Wednesday, March 2, 2016

Backup Types in Windows Server 2012

In Windows Server 2012, Windows Server Backup can perform the following types of backup:
Full backup: A full backup is a block-level copy of every block on the volumes being protected. Rather than copying individual files and folders to the backup media, the underlying disk blocks are copied to the backup media.
Incremental backup: An incremental backup copies only the blocks that have changed since the last full or incremental backup. During an incremental backup, only those changed blocks are copied to the backup media.

When the incremental backup completes, the copied blocks are marked as backed up. During recovery, the baseline (full) blocks are restored first; each subsequent set of changed blocks is then applied to bring the recovered data to the required point in time in a consistent manner.
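The full/incremental behaviour described above is configured separately from the backup policy itself. The following is an added example, not code from the original page: it builds a scheduled Windows Server Backup policy from PowerShell and switches the server to block-level incremental backups. It assumes the Windows Server Backup feature is installed, that D: holds the data to protect, and that E: is the backup volume; all three are placeholders.

```powershell
# Added example (not from the original page): build and run a Windows Server Backup
# policy from PowerShell. Assumes the Windows Server Backup feature is installed and
# that D: holds the data to protect and E: is the backup volume (both assumed).
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# Protect the data volume plus what is needed for a bare-metal recovery.
$dataVolume = Get-WBVolume -VolumePath 'D:'
Add-WBVolume -Policy $policy -Volume $dataVolume
Add-WBBareMetalRecovery -Policy $policy      # also adds system state and critical volumes

# Send backups to the E: volume and run twice a day.
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target
Set-WBSchedule -Policy $policy -Schedule 01:00, 13:00

# A VSS full backup tells other VSS-aware applications that their logs can be truncated;
# use -VssCopyBackup instead when another product owns the application backups.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# Persist the scheduled policy (this is what the Backup Schedule wizard does).
Set-WBPolicy -Policy $policy -Force

# Full vs. incremental is a server-wide performance setting, independent of the policy:
# AlwaysIncremental copies only changed blocks after the first full backup.
Set-WBPerformanceConfiguration -OverallPerformanceSetting AlwaysIncremental
Get-WBPerformanceConfiguration

# Run the policy once now and inspect the result.
Start-WBBackup -Policy $policy
Get-WBSummary | Format-List LastSuccessfulBackupTime, LastBackupResultHR, NumberOfVersions
```

Keep the backup target on a volume (or disk) that the protected workloads cannot write to, and check Get-WBSummary after the first scheduled run; a policy that is saved but never completes successfully is the most common silent failure.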

Implementing Windows Backup

What Needs to be Backed Up?
When planning backups, the key task is to identify what the organization must protect. Considerations include:
• Critical resources
• Backup verification
• Backup security
• Compliance and regulatory requirements

Overview of Disaster Recovery

Identifying Disaster Recovery Requirements
Before developing a disaster recovery strategy, an organization must identify its disaster recovery requirements to ensure that key resources receive adequate protection. The following high-level steps help identify those requirements:
1. Identify the resources that are valuable to the organization. These include data, the services that use the data, and the servers on which the data and services run.
2. Identify the risks to those key resources. For example, data may be deleted intentionally or unintentionally; a hard disk drive or the storage controller holding the data can fail; a service that uses critical data may fail for many reasons (such as network problems); a server may fail because of a hardware fault; and a power outage can take an entire site offline.
3. Determine the acceptable recovery time. Based on its business needs, the organization must decide how long it can afford to be without each critical resource. Acceptable recovery times range from minutes to hours or even a day.
4. Develop the recovery strategy. Based on the previous steps, the organization defines a service level agreement (SLA) that includes the required service levels and recovery times. The disaster recovery strategy should reduce the identified risks while restoring key resources within the minimum acceptable time the business requires.
 


NLB Features in Windows Server 2012

The most significant change to NLB in Windows Server 2012 is Windows PowerShell support. The NetworkLoadBalancingClusters module contains 35 NLB-related cmdlets. The module is available on servers where the NLB feature or the NLB Remote Server Administration Tools (RSAT) are installed. The Windows PowerShell
cmdlets use the following nouns:
• NlbClusterNode. Use to manage a cluster node. Includes the Add, Get, Remove, Resume, Set, Start, Stop, and Suspend verbs.
• NlbClusterNodeDip. Use to configure a cluster node's dedicated IP address. Includes the Add, Get, Remove, and Set verbs.
• NlbClusterPortRule. Use to manage port rules. Includes the Add, Disable, Enable, Get, Remove, and Set verbs.
• NlbClusterVip. Use to manage the NLB cluster's virtual IP address. Includes the Add, Get, Remove, and Set verbs.
• NlbCluster. Use to manage the NLB cluster. Includes the Get, New, Remove, Resume, Set, Start, Stop, and Suspend verbs.
• NlbClusterDriverInfo. Provides information about the NLB cluster driver. Includes the Get verb.
• NlbClusterNodeNetworkInterface. Use to retrieve information about a cluster node's network interface driver. Includes the Get verb.
• NlbClusterIpv6Address. Use to configure the cluster's IPv6 address. Includes the New verb.
• NlbClusterPortRuleNodeHandlingPriority. Use to set the handling priority of a node on a per-port-rule basis. Supports the Set verb.
• NlbClusterPortRuleNodeWeight. Use to set the load weight of a node on a per-port-rule basis. Supports the Set verb.
Note: To view the list of Windows PowerShell cmdlets for NLB, run the command
Get-Command -Module NetworkLoadBalancingClusters.

How Network Load Balancing Works

When you configure an application to use NLB, clients connect to the NLB cluster address rather than to the address of an individual cluster node. The NLB cluster address is a virtual address shared by all hosts in the NLB cluster.
NLB directs traffic as follows: every host in the NLB cluster receives the incoming traffic, but only one node,
selected by the NLB algorithm, accepts it. All other cluster nodes drop the traffic.
Which node accepts a given packet depends on the port rules and related settings configured on the cluster. Port rules let you decide, per port and protocol, whether traffic is accepted by a single node, distributed across multiple nodes, or blocked by the cluster altogether.
NLB also distributes new connections according to each node's load weight, so that nodes carrying less than their share receive more of the new traffic. For example, in a four-node cluster where three nodes are each serving 10 clients and one node is serving five, the node with fewer clients receives more of the incoming connections until usage is evenly balanced across the nodes.


Implementing Network Load Balancing

What Is NLB?
NLB is a scalable, high-availability feature that you can install on any edition of Windows Server 2012. Scalable means that you can add components (in this case, additional cluster nodes) to meet growing demand. A node in a Windows Server 2012 NLB cluster is a computer, physical or virtual, running the Windows Server 2012 operating system.
A Windows Server 2012 NLB cluster can have between 2 and 32 nodes. When you create an NLB cluster, it creates a virtual network address and a virtual network adapter. The virtual network adapter has an IP address and a Media Access Control (MAC) address. Network traffic sent to this address is distributed evenly across the nodes in the cluster. In a typical NLB configuration, each node serves roughly the same number of requests as every other node in the cluster.
When the NLB cluster receives a request, it forwards the request to the node that is currently least used. You can also configure some NLB nodes to take priority over others.
NLB is failure-aware. If an NLB cluster node goes offline, requests that would have gone to that node are directed to the other nodes, which continue to receive requests. When the failed node returns to service, incoming traffic is again redistributed across all cluster nodes to keep the load balanced.
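The cmdlets listed under "NLB Features in Windows Server 2012" and the port-rule, weighting and failover behaviour described above, as an added example that is not part of the original page. It builds a two-node cluster, replaces the permissive default port rule with one for HTTPS only, weights the nodes, and drains one node for maintenance. The host names WEB01/WEB02, the interface name Ethernet, the cluster name and the 10.0.0.0/24 addresses are placeholders.

```powershell
# Added example (not from the original page): two-node NLB cluster with a single HTTPS
# port rule and weighted node handling. Host, interface and cluster names and the
# 10.0.0.0/24 addresses are assumed placeholders.
Import-Module NetworkLoadBalancingClusters

# Create the cluster on the first host; this also creates the virtual IP and MAC address.
New-NlbCluster -HostName 'WEB01' -InterfaceName 'Ethernet' `
    -ClusterName 'web.contoso.com' -ClusterPrimaryIP 10.0.0.100 `
    -SubnetMask 255.255.255.0 -OperationMode Multicast

# Join the second host.
Add-NlbClusterNode -HostName 'WEB01' -InterfaceName 'Ethernet' `
    -NewNodeName 'WEB02' -NewNodeInterface 'Ethernet'

# The default port rule accepts every TCP and UDP port on all nodes. Replace it with one
# rule for TCP 443 so traffic to any other port is dropped by every node. "Multiple" mode
# spreads connections across nodes; Affinity None lets each connection land anywhere.
Get-NlbClusterPortRule -HostName 'WEB01' | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName 'WEB01' -StartPort 443 -EndPort 443 -Protocol TCP `
    -Mode Multiple -Affinity None

# Give WEB01 a larger share of port-443 connections than WEB02 (relative weights).
Set-NlbClusterPortRuleNodeWeight -HostName 'WEB01' -Port 443 -NodeName 'WEB01' -Weight 70
Set-NlbClusterPortRuleNodeWeight -HostName 'WEB01' -Port 443 -NodeName 'WEB02' -Weight 30

# Take WEB02 out of rotation for maintenance without cutting existing connections
# (drain-stop, up to 300 s), then confirm the remaining node is converged.
Stop-NlbClusterNode -HostName 'WEB02' -Drain -Timeout 300
Get-NlbClusterNode -HostName 'WEB01' | Format-Table Name, State, HostPriority

# Bring it back; NLB re-converges and rebalances new connections automatically.
Start-NlbClusterNode -HostName 'WEB02'
```

Drain-stopping, rather than stopping, a node is what makes a maintenance window invisible to clients; the failure-handling described above only covers nodes that disappear, and a plain stop drops their connections.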


Options for Updating a Certificate Template

In most organizations' CA hierarchies there is a certificate template for each job function. For example, there may be one certificate template for file encryption and another for code signing. In addition, there may be a few templates that cover most general-purpose functions.


As an IT administrator, you might need to modify an existing certificate template because of incorrect settings or other problems in the original template. You might also need to merge several existing certificate templates into a single template.
You can update a certificate template either by modifying the existing template or by superseding it with a new template.

Configuring Certificate Template Settings

Besides the security settings of a certificate template, you can configure many other settings for each template. However, be aware that the number of settings you can configure depends on the certificate template version.
For example, version 1 certificate templates allow no changes other than to the security settings, whereas templates of higher versions expose most of the configuration options.

Windows Server 2012 provides several default certificate templates for different purposes, including code signing (for digitally signing software), EFS (for encrypting data), and templates that enable users to sign in with smart cards. To customize a template for your organization, duplicate the template and then modify the copy's configuration.

What Are Certificate Templates?

Certificate templates allow administrators to customize how certificates are distributed, define the purposes for which a certificate can be used, and authorize which security principals are permitted to enroll for those certificate types. Administrators can create a template and then quickly deploy it across the enterprise by using the built-in graphical user interface or command-line management tools.

Each certificate template has an associated discretionary access control list (DACL), which defines which security principals have permission to read and configure the template, and to enroll or autoenroll for certificates based on it. Certificate templates and their permissions are defined in AD DS and are valid forest-wide. If more than one enterprise CA runs in the Active Directory forest, a permission change affects all of those CAs.
When you define a certificate template, the template definition must be available to all CAs in the forest. This is achieved by storing the certificate template information in the configuration naming context (CN=Configuration,DC=ForestRootName). Replication of this information depends on the Active Directory replication schedule, and the certificate template is not available to all CAs until replication completes. Storage and replication occur automatically.
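Because templates and their DACLs live in the configuration partition, they can be audited from any domain-joined machine with the Active Directory module. The following is an added example, not code from the original page: it lists every template with its schema version (which, as described under "Configuring Certificate Template Settings", decides how much of the template can be edited) and the principals the DACL allows to enroll or to modify the template. The two extended-right GUIDs are the well-known Enroll and AutoEnroll rights; everything else is read from the directory.

```powershell
# Added example (not from the original page): enumerate certificate templates from the
# forest configuration partition and report version and effective DACL grants.
# Requires the Active Directory module; needs only read access to the templates.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs that appear in template ACEs for Enroll and AutoEnroll.
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$templates = Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, 'msPKI-Template-Schema-Version', nTSecurityDescriptor

foreach ($t in $templates) {
    $aces = $t.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' }

    # Who can enroll: the Enroll/AutoEnroll rights, GenericAll, or "all extended rights"
    # (ExtendedRight with an empty ObjectType GUID covers every extended right).
    $enrollers = $aces | Where-Object {
        $_.ObjectType -eq $enrollRight -or $_.ObjectType -eq $autoEnrollRight -or
        $_.ActiveDirectoryRights -match 'GenericAll' -or
        ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType -eq [guid]::Empty)
    } | Select-Object -ExpandProperty IdentityReference -Unique

    # Who can change the template itself (write properties, change owner or DACL).
    $editors = $aces | Where-Object {
        $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'
    } | Select-Object -ExpandProperty IdentityReference -Unique

    [pscustomobject]@{
        Template = $t.displayName
        Version  = $t.'msPKI-Template-Schema-Version'   # 1 = security settings only editable
        Enroll   = ($enrollers | ForEach-Object { $_.Value }) -join '; '
        Modify   = ($editors   | ForEach-Object { $_.Value }) -join '; '
    }
}
```

Review the Modify column with the same care as Enroll: a principal that can write a template can change what the CA will issue for every CA in the forest, which is exactly the forest-wide effect of the DACL described above.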

Overview of the AD CS Server Role in Windows Server 2012

All PKI-related components are deployed as role services of the AD CS server role. The AD CS server role consists of several role services. Each role service is responsible for a specific part of the certificate infrastructure, and together they form a complete solution.
The AD CS role services are:
Ø  CA: This component issues certificates to users, computers, and services, and manages certificate validity. Multiple CAs can be linked to build a PKI hierarchy.
Ø  CA Web Enrollment: This component provides a method for issuing and renewing certificates for users and computers that are not domain-joined, that are not directly connected to the network, or that run non-Windows operating systems.
Ø  Online Responder: You can use this component to configure and manage Online Certificate Status Protocol (OCSP) validation and revocation checking. An Online Responder decodes revocation status requests for specific certificates, evaluates the status of those certificates, and returns a signed response containing the requested certificate status information. Unlike Windows Server 2008 R2, Windows Server 2012 lets you install the Online Responder on any edition, and its revocation data can come from a CA running Windows Server 2003, Windows Server 2008, or a non-Microsoft CA.
Ø  Network Device Enrollment Service: This component lets routers, switches, and other network devices obtain certificates from AD CS. In Windows Server 2008 R2 this role service was available only in the Enterprise and Datacenter editions, but in Windows Server 2012 you can install it on any edition.
Ø  Certificate Enrollment Web Service: This component acts as a proxy between Windows 7 and Windows 8 client computers and the CA. It is new in Windows Server 2008 R2 and Windows Server 2012 and requires an Active Directory forest at the Windows Server 2008 R2 functional level or higher. It enables users to connect to the CA through a web browser to:
  •  Request, renew, and install issued certificates.
  •  Retrieve CRLs.
  •  Download the root certificate.
  •  Enroll over the Internet or across forests (new in Windows Server 2008 R2).

Ø  Certificate Enrollment Policy Web Service: This component, also new in Windows Server 2008 R2 and Windows Server 2012, enables users to obtain certificate enrollment policy information. Combined with the Certificate Enrollment Web Service, it enables policy-based certificate enrollment when the client computer is not a domain member or when a domain member is not connected to the domain.


Implementing Active Directory Certificate Service

What Are CAs?
A CA is a highly trusted service that issues certificates to users and computers, maintains CRLs, and optionally answers OCSP requests. You can install the AD CS role in an environment with no existing CA to build a new PKI hierarchy, with this CA at its top.
You can have one or more CAs in a network, but only one CA can be at the top of the CA hierarchy (that CA is called the root CA and is discussed later in this module).

The main tasks of a CA are to issue certificates, revoke certificates, and publish AIA and CRL information. In doing so, the CA ensures that the certificates it issues to users, services, and computers can be validated.
A CA performs several functions or roles in a PKI. In many PKIs, these roles are separated across multiple CA servers. A CA provides a number of management tasks, including:
• Verifying the identity of the certificate requester.
• Issuing certificates to requesting users, computers, and services.
• Managing certificate revocation.
When you deploy the first CA in a network (the root CA), it issues its own certificate. After that, other CAs can obtain their certificates from that CA. You can also choose to obtain your CA certificate from one of the public CAs.
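The role services listed under "Overview of the AD CS Server Role" and the CRL/AIA publishing duties described above, as an added example that is not part of the original page. It installs an enterprise root CA with the Online Responder and CA Web Enrollment, then points issued certificates at HTTP CRL, AIA and OCSP locations. The CA name, key size, CRL periods and the http://pki.contoso.com URLs are assumptions; the <CaName>-style tokens are the CA's own replacement variables.

```powershell
# Added example (not from the original page): enterprise root CA plus Online Responder
# and Web Enrollment, with HTTP CDP/AIA/OCSP locations. Names and URLs are placeholders.
Import-Module ServerManager
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Online-Cert, ADCS-Web-Enrollment `
    -IncludeManagementTools

Import-Module ADCSDeployment
# The root CA signs its own certificate; key size and hash set the bar for the whole hierarchy.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'Contoso Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Install-AdcsOnlineResponder -Force
Install-AdcsWebEnrollment -Force

Import-Module ADCSAdministration
# Replace the default http://<ServerDNSName>/CertEnroll locations with a published
# HTTP path that non-domain and non-Windows clients can reach; LDAP and file entries stay.
Get-CACrlDistributionPoint | Where-Object { $_.Uri -like 'http://*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }
Add-CACrlDistributionPoint -Uri 'http://pki.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force

Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -like 'http://*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri 'http://pki.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt' `
    -AddToCertificateAia -Force
# OCSP URL that the Online Responder will serve.
Add-CAAuthorityInformationAccess -Uri 'http://pki.contoso.com/ocsp' -AddToCertificateOcsp -Force

# Short CRL lifetimes bound how long a revoked certificate remains accepted.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod Weeks
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod Days

Restart-Service certsvc
certutil -crl        # publish the first CRL to the configured locations
certutil -cainfo     # confirm the CA name and type
```

Publish the CRL and the CA certificate at the HTTP path before issuing anything; a certificate whose CDP or AIA URL does not resolve fails revocation checking on every client that enforces it.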

Tuesday, March 1, 2016

What Are Event Subscriptions of Event Logs?

In Event Viewer you can view events on a remote computer. However, troubleshooting a problem may require you to examine a chain of events stored in multiple logs on multiple computers. For this purpose, Event Viewer can collect copies of events from multiple remote computers and store them locally. To collect specific events, you create an event subscription. Once the subscription is active and events are being collected, you can view and manipulate the forwarded events like any other locally stored events.
To use event collection, you must configure both the forwarding and the collecting computers. Event collection depends on the Windows Remote Management (WinRM) service and the Windows Event Collector service (Wecsvc). Both services must be running on the computers that participate in the forwarding and collection process.
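A collector-initiated subscription of the kind described above, as an added example that is not part of the original page. The first two commands run on each source computer, the rest on the collector; the host names WEC01, SRV01 and SRV02, the domain CONTOSO and the chosen event IDs (4624/4625, logon success and failure) are assumptions. With Default credentials, the collector reads the source logs as its own computer account, which is why that account is added to Event Log Readers on the sources.

```powershell
# Added example (not from the original page): collector-initiated subscription pulling
# logon events from two member servers into the collector's ForwardedEvents log.
# Host names, domain and event IDs are placeholders.

# --- On each source computer: enable WinRM and let the collector's computer account
#     read the Security log.
winrm quickconfig -q
net localgroup "Event Log Readers" "CONTOSO\WEC01$" /add

# --- On the collector (WEC01): configure the Windows Event Collector service.
wecutil qc /q:true

# Subscription definition; MinLatency delivers events within seconds of being logged.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Security-Logons</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon events from member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>SRV01.contoso.com</Address></EventSource>
    <EventSource Enabled="true"><Address>SRV02.contoso.com</Address></EventSource>
  </EventSources>
</Subscription>
'@
Set-Content -Path "$env:TEMP\Security-Logons.xml" -Value $subscription -Encoding UTF8
wecutil cs "$env:TEMP\Security-Logons.xml"

# Per-source runtime status; a source that is not "Active" is not delivering.
wecutil gr Security-Logons

# Forwarded events are local now, so ordinary queries apply: failed logons in the
# last hour, counted per source computer and target account.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Source  = $_.MachineName
            Account = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
        }
    } | Group-Object Source, Account | Sort-Object Count -Descending | Format-Table Count, Name
```

Treat `wecutil gr` as part of monitoring rather than a one-off check: a source that drops out (WinRM stopped, account removed from Event Log Readers) fails silently, and the collector simply stops seeing that machine's events.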

What Is a Custom View of Event logs?

Event logs contain large amounts of data, and it can be challenging to narrow the set of events down to only those of interest. In earlier versions of Windows, you could apply filters to a log, but you could not save the filter. In Windows Server 2008 and Windows Server 2012, custom views let you query and sort only the events you want to examine. You can also save, export, import, and share custom views.
Event Viewer lets you filter for specific events across multiple logs and display all the events that may be relevant to a problem you are investigating. To specify a filter that spans multiple logs, create a custom view from the Actions pane in Event Viewer. A custom view can filter on several conditions, including:
• The time that the event was logged.
• The event levels to display, such as errors or warnings.
• The logs from which to include events.
• Specific event IDs to include or exclude.
• The user context of the event.
• The computer on which the event occurred.
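A custom view is a saved XPath query over one or more logs, and the same query can be run from PowerShell with Get-WinEvent. The following is an added example, not from the original page, serving both this section and the "Overview of Event Viewer" section below: it filters two logs at once by level, event ID and time, excludes one ID, and prints the same columns Event Viewer shows. The chosen IDs (4740 account lockout, 1102 audit log cleared, 4719 audit policy changed, 10016 suppressed as noise) and the 24-hour window are assumptions.

```powershell
# Added example (not from the original page): the XML behind a multi-log custom view,
# run directly with Get-WinEvent. Event IDs and the 24-hour window are assumptions.
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <!-- account lockouts, audit log cleared, audit policy changed, last 24 h -->
    <Select Path="Security">
      *[System[(EventID=4740 or EventID=1102 or EventID=4719) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
    <!-- plus every critical/error event in System, minus one noisy ID -->
    <Select Path="System">*[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
    <Suppress Path="System">*[System[EventID=10016]]</Suppress>
  </Query>
</QueryList>
'@

# No matching events is reported as an error by Get-WinEvent; treat it as an empty result.
$events = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue

# The columns a custom view shows: level, date, source, ID, computer, user.
$events |
    Select-Object @{n='Level';e={$_.LevelDisplayName}}, TimeCreated, ProviderName, Id,
                  MachineName, @{n='User';e={$_.UserId}} |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Pasting the same QueryList into the XML tab of Event Viewer's Create Custom View dialog produces the identical view; Export Custom View wraps it in a ViewerConfig element, which is the file you share with other administrators or import on other servers.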

Overview of Event Viewer

Windows Event Viewer provides access to the Windows Server 2012 event logs. Event logs provide information about system events that occur in Windows, including informational, warning, and error messages about Windows components and installed applications.
Event Viewer provides categorized views of the Windows event logs, including the Application, Security, Setup, and System logs, plus Applications and Services logs grouped by individual Windows components and specific applications. Individual events provide details about what occurred, when it occurred, the source of the event, and technical information to assist in troubleshooting.
In addition, Event Viewer lets you consolidate logs from multiple computers onto a central computer by using subscriptions. Finally, you can configure Event Viewer to run an action when a particular event occurs. The action may send an email, start an application, run a script, or perform other maintenance that notifies you of, or attempts to resolve, a potential problem.
The Windows Server 2012 Event Viewer has the following important features:
• Several new logs. You can access logs for many individual components and subsystems.
• The ability to view multiple logs. You can filter for specific events across multiple logs, which simplifies investigating and resolving problems whose events may appear in different logs.
• Custom views. You can use filters to narrow the search to only the events you are interested in, and save those filters as views.
• The ability to configure scheduled tasks that run in response to events. Event Viewer is integrated with Task Scheduler, so you can automate responses to events.
• The ability to create and manage event subscriptions. You can collect events from remote computers and store them locally.
Event Viewer tracks information in several different logs. Each event provides detailed information, including:
• A description of the event
• The event ID number
• The component or subsystem that generated the event
• Whether it is an information, warning, or error condition
• The time of occurrence
• The user on whose behalf the event occurred
• The computer on which the event occurred
• A link to Microsoft TechNet for more information about the event

Overview of Resource Monitor

The Resource Monitor interface in Windows Server 2012 provides an in-depth, real-time view of your server's performance.
You can use Resource Monitor to monitor the use and performance of CPU, disk, network, and memory resources in real time, which lets you identify and resolve resource conflicts and bottlenecks. By expanding the monitored elements, system administrators can identify which processes are using which resources. You can also focus Resource Monitor on one or more processes by selecting their check boxes.
When you select a process, it stays selected in every pane, so information about that process is shown at the top of the screen wherever you are in the interface.

Overview of Performance Monitor

Performance Monitor lets you view current performance statistics, or view historical data collected by a data collector set.
In Windows Server 2012, you monitor operating system performance through performance objects and their counters. Windows Server 2012 counters collect data in a variety of ways, including:
• A real-time snapshot value.
• A total since the last computer restart.
• An average over a specific time interval.
• An average of the most recent values.
• A rate per second.
• A maximum value.
• A minimum value.
Performance Monitor provides a collection of objects and counters that record how the computer's resources are being used. There are many counters to analyze, and you should consider which ones to monitor to meet your specific needs.
Primary Processor Counters: Processor counters report the activity of the computer's CPU, including counts of hardware-related events such as interrupts.
Primary Memory Counters: The Memory performance object includes counters that describe the performance of the computer's physical and virtual memory. Physical memory is the random access memory (RAM) in the computer. Virtual memory comprises physical memory plus space on disk. Many memory counters monitor paging, which is the movement of pages of code and data between physical memory and disk.
Primary Disk Counters: The PhysicalDisk performance object includes counters that monitor hard disk drives. Disks store files, programs, data, and the paging file; disks are read to retrieve these items and written to record changes. The PhysicalDisk counters are totals across all the logical disks (partitions) into which each physical disk is divided.
Primary Network Counters: Most workloads require access to production networks to communicate with other applications and services, and with users. Some workloads require multiple network connections, and some must reach several different networks, each of which must remain secure.
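The counter families above, sampled from PowerShell and then logged for history with a data collector set, as an added example that is not part of the original page. The thresholds are common rules of thumb rather than values from the page, and the collector set name ServerBaseline and output path C:\PerfLogs are placeholders.

```powershell
# Added example (not from the original page): sample headline CPU, memory, disk and
# network counters, flag rule-of-thumb thresholds, then log the same counters with logman.
# Thresholds, collector-set name and output path are assumptions.
$counters = @(
    '\Processor(_Total)\% Processor Time',       # averaged over the sample interval
    '\System\Processor Queue Length',            # threads waiting for a CPU
    '\Memory\Available MBytes',                  # snapshot value
    '\Memory\Pages/sec',                         # rate per second: hard page faults
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read',  # average latency per read
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'      # one instance per adapter
)

# Three samples five seconds apart; each CounterSamples entry is one instance at one time.
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 3

$samples.CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $avg  = ($_.Group | Measure-Object CookedValue -Average).Average
        $flag = switch -Wildcard ($_.Name) {
            '*% Processor Time'        { if ($avg -gt 85) { 'CPU bound' } }
            '*Processor Queue Length'  { if ($avg -gt 2 * [Environment]::ProcessorCount) { 'CPU queueing' } }
            '*Available MBytes'        { if ($avg -lt 512) { 'low memory' } }
            '*Pages/sec'               { if ($avg -gt 1000) { 'paging heavily' } }
            '*Avg. Disk sec/Read'      { if ($avg -gt 0.025) { 'slow disk reads' } }
            '*Avg. Disk Queue Length'  { if ($avg -gt 2) { 'disk queueing' } }
        }
        [pscustomobject]@{ Counter = $_.Name; Average = [math]::Round($avg, 3); Note = $flag }
    } | Format-Table -AutoSize

# Historical view: a data collector set writing a 250 MB circular binary log every 15 s.
logman create counter ServerBaseline -c $counters -si 15 -f bincirc -max 250 -o C:\PerfLogs\ServerBaseline
logman start ServerBaseline
# Later: logman stop ServerBaseline, then open the .blg in Performance Monitor or load it
# with Import-Counter -Path C:\PerfLogs\ServerBaseline*.blg for analysis in PowerShell.
```

A few samples from Get-Counter answer "is it slow right now"; the collector set is what answers "was it slow at 03:00 last Tuesday", which is the question that usually matters during an investigation.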

Monitoring Windows Server 2012 using Task Manager

Overview of Task Manager
Task Manager has been enhanced in Windows Server 2012 to provide additional information that can help you identify and resolve performance-related issues. Task Manager includes the following tabs:
Processes: The Processes tab displays a list of running programs, subdivided into applications and Windows background processes. For each running process, this tab shows a summary of processor and memory usage.
Performance: The Performance tab displays a summary of central processing unit (CPU) and memory usage, together with network statistics.
Users: The Users tab displays resource consumption per signed-in user. You can expand a user to view details about the specific processes that the user is running.

Details: The Details tab lists all processes running on the server, with statistics on their consumption of CPU, memory, and other resources. You can use this tab to manage running processes. For example, you can end a process, end a process and all related processes, and change a process's priority value. By changing the priority of a process, you influence how much CPU time the process can consume; raising the priority lets the process claim more CPU time when it needs it.
Services: The Services tab provides a list of Windows services and related information: whether the service is running and the process identifier (PID) of the process hosting it. You can start and stop services from the list on the Services tab.
Under normal circumstances, Task Manager is the first tool to use when investigating a performance-related issue. For example, you can examine the running processes to determine whether a particular program is consuming an excessive share of the CPU. Always remember that Task Manager shows a snapshot of current resource consumption; you may also need to examine historical data to determine how the server's responsiveness and load have changed over time.
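The Details and Services tabs from PowerShell, as an added example that is not part of the original page: top CPU consumers with their owners, the services hosted inside each process (several services share one svchost.exe, so a PID alone does not identify the culprit), a priority change, and two spaced samples to tell sustained load from a spike. The process name notepad is a placeholder.

```powershell
# Added example (not from the original page): Details and Services tab data from
# PowerShell. 'notepad' is a placeholder process name.

# Details tab: top five processes by total CPU time, with the owning account.
$owners = @{}
Get-WmiObject Win32_Process | ForEach-Object {
    $o = $_.GetOwner()
    if ($o.ReturnValue -eq 0) { $owners[[int]$_.ProcessId] = "$($o.Domain)\$($o.User)" }
}
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 -Property `
    Id, ProcessName, @{n='CPU(s)';e={[math]::Round($_.CPU,1)}},
    @{n='WS(MB)';e={[math]::Round($_.WorkingSet64/1MB)}}, @{n='User';e={$owners[$_.Id]}} |
    Format-Table -AutoSize

# Services tab: every running service mapped to its host PID and image.
Get-WmiObject Win32_Service -Filter "State='Running'" |
    Group-Object ProcessId |
    Sort-Object { [int]$_.Name } |
    ForEach-Object {
        $p = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID      = [int]$_.Name
            Image    = $p.ProcessName
            Services = ($_.Group.Name | Sort-Object) -join ', '
        }
    } | Format-Table -AutoSize

# "Set priority" from the Details tab: lowering a process's priority gives the rest of
# the system first call on the CPU; Realtime is the only class that needs a privilege.
Get-Process -Name notepad -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::BelowNormal }

# Task Manager is a snapshot; two samples five seconds apart separate a spike from load.
1..2 | ForEach-Object {
    (Get-Counter '\Processor(_Total)\% Processor Time').CounterSamples.CookedValue
    Start-Sleep -Seconds 5
}
```

The service-to-PID mapping is also the first thing to check when an unfamiliar process appears: a service registered under a benign name but hosted by an image outside System32 deserves a closer look.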

Overview of Enabling Audit Policy

Configuring an auditing entry in a file's or folder's security descriptor (its SACL) does not, by itself, enable auditing. Auditing is enabled by configuring the appropriate Audit Object Access policy setting in Group Policy.
After you enable auditing, the security subsystem begins logging access according to the audit settings. The policy setting must be applied to the server that contains the audited objects. You can configure the policy setting in the server's Local Group Policy object (GPO), or in a domain GPO whose scope includes the server.
You can then define whether the policy audits successful events, failed events, or both. The policy setting
you specify must match the type of entries in the object's SACL: if the policy audits only failures, success entries in the SACL do not trigger any logging, and vice versa.
Locating Audit Policy Settings
In AD DS, Group Policy provides a standard set of settings that control audit behavior. The audit policy settings are located in a GPO under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. The basic audit policy settings are:
• Audit account logon events
• Audit account management
• Audit directory service access
• Audit logon events
• Audit object access
• Audit policy change
• Audit privilege use
• Audit process tracking
• Audit system events

Overview of Audit Policies

An audit policy configures a system to audit a category of activity. If an audit policy is disabled, the server does not audit that activity.

You can configure audit policy in a GPO under Computer Configuration. Expand Policies > Windows Settings > Security Settings > Local Policies, and then click Audit Policy. To configure auditing, you must define a policy setting: in the Group Policy Management Editor, double-click the policy setting and select the Define These Policy Settings check box. Then select whether to audit successful events, failed events, or both. The following table specifies the default setting for each audit policy on a Windows Server 2012 domain controller.
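The two halves described under "Overview of Enabling Audit Policy" and above, the policy and the SACL, put together as an added example that is not part of the original page: enable object-access auditing for the file system on the local machine, add a SACL to a folder, and read back the resulting 4663 events. The folder C:\Finance is a placeholder. It must run elevated, because writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example (not from the original page): file-system auditing end to end.
# C:\Finance is a placeholder. Run elevated.

# 1. Policy. auditpol sets the effective (advanced) audit policy on this machine; for a
#    domain you put the same subcategory in a GPO under Security Settings > Advanced Audit
#    Policy Configuration and enable "Audit: Force audit policy subcategory settings" so
#    the legacy Audit Object Access category cannot override it.
auditpol /get /category:"Object Access"
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable   # very noisy

# 2. SACL. Without this entry nothing is logged, whatever the policy says; without the
#    policy, this entry does nothing.
$folder = 'C:\Finance'
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete,WriteData,ChangePermissions,TakeOwnership',
    'ContainerInherit,ObjectInherit',   # apply to subfolders and files
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify. A write or delete from a test account now produces 4663 (object accessed);
#    pull who touched what under the folder in the last hour.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field.ObjectName -like "$folder*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($field.SubjectDomainName)\$($field.SubjectUserName)"
                Object  = $field.ObjectName
                Access  = $field.AccessMask
                Process = $field.ProcessName
            }
        }
    } | Format-Table -AutoSize
```

Audit only the rights you would act on (here delete, write and permission changes); auditing ReadData on a busy share produces so many 4663 events that the entries you care about are lost among them.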

Overview of How to Configure Encryption

What Is EFS?
EFS can encrypt files stored on NTFS-formatted partitions. By default, this capability is available to all users. You can also use EFS to encrypt files on file shares.
After a file is encrypted with EFS, it can be accessed only by authorized users. If a user is authorized, access to the file is transparent and the file opens like an unencrypted file. If a user is not authorized,
attempting to open the file results in an Access Denied message.
EFS encryption acts as an additional security layer on top of NTFS permissions. If a user has NTFS permission to read a file, they must still be authorized by EFS to decrypt it.

The default configuration of EFS requires no administration. Users can begin encrypting files immediately; EFS automatically generates a self-signed user certificate and key pair if one does not yet exist. Using a certificate authority (CA) to issue the user certificates improves manageability.
You can disable EFS on client computers by using Group Policy. In the properties of the policy, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System and then select Don't allow.
How EFS Works
EFS uses a combination of public key and symmetric key encryption to protect files from attack. EFS encrypts the file with a symmetric key and protects that symmetric key with a public key.
Symmetric key encryption uses the same key to encrypt and decrypt a file. It is much faster than public key encryption, which makes it the usual choice for encrypting large amounts of data. Because the same key must be shared by everyone who needs the data, distributing a symmetric key securely across a network requires additional protection.
EFS uses public key encryption to protect the symmetric key needed to decrypt the file contents. Each user's certificate has a public key, used to encrypt the symmetric key, and a corresponding private key. Only a user who holds the certificate and its private key can decrypt the symmetric key.
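The behaviour described in this section, as an added example that is not part of the original page: encrypt a folder, check which certificates can decrypt a file, back up the EFS key (the step users most often skip), and show that NTFS permissions alone do not grant access. The folder path, the sample file and the account CONTOSO\bob are placeholders; run it as the user who owns the data.

```powershell
# Added example (not from the original page): EFS in practice. Folder, file contents
# and the CONTOSO\bob account are placeholders. Run as the data owner.
$folder = "$env:USERPROFILE\Private"
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path "$folder\notes.txt" -Value 'constructed sample content'

# Encrypt the folder; new files created in it are encrypted automatically. /s recurses.
cipher /e "/s:$folder"

# Files now carry the Encrypted attribute.
Get-ChildItem $folder |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
    Select-Object Name, Attributes

# Which certificate thumbprints can decrypt this file: the user's, plus any recovery agent.
cipher /c "$folder\notes.txt"

# The EFS certificate in use, self-signed by default or issued by your CA (EFS EKU OID).
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter

# Back up certificate and private key to a password-protected PFX. Without this backup,
# losing the profile means losing the data unless a data recovery agent was configured.
cipher /x "$env:USERPROFILE\efs-backup"     # prompts for a password, writes efs-backup.pfx

# EFS sits above NTFS: granting bob NTFS Read is not enough, he still gets Access Denied.
icacls "$folder\notes.txt" /grant "CONTOSO\bob:(R)"
# To actually share the file, add bob's EFS certificate to it instead:
#   cipher /adduser /certfile:bob.cer "$folder\notes.txt"
```

The Issuer column is the quick test for the manageability point above: a self-signed EFS certificate has no CA behind it, so nothing outside the user's profile can recover the key if it is lost.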

Configuring the Active Directory Recycle Bin

In Windows Server 2012, the Active Directory Recycle Bin can be enabled to simplify the restoration of deleted objects. This feature overcomes the limitations of authoritative restore and tombstone reanimation. The Active Directory Recycle Bin lets administrators recover deleted objects with full functionality without restoring AD DS data from backup, restarting AD DS, or restarting the domain controller. The Active Directory Recycle Bin builds on the existing tombstone infrastructure and improves your ability to preserve and restore accidentally deleted Active Directory objects.

How Active Directory Recycle Bin Works
When you enable the Active Directory Recycle Bin, all link-valued and non-link-valued attributes of deleted Active Directory objects are preserved, and the objects can be restored to the same logical state they were in before deletion. For example, a recovered user account automatically regains all the group memberships and access rights it had before deletion, within and across domains. The Active Directory Recycle Bin works in both AD DS and Active Directory Lightweight Directory Services (AD LDS) environments.
With the Active Directory Recycle Bin enabled, when an Active Directory object is deleted, all its link-valued and non-link-valued attributes are preserved and the object is logically deleted. The deleted object is moved to the Deleted Objects container, and its distinguished name is mangled. The deleted object remains in the deleted state in the Deleted Objects container for the duration of the deleted object lifetime. During the deleted object lifetime, you can restore the object from the Active Directory Recycle Bin, and the restored object becomes a live Active Directory object again.
Enabling the Active Directory Recycle Bin
You can enable the Active Directory Recycle Bin only if the forest functional level is Windows Server 2008 R2 or higher. To enable the Active Directory Recycle Bin in Windows Server 2012, do one of the following:
• From a Windows PowerShell prompt with the Active Directory module loaded, use the Enable-ADOptionalFeature cmdlet.
• From the Active Directory Administrative Center, select the forest root domain, and then click Enable Recycle Bin in the Tasks pane.
Only objects deleted after the Active Directory Recycle Bin has been enabled can be recovered from the Active Directory Recycle Bin.
Restoring Items from the Active Directory Recycle Bin
In Windows Server 2012, the Active Directory Administrative Center provides a graphical interface for recovering deleted AD DS objects. When the Active Directory Recycle Bin is enabled, the Deleted Objects container appears in the Active Directory Administrative Center. Deleted objects are visible in this container until their deleted object lifetime expires. You can restore selected objects to their original location or to an alternate location in AD DS.


Understanding How to Restore Deleted Objects

When an object is deleted in AD DS, it is moved to the Deleted Objects container and stripped of most of its attributes. You can extend the list of attributes that are preserved when an object is deleted, but you cannot preserve linked attribute values (such as group membership).
As long as the object has not been cleaned up by the garbage collection process after reaching the end of its tombstone lifetime, you can restore the deleted object, which is known as tombstone reanimation.
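The Recycle Bin procedure described under "Configuring the Active Directory Recycle Bin" and the lifetimes that bound recovery described above, as an added example that is not part of the original page. It enables the feature, reads the two lifetimes, lists what is currently recoverable, restores a user, and restores a deleted OU together with its contents (parent first, then children by lastKnownParent). The forest is read from the environment; the user jdoe and the OU Sales are placeholders.

```powershell
# Added example (not from the original page): enable the AD Recycle Bin and restore
# objects with the Active Directory module. jdoe and Sales are placeholders.
Import-Module ActiveDirectory

$forest = (Get-ADForest).Name

# Irreversible: once enabled it cannot be disabled, and objects deleted before this point
# remain ordinary tombstones (recoverable only by reanimation, without linked values).
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $forest -Confirm:$false

# Deleted objects stay fully restorable for msDS-DeletedObjectLifetime days, then become
# recycled objects for tombstoneLifetime days before garbage collection removes them.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' |
    Select-Object tombstoneLifetime, 'msDS-DeletedObjectLifetime'   # empty means the 180-day default

# What is recoverable right now, and where each object used to live.
Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true' -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged, 'msDS-LastKnownRDN' |
    Select-Object 'msDS-LastKnownRDN', objectClass, lastKnownParent, whenChanged

# Restore a single user in place; its group memberships come back with it.
Get-ADObject -Filter 'sAMAccountName -eq "jdoe" -and isDeleted -eq $true' -IncludeDeletedObjects |
    Restore-ADObject

# Restore a deleted OU and everything under it: the parent must exist before its children.
$ou = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "organizationalUnit"' `
    -IncludeDeletedObjects -Properties 'msDS-LastKnownRDN' |
    Where-Object { $_.'msDS-LastKnownRDN' -eq 'Sales' } | Select-Object -First 1
Restore-ADObject -Identity $ou.ObjectGUID
$restoredOu = Get-ADObject -Identity $ou.ObjectGUID
Get-ADObject -Filter "lastKnownParent -eq '$($restoredOu.DistinguishedName)'" -IncludeDeletedObjects |
    Restore-ADObject

# Confirm the user is live again and back in its groups.
Get-ADUser jdoe -Properties memberOf | Select-Object DistinguishedName, memberOf
```

Enable-ADOptionalFeature needs Enterprise Admins rights and, like the text says, cannot be undone; raise the deleted object lifetime deliberately if 180 days is shorter than the time it typically takes your organization to notice a deletion.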

Understanding Restartable AD DS

In most cases where the AD DS database needs maintenance, you would have to restart the domain controller in Directory Services Restore Mode.
Windows Server 2012 lets administrators stop and start AD DS like any other service, without restarting the domain controller, so that some administrative tasks can be performed quickly. This feature is called restartable Active Directory Domain Services.

Restartable AD DS reduces the time required to perform certain operations. You can stop AD DS so that updates can be applied to the domain controller. Administrators can also stop AD DS to perform tasks such as offline defragmentation of the Active Directory database without restarting the domain controller. Other services running on the server that do not depend on AD DS, such as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while AD DS is stopped.
Restartable AD DS is available by default on all domain controllers running Windows Server 2012; there are no functional-level or other requirements for using this feature.
Note: You cannot perform a system state restore of a domain controller while AD DS is stopped. To complete a system state restore of a domain controller, you must start the domain controller in Directory Services Restore Mode (DSRM). However, you can perform an authoritative restore of Active Directory objects while AD DS is stopped by using Ntdsutil.exe.
Restartable AD DS adds minor changes to the existing Microsoft Management Console (MMC) snap-ins. On a domain controller running Windows Server 2012, AD DS appears in the Services snap-in and under the Services (Local) node of the Component Services snap-in. Using these snap-ins, an administrator can stop and restart AD DS in the same way as any other service running locally on the server.
Although stopping AD DS is similar to logging on in Directory Services Restore Mode, restartable AD DS provides a distinct state, known as AD DS Stopped; a domain controller running Windows Server 201
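The offline defragmentation mentioned above, done with restartable AD DS rather than a reboot into DSRM, as an added example that is not part of the original page. It stops the NTDS service, compacts the database into a working folder, swaps the compacted copy in, runs the integrity check, and starts AD DS again. The database path is the default; C:\NTDS-Compact is a placeholder. Run it elevated on the domain controller.

```powershell
# Added example (not from the original page): offline defragmentation of ntds.dit using
# restartable AD DS. C:\NTDS-Compact is a placeholder working folder. Run elevated.
$ntdsPath = 'C:\Windows\NTDS'
$workDir  = 'C:\NTDS-Compact'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Stopping NTDS also stops the services that depend on it (KDC, DNS, DFS Replication...);
# -Force accepts that. DHCP and other independent services keep running.
Stop-Service -Name NTDS -Force
Get-Service NTDS, Kdc, DNS | Format-Table Name, Status

# Write a new, compacted copy of the database to the working folder.
ntdsutil "activate instance ntds" files "compact to $workDir" quit quit

# Keep the original, swap in the compacted copy, and drop the old transaction logs
# (they belong to the previous copy). If the integrity check fails, put ntds.dit.bak back.
Copy-Item "$ntdsPath\ntds.dit" "$workDir\ntds.dit.bak"
Copy-Item "$workDir\ntds.dit" "$ntdsPath\ntds.dit" -Force
Remove-Item "$ntdsPath\*.log"
ntdsutil "activate instance ntds" files integrity quit quit

Start-Service -Name NTDS
Get-Service NTDS, Kdc, DNS | Format-Table Name, Status

# Confirm the DC is advertising and replicating again before calling it done.
dcdiag /test:Advertising /test:Replications
```

The Get-Service lines before and after are the practical difference from DSRM: you can see exactly which dependent services went down with NTDS and confirm they came back, while everything else on the server stayed up.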

Monday, February 29, 2016

Managing AD DS Backup and Recovery

In earlier versions of Windows, backing up Active Directory involved backing up the system state, a small collection that includes the Active Directory database file and the registry.
In Windows Server 2012, the concept of system state still exists, but it is larger. Because of the interdependencies between server roles, the physical configuration and Active Directory, system state is now a subset of a full server backup and, with some configurations, can be just as large. To back up a domain controller, you must fully back up all critical volumes.
Restoring AD DS Data
When a domain controller or its directory is corrupted, damaged or fails, you have several options for restoring the system.
Non-authoritative Restore
This option is called a normal or non-authoritative restore. In a normal restore operation, you restore a backup of Active Directory from a known good date. In effect, you roll the domain controller back in time. When AD DS restarts on the domain controller, the domain controller communicates with its replication partners and requests all subsequent updates. In effect, the domain controller catches up with the rest of the domain by using the standard replication mechanism.
A normal restore is useful when the directory on a domain controller is corrupted or damaged but the problem has not spread to other domain controllers. What about circumstances in which damage was done and the damage has replicated? For example, what if you delete one or more objects and the deletion replicates?
In this case, a normal restore is not enough. If you restore a known good version of Active Directory and restart the domain controller, the deletion (which took place after the backup) is simply replicated back to the domain controller.
Authoritative Restore
When the restored known good copy of AD DS contains something that must override existing objects in the AD DS database, an authoritative restore is necessary. In an authoritative restore, you restore a known good version of Active Directory, just as you would in a normal restore. However, before restarting the domain controller, you mark the objects that were accidentally deleted or damaged and that you want to keep as authoritative, so that they are replicated from the restored domain controller to its replication partners. Behind the scenes, when you mark objects as authoritative, Windows increments the version number of every attribute of those objects to a value so high that it is virtually guaranteed to be higher than the version numbers on all other domain controllers.
When you restart the restored domain controller, it replicates directory changes from all of its replication partners. It also notifies its partners that it has changes, and the version numbers of those changes ensure that the partners accept them and replicate them throughout the directory service. If Active Directory Recycle Bin is enabled in the forest, you can use it as a simpler alternative to an authoritative restore.
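The Recycle Bin alternative described above, as an added PowerShell example that is not code from the original post. It recovers a deleted user by ObjectGUID (which keeps the SID and group memberships, unlike re-creating the account) and then reads the replication metadata so you can see the per-attribute version numbers that decide which copy wins in replication. It assumes Active Directory Recycle Bin is enabled in the forest; 'jdoe' and 'DC01' are constructed names.

```powershell
# Added example, not code from the original post: restore a deleted account with
# Active Directory Recycle Bin and inspect attribute version numbers afterwards.
# Assumptions: Recycle Bin is enabled; 'jdoe' and 'DC01' are constructed names.
Import-Module ActiveDirectory

function Get-DeletedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Deleted objects live under the Deleted Objects container and are hidden
    # from normal queries unless -IncludeDeletedObjects is used.
    Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, 'msDS-LastKnownRDN'
}

function Restore-DeletedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$Server = 'DC01')
    $deleted = @(Get-DeletedAccount -SamAccountName $SamAccountName)
    if ($deleted.Count -eq 0) { throw "No deleted object named $SamAccountName" }
    if ($deleted.Count -gt 1) { throw "Several deleted objects named $SamAccountName; pick one by ObjectGUID" }
    # Restoring by GUID returns the object to its lastKnownParent with the
    # original SID, so existing ACLs and group memberships keep working.
    Restore-ADObject -Identity $deleted[0].ObjectGUID -Server $Server
    Get-ADObject -Identity $deleted[0].ObjectGUID -Server $Server
}

function Get-AttributeVersions {
    param([Parameter(Mandatory)][string]$DistinguishedName, [string]$Server = 'DC01')
    # Every attribute carries a version number in its replication metadata; when two
    # domain controllers disagree, the higher version wins. An authoritative restore
    # works by pushing these numbers far above what any partner holds.
    Get-ADReplicationAttributeMetadata -Object $DistinguishedName -Server $Server |
        Select-Object AttributeName, Version, LastOriginatingChangeTime |
        Sort-Object AttributeName
}

# Usage: restore 'jdoe' and look at the metadata on the DC that performed the restore.
$obj = Restore-DeletedAccount -SamAccountName 'jdoe'
Get-AttributeVersions -DistinguishedName $obj.DistinguishedName | Format-Table -AutoSize
```

Without Recycle Bin, the same outcome needs the DSRM route the text describes: a non-authoritative restore of the database, then marking the object in Ntdsutil.exe (`ntdsutil "authoritative restore" "restore object <DN>" quit quit`) before the domain controller is restarted normally. Comparing the output of Get-AttributeVersions before and after such a restore shows the large version jump that the text refers to.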
Other Restore Options
A third option for restoring the directory service is to restore the entire domain controller. This is done by starting the Windows Recovery Environment and then restoring the server from a full backup, which restores the domain controller completely. By default, this is a normal restore. If you need something more powerful, you must restart the server in Directory Services Restore Mode and mark objects as authoritative before starting the domain controller under normal operating conditions.
Finally, you can restore a system state backup to an alternate location. This allows you to examine the files and, potentially, mount the NTDS.DIT file. You should not copy files from the restore location over the production versions of the files; this option is not a way to roll the directory back. If you want to use the Install From Media option, you can also use this option to create a new domain controller.
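The backup and alternate-location restore described in this section, as an added PowerShell example that is not code from the original post. It backs up the critical volumes and the system state with Windows Server Backup (wbadmin.exe), finds the newest version identifier, restores that system state to an alternate location, and records a SHA-256 hash of the restored NTDS.DIT so later inspections can tell whether the copy changed. The backup target E: and the restore location D:\AltRestore are constructed values.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: back up a domain controller and
# restore its system state to an alternate location for inspection only.
# Assumptions: E: is a constructed backup target and D:\AltRestore a constructed
# restore location; run elevated on the domain controller.
$BackupTarget = 'E:'
$AltLocation  = 'D:\AltRestore'

# A domain controller backup needs all critical volumes, not just system state.
& wbadmin.exe start backup -backupTarget:$BackupTarget -allCritical -quiet
# System state on its own is also useful for the alternate-location restore below.
& wbadmin.exe start systemstatebackup -backupTarget:$BackupTarget -quiet

function Get-LatestBackupVersion {
    param([Parameter(Mandatory)][string]$Target)
    # "wbadmin get versions" prints one "Version identifier: MM/DD/YYYY-HH:MM" line
    # per backup, oldest first; the last one is the newest.
    $lines = & wbadmin.exe get versions -backupTarget:$Target
    $ids = @($lines | ForEach-Object { if ($_ -match 'Version identifier:\s*(\S+)') { $Matches[1] } })
    if ($ids.Count -eq 0) { throw "No backup versions found on $Target" }
    $ids[-1]
}

$version = Get-LatestBackupVersion -Target $BackupTarget

# Restore to the alternate location: nothing in the live system is touched.
& wbadmin.exe start systemstaterecovery -version:$version -backupTarget:$BackupTarget `
    -recoveryTarget:$AltLocation -quiet

# Find the restored database copy and record its hash next to it.
$restored = Get-ChildItem -Path $AltLocation -Recurse -Filter 'ntds.dit' | Select-Object -First 1
if (-not $restored) { throw 'ntds.dit not found under the alternate restore location' }
$hash = Get-FileHash -Path $restored.FullName -Algorithm SHA256
"$($hash.Hash)  $($restored.FullName)" | Out-File -FilePath (Join-Path $AltLocation 'ntds.dit.sha256')
$hash | Format-List
```

The restored copy is for inspection: it can be opened offline, compared with earlier restores via the recorded hash, or used as the source for an Install From Media promotion, but it is never copied back over the production NTDS.DIT, for the reason the text gives.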


Managing Operations Master Roles

AD DS is a multi-master replication environment, which means that all domain controllers can modify the AD DS database at roughly the same time. However, some operations should be performed by only one system. In AD DS, a domain controller that performs such a specific function within the domain environment is an operations master.
Forest-Wide Operations Master Roles
The schema master and domain naming master must be unique in the forest. Only one domain controller in the forest holds each of these roles.
Domain Naming Master Role
The domain naming master role is used when you add or remove a domain or an application partition in the forest. When you add or remove a domain or an application partition, the domain naming master must be accessible, or the operation will fail.
Schema Master Role
The domain controller that holds the schema master role is responsible for making any changes to the forest schema. All other domain controllers hold read-only copies of the schema. When you need to modify the schema, the changes must be sent to the domain controller that holds the schema master role.
Domain-Wide Operations Master Roles
Each domain maintains three single-master operations: the relative identifier (RID) master, the infrastructure master and the primary domain controller (PDC) emulator. Each role is performed by only one domain controller in the domain.
RID Master Role
The RID master role plays an important part in generating security identifiers (SIDs) for security principals such as users, groups and computers. The SID of a security principal must be unique. Because any domain controller can create an account, a mechanism is necessary to ensure that the SIDs generated by domain controllers are unique. An Active Directory domain controller generates a SID by appending a unique RID to the domain SID. The RID master assigns a unique pool of RIDs to each domain controller in the domain. Thus, each domain controller can be sure that the SIDs it generates are unique.
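The RID pool mechanism above, as an added PowerShell example that is not code from the original post. It decodes the pool the RID master still has available, the pools assigned to one domain controller (stored on that DC's RID Set object), and composes the SID the next account created on that DC will receive. 'DC01' is a constructed name; the attribute names and the RID Manager$ / RID Set objects are the real ones.

```powershell
# Added example, not code from the original post: decode RID pools and compose a SID.
# Assumption: 'DC01' is a constructed domain controller name; the ActiveDirectory
# module is available and the caller can read the System container.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    param([Parameter(Mandatory)][Int64]$Pool)
    # rIDAvailablePool (on RID Manager$) and the per-DC pool attributes pack two
    # 32-bit numbers into one 64-bit value: low half = first/next RID, high half = last RID.
    [pscustomobject]@{
        Start = [uint32]($Pool -band 0xFFFFFFFF)
        End   = [uint32]($Pool -shr 32)
    }
}

function Get-RidStatus {
    param([string]$DomainController = 'DC01')
    $domain = Get-ADDomain
    # Domain-wide RID space that the RID master has not yet handed out.
    $mgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
        -Properties rIDAvailablePool -Server $domain.RIDMaster
    $avail = ConvertFrom-RidPool -Pool $mgr.rIDAvailablePool
    # Pools assigned to one domain controller live on its "RID Set" child object.
    # rIDPreviousAllocationPool is the pool in use; rIDAllocationPool is the next one.
    $dc  = Get-ADDomainController -Identity $DomainController
    $set = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" `
        -Properties rIDPreviousAllocationPool, rIDAllocationPool, rIDNextRID
    $current = ConvertFrom-RidPool -Pool $set.rIDPreviousAllocationPool
    $next    = ConvertFrom-RidPool -Pool $set.rIDAllocationPool
    [pscustomobject]@{
        RIDMaster       = $domain.RIDMaster
        NextUnallocated = $avail.Start
        MaxRID          = $avail.End
        DC              = $dc.HostName
        CurrentPool     = "$($current.Start)-$($current.End)"
        NextPool        = "$($next.Start)-$($next.End)"
        NextRIDOnThisDC = $set.rIDNextRID
        RIDsLeftInPool  = [int64]$current.End - [int64]$set.rIDNextRID
    }
}

function New-SidFromRid {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$DomainSid,
          [Parameter(Mandatory)][uint32]$Rid)
    # A principal's SID is the domain SID with the RID appended as the last sub-authority,
    # which is why non-overlapping RID pools are what keeps SIDs unique.
    [System.Security.Principal.SecurityIdentifier]"$($DomainSid.Value)-$Rid"
}

$status = Get-RidStatus
$status | Format-List
# The SID the next account created on this DC will receive.
New-SidFromRid -DomainSid (Get-ADDomain).DomainSID -Rid $status.NextRIDOnThisDC
```

Two numbers in the report are worth watching: RIDsLeftInPool tells you when a domain controller is about to ask the RID master for a new pool, and NextUnallocated against MaxRID tells you how much of the domain's total RID space has been consumed, which also makes an unexpected jump after a domain controller restore visible.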
Infrastructure Master Role
The infrastructure master role matters in a multi-domain environment, where objects in one domain reference objects in other domains. For example, a group may include members from other domains. The group's multi-valued member attribute contains the distinguished name of each member. If a member is moved to another domain or renamed, the infrastructure master updates the object references in the group in its domain.
PDC Emulator Role
The PDC emulator role performs multiple functions that are key to the domain:
• It participates in the domain-specific password update process. When a user's password is reset or changed, the domain controller that makes the change immediately replicates it to the PDC emulator. This special replication ensures that the domain learns about the new password as soon as possible.
• It manages Group Policy updates in the domain. If a GPO is modified on two domain controllers at about the same time, the two versions could conflict in ways that GPO replication cannot reconcile. To avoid this situation, the PDC emulator is by default the focal point for all Group Policy changes.
• It provides the master time source for the domain. Many parts of Windows and many technologies depend on time stamps, so synchronized system time across the domain is essential. By default, the PDC emulator in the forest root domain is the time master for the forest. The PDC emulator in each other domain synchronizes its time with the forest root PDC emulator. The other domain controllers in a domain synchronize their clocks with the domain's PDC emulator. All other domain members synchronize their time with their preferred domain controller.
• It acts as the domain master browser. When you open Network in Windows, you see a list of workgroups and domains, and when you open a workgroup or domain, you see a list of computers.
Guidelines for Placing Operations Master Roles
• Place the domain-level roles on a high-performance domain controller.
• Do not place domain-level master roles on a global catalog server, unless your forest contains only one domain or all domain controllers in the forest are also global catalog servers.
• Keep the two forest-level roles on a domain controller in the forest root domain.
• Adjust the workload of the PDC emulator, if necessary, by offloading non-AD DS roles to other servers.
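The placement guidelines above, turned into a check, as an added PowerShell example that is not code from the original post. It lists the five operations master holders for the forest and one domain, flags forest-level roles held outside the forest root, flags domain-level roles on a global catalog when the exception in the guideline does not apply, and pings each holder, since an unreachable holder is what makes schema changes, domain and partition changes, RID allocation or password and Group Policy handling fail. It assumes the ActiveDirectory module and read access to the forest and domain objects.

```powershell
# Added example, not code from the original post: report operations master holders
# and check them against the placement guidelines.
# Assumption: the ActiveDirectory module is available and the caller can read
# forest, domain and domain controller objects.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $DomainName
    $dcs    = Get-ADDomainController -Filter * -Server $DomainName
    $singleDomain = @($forest.Domains).Count -eq 1
    $allGc        = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        $holder     = Get-ADDomainController -Identity $r.Value
        $forestRole = $r.Key -in 'SchemaMaster', 'DomainNamingMaster'
        $issues     = @()
        # Forest-level roles belong on a domain controller in the forest root domain.
        if ($forestRole -and $holder.Domain -ne $forest.RootDomain) {
            $issues += 'forest role outside forest root domain'
        }
        # Domain-level roles should not sit on a global catalog unless the forest has a
        # single domain or every domain controller is a global catalog.
        if (-not $forestRole -and $holder.IsGlobalCatalog -and -not ($singleDomain -or $allGc)) {
            $issues += 'domain role on a global catalog server'
        }
        # A holder that cannot be reached stalls the single-master operation it owns.
        $reachable = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
        if (-not $reachable) { $issues += 'holder not reachable' }
        [pscustomobject]@{
            Role      = $r.Key
            Holder    = $r.Value
            Domain    = $holder.Domain
            IsGC      = $holder.IsGlobalCatalog
            Reachable = $reachable
            Issues    = ($issues -join '; ')
        }
    }
}

Get-FsmoPlacementReport | Format-Table -AutoSize
```

Run it per domain in a multi-domain forest; the forest-level rows repeat, the domain-level rows change. An empty Issues column on every row means the placement matches the four guidelines above.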