Brief tidbit of information that I can’t believe I just found out today. As we all know, you may choose to use distribution groups if you don’t want to use a group to assign permissions. Now, I knew you could convert from a distribution group to a security group and vice versa, and also that the conversion from a distribution group to a security group happens automatically if you assign the distribution group to the ACL of an object. What I didn’t think of is that anyone can do this, not just admins. For example, if a user gives a distribution group permission to their Outlook calendar, that distribution group is now a security group. I learned something new today.
Quick note for today. If you copy the WindowsImageBackup folder, say from a network share or another computer, to your local computer, and you want Windows Server Backup to recognize it so you can perform a restore, place the WindowsImageBackup folder in the root of a local drive.
Well, I’ve been taking a closer look at backing up and restoring Windows Server in general since I have been practicing forest restore procedures. I initially did a simulation with Windows 2003 and wanted to perform a simulation with Windows 2008 as well. But, as I was preparing the backups for my domain controllers, I realized I wasn’t really all that familiar with how the new Windows Server Backup (WSB) utility actually works.
So, in this post I want to take a closer look at what actually happens when you take a backup and the differences between WSB in 2008 and 2008R2.
Windows 2008 includes some new tools for working with backups of the Active Directory database. One of these is the Dsamain.exe tool, which can create LDAP instances from snapshots of the Active Directory database that you can then browse with standard tools like Ldp.exe or Active Directory Users and Computers.
One of the situations you hear given as an example of how Dsamain can be helpful is when you have multiple backups of a domain controller and you want to view the contents of those backups. If you are new to this process, it may not be readily clear how you can view the contents of the Active Directory database in a backup. After all, Windows Server Backup creates its backups in a VHD file. How the heck are you supposed to view the Active Directory database?
I’ve been looking a lot at backing up and recovering domain controllers from disaster lately. It is something I haven’t had to do a whole lot of (thankfully) in the past so I wanted to do some research and a little labbing to understand possible actions that can be taken.
Obviously one of the most common things that can be done to recover a domain controller is restoring the system state from backup. A system state backup is actually the bare minimum that is needed to recover Active Directory in the event of disaster. However, because the system state consists of very critical components of the operating system, it can be notoriously quirky when being restored. So, in this post I just wanted to list some of the things I’ve noticed and would want to keep in mind when looking at restoring the system state.
Some of the materials I have read on Active Directory and DNS I feel have not done a clear job explaining exactly what the _msdcs subdomain is and how it is used in an Active Directory forest.
The following is my explanation which I hope makes some sense out of the issue.
I’ve read a lot of materials that, when explaining global catalogs, emphasize that a global catalog must be available for a user to log on to the domain. I’ve seen a lot of these materials also state that even if another domain controller is available, as long as a global catalog is not available a user will not be able to log on to the domain.
I’ve done a little digging on TechNet and set up a lab to understand this better. But, ultimately, whether a global catalog is needed for users to log on to the domain is dependent on whether you are in a single or multiple domain forest.