. In Windows Explorer, copy the new ntds.dit file from the location you specified with the compact to command to the location of the primary ntds.dit file.
13. In Windows Explorer, delete all files that end with the .LOG extension in your Active Directory log files folder.
14. Close the command prompt window and reboot the server normally.

How to Move AD Database File to another Location?


1. Reboot your server and go to Directory Services Restore Mode by pressing F8.
2. Open a command prompt.
3. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
4. Type files. The command prompt should change to display file maintenance:. Use one of the following commands to move the Active Directory database or log files, or update their paths.
- Type move DB to <drive>:\<directory> to move the ntds.dit database file to the new location specified. For example, move DB to C:\AD moves the database file to the C:\AD directory and updates the Registry to point to this new location, as shown

How to Move Transaction Log Files to another Location?


1. Reboot your server.
2. Go to Directory Services Restore Mode.
3. Open a command prompt. Type ntdsutil; the prompt changes to ntdsutil:.
4. Type files to go to the file maintenance: prompt, then do the task below.
5. Type move logs to <drive>:\<directory> to move the Active Directory log files to the new location specified. For example, move logs to C:\AD moves the log files to the C:\AD directory and updates the Registry to point to this new location.

How will you point your OS to an AD database restored from backup at another place?

It's important to properly move the Active Directory database and log files using the Ntdsutil command-line utility. This updates the Registry entries that point to the correct locations in the file system, thus allowing the system to find and initialize them when booting. If you are forced to restore these files to another location, or simply copy them to a new location using Windows Explorer, Active Directory will not initialize when the system is rebooted. Fortunately, Microsoft provides a way to fix this, using the Ntdsutil utility. To do so, follow these steps:
1. Boot or reboot the computer. Go to Directory Services Restore Mode by pressing F8.
2. Log on by providing the password for the local administrator account and clicking the OK button.
3. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
4. Open a command prompt. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
5. Type files. The command prompt should change to display file maintenance:.
6. Use one of the following commands to move the Active Directory database or log files, or to update their paths.
7. Type set path DB <drive>:\<directory> to update the Registry to point to the new location of the ntds.dit file.
8. Type set path logs <drive>:\<directory> to update the Registry to point to the new location of the Active Directory log files.
9. Type quit to return to the ntdsutil: prompt.
10. Type quit again to exit the utility.
11. Close the command prompt window and reboot the server normally.

What is System State? What data does System State include?

System state data is a term Microsoft uses to refer to a set of core configuration information in Windows 2000, XP, and 2003. The actual information included in the system state depends on the underlying configuration of the operating system, and which components are installed. System state data always includes the following:
- The Windows Registry
- The COM+ Class Registration database
- Boot and system files needed to start the operating system, including Ntldr and Ntdetect.com

Several additional components are included, depending on the configuration of the operating system:
- The Active Directory database and supporting files, if the computer is a DC
- The SYSVOL directory, if the computer is a DC
- The Certificate Services database, if the computer is functioning as a certificate authority (CA)
- The Internet Information Server (IIS) metabase, if IIS is installed on the computer
- Core cluster service configuration information, if the computer is part of a cluster

What is Volume Shadow Copy Service?

The Volume Shadow Copy Service provides the backup infrastructure for the Microsoft Windows XP and Microsoft Windows Server 2003 operating systems, as well as a mechanism for creating consistent point-in-time copies of data known as shadow copies. Previous to the Volume Shadow Copy Service and its standard set of extensible application programming interfaces (APIs), there was no standard way to produce clean (uncorrupted) snapshots of a volume. Snapshots often contained corruptions due to torn writes that required the use of utilities such as Chkdsk.exe to repair. Torn writes occur when an unplanned event (such as a power failure) prevents the system from completely writing a block of data to disk. The Volume Shadow Copy Service APIs prevent torn writes by enabling applications to flush partially committed data from memory. The Volume Shadow Copy Service has native support for creating consistent shadow copies across multiple volumes, regardless of the snapshot technology or application. The Volume Shadow Copy Service can produce consistent shadow copies by coordinating with business applications, file-system services, backup applications, fast recovery solutions, and storage hardware. Several features in the Windows Server 2003 operating systems use the Volume Shadow Copy Service, including Shadow Copies for Shared Folders and Backup.

What are the Different Methods of Backing Up Active Directory?

- As part of a full system backup
- As part of a partial system backup
- Back up the system state data only

What is Directory Services Restore Mode?


The special feature of this mode is that it allows a DC to boot without initializing its copy of the Active Directory database. Because you must always log on to a Windows Server 2003 computer before you can use the operating system, a small version of a local directory service database (called a SAM database) remains on the computer after it has been promoted to a DC. This database has a single account, the local administrator account. When you have booted to Directory Services Restore Mode using the directions given earlier in the chapter, you must log on with this account. After you are authenticated, you can perform certain limited maintenance functions, such as running the Ntdsutil utility mentioned earlier. You can also run the Backup utility to perform restores of the Active Directory database. It is necessary to perform all restores while running in this mode, because the Active Directory database must be offline to be restored. In this mode, you are logged on to a local account and the Active Directory database is not in use.

What are the different restore modes for Active Directory?

1. Normal Restore
2. Authoritative Restore
3. Primary Restore

Normal Restore

This method can be used in the following circumstances:
- When a domain only has one DC, and the DC needs to be restored. You can also opt to use the primary restore method (covered later) for this scenario.
- If there are multiple DCs on the network for the domain, and at least one remains functional, a normal restore can be used to bring the downed DCs back to life.

Like all Active Directory restores, a normal restore is performed by running the Backup utility while logged on to Directory Services Restore Mode. When the restore has completed, the DC is rebooted. When it comes back up, it begins normal replication with its replication partners. Because it was restored from a backup, some of its objects will have older version numbers than ones currently on the network. This will cause updates and deletions to be replicated to the DC and will bring its Active Directory database up to date.

How to Perform Normal Restore

To perform a normal restore, follow these steps:
1. Boot or reboot the computer.
2. When prompted, press F8 during Windows Server 2003 startup.
3. Select Directory Services Restore Mode (Windows DCs only) in the Windows Advanced Options menu that appears, and press the Enter key.
4. Select your operating system (for example, Windows Server 2003, Enterprise), and press the Enter key.
5. You will see a number of checks performed while the system is booting, and eventually you will receive the Safe Mode logon prompt.
6. Log on by providing the password for the local administrator account and clicking the OK button.
7. Click the OK button in the dialog box that notifies you that Windows is running in safe mode.
8. Open the Windows Server 2003 Backup utility from Start | All Programs | Accessories | System Tools | Backup.
9. On the initial page of the wizard, click the Next button.
10. Select the option button next to Restore files and settings, as shown in Figure 11.30, and click the Next button.
11. The What to Restore page, shown in Figure 11.31, contains an Explorer-style interface similar to the one you encountered while configuring your backup job. Click the plus sign next to File in the left pane. This should reveal the file to which you backed up the system state data earlier. If it doesn't, you can click the Browse button and select the file from the Open Backup File dialog box. Click the plus sign next to the file to which you backed up and select the check box next to the backup you want to restore that appears beneath it. Click the Next button after making your selection.
12. At this point in the wizard, you can click the Finish button and allow the restore to proceed with the default advanced settings. However, we want you to see more of the settings that are available within the wizard, so click the Advanced button.
13. The Where to Restore page, shown in Figure 11.32, appears with three options that can be selected from the Restore files to: drop-down box.
- Original location: This option restores all files to their original locations and is the default. When you select this option and click the Next button, a dialog box appears, informing you that restoring system state will always overwrite the current system state information unless you restore to an alternate location. Click the OK button to proceed to the next screen.
Now go to the Advanced tab and select Original location. Click Next and select Replace existing files. Click Next and click Finish.

Authoritative Restore
There are times when a normal restore of Active Directory isn't sufficient; for example, when you accidentally delete an OU. Within a few minutes, the deletion will have replicated to the other DCs in the domain. If you perform a normal restore in an effort to repopulate the OU back into Active Directory, it will not work. When the DC reboots after the restore and replicates with its replication partners, they will have a higher version number for the deleted OU, and the restored DC will be told to delete the object all over again. To restore the object, you must use an authoritative restore.

How To Perform Authoritative Restore


An authoritative restore is exactly like a normal restore, up to a point. Once the system state data has been restored, rather than rebooting the server, the Ntdsutil command-line utility is used to mark one or more objects as authoritative. This gives them a very high version number so that when the server is rebooted and the replication process takes place, the other servers in the domain will see the high version number and replicate the object to their own Active Directory databases. To restore a database authoritatively, follow the steps from the preceding section up to number 18, and then proceed to these steps:
1. Click the No button in the Backup Utility dialog box when asked to restart.
2. Close the Backup utility, if it does not close by itself.
3. Open a command prompt (click Start | Run and type cmd).
4. Type ntdsutil to enter the Ntdsutil utility. Note that this is a command-line utility, so the command prompt will change to ntdsutil:.
5. Type authoritative restore. The command prompt should change to display authoritative restore:.
6. Use one of the following commands to mark Active Directory or a portion of it as authoritative.
- Type restore database to mark the domain and configuration containers of the database as authoritative. The schema container cannot be marked as authoritative; consequently, an authoritative restore cannot be performed for the schema. Because you cannot delete objects from the schema, this is not an issue.
- Type restore subtree followed by the distinguished name of the object in Active Directory that you want to restore; for example, restore subtree OU=student,DC=syngress,DC=com to restore the OU named student in the syngress.com domain.
- The verinc option can be used with either the restore database or restore subtree command. Remember, when an object or the database is restored authoritatively, a large version number is applied to it. The verinc option is designed to be used when you need to perform another authoritative restore, on top of an existing authoritative restore. It allows you to choose your own version number, thus ensuring that it will be higher than the one used previously by the utility. The proper syntax is restore database verinc %d or restore subtree <distinguished name of object to mark authoritative> verinc %d, with %d being the desired increment for the version number.
7. Click Yes in the Authoritative Restore Confirmation dialog box.
8. Type quit to return to the ntdsutil: prompt. Type quit again to exit the utility.
9. Close the command prompt and reboot the server normally.
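The version-number reasoning behind normal versus authoritative restore, and why verinc matters on a second restore, as a Python model added here (not code from the page, from Microsoft, or from Ntdsutil). The child object and the version increment are constructed values; the page only says the utility applies "a very high version number".

```python
"""Model of version-number conflict resolution behind normal vs. authoritative
restore (added illustration, not Microsoft code). Every change bumps an object's
version; on replication the higher version wins. 'restore subtree' is modelled
as adding a large increment to every object at or below the subtree."""
from copy import deepcopy

DEFAULT_VERSION_INCREMENT = 100_000   # constructed value for the model


class DC:
    """A domain controller storing dn -> (version, deleted)."""

    def __init__(self, name):
        self.name = name
        self.store = {}

    def change(self, dn, deleted=False):
        """Local create/update/delete: bumps the object's version by one."""
        version, _ = self.store.get(dn, (0, False))
        self.store[dn] = (version + 1, deleted)

    def replicate_from(self, partner):
        """Inbound replication: take the partner's copy when its version is higher."""
        for dn, (version, deleted) in partner.store.items():
            mine = self.store.get(dn)
            if mine is None or version > mine[0]:
                self.store[dn] = (version, deleted)

    def restore_system_state(self, backup):
        """Normal restore: the database reverts to the (older) versions in the backup."""
        self.store = deepcopy(backup)

    def restore_subtree_authoritative(self, subtree_dn, verinc=DEFAULT_VERSION_INCREMENT):
        """ntdsutil 'restore subtree <dn> [verinc %d]': raise the version of every
        object at or below subtree_dn so it wins the next replication cycle."""
        for dn, (version, deleted) in self.store.items():
            if dn == subtree_dn or dn.endswith("," + subtree_dn):
                self.store[dn] = (version + verinc, deleted)

    def is_live(self, dn):
        entry = self.store.get(dn)
        return entry is not None and not entry[1]


OU = "OU=student,DC=syngress,DC=com"       # the page's example OU
USER = "CN=alice," + OU                     # constructed child object


def _domain_with_backup():
    """Two DCs in sync holding the OU and a user; returns (dc1, dc2, backup)."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.change(OU)
    dc1.change(USER)
    dc2.replicate_from(dc1)
    return dc1, dc2, deepcopy(dc1.store)    # system state backup taken now


def _accidental_delete(dc1, dc2):
    dc1.change(OU, deleted=True)
    dc1.change(USER, deleted=True)
    dc2.replicate_from(dc1)                 # the deletion replicates within minutes


def _reboot_and_replicate(dc1, dc2):
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)


def restore_deleted_ou(authoritative):
    """True if the OU and its user are live on both DCs after restore and reboot."""
    dc1, dc2, backup = _domain_with_backup()
    _accidental_delete(dc1, dc2)
    dc1.restore_system_state(backup)
    if authoritative:
        dc1.restore_subtree_authoritative(OU)
    _reboot_and_replicate(dc1, dc2)
    return dc1.is_live(OU) and dc2.is_live(OU) and dc2.is_live(USER)


def restore_on_top_of_authoritative(verinc=DEFAULT_VERSION_INCREMENT):
    """Second authoritative restore from the same backup after a second deletion.
    Shows why verinc must exceed the increment applied the first time."""
    dc1, dc2, backup = _domain_with_backup()
    _accidental_delete(dc1, dc2)
    dc1.restore_system_state(backup)
    dc1.restore_subtree_authoritative(OU)   # first authoritative restore, default increment
    _reboot_and_replicate(dc1, dc2)
    _accidental_delete(dc1, dc2)            # deleted again later: versions now exceed the first bump
    dc1.restore_system_state(backup)
    dc1.restore_subtree_authoritative(OU, verinc)
    _reboot_and_replicate(dc1, dc2)
    return dc2.is_live(OU)


if __name__ == "__main__":
    print("normal restore        :", restore_deleted_ou(False))                 # False
    print("authoritative restore :", restore_deleted_ou(True))                  # True
    print("second, default inc   :", restore_on_top_of_authoritative())         # False
    print("second, verinc 200000 :", restore_on_top_of_authoritative(200_000))  # True
```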

Primary Restore:

The primary restore method is new in Windows Server 2003, and is designed for situations where all DCs for a given domain have gone down and you need to rebuild the domain from backup. The first server that is restored in this situation should be restored using this method. Additional DCs should be restored using the normal restore method. A primary restore is also the new preferred method to use when restoring what Microsoft refers to as a standalone DC, which means a DC in a domain with only one DC. If you have a domain with only one DC and that server goes down, use this method to restore it.

How to perform Primary Restore


Performing a primary restore is similar to performing a normal restore. The only difference is that you select the check box next to When restoring replicated data sets, mark the restored data as the primary data for all replicas in the Advanced portion of the Restore wizard, as shown in Figure 11.35. Refer to step 14 in the Normal Restore section of this chapter, or complete Exercise 11.04, which walks you through the entire process of performing a primary restore.

1. Reboot or boot your DC.
2. When prompted, press F8 during Windows Server 2003 startup.
3. On the Advanced Startup Options menu that appears, select Directory Services Restore Mode.
4. Log on by providing the password for the local administrator account and clicking the OK button.
5. Open the Windows Server 2003 Backup utility from Start | All Programs | Accessories | System Tools | Backup.
6. On the initial page of the wizard, click the Next button.
7. Select the option button next to Restore files and settings, and click the Next button.
8. Click the plus sign next to File in the left pane. If your backup file does not appear, click the Browse button and select the file from the Open Backup File dialog box.
9. Click the plus sign next to the file to which you backed up the system state data and select the check mark next to the backup you want to restore that appears beneath it.
10. Click the Next button after making your selection.
11. Click the Advanced button.
12. Accept the default restore location, Original location, and click the Next button.
13. Select the Replace existing files option and click the Next button to proceed.
14. On the Advanced Restore Options page, select the check box next to When restoring replicated data sets, mark the restored data as the primary data for all replicas and accept all other defaults.
15. Click the Next button.
16. Click the Finish button to begin the restore.
17. The restore will take at least a few minutes. When it is finished, click the Report button to view the restore log associated with the job. Review it for any error messages, such as those pertaining to files that had to be skipped. After reviewing the log, close the Notepad application.
18. Close the Backup utility and reboot the server normally.

Active Directory Maintenance Commands


NTDSUTIL INTEGRITY

The integrity command is used to detect low-level corruption of the database. It performs its work at the binary level, which means that it reads every byte of the ESE database structure looking for corruption. Note that although the ESE structure forms the basis of Active Directory, this command might not parse all Active Directory database information. Some critical Active Directory information is additional to and outside the knowledge of the esentutl command that this option uses. Because of the detailed checking it performs, this tool often takes a while to complete its operations. In addition to the byte-level corruption check mentioned previously, the Ntdsutil integrity command also performs a full check on the integrity of the directory service files. After successfully running the command, Microsoft suggests that you perform a semantic database analysis. The Ntdsutil integrity command must be performed when the database is offline, so you have to run it from Directory Services Restore Mode. To use the command, follow these steps:

How to use:
1. Reboot your server and go to Directory Services Restore Mode by pressing F8. Log in using the Directory Services Restore Mode username and password.
2. Open a command prompt.
3. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
4. Type files. The command prompt should change to display file maintenance:.
5. Type integrity.
6. View and evaluate the information displayed on the screen as the process runs.
7. Type quit to return to the ntdsutil: prompt.
8. Type quit again to exit the utility.
9. Close the command prompt window and reboot the server normally.

NTDSUTIL Recover Command

Remember that transactions are written to log files before being committed to the Active Directory database file. In the event of a power failure or other system problems, not all transactions will be written to the database. When the system is booted, ESE should use the checkpoint, log, and database files to determine what was committed properly to the database and what still needs to be written. Although this process works in most cases, occasionally inconsistencies result and it is necessary to run the process again manually. The recover command performs a soft recovery of the database log files, which means that it writes transactions from the log files to the directory service database. This process is sometimes also referred to as re-running the log files manually.

How to use:
1. Reboot your server and go to Directory Services Restore Mode by pressing F8. Log in using the Directory Services Restore Mode username and password.
2. Open a command prompt.
3. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
4. Type files. The command prompt should change to display file maintenance:.
5. Type recover.
6. View and evaluate the information displayed on the screen as the process runs.
7. Type quit to return to the ntdsutil: prompt.
8. Type quit again to exit the utility.
9. Close the command prompt window.
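The write path from the Database Modification answer and the soft recovery the recover command performs, as a Python model added here (not code from the page, from Microsoft, or from ESE). Object names are constructed, and the transaction log is a list of records rather than 10MB edb*.log files.

```python
"""Model of the ESE write path and soft recovery (added illustration, not
Microsoft code). A change is appended to edb.log before it reaches ntds.dit; the
checkpoint (edb.chk) records the last transaction fully committed to the
database; 'recover' replays every logged transaction past the checkpoint; and
circular logging drops log records the checkpoint already covers."""


class Transaction:
    """One change plus metadata (the real record also carries GUID, timestamp, version)."""

    def __init__(self, txn_id, object_dn, attribute, value):
        self.txn_id = txn_id
        self.object_dn = object_dn
        self.attribute = attribute
        self.value = value


class ESE:
    def __init__(self):
        self.ntds_dit = {}   # dn -> {attribute: value}: the database file
        self.edb_log = []    # Transaction records in commit order: the transaction log
        self.edb_chk = 0     # id of the last transaction fully written to ntds.dit
        self.next_id = 1

    def write(self, object_dn, attribute, value, flush=True):
        """Write path: buffer -> edb.log -> ntds.dit -> checkpoint. With flush=False the
        change is logged but power is lost before the database write happens."""
        txn = Transaction(self.next_id, object_dn, attribute, value)
        self.next_id += 1
        self.edb_log.append(txn)          # logged first, so it survives a crash
        if flush:
            self._commit(txn)
        return txn.txn_id

    def _commit(self, txn):
        self.ntds_dit.setdefault(txn.object_dn, {})[txn.attribute] = txn.value
        self.edb_chk = txn.txn_id         # marked only after the write fully completed

    def recover(self):
        """Soft recovery ('re-running the log files'): replay logged transactions that
        the checkpoint says were never written. Returns the replayed ids, in order."""
        pending = [t for t in self.edb_log if t.txn_id > self.edb_chk]
        for t in pending:
            self._commit(t)
        return [t.txn_id for t in pending]

    def purge_committed_logs(self):
        """Circular logging: records at or below the checkpoint are no longer needed.
        Returns how many were dropped."""
        before = len(self.edb_log)
        self.edb_log = [t for t in self.edb_log if t.txn_id > self.edb_chk]
        return before - len(self.edb_log)


ALICE = "CN=alice,OU=student,DC=syngress,DC=com"   # constructed object
BOB = "CN=bob,OU=student,DC=syngress,DC=com"       # constructed object


def crash_and_recover():
    """Two changes are logged but not flushed when power fails; recovery replays them."""
    ese = ESE()
    ese.write(ALICE, "description", "v1")
    ese.write(ALICE, "description", "v2", flush=False)
    ese.write(BOB, "description", "new", flush=False)
    result = {"before": ese.ntds_dit[ALICE]["description"],   # database is stale: "v1"
              "bob_before": BOB in ese.ntds_dit}              # and has no bob yet
    result["replayed"] = ese.recover()                        # [2, 3]
    result["after"] = ese.ntds_dit[ALICE]["description"]      # "v2"
    result["bob_after"] = BOB in ese.ntds_dit                 # True
    result["checkpoint"] = ese.edb_chk                        # 3
    result["purged"] = ese.purge_committed_logs()             # 3
    return result


if __name__ == "__main__":
    for key, value in crash_and_recover().items():
        print(f"{key:>10}: {value}")
```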

Semantic Database Analysis Command

The semantic database analysis command is the primary command that is used to verify the full integrity of the Active Directory database. You might be wondering what the difference is between this command and the integrity command from the files: prompt. Recall that the integrity command works by calling the Esentutl utility, which has full knowledge of the ESE database system but not necessarily all portions of the Active Directory database. The semantic database analysis command is specific to Active Directory and does not use the Esentutl command. As its name implies, it analyzes the Active Directory database based on Active Directory semantics (whereas the integrity command bases its check on ESENT database semantics). Running semantic database analysis includes checks for the following:
- Reference counts
  - Counts references from the data table and the link table to ensure that they match the listed counts for the record.
  - Ensures that each object has a full distinguished name, GUID, and nonzero reference count.
  - For each deleted object, the utility verifies that it does not have a distinguished name or GUID and makes sure that it has a deleted time and date.
- Deleted objects
  - Verifies that the object has a deleted time and date.
  - Ensures that the object has a special relative distinguished name.
- Ancestor checks: determines if the Distinguished Name Tag is equal to:
  - The ancestor list of the parent
  - The current Distinguished Name Tag
- Security descriptor checks
  - Verifies a valid descriptor.
  - Ensures that it has a control field.
  - Verifies that the discretionary access control list is not empty.
  - A warning is generated if deleted objects without a discretionary access control list are located.
- Replication checks
  - Checks the up-to-dateness vector in the directory partition head to ensure that the correct number of cursors exist.
  - Checks to ensure that every object has a property metadata vector.

Errors generated by the semantic database analysis command are written to dsdit.dmp.xx log files, which are located in the profile directory of the user running the utility (for example, C:\Documents and Settings\Administrator). As with most low-level database tools, this command must be run when the database is not initialized (in other words, in Directory Services Restore Mode). Microsoft recommends that you perform a full backup of the system state data prior to running this command. Follow these steps to perform a semantic database check:

How to Use

1. Reboot the server and press F8 during startup to select Directory Services Restore Mode.
2. Log on with the Directory Services Restore Mode administrator account and its password.
3. Open a command prompt.
4. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt changes to ntdsutil:.
5. Type semantic database analysis and press Enter. The command prompt changes to semantic checker:.
6. At the semantic checker: prompt, type verbose on and press Enter. This option makes the Semantic Checker display detailed progress information as it runs.
7. Choose one of the following options:
   - To start the Semantic Checker and have it report errors without repairing them, type go and press Enter.
   - To start the Semantic Checker and have it repair the errors it encounters, type go fixup and press Enter.
8. View and evaluate the information displayed on the screen as the process runs. There is very little difference visually between the two modes, so check the dsdit.dmp.xx file afterwards to see what was found. Run go first and review its results before committing to go fixup, because fixup modifies the database.
9. Type quit to return to the ntdsutil: prompt.
10. Type quit again to exit the utility.
11. Close the command prompt window.
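The two Ntdsutil procedures above (files / recover, then semantic database analysis) can be driven from a single script so that the output is captured and the dsdit.dmp.xx files are collected for review. The following PowerShell script is an added example written for this page; it is not code from the original text or from Microsoft. It assumes that PowerShell is installed on the domain controller, that the server is booted into Directory Services Restore Mode (checked through the SAFEBOOT_OPTION environment variable, which Windows sets to DSREPAIR in that mode), that Ntdsutil accepts its menu commands as command-line arguments, that the database and log locations are read from the NTDS service's registry parameters, and that the log files use the Windows Server 2003 names the page describes. The 100 MB free-space threshold is an arbitrary safety margin.

```powershell
# Added example for this page, not code from the original text or from
# Microsoft. Runs "files -> recover" and then "semantic database analysis"
# through Ntdsutil and collects the dsdit.dmp.* output for review.
# Assumes: PowerShell on the DC, booted into Directory Services Restore Mode,
# and that Ntdsutil takes its menu commands as command-line arguments.
param(
    [switch]$Fixup      # run "go fixup" instead of the report-only "go"
)
$ErrorActionPreference = 'Stop'

# Windows sets SAFEBOOT_OPTION for safe-mode boots; DSRM reports DSREPAIR.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw 'Not in Directory Services Restore Mode; reboot, press F8 and select it first.'
}

# Database and log locations come from the NTDS service parameters, so a
# relocated database is still found.
$ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $ntds.'DSA Database file'
$logDir = $ntds.'Database log files path'

# The file set the page describes: ntds.dit, the current log and the two
# reserved logs (Windows Server 2003 names assumed).
$required = @($dbFile, (Join-Path $logDir 'edb.log'),
              (Join-Path $logDir 'res1.log'), (Join-Path $logDir 'res2.log'))
foreach ($f in $required) {
    if (-not (Test-Path $f)) { throw "Expected database file is missing: $f" }
}

# Recovery appends to the log set, so refuse to start on a nearly full volume
# (100 MB is an arbitrary safety margin, not a Microsoft figure).
$drive = Split-Path -Path $logDir -Qualifier
$vol   = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
if ($vol.FreeSpace -lt 100MB) {
    throw ("Only {0} MB free on {1}; free space before running recover." -f [int]($vol.FreeSpace / 1MB), $drive)
}

$report = Join-Path $env:USERPROFILE 'ntds-maintenance'
New-Item -ItemType Directory -Path $report -Force | Out-Null

function Invoke-Ntdsutil {
    # One non-interactive Ntdsutil session. Each element of $Commands is passed
    # as its own argument, so multi-word menu commands stay intact; the trailing
    # quits leave the utility. Output is echoed and saved under $report.
    param([string[]]$Commands, [string]$LogName)
    $lines = & ntdsutil.exe @Commands 2>&1 | ForEach-Object { "$_" }
    $lines | Set-Content -Path (Join-Path $report $LogName)
    return $lines
}

# Step 1: soft recovery, replaying committed transactions from edb*.log.
Invoke-Ntdsutil -Commands @('files', 'recover', 'quit', 'quit') -LogName 'recover.log'

# Step 2: semantic database analysis. Report-only by default; -Fixup repairs.
$mode = 'go'
if ($Fixup) { $mode = 'go fixup' }
$start = Get-Date
Invoke-Ntdsutil -Commands @('semantic database analysis', 'verbose on', $mode, 'quit', 'quit') -LogName 'semantic.log'

# Errors land in dsdit.dmp.* in the running user's profile directory. Pick up
# the files written by this run and copy them next to the transcripts so they
# can be reviewed before anyone decides to re-run with -Fixup.
$dumps = Get-ChildItem -Path $env:USERPROFILE -Filter 'dsdit.dmp.*' |
         Where-Object { $_.LastWriteTime -ge $start }
if (-not $dumps) {
    Write-Host "No dsdit.dmp output from this run; transcripts are in $report"
}
foreach ($d in $dumps) {
    Copy-Item -Path $d.FullName -Destination $report -Force
    Write-Host ("{0}: {1} bytes, copied to {2}" -f $d.Name, $d.Length, $report)
}
```

Run it once without -Fixup, read the dsdit.dmp.xx files it collected, and only re-run with -Fixup after a system state backup has been taken, as the text recommends.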

Using the esentutl Command

ESENT (Extensible Storage Engine for NT) is one of the acronyms used to refer to the ESE database system that Active Directory uses. Esentutl is the maintenance command associated with this database engine. Because Microsoft prefers that you use Ntdsutil for all low-level database maintenance operations, calls to most of the major Esentutl operations are built into it. However, you do not have to use Ntdsutil to perform these operations. The following are two of the commands from earlier in the chapter with their equivalent Esentutl command lines (substitute the real locations if the database or logs have been moved from the default %SYSTEMROOT%\NTDS):

- Integrity: %SYSTEMROOT%\System32\esentutl.exe /g %SYSTEMROOT%\NTDS\ntds.dit /o
- Recover: %SYSTEMROOT%\System32\esentutl.exe /r edb /l%SYSTEMROOT%\NTDS /s%SYSTEMROOT%\NTDS /8 /o

Here /r edb names the transaction log base name (edb.log, edb00001.log, and so on), /l gives the location of the log files, /s the location of the system files such as the checkpoint file, /8 selects the 8 KB page size that Active Directory uses, and /o suppresses the banner.

The esentutl.exe command used with the /p switch, shown in Figure 11.48, is considered the most dangerous of all the low-level database commands. In Windows 2000 this operation was available as the repair option in Ntdsutil; it has been removed from the version of Ntdsutil that ships with Windows Server 2003. It performs a very low-level and highly invasive binary repair of the database file. It is very likely that you will lose some data when using it, and quite possible that the lost data will be essential to your Active Directory database. Use the /p switch only when Microsoft support personnel have advised you to do so, or when you have tried everything else to get Active Directory to initialize. Where other domain controllers exist, rebuilding this domain controller from a replica is usually preferable to repairing its database, because a repaired database is no longer guaranteed to be consistent with its replication partners.

Always make a backup of the database file before you run this utility. In most cases you will be resorting to this option because Active Directory can no longer initialize, so you will already be booted into Directory Services Restore Mode. The simplest way to back up the database and related files in this situation is to copy the contents of the NTDS folder to a second location in the file system using Windows Explorer. Remember that the copy contains every account's password hash: restrict its permissions to administrators and delete it once the domain controller is healthy again. If Active Directory can initialize and you still feel you should (or Microsoft support asks you to) run this command, boot into Directory Services Restore Mode first, because the database must be offline for low-level operations such as this. Microsoft recommends running a semantic database analysis after this command has completed successfully. To run the repair, enter the following at a command prompt:

%SYSTEMROOT%\System32\esentutl.exe /p %SYSTEMROOT%\NTDS\ntds.dit /!10240 /8 /o
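The esentutl operations above, wrapped with the precautions the text calls for: an offline copy of the NTDS files with restricted permissions before anything else, the read-only integrity check and the soft recovery first, and the lossy /p repair only behind an explicit switch and a verified backup. This PowerShell script is an added example written for this page, not code from the original text or from Microsoft. It assumes that PowerShell is available on the domain controller, that the server is booted into Directory Services Restore Mode, and that the database, log and checkpoint paths are read from the NTDS service's registry parameters (DSA Database file, Database log files path, DSA Working Directory). The function names are the example's own.

```powershell
# Added example for this page, not code from the original text or from
# Microsoft. Wraps esentutl /g, /r and /p with a backup-first policy.
# Assumes: PowerShell on the DC, booted into Directory Services Restore Mode.
$ErrorActionPreference = 'Stop'

# Paths come from the NTDS service parameters rather than hard-coded locations.
$p        = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile   = $p.'DSA Database file'         # usually %SYSTEMROOT%\NTDS\ntds.dit
$logPath  = $p.'Database log files path'   # edb.log, edb0000x.log, res1/res2.log
$sysPath  = $p.'DSA Working Directory'     # edb.chk checkpoint file
$esentutl = Join-Path $env:SystemRoot 'System32\esentutl.exe'

function Backup-NtdsFiles {
    # Offline copy of ntds.dit plus the log and checkpoint files. ntds.dit holds
    # every account's password hash, so the target folder is restricted to
    # Administrators and SYSTEM before any file is written into it.
    param([string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $acl = Get-Acl -Path $Destination
    $acl.SetAccessRuleProtection($true, $false)          # drop inherited ACEs
    foreach ($who in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $who, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Destination -AclObject $acl
    $sources = @((Split-Path -Path $dbFile -Parent), $logPath, $sysPath) | Select-Object -Unique
    foreach ($src in $sources) {
        Get-ChildItem -Path $src | Where-Object { -not $_.PSIsContainer } |
            Copy-Item -Destination $Destination -Force
    }
    if (-not (Test-Path (Join-Path $Destination 'ntds.dit'))) {
        throw "Backup to $Destination failed: ntds.dit was not copied"
    }
}

function Test-NtdsIntegrity {
    # esentutl /g is the ESE-level check that Ntdsutil's "integrity" command
    # calls; it is read-only. Returns $true when esentutl exits with code 0.
    & $esentutl /g $dbFile /o
    return ($LASTEXITCODE -eq 0)
}

function Invoke-NtdsSoftRecovery {
    # esentutl /r edb replays the edb*.log files into the database, the same
    # soft recovery Ntdsutil's "recover" performs. /l and /s take their paths
    # attached; /8 selects the 8 KB page size Active Directory uses.
    & $esentutl /r edb "/l$logPath" "/s$sysPath" /8 /o
    return ($LASTEXITCODE -eq 0)
}

function Repair-NtdsDatabase {
    # esentutl /p is the lossy binary repair. It only runs when the caller
    # explicitly accepts data loss and a backup folder holding ntds.dit exists.
    param([string]$BackupDir, [switch]$AcceptDataLoss)
    if (-not $AcceptDataLoss) {
        throw 'Refusing esentutl /p without -AcceptDataLoss; it is a last resort.'
    }
    if (-not (Test-Path (Join-Path $BackupDir 'ntds.dit'))) {
        throw "No offline copy of ntds.dit in $BackupDir; run Backup-NtdsFiles first."
    }
    & $esentutl /p $dbFile '/!10240' /8 /o
    return ($LASTEXITCODE -eq 0)
}

# Order of operations: back up, check, try the non-destructive recovery, and
# only then point the operator at the repair.
$backup = Join-Path $env:SystemDrive ('NTDS-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
Backup-NtdsFiles -Destination $backup

if (Test-NtdsIntegrity) {
    Write-Host 'Integrity check passed; no recovery or repair needed.'
} elseif ((Invoke-NtdsSoftRecovery) -and (Test-NtdsIntegrity)) {
    Write-Host 'Soft recovery brought the database back to a consistent state.'
} else {
    Write-Host "Database still fails the integrity check. Offline copy is in $backup."
    Write-Host "Last resort: Repair-NtdsDatabase -BackupDir '$backup' -AcceptDataLoss, then run a semantic database analysis."
}
```

The repair function is deliberately never called automatically; the operator has to type the call with -AcceptDataLoss after reading the message. Delete the backup folder once the domain controller is healthy, since it is a full copy of the password hashes.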

How to Change the Directory Services Restore Mode Password

The Directory Services Restore Mode password is the password of the local Administrator account held in the domain controller's own SAM; it is not a domain account. Anyone who knows it can boot the domain controller into Directory Services Restore Mode and copy ntds.dit, so treat it as a tier-0 secret: use a different value on every domain controller, keep it in a controlled vault, and change it whenever someone who knew it no longer needs it. The following procedure is run while the domain controller is online (normal mode).

1. Open a command prompt.
2. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt changes to ntdsutil:.
3. Type set dsrm password. The command prompt changes to Reset DSRM Administrator Password:.
4. At the Reset DSRM Administrator Password: prompt, type reset password on server <SERVER NAME>. Use null as the server name to reset the password on the local domain controller.
5. At the Please type password for DS Restore Mode Administrator Account: prompt, type the new password that you want to use.
6. At the Please confirm new password: prompt, re-type the new password.
7. Review the feedback on the screen to ensure that the operation was successful. Figure 11.49 shows the full procedure.
8. Type quit or q to return to the ntdsutil: prompt.
9. Type quit or q again to exit the utility.
10. Close the command prompt window.