Personal collection of useful articles found on the web, NOT  for public use, just for MY quick reference. Just in case you created one.

   Specializing in Office Communications Server, Exchange, Active Directory, TMG 2010, ISA 2006, System Center Operations Manager and PowerShell

                                                                                                               
My private collection of articles found on the net; I don't own them, but they helped me.

Control as Virus Outbreak


 

Export-Mailbox is a task developed by the migration team to allow Administrators to export content from active mailboxes to a folder inside other active mailboxes. The initial idea for this task was to be a complete replacement for ExMerge. The implementation of some of this functionality was problematic and it required more time than initially planned. In this post I will describe what we are missing, which workarounds are available, and some of our future plans.

The need for an ExMerge replacement

ExMerge is a tool created by Microsoft Support in the Exchange 5.5 timeframe, used to allow Administrators to export and import mailbox content to/from PST files. Over the years this tool became popular since, because of its flexibility, it could be used in a number of scenarios where specific tools did not exist. As a result of this popularity, the Exchange team took on development ownership of ExMerge for Exchange 2003 and released it as a tool over the web.

Even though ExMerge proved to be a helpful tool for Exchange Administrators, there were several problems that needed to be addressed in :


  • Separate Code Base: One of the goals for is to reduce the number of separate tools and code bases supported for migration operations. ExMerge has always been completely separate from all shared Exchange migration code. This has caused several technical problems like the need to support an independent PST provider (that is why the current version is not able to support mailboxes larger than 2 GB and Unicode) and so on. These issues have caused delays in updates, limited functionality and extra support costs for customers and Microsoft as well.

  • Independent Tool: Besides the technical implications of having a separate code base, the fact that ExMerge is an independent tool has caused a lot of unintended consequences regarding the scenarios where it is used. Every time a tool is used for something it was not designed for, the risk of unintended consequences and bugs increases. Also, overuse of the ExMerge tool works as an incentive to underuse our other migration tools where they are better suited. This adds extra cost to the management of Exchange.

Export-Mailbox

Export-Mailbox was built to address scenarios where mailbox content needs to be copied from one active mailbox to another without actually migrating the whole mailbox object. Source and target servers used by export-mailbox need to be part of a Single Forest or Resource Forests. That is, mailbox content can only be exported to mailboxes within the same forest.

The following versions are supported by export-mailbox:


  • Source Server:


    • Exchange 2000 SP3 (or later)

    • Exchange 2003 SP2 (or later)


  • Target Server:



Exchange Permission requirements:


  • Logon account for the user who is running Export-Mailbox needs to be a member of "Exchange Servers Administrators" for source and target Server. Permissions for previous Exchange Servers remain the same as they were for Exchange 2003 Move Mailbox Task (Exchange Administrator).

Current functionality available for Export-Mailbox

Pre-Validation and New and Improved Logging


Export-Mailbox benefits from a pre-validation functionality similar to the one present in move-mailbox. This feature saves time by identifying most errors right away before the export begins, instead of waiting until they happen during an actual export.

Also available for Export-Mailbox is the comprehensive log feature: Event logs, an XML report and a troubleshooting log. All logs are enabled by default and are located at \Logging\MigrationLogs\.

Export-mailbox available options


  • Export mailbox content from an active mailbox to a folder inside another mailbox

  • Filter content to be exported based on:


    • List of included or excluded Folders (included using -IncludeFolders or excluded using -ExcludeFolders)

    • Message subject (-SubjectKeywords)

    • Message and attachments content (-ContentKeywords)

    • Attachment file names (-AttachmentFilenames)

    • Message locale (-Locale)

    • "OR" search of Message subject, message content and attachment content (-AllContentKeywords)

    • Date range (-StartDate and -EndDate)

  • Delete content from source mailbox after exporting it to target mailbox

  • Automatically exports dumpster items as regular messages in the target mailbox

Features postponed

The following options were not included for :


- Exporting content directly to a PST file: Part of the challenge here was to adapt our code to the Outlook PST provider, which provides the most up to date PST functionality. Currently Administrators can export content to folders inside one or more mailboxes and then manually export this content to PST files using Outlook. Also, will not actively block access from ExMerge clients supported by Exchange 2003. This is not a scenario officially tested but customers have reported that running ExMerge from an Exchange 2003 server and accessing databases indeed works. Native support for this PST is being planned to be part of Service Pack 1.


- UI interface: Since most of the common scenarios for ExMerge were related to bulk operations, we have decided to focus on delivering the needed functionality first and a GUI later. There is no defined date for the creation of such an interface for the export-mailbox task at this point.

Customer scenarios and examples

These are the supported customer scenarios for Export-Mailbox:


  1. Exporting mailbox content during litigation process

During a litigation process, Administrators may need to regularly export mailbox content from selected users. These searches will be based on criteria defined by lawyers. This content will be exported from one or more source mailboxes into a temporary mailbox that the lawyers can access. The lawyers would then process the data and send the data to opposing counsel.


  2. Exporting email content to former users

When accounts are about to be removed from a server (as in college students graduating or users leaving a hosting account), administrators might want to send mailbox content to the former users who for some reason could not manually copy the email content themselves. Administrators would use the Export-Mailbox option to export the data to some intermediary mailbox and then manually export the data to the end users via PST files.


  3. IT Emergency Response Process

In the course of daily operations of an IT Emergency Response organization, administrators need the ability to scan a large number of messages based on specified criteria, and perform mass deletion of any suspect email found. By using Export-Mailbox and the -DeleteContent parameter along with specific filter options, they are able to search and delete such messages.


Export-Mailbox examples:

Exporting mailbox content based on Organizational information:

Export all content from all mailboxes where user Title starts with VP to a folder called VPData in the Administrator mailbox:

Get-user | where { $_.Title -ilike "VP*" } | export-mailbox -TargetFolder "VPData" -TargetMailbox Administrator

Export all content from all mailboxes from the Accounting department to a folder called AccountingData in the Administrator mailbox:

Get-user | where { $_.Department -Eq "Accounting" } | export-mailbox -TargetFolder "AccountingData" -TargetMailbox Administrator


Using filtering when Exporting mailbox content:

Export all content from UserMailbox1's mailbox received between 02/02/05 and 02/05/05 to a folder called User1Data in the UserMailbox2's mailbox:

Export-mailbox -id UserMailbox1 â€"StartDate "02/02/05" â€"EndDate "02/05/05" -TargetFolder 'User1Data' -TargetMailbox UserMailbox2

Export all content from the Sent Items folder of UserMailbox1's mailbox to a folder called User1SentItems in the UserMailbox2's mailbox:

Export-mailbox -id UserMailbox1 -IncludeFolders "\Sent Items" -TargetFolder 'User1SentItems' -TargetMailbox UserMailbox2

Filters out content from the Deleted Items folder and only exports messages that are in Japanese to a folder called User1JapaneseItems in the UserMailbox2's mailbox:

Export-mailbox -id UserMailbox1 -ExcludeFolders "\Deleted Items" -Locale ja-jp -TargetFolder 'User1JapaneseItems' -TargetMailbox UserMailbox2

Using filtering to Export and delete mailbox content:

Export and delete all messages that contain "Confidential" in their subject from all mailboxes from the DB1 database to a folder called ConfidentialData in the Administrator mailbox:

Get-mailbox -database 'DB1' | export-mailbox â€"SubjectKeywords "Confidential" -TargetFolder "ConfidentialData" -TargetMailbox Administrator â€"DeleteContent

Export and delete all messages that have an attachment whose name contains the word "movie" from all mailboxes on the DB1 database to a folder called MovieAttachmentMessages in the Administrator mailbox:

Get-mailbox -database 'DB1' | export-mailbox -AttachmentFilenames "movie" -TargetFolder "MovieAttachmentMessages" -TargetMailbox Administrator -DeleteContent

Export and delete all messages that contain the word "virus" in their body or in an attachment's body from all mailboxes on the DB1 database to a folder called VirusMessages in the Administrator mailbox:

Get-mailbox -database 'DB1' | export-mailbox -ContentKeywords "virus" -TargetFolder "VirusMessages" -TargetMailbox Administrator -DeleteContent
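The IT Emergency Response scenario above, written as a repeatable two-phase script. This is an added example, not code from the original post; the database name DB1, the Quarantine mailbox, the report path, the keyword lists and PowerShell 2.0 in the Exchange Management Shell are assumptions.

```powershell
# Added example, not part of the original post: the IT Emergency Response
# scenario as a two-phase script. Without -Commit every export is run with
# -WhatIf so the operator can review the scope; with -Commit the matching
# messages are exported into a dated folder of a quarantine mailbox and
# removed from the source mailboxes (-DeleteContent).
# Assumptions (not from the post): PowerShell 2.0 in the Exchange Management
# Shell, a database named DB1, a mailbox named Quarantine that no ordinary
# client reads, and placeholder keyword lists the operator sets per incident.
param(
    [string]   $Database      = 'DB1',
    [string]   $TargetMailbox = 'Quarantine',
    [string]   $ReportPath    = 'C:\quarantine-report.txt',
    [string[]] $SubjectKeywords     = @('Urgent invoice', 'Your parcel'),
    [string[]] $AttachmentFilenames = @('.exe', '.scr', '.pif'),
    [datetime] $StartDate     = (Get-Date).AddDays(-2),
    [switch]   $Commit        # without -Commit nothing is changed
)

$targetFolder = 'Quarantine-' + (Get-Date -Format 'yyyyMMdd')

# One pass per filter. The post documents each filter parameter on its own
# and does not say how two different filters combine, so they are not mixed.
$passes = @(
    @{ Param = 'SubjectKeywords';     Values = $SubjectKeywords },
    @{ Param = 'AttachmentFilenames'; Values = $AttachmentFilenames }
)

"$(Get-Date -Format s) quarantine run: database $Database, commit=$Commit" |
    Out-File $ReportPath -Append

foreach ($pass in $passes) {
    # Parameters shared by every pass, then the pass's own filter
    $params = @{
        TargetMailbox = $TargetMailbox
        TargetFolder  = $targetFolder
        StartDate     = $StartDate
        DeleteContent = $true
    }
    $params[$pass.Param] = $pass.Values

    if ($Commit) {
        $params['Confirm'] = $false   # no per-mailbox prompt on a bulk run
    } else {
        $params['WhatIf'] = $true     # report what would happen, change nothing
    }

    "--- $($pass.Param): $($pass.Values -join ', ')" | Out-File $ReportPath -Append

    # Mailbox objects from Get-Mailbox go down the pipeline to Export-Mailbox,
    # exactly as the examples in the post do; the per-mailbox result objects
    # are appended to the report.
    Get-Mailbox -Database $Database -ResultSize Unlimited |
        Export-Mailbox @params |
        Out-String -Width 200 |
        Out-File $ReportPath -Append
}

if (-not $Commit) {
    Write-Host "Dry run finished; review $ReportPath, then re-run with -Commit."
}
```

Without -Commit the cmdlet's "What if" lines go to the console rather than the report, so wrap the dry run in Start-Transcript if you need to keep them.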

Powershell Setting Active Sync Based on group membership


# Start-Transcript c:\activesyncerror.txt   # uncomment to capture a full transcript of the run

# Report file (overwritten on each run)
$outfile = "c:\active.csv"
"User,Status" | Out-File $outfile

# Group whose members are allowed to use ActiveSync; looked up once, outside the loop
$group   = Get-Group "pda users"
$groupdn = $group.DistinguishedName

# Users to check
$users = Get-CASMailbox -ResultSize Unlimited
foreach ($userfound in $users)
{
    $userdn = $userfound.DistinguishedName
    $usersm = $userfound.SamAccountName
    $ADuser = [ADSI]"LDAP://$userdn"
    $res    = $ADuser.memberOf    # direct memberships only; nested groups are not expanded

    # Member of the group: ActiveSync stays enabled
    if ($res -contains $groupdn)
    {
        "$usersm,Member of $($group.Name) - Enabled" | Out-File $outfile -Append
        #Set-CASMailbox $usersm -ActiveSyncEnabled $true
        Write-Host $usersm "Enabled"
    }
    # Not a member: ActiveSync is disabled for the account
    else
    {
        "$usersm,Not a member of $($group.Name) - Disabled" | Out-File $outfile -Append
        Set-CASMailbox $usersm -ActiveSyncEnabled $false -WhatIf   # remove -WhatIf to apply the change
        Write-Host $usersm "Disabled"
    }
}
# Stop-Transcript
$users.Count
notepad $outfile

Powershell Users Group Membership

   

Script to list a users group membership.

#Users to query
$users = Get-casMailbox Username
$userdn = $users.distinguishedName
$ADuser=[ADSI]"LDAP://$userdn"
$res = $aduser.memberOf
$res

PDA Statistics


Script to list Active Sync Device Statistics.

$outfile = "C:\ocs scripts\pda.csv"

# Mailboxes with at least one ActiveSync partnership, excluding the CAS test mailboxes
$mbx = Get-CASMailbox -ResultSize Unlimited -Filter {(HasActiveSyncDevicePartnership -eq $true) -and -not (DisplayName -like "CAS_{*")}

# CSV header (values are not quoted, so a comma inside a field would shift the columns)
[string]::Join(',', ("Name","Display Name","Model","Phone No","Device ID","Device IMEI","First Sync","Last Sync","Device OS","Device Friendly Name","Device Type")) > $outfile

foreach ($user in $mbx) {
    $dev = Get-ActiveSyncDeviceStatistics -Mailbox $user.Identity
    foreach ($phone in $dev)
    {
        # One row per device partnership
        [string]::Join(',', ($user.Name, $user.DisplayName, $phone.DeviceModel, $phone.DevicePhoneNumber,
            $phone.DeviceID, $phone.DeviceIMEI, $phone.FirstSyncTime, $phone.LastSuccessSync,
            $phone.DeviceOS, $phone.DeviceFriendlyName, $phone.DeviceType)) >> $outfile
    }
}
#notepad $outfile
________________________________________________________________________

Setting GC Global Catalog through powershell


Script to set the Global Catalog role on a domain controller when no GCs are available


# ---------------------------------------------------------------------------------------------------
function Set-GCRole
# ---------------------------------------------------------------------------------------------------
{
  Param (
    $ServerName,
    $IsGC = "enable"
  )
  $dse  = [adsi]("LDAP://" + $ServerName + "/RootDSE")
  $ntds = [adsi]("LDAP://" + $dse.dsServiceName)   # the DC's own NTDS Settings object

  # The options attribute is a bit mask; bit 0 (value 1) marks the DC as a
  # global catalog. Only that bit is changed so any other option bits survive.
  $current = [int]$ntds.Properties["options"].Value
  If ($IsGC -eq "disable")
  {
    $ntds.Properties["options"].Value = $current -band (-bnot 1)
  }
  else
  {
    $ntds.Properties["options"].Value = $current -bor 1
  }
  $ntds.SetInfo()
}
 
# ---------------------------------------------------------------------------------------------------
If ($Args.count -ne 2)
{
  write-host "You need to provide the Name of the DC,"
  write-host "and the ""enable"" or ""disable"" keyword."
  write-host "example: Set-GCrole.ps1 ""server1"" ""enable"""
  write-host
  exit
}
Set-GCrole $Args[0] $args[1]

Full Server Recovery of a Domain Controller (a nonauthoritative restore)

02 February 2011
07:45
Scenario 1
Loss of a DC, Not a FSMO Role Holder
Requirements: Full Bare Metal & System State of Single DC
 
To recover: Windows, Disks and Applications
 
Performing Nonauthoritative Restore of Active Directory Domain Services
Updated: January 9, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.
You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.
 
Note
If your objective is to recover objects that were deleted since the last backup, first perform a nonauthoritative restore from backup to reinstate the deleted objects and then perform an authoritative restore to mark the deleted objects as authoritative so that they are not overwritten during replication. When you are performing both a nonauthoritative restore and an authoritative restore, do not allow the domain controller to restart after the nonauthoritative restore. For information about performing authoritative restore, see Performing Authoritative Restore of Active Directory Objects.
 
Nonauthoritative Restore Requirements
You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a stand-alone server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system. If you need to reinstall the operating system and then restore AD DS, see Restoring a Domain Controller Through Reinstallation.
To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
  • System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
  • Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.
  • Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. For information about performing a full server backup for disaster recovery, see Performing a Full Server Recovery of a Domain Controller on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=116206).
 
Performing a full server recovery of a domain controller by using the GUI
You can use this procedure to perform full server recovery of a domain controller with Windows Complete PC Restore.
There are no administrative credential requirements. No authentication is performed when you start in Windows RE.
To perform full server recovery of a domain controller (a nonauthoritative restore) by using the GUI
  1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
  2. When you are prompted, press a key to start from the DVD.
  3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
  4. At the Install now screen, click Repair your computer.
  5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
  6. Under Choose a recovery tool, click Windows Complete PC Restore.
  7. If the backup is stored on a remote server, a message indicates that Windows cannot find a backup on the hard disks or DVDs on this computer. Click Cancel to close the message.
  8. Click Restore a different backup, and then click Next.
  9. On the Select the location of the backup page, perform either set of the following steps, depending on whether the backup is stored locally or on a network shared folder:
    • If the backup is stored on the local computer, select the location of the backup, and then click Next.

      Or
    • If the backup is stored on a network shared folder, click Advanced, and then click Search for a backup on the network. Then:
      1. Click Yes to confirm that you want to connect to the network.
      2. In Network Folder, type the Universal Naming Convention (UNC) name for the network share, and then click OK.
      3. Type credentials for a user account that has sufficient permissions to restore the backup, and then click OK.
      4. On the Select the location of the backup page, click the location of the backup, and then click Next.
  10. Click the backup to restore, and then click Next.
  11. On the Choose how to restore the backup page, if you want to replace all data on all volumes, regardless of whether they are included in the backup, select the Format and repartition disks check box.
  12. To prevent volumes that are not included in the restore from being deleted and re-created, click Exclude Disks, select the check box for the disks that you want to exclude, and then click OK.
  13. Click Next, and then click Finish.
  14. Select the I confirm that I want to format the disks and restore the backup check box, and then click OK.
Performing a full server recovery of a domain controller by using the command line
Use the following procedure to perform full server recovery of a domain controller from the command line.
There are no administrative credential requirements. No authentication is performed when you start in Windows RE.
To perform full server recovery of a domain controller (a nonauthoritative restore) by using the command line
  1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
  2. When you are prompted, press a key to start from the DVD.
  3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
  4. At the Install now screen, click Repair your computer.
  5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
  6. Under Choose a recovery tool, click Command Prompt.
  7. At the Sources prompt, type diskpart, and then press ENTER.
  8. At the Diskpart prompt, type list vol, and then press ENTER.
  9. Identify the volume from the list that corresponds to the location of the full server backup that you want to restore.
    The drive letters in Windows RE do not necessarily match the volumes as they appear in Windows Server 2008.
  10. Type exit, and then press ENTER.
  11. At the Sources prompt, type the following command, and then press ENTER:
    wbadmin get versions -backupTarget:<targetDrive>: -machine:<BackupComputerName>
    Where:
    • <targetDrive>: is the location of the backup that you want to restore.
    • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is required if the backup is stored on a remote computer.
  12. Identify the version that you want to restore.
    You must enter this version exactly in the next step.
  13. At the Sources prompt, type the following command, and then press ENTER:
    wbadmin start sysrecovery -version:<MM/DD/YYYY-HH:MM> -backuptarget:<targetDrive>: -machine:<BackupComputerName> -restoreAllVolumes
    Where:
    • <MM/DD/YYYY-HH:MM> is the version of the backup that you want to restore.
    • <targetDrive>: is the drive that contains the backup.
    • <BackupComputerName> is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
  14. When you are prompted, press Y to proceed with the restore process.
  15. After the recovery operation has completed, minimize the command window, and then, in the System Recovery Options dialog box, click Restart.
 
Post Recovery Tests
 
Repadmin /replsum
dcdiag /test:CheckSecurityError /s:DRDC01
repadmin /showrepl
w32tm /monitor
dcdiag /s:DCName
dcdiag /test:dns /e /s:DCName
dcdiag /test:netlogons /v /s:DCName
dcdiag /test:fsmocheck /s:DCName
 
Additional considerations
Be aware of the following issues when you perform a full server recovery of a domain controller:
  • Wbadmin.exe does not require that you provide the recovery target. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the specified backup version.
  • Backup files are named for the date and time of the backup. When you recover, the version must be stated in the form MM/DD/YYYY-HH:MM, which specifies the name of the backup that you want to recover.
  • After the restore is completed, restart the server normally, and perform basic verification. When you restart the computer normally, AD DS and Active Directory Certificate Services (AD CS) automatically detect that they have been recovered from a backup. They perform an integrity check and index the database again.
  • After you log on to the system, browse AD DS. Verify that the following conditions are met:
    • All of the user objects and group objects that were present in the directory at the time of the backup are restored.

Note
Active Directory replication updates the objects that you restore with any changes that have been made to them since the time that the backup was taken.
    • Files that were members of a File Replication Service (FRS) replica set and certificates that were issued by AD CS are present.
    • The Windows Time service (W32time) is synchronized correctly.
    • The NETLOGON and SYSVOL folders are properly shared.
    • The Preferred DNS server address is configured correctly.
    • Host (A) and service (SRV) resource records are registered correctly in Domain Name System (DNS).
 

Requirements - Full Server Recovery of a Domain Controller



02 February 2011
09:09
When you perform a full server recovery, you recover all volumes from the backup set to the server. The procedure to perform full server recovery of a domain controller is the same as for any server running Windows Server 2008. Whenever you perform a full server recovery of a domain controller, you perform a nonauthoritative restore of Active Directory Domain Services (AD DS).
You can use these procedures to perform full server recovery of a domain controller by using Windows Complete PC Restore (a graphical user interface (GUI) tool) or Wbadmin.exe from the command line.
 
Requirements for performing a full server recovery of a domain controller
Full server recovery of a domain controller has the following requirements:
  • You must have a full server backup available. This type of backup contains all volumes that were on the server at the time that you made the backup.
  • You can store the backup on a separate, internal or external hard drive or a DVD. If you performed a manual backup, you can perform a full server recovery from a network shared folder.
 
Note
Windows Server Backup does not enumerate drives that are not attached or turned on when you start the Recovery Wizard. If you attach or turn on a drive after you start the wizard, and you do not see it in the list of backup locations that you can restore from, close, and then restart Windows Server Backup.
  • You must have the Windows Server 2008 operating system DVD or have Windows RE installed on a different partition than the critical partitions that are used by the domain controller that you are restoring.
  • If you are recovering to new hardware, the new hardware must provide enough storage capacity to recover all volumes. In other words, the hard drives that you are recovering data to must be as large as, or larger than, the drives that are included in the backup set.
 

Forest Recovery Post recovery steps


Perform the following post recovery steps as needed:
Ensure the DCs are healthy by running the admin commands listed below.
·    After the entire forest is recovered, you can revert to the original DNS configuration, including configuration of the preferred and alternate DNS servers on each of the domain controllers. After the DNS servers are configured as they were before the malfunction, their previous name resolution capabilities will be restored. Delete any DNS records for domain controllers that have not been recovered.
·    Delete Windows Internet Name Service (WINS) records for all domain controllers that have not been recovered.
·    You can transfer the operations master roles to other domain controllers in the domain or forest and add more global catalog servers based on your pre-failure configuration.
·    Because the entire forest is restored to a previous state, any objects (such as users and computers) that were added and all updates (such as password changes) that were made to existing objects after this point are lost. Therefore, you should re-create these missing objects and reapply the missing updates as appropriate.
·    You might also need to restore outgoing trusts with external domains, because these external trust relationships are not restored automatically from backups.
·    If you suspect that the forest-wide failure was related to network intrusion or malicious attack, you can reset the account passwords for members of the Enterprise Admins and Domain Admins groups.
·    Restore or reinstall any software applications that were running on domain controllers before recovery. Restoring AD DS on the first domain controller in the domain also restores the registry because they both are part of System State data. Keep this in mind if you had any applications running on these domain controllers and if they had any information stored in the registry.
·    For client computers, you might have to reset their secure channel with domain controllers or rejoin them to the domain. To reset the secure channel, you can use Netdom.exe. At a command prompt, type the following command, and then press ENTER:
netdom reset <ComputerName> /domain:<DomainName>
 
 
Repadmin /replsum
dcdiag /test:CheckSecurityError /s:DRDC01
repadmin /showrepl
w32tm /monitor
dcdiag /s:DCName
dcdiag /test:dns /e /s:DCName
dcdiag /test:netlogons /v /s:DCName
dcdiag /test:fsmocheck /s:DCName
 


Forest Recovery Procedures - Stage 2



31 January 2011
13:59
Removing the global catalog
Use the following procedure to remove the global catalog from a domain controller.
Restoring a global catalog server from backup could result in the global catalog holding newer data for one of its partial replicas than the corresponding domain that is authoritative for that partial replica. In such a case, the newer data will not be removed from the global catalog and might even replicate to other global catalog servers. As a result, even if you did restore a domain controller that was a global catalog server, either inadvertently or because that was the solitary backup you trusted, you should remove the global catalog soon after the restore operation is complete. When the global catalog is removed, the computer removes all its partial replicas. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
 
To remove the global catalog
1.    Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2.    In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.
3.    Expand the Servers container, and then expand the server object for the domain controller from which you want to remove the global catalog.
4.    Right-click NTDS Settings, and then click Properties.
5.    Clear the Global Catalog check box.
 
Raising the value of available RID pools
Use the following procedure to raise the value of the relative ID (RID) pools that the RID operations master will allocate after that domain controller is restored. By raising the value of the available RID pools, you can ensure that no domain controller allocates a RID for a security principal that was created after the backup that was used to restore the domain. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
 
To raise the value of available RID pools
1.    At the command prompt, change directories to the folder that contains the Windows Support Tools, type the following command, and then press ENTER:
ldp
2.    Click Connection, click Connect, type the name of the server on which you want to raise the RID pool, and then click OK.
3.    Click Connection, click Bind, type your administrative credentials, and then click OK.
4.    Click View, click Tree, and then type the following distinguished name path:
CN=RID Manager$,CN=System,DC=<domain>,DC=<top-level domain>
This account has an attribute named rIDAvailablePool. This attribute value maintains the global RID space for an entire domain. The value is a large integer with upper and lower parts. The upper part defines the number of security principals that can be allocated for each domain (0x3FFFFFFF or just over 1 billion). The lower part is the number of RIDs that have been allocated in the domain. To view both parts, in Ldp.exe use the Large Integer Converter command in the Utilities menu.
·    Sample Value: 4611686014132422708 (Insert in Large Integer Calculator in the Utilities menu of Ldp.exe)
·    Low Part: 2100 (beginning of the next RID pool to be allocated)
·    Upper Part: 1073741823 (total number of RIDs that can be created in a domain)
When you increase the value of the large integer, you increase the value of the low part. For example, if you add 100,000 to the sample value of 4611686014132422708 for a sum of 4611686014132522708, the new low part is 102100. This indicates that the next RID pool that will be allocated by the RID master will begin with 102100 instead of 2100.
5.    Click Browse, and then click Modify.
6.    Add 100,000 to the current rIDAvailablePool value, and then type the sum into Values.
7.    In Dn, type cn=RID Manager$,cn=System,dc=.
8.    In Edit Entry Attribute, type rIDAvailablePool.
9.    Select Replace as the operation, and then click Enter.
10.    Click Run to run the operation.
 
[Screenshot: Ldp.exe Large Integer Converter dialog (Utilities menu), showing the String value with its High Part (1073741823) and Low Part]
 
[Screenshot: Ldp.exe Edit Entry dialog with Attribute rIDAvailablePool, Values 4611686014132623709 and Operation Replace; the entry is added with Enter and applied with Run]
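The large-integer arithmetic above is easy to get wrong when typed by hand. The following PowerShell is an added example, not part of the Microsoft guide or this blog's original text: it splits a rIDAvailablePool value into its high and low parts the same way the Large Integer Converter does, computes the raised value, and refuses to raise past the ceiling carried in the high part. The sample value is the one quoted in the text; the optional live read at the end assumes the ActiveDirectory module (Windows Server 2008 R2 and later) and is run on a domain controller of the recovered domain.

```powershell
# Added example, not from the original guide. The arithmetic needs only PowerShell;
# the optional live read at the bottom needs the ActiveDirectory module.

function Split-RidPool {
    # Split the 64-bit rIDAvailablePool large integer into its two 32-bit halves.
    param([Parameter(Mandatory = $true)][Int64]$Value)

    $low  = $Value -band 0xFFFFFFFF                  # low 32 bits: start of the next RID pool
    $high = [Int64](($Value - $low) / 4294967296)    # high 32 bits (divide by 2^32): RID ceiling, 0x3FFFFFFF

    New-Object PSObject -Property @{ Value = $Value; HighPart = $high; LowPart = $low }
}

function Get-RaisedRidPool {
    # Return the value to write back after adding $Increment to the low part.
    # The high part must stay untouched, so the new low part may not reach it.
    param(
        [Parameter(Mandatory = $true)][Int64]$Current,
        [Int64]$Increment = 100000
    )

    $parts  = Split-RidPool -Value $Current
    $newLow = $parts.LowPart + $Increment
    if ($newLow -ge $parts.HighPart) {
        throw "Raising by $Increment would exhaust the RID space (ceiling $($parts.HighPart))."
    }
    Split-RidPool -Value ($Current + $Increment)
}

# Sample value from the text: high part 1073741823, low part 2100.
$sample = [Int64]4611686014132422708
Split-RidPool -Value $sample           # HighPart 1073741823, LowPart 2100
Get-RaisedRidPool -Current $sample     # Value 4611686014132522708, LowPart 102100

# Optional: read the live value from the RID Manager$ object (assumes the
# ActiveDirectory module; run on a domain controller of the recovered domain).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $ridManager = 'CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName
    $live   = (Get-ADObject -Identity $ridManager -Properties rIDAvailablePool).rIDAvailablePool
    $raised = Get-RaisedRidPool -Current $live
    "Current: $live -> after raise: $($raised.Value) (next pool starts at $($raised.LowPart))"
    # To apply the change (the same Replace operation as in Ldp.exe), use:
    # Set-ADObject -Identity $ridManager -Replace @{ rIDAvailablePool = $raised.Value }
}
```

Compare the printed HighPart and LowPart with what Ldp.exe shows before writing anything; if the high part is not 1073741823 the value was not read from the rIDAvailablePool attribute.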
 
Seizing an operations master role - If the recovered DC does not hold the FSMO Roles
Use the following procedure to seize an operations master role (also known as a flexible single master operations (FSMO) role). You can use Ntdsutil.exe, a command-line tool that is installed automatically on all domain controllers. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
 
To seize an operations master role
1.    At the command prompt, type the following command, and then press ENTER:
ntdsutil
2.    At the ntdsutil: prompt, type the following command, and then press ENTER:
roles
3.    At the FSMO maintenance: prompt, type the following command, and then press ENTER:
connections
4.    At the server connections: prompt, type the following command, and then press ENTER:
Connect to server ServerFQDN
Where ServerFQDN is the fully qualified domain name (FQDN) of this domain controller, for example: connect to server nycdc01.example.com.
If ServerFQDN does not succeed, use the NetBIOS name of the domain controller.
5.    At the server connections: prompt, type the following command, and then press ENTER:
quit
6.    Depending on the role that you want to seize, at the FSMO maintenance: prompt, type the appropriate command as described in the following table, and then press ENTER.
 
 
Role                   Credentials         Command
Domain naming master   Enterprise Admins   For Windows Server 2003: Seize domain naming master
                                           For Windows Server 2008: Seize naming master
Schema master          Schema Admins       Seize schema master
Infrastructure master  Domain Admins       Seize infrastructure master
PDC emulator master    Domain Admins       Seize pdc
RID master             Domain Admins       Seize rid master
 
After you confirm the request, Active Directory or AD DS attempts to transfer the role. When the transfer fails, some error information appears, and Active Directory or AD DS proceeds with the seizure. After the seizure is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears.
 
Note
If this computer was not a RID master before the failure and you attempt to seize the RID master role, the computer tries to synchronize with a replication partner before accepting this role. However, because this step is performed when the computer is isolated, it will not succeed in synchronizing with a partner. Therefore, a dialog box appears asking you whether you want to continue with the operation despite this computer not being able to synchronize with a partner. Click Yes.
Windows Server 2008: Deleting a domain controller using Active Directory Users and Computers
When you use the version of Active Directory Users and Computers in Windows Server 2008, metadata cleanup is performed automatically when you delete the domain controller object. In addition, the server object and the computer object are also deleted automatically, which eliminates the need to perform those additional procedures.
As an alternative, you can also use Active Directory Sites and Services in Windows Server 2008 to delete a domain controller object. If you use Active Directory Sites and Services, you must delete the associated server object and NTDS Settings object before you can delete the domain controller object.
If you do not have Windows Server 2008, you can instead download and use the Microsoft Remote Server Administration Tools for Windows Vista (http://go.microsoft.com/fwlink/?LinkID=115118) to perform this procedure.
 
To delete a domain controller object using Active Directory Users and Computers in Windows Server 2008
1.    Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2.    In the console tree, double-click the domain container, and then double-click the Domain Controllers organizational unit (OU).
3.    In the details pane, right-click the domain controller that you want to delete, and then click Delete.
Resetting the krbtgt password
Use the following procedure to reset the krbtgt password for the domain. The following procedure applies to domain controllers that run Windows Server 2003 or writable domain controllers (not read-only domain controllers (RODCs)) that run Windows Server 2008.
 
Important
If you leave RODCs online during the forest recovery, do not delete the krbtgt accounts for the RODCs. The krbtgt account for an RODC is listed in the format krbtgt_number.
 
To reset the krbtgt password
1.    Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.
2.    In the console tree, double-click the domain container, and then click Users.
3.    In the details pane, right-click the krbtgt user account, and then click Reset Password.
4.    In New password, type a new password, retype the password in Confirm password, and then click OK.
 
Notes
As mentioned in "Recovery steps," earlier in this guide, you should perform this operation twice.
 
Resetting the computer account password of the domain controller
Use the following procedure to reset the computer account password of the domain controller. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
 
To reset the computer account password of the domain controller
1.    At a command prompt, type the following command, and then press ENTER:
netdom help resetpwd
2.    Use the syntax that this command provides for using the NetDom command-line tool to reset the computer account password, for example:
netdom resetpwd /server: /userD:administrator /passwordd:*
Where is the local domain controller that you are recovering.
 
Note
As mentioned in "Recovery steps," earlier in this guide, you should run this command twice.
Resetting a trust password on one side of the trust - If you have trusts in place
Use the following procedure to reset a trust password on one side of the trust. This includes implicit trusts between child and parent domains as well as explicit trusts between this domain (the trusting domain) and another domain (the trusted domain).
Reset the password on only the trusting domain side of the trust, known in Windows Server 2003 as the incoming trust (the side where this domain belongs). Then, use the same password on the trusted domain side of the trust. In Windows Server 2003, this trusted domain is called the specified domain, and the trust is called the outgoing trust. Reset the password of the outgoing trust when you restore the first domain controller in each of the other (trusted) domains.
 
Important
To perform the following procedure, use the latest Netdom.exe command-line tool in the Windows Server 2003 Service Pack 1 32-bit Support Tools, which you can download from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=70775), or use Netdom.exe, which is included in Windows Server 2008 or in the Microsoft Remote Server Administration Tools for Windows Vista. Do not use older versions of the Netdom.exe command-line tool.
 
To reset a trust password on one side of the trust
1.    At a command prompt, type the following command, and then press ENTER:
netdom experthelp trust
2.    Use the syntax that this command provides for using the NetDom tool to reset the trust password.
For example, if there are two domains in the forest (a parent and a child) and you are running this command on the restored domain controller in the parent domain, use the following command syntax:
netdom trust /domain: /resetOneSide /passwordT: /userO:administrator /passwordO:*
When you run this command in the child domain, use the following command syntax:
netdom trust /domain: /resetOneSide /passwordT: /userO:administrator /passwordO:*
 
Note
passwordT should be the same value on both sides of the trust. Run this command only once (unlike the netdom resetpwd command) because it automatically resets the password twice.
Adding the global catalog
Use the following procedure to add the global catalog to a domain controller. The following procedure applies to domain controllers that run Windows Server 2003 or Windows Server 2008.
 
To add the global catalog
1.    Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2.    In the console tree, expand the Sites container, and then select the appropriate site that contains the target server.
3.    Expand the Servers container, and then expand the server object for the domain controller to which you want to add the global catalog.
4.    Right-click NTDS Settings, and then click Properties.
5.    Select the Global Catalog check box.
Once complete, plug the NIC back in and restart.
On all rebuilt DC boxes, configure the name, IP address and other settings as per the topology report.
Once each machine has joined back to the domain, run DCPROMO as per the original design.
 
Additional considerations
Be aware of the following issues when you perform a nonauthoritative restore of AD DS:
  • If the nonauthoritative restore procedure is preliminary to performing an authoritative restore of any restored objects, do not restart the domain controller until after you have completed the authoritative restore procedure.
  • When you use System Recovery Options to restore a Windows Server 2008 domain controller in an environment that has Distributed File System (DFS) Replication implemented, the SYSVOL restore is performed nonauthoritatively by default. To perform an authoritative restore of SYSVOL, include the -authsysvol switch in your recovery command, as shown in the following example:

    wbadmin start systemstaterecovery -authsysvol
 
  • If you use File Replication Service (FRS), the restore operation sets the BURFLAGS registry keys for FRS, which affects all replica sets that are replicated by FRS.
  • Wbadmin.exe does not require that you provide the target for the recovery. By specifying the backup version that you want to recover, the command proceeds to recover to the source location of the specified backup version.
  • Backup files are named for the date and time of the backup. When you recover, the version must be stated in the form MM/DD/YYYY-HH:MM, which specifies the name of the backup that you want to recover.
  • After the restore is completed, restart the server normally, and perform basic verification. When you restart the computer normally, AD DS and Active Directory Certificate Services (AD CS) automatically detect that they have been recovered from a backup. They perform an integrity check and index the database again.
  • After you log on to the system, browse AD DS, and verify that the following conditions are met:
    • All of the user objects and group objects that were present in the directory at the time of the backup are restored.
 
Note
Active Directory replication updates the objects that you restore with any changes that have been made to them since the time that the backup was taken.
  • Files that were members of an FRS replica set and certificates that were issued by AD CS are present.
  • The Windows Time service (W32time) is synchronized correctly.
  • The NETLOGON and SYSVOL folders are properly shared.
  • The Preferred DNS server address is configured correctly.
  • Host (A) and service (SRV) resource records are registered correctly in Domain Name System (DNS).
 
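The verification list above can be scripted so the same checks are run on every restored domain controller. The following PowerShell is an added example, not part of the Microsoft guide or this blog's original text: it checks the NETLOGON and SYSVOL shares, Windows Time synchronization, the preferred DNS server, the DC's own A record and the _ldap._tcp.dc._msdcs SRV record, and runs netdom query fsmo so that the operations master seizures from the earlier procedure can be confirmed. It uses only tools present on a Windows Server 2008 domain controller (WMI, w32tm, nslookup, netdom) and reads the domain name from the computer's own settings.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell on the
# recovered domain controller after it has been restarted normally. Each check is
# recorded as $true/$false and the summary at the end lists any failures.

$results = @{}
$domain  = (Get-WmiObject Win32_ComputerSystem).Domain
$fqdn    = "$env:COMPUTERNAME.$domain"

# 1. NETLOGON and SYSVOL must be shared before the DC advertises itself.
$shares = Get-WmiObject Win32_Share | ForEach-Object { $_.Name.ToUpper() }
$results['NETLOGON share'] = $shares -contains 'NETLOGON'
$results['SYSVOL share']   = $shares -contains 'SYSVOL'

# 2. Windows Time: the DC must have a real time source, not a free-running local clock.
$timeStatus = w32tm /query /status 2>&1 | Out-String
$results['W32time synchronized'] = ($timeStatus -match 'Source:') -and
                                   ($timeStatus -notmatch 'Local CMOS Clock|Free-running')

# 3. Preferred DNS server configured on every IP-enabled adapter.
$adapters   = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$dnsServers = $adapters | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
$results['Preferred DNS server configured'] = @($dnsServers).Count -gt 0

# 4. Host (A) record: the DC's FQDN must resolve to one of its own IPv4 addresses.
$ownIPs = $adapters | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    $results['A record registered'] = @($resolved | Where-Object { $ownIPs -contains $_ }).Count -gt 0
} catch {
    $results['A record registered'] = $false
}

# 5. SRV record: _ldap._tcp.dc._msdcs.<domain> must list this DC.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1 | Out-String
$results['SRV record registered'] = $srv -match [regex]::Escape($fqdn)

# 6. Operations master roles: confirm the seizures took effect and the query succeeds.
$fsmo = netdom query fsmo 2>&1 | Out-String
$results['FSMO query succeeded'] = $fsmo -match 'completed successfully'
Write-Host $fsmo

# Summary
$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-32} {1}' -f $_.Name, $(if ($_.Value) { 'OK' } else { 'FAILED' })
}
if ($results.Values -contains $false) { Write-Warning 'One or more post-restore checks failed.' }
```

A failed SRV or A record check right after the restart is common until the Netlogon service has re-registered its records; re-run the script after a few minutes (or after net stop netlogon / net start netlogon) before treating it as a problem.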
Forest Bare Metal Recovery - Windows & AD Failed

02 February 2011
12:48
To recover: Windows, Disks and Applications
 
Loss of an Active Directory Forest
Requirements: Full Bare Metal backup & System State
You need to make sure that a full server backup is available!
You need to know the DSRM Admin account and password
 
Performing a full Forest recovery of a domain controller by using the GUI
 
Because this is the first writable domain controller in the domain, you must perform a nonauthoritative restore of AD DS and an authoritative restore of the SYSVOL folder.
 
An authoritative restore of SYSVOL is required because replication of the SYSVOL replicated folder must be started after you recover from a disaster. All subsequent domain controllers that are added in the domain must resynchronize their SYSVOL folder with a copy of the folder that has been selected to be authoritative before the folder can be advertised.
 
If you are restoring a domain controller that runs Windows Server 2008, use Wbadmin.exe to perform a nonauthoritative restore of AD DS. At the same time, perform an authoritative restore of SYSVOL by including the -authsysvol switch in your recovery command, as shown in the following example:
wbadmin start systemstaterecovery -authsysvol
 
The first DC we will restore is the FSMO owner in the root domain. This will be a complete bare metal recovery, so that the server is restored with Directory Services installed. Once it is recovered, the latest system state is restored with an authoritative SYSVOL.
 
You can use this procedure to perform full server recovery of a domain controller with Windows Complete PC Restore.
There are no administrative credential requirements. No authentication is performed when you start in Windows RE.
Make sure the DC is not connected to the network
 
A full server recovery recovers every volume on the server. Use this type of recovery to recover from hard drive failures or file corruption on the same hardware with the same operating system installed.
A full server recovery reformats and repartitions all disks that are attached to the server. Use this scenario if you want to recover onto new hardware or if all other attempts to recover the server on the existing hardware have failed.
Before you perform a full server recovery, be aware that any existing data that is not included in the backup will be deleted when you complete this operation. This includes any volumes that are currently used by the server but not included in the backup.
For example, suppose you back up drives C, D, and E and disk 1, and the server also includes application data on disk 2. When you use that backup to perform a full server recovery, all the application data on disk 2 is lost.
If you recover to a dynamic disk that is not included in the backup, the partition (and the data that is stored on it) is deleted and then re-created without the data.
 
 
To perform full server recovery of a domain controller by using the GUI
  1. Insert the Windows Server 2008 installation DVD into the disk drive, and then restart the domain controller.
  2. When you are prompted, press a key to start from the DVD.
  3. At the initial Windows screen, accept or select language options, the time and currency format, and a keyboard layout, and then click Next.
  4. At the Install now screen, click Repair your computer.
  5. In the System Recovery Options dialog box, click anywhere to clear any operating systems that are selected for repair, and then click Next.
  6. Under Choose a recovery tool, click Windows Complete PC Restore.
  7. If the backup is stored on a remote server, a message indicates that Windows cannot find a backup on the hard disks or DVDs on this computer. Click Cancel to close the message.
  8. Click Restore a different backup, and then click Next.
  9. On the Select the location of the backup page, perform either set of the following steps, depending on whether the backup is stored locally or on a network shared folder:
    a. If the backup is stored on the local computer, select the location of the backup, and then click Next.

      Or
    b. If the backup is stored on a network shared folder, click Advanced, and then click Search for a backup on the network.
    c. Click Yes to confirm that you want to connect to the network.
    d. In Network Folder, type the Universal Naming Convention (UNC) name for the network share, and then click OK.
    e. Type credentials for a user account that has sufficient permissions to restore the backup, and then click OK.
    f. On the Select the location of the backup page, click the location of the backup, and then click Next.
  10. Click the backup to restore, and then click Next.
  11. If you want to replace all data on all volumes, regardless of whether they are included in the backup, on the Choose how to restore the backup page, select the Format and repartition disks check box.
  12. Note that the drive holding the backup is already excluded, so you can simply click Next.
 
  13. To prevent volumes that are not included in the restore from being deleted and re-created, click Exclude Disks, select the check box for the disks that you want to exclude, and then click OK.
  14. Click Next, and then click Finish.
  15. Select the I confirm that I want to format the disks and restore the backup check box, and then click OK.
  16. Next we need to restore the best available system state backup.
  17. Click Start, click Command Prompt, and then click Run as administrator.
  18. At the command prompt, type the following command, and then press ENTER:
    bcdedit /set safeboot dsrepair
 
  19. Type the following command, and then press ENTER:
    shutdown -t 0 -r
  20. The server will now boot into Directory Services Restore Mode (DSRM).
  21. At the Windows logon screen, click Switch User, and then click Other User.
  22. Type .\administrator as the user name, type the DSRM password for the server, and then press ENTER.
  23. Click Start, right-click Command Prompt, and then click Run as administrator.
  24. At the command prompt, type the following command, and then press ENTER:
    wbadmin get versions -backuptarget:: -machine:

    [Screenshot: output of wbadmin get versions on the recovered server, listing the available backup versions]
    wbadmin 1.0 - Backup command-line tool
    (C) Copyright 2004 Microsoft Corp.
    Backup time: 1/28/2011 1:05 PM
    Backup target: 1394/USB Disk labeled E:
    Version identifier: 01/28/2011-13:05
    Can Recover: Application(s), System State
    Backup time: 1/31/2011 12:18 PM
    Backup target: 1394/USB Disk labeled E:
    Version identifier: 01/31/2011-12:18
    Can Recover: Application(s), System State
 
  25. Where:
    • : is the location of the backup that you want to restore.
    • is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.
  26. Identify the version that you want to restore.
    You must enter this version exactly in the next step.
  27. At the command prompt, type the following command, and then press ENTER:
    wbadmin start systemstaterecovery -version:
    -backuptarget:: -machine: -authsysvol
    -quiet

    [Screenshot: the system state recovery command as run on the author's server]
    C:\Users\Administrator.DRDCO1>wbadmin start systemstaterecovery -version:01/31/2011-12:18 -backuptarget:E: -machine:DRDCO1 -authsysvol
    wbadmin 1.0 - Backup command-line tool
    (C) Copyright 2004 Microsoft Corp.
    Do you want to start the system state recovery operation?
    [Y] Yes [N] No y
 
  28. Where:
    • is the version of the backup that you want to restore.
    • : is the volume that contains the backup.
    • is the name of the computer where you want to recover the backup. This parameter is useful when you have backed up multiple computers to the same location or you have renamed the computer since the backup was taken.

      If you do not specify the -quiet parameter, you are prompted to press Y to proceed with the restore process and press Y to confirm that the replication engine for SYSVOL has not changed since you created the backup.
      After the recovery operation has completed, if you are not going to perform an authoritative restore of any restored objects, restart the server as described below.
 
Now restart the server and follow STAGE 2
  29. To restart the server normally after you perform the restore operation, type the following command, and then press ENTER:

    bcdedit /deletevalue safeboot

    Type the following command, and then press ENTER:

    shutdown -t 0 -r
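The guide stresses that the version identifier must be entered exactly as wbadmin prints it. The following PowerShell is an added example, not part of the Microsoft guide or this blog's original text: it parses the wbadmin get versions listing, picks the most recent version that can recover System State, and builds the systemstaterecovery command line with -authsysvol so nothing is retyped by hand. The sample listing is constructed from the screenshot above; the backup target E: and the machine name DRDCO1 are placeholders taken from that screenshot and must be replaced with your own.

```powershell
# Added example, not from the original guide. Parses 'wbadmin get versions' output,
# selects the newest "Version identifier" (format MM/DD/YYYY-HH:MM) and builds the
# recovery command. Run in DSRM from an elevated prompt on the recovered DC.

function Get-WbadminVersions {
    # Turn wbadmin's text listing into objects; $Text is the raw command output.
    param([Parameter(Mandatory = $true)][string]$Text)

    $versions = @()
    $current  = $null
    foreach ($line in ($Text -split "`r?`n")) {
        switch -regex ($line.Trim()) {
            '^Backup time:\s*(.+)$'   { $current = @{ BackupTime = $matches[1] } }
            '^Backup target:\s*(.+)$' { if ($current) { $current.Target = $matches[1] } }
            '^Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})$' {
                if ($current) {
                    $current.Version = $matches[1]
                    # Parse the identifier so versions sort by real time, not as strings.
                    $current.Timestamp = [datetime]::ParseExact($matches[1], 'MM/dd/yyyy-HH:mm', $null)
                }
            }
            '^Can Recover:\s*(.+)$' {
                if ($current) {
                    $current.CanRecover = $matches[1]
                    $versions += New-Object PSObject -Property $current
                    $current = $null
                }
            }
        }
    }
    $versions
}

function New-SystemStateRecoveryCommand {
    # Build the command shown in the procedure above; -version must match the listing exactly.
    param(
        [Parameter(Mandatory = $true)][string]$Version,
        [Parameter(Mandatory = $true)][string]$BackupTarget,
        [Parameter(Mandatory = $true)][string]$Machine
    )
    "wbadmin start systemstaterecovery -version:$Version -backuptarget:$BackupTarget -machine:$Machine -authsysvol"
}

# Constructed sample listing, based on the screenshot above (placeholders: E: and DRDCO1).
$sampleOutput = @"
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.

Backup time: 1/28/2011 1:05 PM
Backup target: 1394/USB Disk labeled E:
Version identifier: 01/28/2011-13:05
Can Recover: Application(s), System State

Backup time: 1/31/2011 12:18 PM
Backup target: 1394/USB Disk labeled E:
Version identifier: 01/31/2011-12:18
Can Recover: Application(s), System State
"@

# On the real server replace $sampleOutput with:
#   wbadmin get versions -backuptarget:E: -machine:DRDCO1 | Out-String
$versions = Get-WbadminVersions -Text $sampleOutput
$latest   = $versions | Where-Object { $_.CanRecover -match 'System State' } |
            Sort-Object Timestamp | Select-Object -Last 1
$latest | Format-List

# Prints the command to run (here with -version:01/31/2011-12:18); review it, then run it.
New-SystemStateRecoveryCommand -Version $latest.Version -BackupTarget 'E:' -Machine 'DRDCO1'
```

The script deliberately prints the command instead of executing it: the restore reformats nothing, but it does overwrite the directory database, so the operator should confirm the version and target before pressing ENTER.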
 
 
 
 
