In Windows 2000, backing up and restoring Active Directory is a very important job. In NT, all information about user and enterprise configuration is stored in the registry, so we only need to back up the registry. But in Windows 2000, all security information is stored in Active Directory, and its backup method is completely different from that in NT.
You can't back up Active Directory separately, and Windows 2000 backs up Active Directory as part of the system state data. System status data includes the registry, system startup files, class registration database, certificate service data, file copy service, cluster service, domain name service and Active Directory 8 parts, usually only the first 3 parts. These 8 parts cannot be backed up separately and must be backed up as part of the system status data.
1. Backing up Active Directory data
If there is more than one DC in a domain, it is not necessary to back up Active Directory when reinstalling one of the DCs. You only need to put it in. When a DC is removed from the domain, reinstalled, and brought back to the domain, the other DC will naturally copy the data to this DC.
If the last DC is left in a domain, it is necessary to back up Active Directory. The detailed process is as follows:
1. "Start" menu -> "Run", enter "ntbackup", start the win2000 backup tool.
2. Use "Backup Wizard" in the "Welcome" tab, select "Backup only system status data" in the Backup Contents page of the Backup Wizard dialog box, and the next step.
3. In the "Backup Saved Location" page, enter the name of the file where the backup data is stored, such as "d:?akAD0322.bkf". Next, complete the backup wizard. If you want to make some settings, such as verifying the data after the backup is complete, use the "Advanced" option to configure.
4. Select "Done" to start the backup. Depending on the amount of data, it may take a few minutes to ten minutes or even longer. The backup report will be generated after the backup is completed.
5. Suggestion: Usually the files to be backed up are relatively large. I have backed up a few times between 250-300M, so I need to find a large-capacity space for storage. Because the backup contains very sensitive account information, etc., the backup data should be properly saved.
2. Active Directory Recovery
There are two ways to recover Active Directory.
The first is to recover data from other DCs in the domain, provided that there is still one DC available in the domain. When the damaged DC is reinstalled and added to its original domain, DC Data replication is automatically performed and Active Directory is restored.
Another way is to recover from backup media. Usually, for most small companies, there is only one domain for the entire company, and there is only one DC due to various restrictions on funds, so recovering Active Directory from media is a common problem.
1. Authentication and non-authentication methods
There are two ways to perform Active Directory recovery from backup media: authoritative restore and nonauthoritative restore.
Normally, Windows 2000 uses non-authentication mode recovery: After Active Directory recovers from backup media, other DCs in the domain will overwrite the old recovered old data with new data during the replication process. For example, let's say that today is Friday, you used a Wednesday backup to restore Active Directory, then the data that has changed since Wednesday will be copied to the DC where you are restoring Active Directory, that is, new data will overwrite you. Use the backup to recover the data.
The authentication mode is completely different. It will forcibly copy the data recovered from the backup media to all DCs in the domain, regardless of whether the data has changed since the backup. Also take the above example, when you use the backup of Wednesday to restore Active Directory on Friday, the recovered data will be copied to all DCs in the domain, forcibly overwriting all the data changed after the backup, the data in the domain It is restored to the state at the time of backup. Authentication mode recovery Active Directory is usually used in this situation: Active Directory has a serious error on a DC in the domain, and this error is spread to other DCs in the domain through replication, then it needs to be used on a DC. The authentication method restores Active Directory and forces the domain to return to its original good state. It should be said that this method is used in a more efficient way to restore Active Directory.
2. Non-Verified Recovery Active Directory
To achieve non-authenticated recovery, the directory service must be offline (the directory service does not have to be offline when backing up Active Directory). In order to recover Active Directory, you must use the server in "Directory Services Recovery Mode". To do this, you need to restart the server. When the screen prompts you to select the operating system, press F8 to start the system startup advanced menu and select "Directory Service Recovery Mode".
When the Windows 2000 user login window appears, enter the local administrator account and password (note that the administrator's account and password are not in Active Directory, because Active Directory is offline and unavailable. You Only use the administrator account and password stored in the Security Account Manager, sometimes called SAM. Once the login is successful, you can resume Active Directory operations.
(1) Start the backup program that comes with Windows 2000: "Start" -> "Run", enter "ntbackup";
(2) Select "Restore Wizard" in the welcome tab, skip The welcome screen, the backup program displays a backup set that can be used for data recovery.
(3) Select the appropriate backup file to complete the data recovery. Restart the machine.
(4) Note: Under normal circumstances, you can not restore the Active Directory data backed up 60 days ago, this is because of Windows2000 tombstone lifetime (can be understood as the survival time, because it can not accurately translate its meaning, have to copy On.----Bohai), unless you have set it up.
3. Authentication Mode Recovery Active Directory
To implement authentication mode recovery, you must first implement non-authentication mode recovery, then you can use the NTDSUTIL command line tool to implement authenticated Active Directory recovery. Verification recovery enables recovery of all or part of Active Directory data.
(1) Use non-authentication to restore Active Directory and restart the machine.
(2) Start Windows2000 again using "Directory Service Recovery Mode" and log in as an administrator.
(3) "Start" -> "Run", enter "ntdsutil", start the command line tool.
(4) To recover the entire Active Directory database, use the following command:
authoritative restore
restore database
To recover part of Active Directory data, use the following command:
authoritative restore
restore subtree ou=Brien,dc=files,dc=COM
The red part should be determined according to the actual situation, for example, your domain name is mydom. Net, the OU to be restored is myou, the second line command should be: restore subtree ou=myou, dc=mydom, dc=net, and so on. The way to recover some data is sometimes used to recover deleted OUs. For example, there are two administrators in a domain. You and A, A have a little dish :), accidentally deleted an important OU last night, you can Use Authenticated Recovery to restore this OU, the premise is that you have a backup before the OU was deleted.
Finally use the quit command to exit and restart the machine.