
Securing Windows 2000 Active Directory

(Part 3) - Backup and Restoration


In this article I will focus on the Active Directory backup process. As part of
securing your Active Directory you need to ensure that, as a contingency
plan, you are able to restore your Active Directory in the event of a disaster.
• Published: Jan 06, 2003
• Updated: Jul 23, 2004
• Section: Articles :: Windows OS Security
• Author: Ricky M. Magalhaes
• Rating: 3.2/5 - 144 Votes

In this article I will focus on the Active Directory backup process. As part of securing your Active Directory you
need to ensure that, as a contingency plan, you are able to restore your Active Directory in the event of a disaster.
(Those who missed the first two articles in this series can click here to be taken to Part 1 and here to be
taken to Part 2.)

When backing up Active Directory, Microsoft supports only one type of backup: a full backup. Incremental
and differential backups do not work correctly on Active Directory, and it is recommended that these
options are not used. AD uses an advanced Jet database that exports a backup interface similar to that of
Exchange 5.5. The reason for dropping support for incremental and differential backups is that most backup
applications bind to the local client-side DLL, whose entry points are defined in ntdsbcli.h.

What will you be backing up?

When backing up Active Directory you need to note that Active Directory is treated as part of the system
state data.

The contents of the system state are as follows.

1. Boot files, including the system files, and all files protected by Windows File Protection (WFP).
2. Active Directory (on a domain controller only).
3. Sysvol (on a domain controller only).
4. Certificate Services (on certification authority only).
5. Cluster database (on a cluster node only).
6. The registry.
7. Performance counters configuration information.
8. Component Services Class registration database.

System state backup facts

1. Log in as Administrator or as a Backup Operator.
2. Only domain controllers contain AD in the system state.
3. System state backups can be incorporated into typical backup jobs.
4. System state backups are online (the domain controller stays in service while it is backed up).
5. Third-party tools should be used when remotely backing up and restoring the system state. Windows
Backup will only work on the local machine!

Limitations of system state backup

1. Backup and restore of the system state cannot be set to back up or restore individual
components, due to the dependencies among the system state components.
2. System state data can be restored to an alternate location, but then only the registry files,
Sysvol directory files, and system boot files are restored (a redirected restore is not a complete
restore).
3. The Active Directory database, Certificate Services database, and Component Services Class
Registration database are not restored to the alternate location. This means that if you need to test
a restore you will run into issues when restoring in a lab environment.

Where is the Active Directory?

Active Directory does not reside on any one domain controller, but rather collectively across the domain
controllers. It is a good idea to back up the system state of the entire set of domain controllers concerned
when backing up Active Directory, but excluding the relative ID (RID) master domain controller. Missing
one of the domain controllers can result in you being unable to restore Active Directory. It is vital that
no one else is able to add domain controllers to your domain.

The diagram above represents a computer that has been selected to be backed up using a popular backup
package. Note that the system state is available for backing up.

Backing up the Active Directory

It is important that you back up the whole of Active Directory as well as the underlying services and
dependencies. Active Directory relies heavily on DNS. If you are using Active Directory-integrated DNS
then you will not need to explicitly back up the zone files.

It is recommended that you back up the system disk as well as the system state, as backing up the system
disk will include the DNS zone data. An Active Directory backup will span several disks, as good practice
dictates that database files and log files be placed on separate disks. Note: you will not have to specify
where these files are, even if they are on separate disks, as backing up the system state automatically
consolidates the files into one location for backup purposes.

Warning!
If the last backup you have is older than the tombstone lifetime set in Active Directory, your backup is
considered ineffective. It is recommended that you perform at least two backups within the tombstone
lifetime; this means that a backup should be made every 29 days, as the tombstone lifetime is 60 days. If
this method is not followed you will find inconsistencies within your Active Directory. I strongly recommend
that a weekly backup be the absolute minimum backup horizon considered.
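The check implied by this warning, written out as an added PowerShell example (not part of the original article): read the forest's tombstone lifetime from the configuration partition, find the newest ntbackup .bkf file, and classify its age against the two thresholds the text gives (half the tombstone lifetime, and the weekly minimum). It assumes a domain-joined host with PowerShell, that the backups live in D:\ADBackups, and that the Windows 2000 default of 60 days applies when the tombstoneLifetime attribute is not set; the folder path and the 7-day warning threshold are the only inputs.

```powershell
# Added example: compare the age of the newest system state backup (.bkf)
# with the forest's tombstone lifetime. Assumptions: .bkf files in $BackupDir,
# and a domain-joined host that can read the configuration naming context.
param(
    [string]$BackupDir = 'D:\ADBackups',   # assumed location of the .bkf files
    [int]$MaxBackupAgeDays = 7             # the article's weekly minimum
)

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is an attribute of the Directory Service object in the
    # configuration partition. When it is absent (the Windows 2000 default) the
    # effective lifetime is 60 days.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties['tombstoneLifetime'].Value
    if ($value) { return [int]$value } else { return 60 }
}

function Test-SystemStateBackupFreshness {
    param([string]$Dir, [int]$TombstoneDays, [int]$WarnDays)
    $newest = Get-ChildItem -Path $Dir -Filter '*.bkf' -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) {
        return [pscustomobject]@{ Status = 'NO_BACKUP'; AgeDays = $null; File = $null }
    }
    $ageDays = [math]::Floor(((Get-Date) - $newest.LastWriteTime).TotalDays)
    # Older than the tombstone lifetime: the backup is ineffective, because
    # deletions it knows nothing about have already been garbage-collected on
    # the other domain controllers. Past half the lifetime: the article's
    # "two backups per tombstone lifetime" rule has been broken.
    $status = if ($ageDays -ge $TombstoneDays)                         { 'UNUSABLE' }
              elseif ($ageDays -ge [math]::Floor($TombstoneDays / 2))  { 'OVERDUE' }
              elseif ($ageDays -ge $WarnDays)                          { 'WARNING' }
              else                                                     { 'OK' }
    return [pscustomobject]@{ Status = $status; AgeDays = $ageDays; File = $newest.FullName }
}

$tsl    = Get-TombstoneLifetimeDays
$result = Test-SystemStateBackupFreshness -Dir $BackupDir -TombstoneDays $tsl -WarnDays $MaxBackupAgeDays
"Tombstone lifetime: $tsl days; newest backup: $($result.File); age: $($result.AgeDays) days -> $($result.Status)"
```

Run it from a scheduled task on the backup host and alert on anything other than OK; UNUSABLE means the most recent backup can no longer be restored safely, not merely that it is late.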

Below are the files that make up the Active Directory.

1. ntds.dit (the database file)
2. edb.chk (checkpoint file)
3. edb*.log (transaction log files)
4. res1.log and res2.log (reserved transaction log files)

To start the backup of your Active Directory:

1. Click Start, then click Run, type ntbackup and click OK.
2. You should be presented with the ntbackup utility; click Tools, then click Backup Wizard, then
click Next.
3. Select the option to only back up the system state.
4. Select the location where you would like to back up your system state to. If you back up to a hard
disk, ensure that the disk is formatted with NTFS.
5. Check your settings and then click Finish. If you would like to configure scheduling, hardware
compression, media labels, data verification, or appending to a different job, you can do this by clicking
the Advanced button on this screen. Data verification results can be viewed in the Event Viewer.
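The wizard steps above driven from a script instead of the GUI, as an added PowerShell example that is not part of the original article. It assumes a host on which both PowerShell and ntbackup.exe are available (Windows Server 2003, for instance; Windows 2000 itself does not run PowerShell), that D:\ADBackups is the chosen target, and that NTBackup is the source name under which ntbackup records its verification results in the Application log. The ntbackup switches used are its documented command-line options (systemstate, /j, /f, /v, /r, /hc, /l, /d); the NTFS check covers step 4 and the switches cover the Advanced options named in step 5.

```powershell
# Added example: system state backup via ntbackup.exe from a script.
# Assumptions: ntbackup.exe on the path, $Target on an NTFS volume.
param(
    [string]$Target  = 'D:\ADBackups',      # assumed backup folder
    [string]$JobName = 'AD System State'
)

function Test-NtfsVolume {
    param([string]$Path)
    # Step 4 of the wizard: a disk target must be formatted NTFS.
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).Path)
    $drive = New-Object System.IO.DriveInfo($root)
    return $drive.DriveFormat -eq 'NTFS'
}

function Get-NtbackupArguments {
    param([string]$BackupFile, [string]$Job)
    # "Only back up the system state" plus the Advanced options from step 5:
    #   /v:yes  verify the data after backup (result is written to the Application log)
    #   /r:yes  restrict access to the backup to the owner and Administrators
    #   /hc:on  hardware compression, where the device supports it
    #   /l:f    full log file
    #   /d      description text, which also serves as the media label
    # Add '/a' to append to existing media instead of overwriting it.
    return @('backup', 'systemstate',
             '/j', "`"$Job`"",
             '/f', "`"$BackupFile`"",
             '/v:yes', '/r:yes', '/hc:on', '/l:f',
             '/d', "`"System state $(Get-Date -Format yyyy-MM-dd)`"")
}

if (-not (Test-Path $Target)) { New-Item -ItemType Directory -Path $Target | Out-Null }
if (-not (Test-NtfsVolume $Target)) { throw "$Target is not on an NTFS volume" }

$file    = Join-Path $Target ("systemstate-{0}.bkf" -f (Get-Date -Format yyyyMMdd-HHmm))
$argList = Get-NtbackupArguments -BackupFile $file -Job $JobName
$proc    = Start-Process -FilePath 'ntbackup.exe' -ArgumentList $argList -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "ntbackup exited with code $($proc.ExitCode)" }

# The verification pass the wizard would have configured is reported here,
# which is what the article means by "viewed in the Event Viewer".
Get-EventLog -LogName Application -Source NTBackup -Newest 5 |
    Select-Object TimeGenerated, EntryType, Message
```

Scheduling (the remaining Advanced option) is a matter of running this script from a task that executes as a member of Backup Operators on the domain controller itself, since, as the article notes, Windows Backup only operates on the local machine.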

Directory service

The directory service is the mechanism that AD uses to trace and classify users and resources existing in a
distributed system. The directory service should be considered within your overall AD backup and restore
strategy. Directory service information can be replicated to other domain controllers in the same domain
environment. It is vital that a recovery plan is in place before attempting a restore. All changes encountered
during backup are stored in a temporary log and appended to the end of the backup set when the backup is
complete.

Summary
Windows 2000 stores all of its security information in the Active Directory. This article has
described the process that needs to take place in order to back up the Active Directory, ensuring that it
remains secure.
