learn-pr/wwl-azure/troubleshoot-active-directory/includes/3-recover-active-directory-domain-services-database.md (10 additions & 10 deletions)
@@ -9,7 +9,7 @@ The AD DS database is stored as a file named Ntds.dit. When you install and conf
Within the Ntds.dit file are all the partitions that the domain controller hosts. In the NTDS folder are other files that support the AD DS database. The Edb*.log files are the transaction logs for AD DS. When a change occurs in the directory:
-
1. It is first written to the log file.
+
1. It's first written to the log file.
1. The change is committed to the directory as a transaction.
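Review bot: in the changed step "It's first written to the log file", the pronoun "It" has no clear antecedent because the lead-in ends with "When a change occurs in the directory:"; the second step reintroduces "The change", so suggest "The change is first written to the log file." for the first step as well, since this line is already being touched.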
@@ -22,7 +22,7 @@ The following table describes the different file-level components of the AD DS d
| Ntds.dit| Main AD DS database file. Contains Active Directory partitions and objects.|
| Edb*.log| Transaction logs. Under normal operations, new transactions in the transaction log overwrite old transactions. However, if many transactions occur within a short period, AD DS creates additional transaction log files. Therefore, if you look in the NTDS folder of a particularly busy domain controller, you might see several Edb*.log files.|
| Edb.chk| Database checkpoint file. The Edb.chk file acts like a bookmark in the log files. Edb.chk marks the location before which transactions have been successfully committed to the database, and after which transactions remain to be committed.|
-
| Edbres00001.jrs, Edbres00002.jrs| Reserve transaction log files. If a disk drive runs out of space, AD DS cannot write to the logs. So, AD DS maintains two extra log files, Edbres00001.jrs and Edbres00002.jrs. When a disk runs out of space for normal transaction logs, AD DS recruits the space used by these two files to write the transactions that are in a queue currently. After that, it safely shuts down Active Directory services, and dismounts the database.|
+
| Edbres00001.jrs, Edbres00002.jrs| Reserve transaction log files. If a disk drive runs out of space, AD DS can't write to the logs. So, AD DS maintains two extra log files, Edbres00001.jrs and Edbres00002.jrs. When a disk runs out of space for normal transaction logs, AD DS recruits the space used by these two files to write the transactions that are in a queue currently. After that, it safely shuts down Active Directory services, and dismounts the database.|
## Manage the AD DS database with NtdsUtil
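Review bot: on the changed Edbres row, "write the transactions that are in a queue currently" is awkward; since the row is already being edited for the "can't" contraction, suggest "write the currently queued transactions" in the same change. The rest of the row (shutdown of the directory service and dismount of the database once the reserve logs are consumed) reads correctly.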
@@ -57,25 +57,25 @@ You can use the following methods to restart AD DS:
- Windows PowerShell
> [!TIP]
-
> Other services running on the server that do not depend on AD DS to function, such as Dynamic Host Configuration Protocol (DHCP), remain available to respond to client requests while AD DS is stopped.
+
> Other services running on the server that don't depend on AD DS to function, such as Dynamic Host Configuration Protocol (DHCP), remain available to respond to client requests while AD DS is stopped.
-
Restartable AD DS requires minor changes to the existing Microsoft Management Console (MMC) snap-ins. By using the snap-in, an administrator can stop and restart AD DS more easily, as they would any other service that is running locally on the server. Although stopping AD DS is similar to signing in in DSRM, restartable AD DS provides a unique state, known as AD DS Stopped.
+
Restartable AD DS requires minor changes to the existing Microsoft Management Console (MMC) snap-ins. By using the snap-in, an administrator can stop and restart AD DS more easily, as they would any other service that is running locally on the server. Although stopping AD DS is similar to signing in DSRM, restartable AD DS provides a unique state, known as AD DS Stopped.
### What are the domain controller states?
The three possible states for a domain controller that is running Windows Server are as follows:
-
- AD DS Started. In this state, AD DS is started. The domain controller can perform AD DS–related tasks normally.****
+
- AD DS Started. In this state, AD DS is started. The domain controller can perform AD DS–related tasks normally.
-
- AD DS Stopped. In this state, AD DS is stopped. The domain controller has some characteristics of both a domain controller in DSRM and a domain-joined member server.****
+
- AD DS Stopped. In this state, AD DS is stopped. The domain controller has some characteristics of both a domain controller in DSRM and a domain-joined member server.
- DSRM. In this state, the AD DS database (Ntds.dit) on the local domain controller is offline. Another domain controller can be contacted for sign-in, if one is available. If no other domain controller can be contacted, you can do one of the following, by default:
- Sign in to the domain controller locally in DSRM by using the DSRM password.
- Restart the domain controller to sign in with a domain account.
-
As with a member server, the domain controller in the Stopped state is still joined to the domain. Because the domain controller is still joined to the domain, Group Policy and other settings still apply to the computer. However, a domain controller should not remain in the AD DS Stopped state for an extended period because in this state, it cannot service sign-in requests or replicate with other domain controllers.
+
As with a member server, the domain controller in the Stopped state is still joined to the domain. Because the domain controller is still joined to the domain, Group Policy and other settings still apply to the computer. However, a domain controller shouldn't remain in the AD DS Stopped state for an extended period because in this state, it can't service sign-in requests or replicate with other domain controllers.
## Manage AD DS snapshots
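Review bot: the edit to the Restartable AD DS paragraph changes "similar to signing in in DSRM" to "similar to signing in DSRM", which drops a preposition the sentence needs: the original was the verb "signing in" followed by "in DSRM". Suggest "similar to signing in to DSRM" or "similar to signing in while in DSRM". The removal of the stray `****` markers from the "AD DS Started" and "AD DS Stopped" list items and the contraction changes in the TIP and the Stopped-state paragraph are fine.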
@@ -97,11 +97,11 @@ After completing the restoration, you must restart the server. The domain contro
In a normal restoration, you restore a backup of AD DS as of a known good date. Essentially, you roll the domain controller back in time. When AD DS restarts on the domain controller, the domain controller contacts its replication partners and requests all subsequent updates. In other words, the domain controller catches up with the rest of the domain by using standard replication mechanisms.
-
Normal restoration is useful when the directory on a domain controller has been damaged or corrupted, but the problem has not spread to other domain controllers. However, for certain situations a normal restoration is not sufficient. For example, normal restoration will not work where damage has replicated, such as when you delete one or more objects, and that deletion has replicated. If you restore a known good version of AD DS and restart the domain controller, the deletion—which happened after the backup—simply replicates back to the domain controller.
+
Normal restoration is useful when the directory on a domain controller has been damaged or corrupted, but the problem has not spread to other domain controllers. However, for certain situations a normal restoration isn't sufficient. For example, normal restoration won't work where damage has replicated, such as when you delete one or more objects, and that deletion has replicated. If you restore a known good version of AD DS and restart the domain controller, the deletion—which happened after the backup—simply replicates back to the domain controller.
### Perform authoritative restore
-
An authoritative restore is necessary when you have restored a known good copy of AD DS and it contains objects that must override existing objects in the AD DS database. In an authoritative restore, you restore the known good version of AD DS just as you do in a normal restore. However, before you restart the domain controller, you mark the accidentally deleted or previously corrupted objects that you wish to retain as authoritative, so that they will replicate from the restored domain controller to its replication partners. When you mark objects as authoritative, Windows increments the version number of all object attributes to be so high that the version is virtually guaranteed to be higher than the version number on all other domain controllers.
+
An authoritative restore is necessary when you have restored a known good copy of AD DS and it contains objects that must override existing objects in the AD DS database. In an authoritative restore, you restore the known good version of AD DS just as you do in a normal restore. However, before you restart the domain controller, you mark the accidentally deleted or previously corrupted objects that you wish to retain as authoritative, so that they'll replicate from the restored domain controller to its replication partners. When you mark objects as authoritative, Windows increments the version number of all object attributes to be so high that the version is virtually guaranteed to be higher than the version number on all other domain controllers.
When the restored domain controller restarts, it replicates from its replication partners all the changes made to the directory. It also notifies its partners that it has changes, and the version numbers of the changes ensure that partners take the changes and replicate them throughout the directory service.
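Review bot: contraction style is applied inconsistently within this hunk: "isn't", "won't" and "they'll" are contracted, but "the problem has not spread" in the same paragraph and "when you have restored" in the authoritative-restore paragraph are left long. Suggest "hasn't spread" and "you've restored" for consistency, and "that you want to retain" in place of "that you wish to retain" on the changed line.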
@@ -114,7 +114,7 @@ To perform an authoritative restore, complete the following procedure:
1. Sign in with the Administrator account and the DSRM password.
-
1. Restore the directory with Windows Server Backup. Before restarting the domain controller, you must first mark as authoritative the objects that you wish to persist after restart—that is, the deleted objects that you are trying to restore. To mark an object as authoritative, at the command prompt, run the following commands:
+
1. Restore the directory with Windows Server Backup. Before restarting the domain controller, you must first mark as authoritative the objects that you wish to persist after restart—that is, the deleted objects that you're trying to restore. To mark an object as authoritative, at the command prompt, run the following commands:
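Review bot: the changed step bundles two distinct actions, restoring the directory with Windows Server Backup and then marking objects authoritative before the restart, into one numbered item. Because the "must first mark ... before restarting" ordering is what makes the restore authoritative, consider splitting it into two steps so the dependency is explicit to readers following the list. The "you're" contraction itself is fine.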
learn-pr/wwl-azure/troubleshoot-active-directory/includes/4-recover-sysvol.md (6 additions & 4 deletions)
@@ -6,7 +6,8 @@ Group Policy settings are presented as Group Policy Objects (GPOs) in AD DS user
| Group Policy Template| The Group Policy template stores the settings, and is a collection of files stored in the SYSVOL of each domain controller in the `%SystemRoot%\SYSVOL\Domain\Policies\GPOGUID` path, where GPOGUID is the GUID of the Group Policy container. When you make changes to the settings of a GPO, the changes are saved to the Group Policy template of the domain controller from which the GPO was opened.|
> [!NOTE]
-
> By default, this is the domain controller that holds the primary domain controller (PDC) emulator operations master role.
+
> By default, this is the domain controller that holds the primary domain controller (PDC) emulator operations master role.
+
## What is Group Policy replication?
Group Policy containers and Group Policy templates are both replicated between all domain controllers in a single domain in AD DS. But these two elements use different replication mechanisms:
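Review bot: the removed and re-added NOTE line are visibly identical, so this is a whitespace-only change (trailing whitespace or line ending) that the rendered view cannot show; the substantive part of the hunk is the blank line inserted between the NOTE and "## What is Group Policy replication?", which Markdown needs to end the blockquote before the heading. Worth stating in the PR description so reviewers don't hunt for a text change on that line.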
@@ -30,7 +31,8 @@ There are a number of ways to perform an authoritative restore of SYSVOL. After
- Perform a system state restore using `wbadmin –authsysvol`
> [!TIP]
-
> If you have the option to restore a system state backup (that is, you are restoring AD DS to the same hardware and operating system instance) then using `wbadmin –authsysvol` is simpler.
+
> If you have the option to restore a system state backup (that is, you are restoring AD DS to the same hardware and operating system instance) then using `wbadmin –authsysvol` is simpler.
+
But if you need to perform a bare metal restore, then you need to edit the `msDFSR-Options` attribute.
### Perform an authoritative synchronization of DFSR-replicated SYSVOL
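Review bot: the TIP line is re-added with no visible text change, but both it and the unchanged list item above write the switch as `wbadmin –authsysvol` with an en dash (–) rather than an ASCII hyphen; a reader who copies the command will get an unrecognized parameter. Since the line is being touched anyway, suggest `wbadmin -authsysvol` with a plain hyphen in both places. The blank line added before "But if you need to perform a bare metal restore" correctly closes the blockquote.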
@@ -43,9 +45,9 @@ Use the following procedure to perform an authoritative synchronization of SYSVO
1. Enable both of the following from the **View** menu:
-
- Advanced Features
+
- Advanced Features
-
- User, Contacts, Groups, and Computers as containers
+
- User, Contacts, Groups, and Computers as containers
1. In your domain, expand **Domain Controllers**, expand the specific domain controller you restored, expand **DFSR-LocalSettings**, and then select **Domain System Volume**.
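Review bot: the two sub-items under step 1 show no visible text change, so this is an indentation fix to nest them under the numbered step. While these lines are being touched, check the menu label: the View menu item in Active Directory Users and Computers is "Users, Contacts, Groups, and Computers as containers" (plural "Users"), so the second sub-item should read "Users, ..." rather than "User, ...".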
learn-pr/wwl-azure/troubleshoot-active-directory/includes/5-troubleshoot-active-directory-domain-services-replication.md (1 addition & 1 deletion)
@@ -116,7 +116,7 @@ The five operations master roles have the following distribution:
- Each AD DS domain has one relative ID (RID) master, one infrastructure master, and one primary domain controller (PDC) emulator.
-
The operations master perform the following functions:
+
The operations master performs the following functions:
- Domain naming master. This is the domain controller that you must contact when you add or remove a domain or make domain name changes. If the domain naming master is unavailable, you won't be able to add domains to the forest.
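Review bot: changing "perform" to "performs" makes the verb agree with the singular "operations master", but the list that follows describes what each of the five different roles does, and the preceding bullet counts them per domain, so the subject is really plural. Suggest "The operations masters perform the following functions:" or "Each operations master performs the following function:" rather than the singular-subject, plural-object form.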