Question

The Active Directory database can be moved to a new location if you decide that there is a need to relocate it due to space limitations. How do you accomplish this? When you back up Active Directory, what must be included?

Explain the basic functions of a directory service and how Active Directory Domain Services fulfills them and describe how DNS names are formed out of domains and a hostname.

# Note: No plagiarism, please

Answer 1

we can move it to a different location with help of ntdsutil.exe. Let’s see in details how we can do it.

For my demo I am using a DC which holds its AD database files in default C:\Windows\NTDS\ folder. I need to move it to my new disk I added to the server. So new path I need to move it is E:\ADDB

Before we start this task we need to stop the active directory domain services. So make sure you aware of the impact it will make on network operations by stopping it.

1)    Log in to the primary domain controller as domain or enterprise administrator.
2)    Server Manager > Tools > Services

3)    Once mmc loaded right click on “Active Directory Domain Services” and click stop

4)    Then it will ask if it’s okay to stop associated services. Click “yes” to continue.

Once services are stopped we can go ahead with the database move.

1)    Right click on start button and click on “Command Prompt (Admin)”

2)    Once command prompt load up type ntdsutil and press enter

3)    Then type “activate instance ntds” and press enter
4)    Then type “files” and enter

5)    In the files maintenance we need to specify the command to move the db. So I need to move it to E:\ADDB so the command will be move db to E:\ADDB. If you using space in folder path make sure you put the folder path inside double colon(“”). Once it execute it will move the db file and give an output as following.

6)    As you can see it move the database files successfully. But the logs are still in NTDS folder. To move the logs type move logs to E:\ADDB

7)    Now it’s moved logs and database successfully to the new location.

8)    Now it’s time to start the Active directory domain services again. Please go to services.mmc and start the service we stopped at the beginning of this step

What Data Must Be Backed Up?

• Active Directory Domain Services
• Domain Controller System Registry
• Sysvol directory
• COM+ class registration database
• DNS zone information integrated with Active Directory
• System files and boot files
• Cluster service information
• Certificate services database (if your Domain Controller is a certificate service server)
• IIS meta folders (if Microsoft Internet Information Services are installed on your Domain Control

Basic function of active directory-

Active Directory Domain Services (AD DS) are the core functions in Active Directory that manage users and computers and allow sysadmins to organize the data into logical hierarchies.

AD DS provides for security certificates, Single Sign-On (SSO), LDAP, and rights management.

Active Directory and DNS

Active Directory (AD) depends on DNS for name resolution and locating resources on a network. DNS has a database that maintains resource records, which helps identify various servers, domains, and services on the network. Some of the common types of DNS resource records are:

Record Type	Format	Purpose
A	abc.com. IN A 172.9.54.11	Maps a host name to an IPv4 address
CNAME	cba.com. IN CNAME abc.com.	Makes one domain an alias of another domain
PTR	11.54.9.172.in-addr.arpa. IN PTR abc.com.	Maps an IPv4 address to a host name
MX	*.ab.bc.com. 14400 IN MX 0 ms1.ab.bc.com.	Identifies the mail server for a particular domain
SRV	_http._tcp.abc.com. IN SRV 0 5 80 ws1.abc.com.	Maps a service to a particular server

A domain controller (DC) registers an AD DNS entry at boot time with an A record. The DC also registers AD DNS Service (SRV) records which help in mapping services like Kerberos, LDAP, etc., to itself. When a client computer joins a network, it locates the DC by querying the DNS for the service name. DNS retrieves the SRV record from its database and provides the DC’s host name to the client. The client further queries the DNS using this host name to obtain the DC’s IP address. Thus, without the DNS, a client wouldn’t be able to authenticate into AD or find various services.

Active Directory DNS zones

The DNS has a distributed database i.e., the information about all the domains, subdomains, and host mappings are not stored on just one DNS server but distributed across many servers. The management of the DNS database is made easy by dividing the DNS name space into multiple zones and assigning the responsibility of a zone to a particular server. An AD DNS zone is a collection of hierarchial domain names with the root domain delegated to one or more name servers. A zone contains all the information about a domain except for the parts of the domain delegated to other name servers. The zone files begin with a AD DNS SOA or Start of Authority resource record that indicates the primary name server for the zone.
Imagine a company, ABC, that has a name space abc.com delegated to the name server ns1.abc.com. All the domains under abc.com  viz., sales, HR, finance, and admin can be placed in one zone. However, let us now imagine that the company’s HR, finance, and admin domains are administered in India and the sales domain is administered in the USA. In order to simplify the management of the DNS database, the HR, finance, admin, and abc domains can be placed in zone 1 and the responsibility can be given to ind.abc.com name server while the sales subdomain can be placed in a separate zone (zone 2 as shown in the figure below) and its responsibility can be delegated to us.sales.abc.com name server.

Active Directory DNS delegation

The names within a zone can be delegated to another zone maintained by a different server. Thus the responsibility of a subdomain can be passed on to a different name server which will handle requests for the resource records through a process called AD DNS delegation. Delegation can be brought in to effect with the help of NS and A resource records as shown below:

sales.abc.com IN NS             ns1.sales.abc.com
ns1.sales.abc.com IN A 192.168.14.9
DNS plays a very important role in the smooth functioning of a network. In the event of DNS failure, it would be difficult to find the IP address of a host, and thereby difficult to access any service. DNS acts as a bidirectional translator between IP addresses and host names, thus making our network communications easy.