Because Active Directory stores information about all the objects on the network, it is very important to make sure that the information contained in the AD is timely and accurate. Protecting the integrity of the data stored in your Active Directory and optimizing the directory’s performance involves frequent monitoring and tweaking. I recommend assigning a set schedule for performing maintenance tasks.
The most important part of your network is its users. If you’ve created a good Organizational Unit structure and assigned Group Policies in an efficient manner, you shouldn’t have much trouble maintaining user accounts. If an employee leaves the company and can potentially return, it is best to disable, rather than delete, the account.
It is extremely important to back up data regularly. Users can lose data through malicious virus or worm attacks, by catastrophic hardware failure, or because of a simple mistake, such as accidentally deleting an important file. The safest policy is to keep frequent, multiple copies of data at separate locations.
The Active Directory can be backed up using the Windows Backup program included with Windows 2000. You’ll probably have to schedule backups for late-night hours, because Windows Backup won’t back up files that are in use and locked by applications. Also, the data transfer during a backup can use up quite a bit of network bandwidth.
Windows 2000 has a Backup Wizard to help you organize and implement a backup strategy. You can start the Backup Wizard using the following steps:
There are two types of restoration options for an Active Directory domain controller, authoritative and non-authoritative. You must always perform a non-authoritative restore before you can perform an authoritative restore. You have to reboot into Directory Services restore mode before starting either type of restoration:
- Non-authoritative restore
Restores only those settings that aren’t replicated from other domain controllers. If any modifications have been made to the replicated data, that data will be automatically updated the next time the restored computer receives replication data.
- Authoritative restore
If you accidentally delete an object or objects, you can use a backup from before the deletion to non-authoritatively restore the object(s). Then you can use the NTDSUTIL program to mark those objects as authoritative. This will give them precedence in the replication process, so the other domain controllers will replicate the restored objects.
Network performance is determined by the combined speed and efficiency of many components working together. Potential bottlenecks can form because of a lack of bandwidth on the network media, slow hard drives on file servers, or too many authentication requests handled by an insufficient number of domain controllers.
You should frequently monitor Active Directory’s performance to make sure everything is running smoothly. There are two tools you can use, the Event Viewer and the Performance Console :
- Event Viewer
Monitors services and applications and stores information in event logs. These logs include information about applications, the directory and file replication services, security, and system errors.
- Performance Console
Provides counters to keep track of the performance of both local and remote computers on the network. The Performance Console contains the System Monitor and Performance Logs and Alerts.
Performance logs can be used for instant feedback or kept as a baseline to be compared to future readings. Also, the NTDS object counters can be used in much the same way to trace Active Directory performance.