How to backup active directory image?

Posted on 2015-01-07
Medium Priority
Last Modified: 2015-01-21
I need to run some scripts to extend the Active Directory schema; they were provided to me by Oracle support as follows. This is the most important step for this new Oracle EUS project. Before I run the script, I would like to back up my Active Directory schema. It's a Windows 2003 domain level; how could I do it?

Below is the action plan provided by Oracle Support:

1.      Make a back-up copy of your Active Directory image. The schema extensions inside of Active Directory are permanent and cannot be canceled. The back-up image enables you to restore all your changes if required.
2.      Execute the following command to load the Enterprise User Security required schema, ExtendAD, into Active Directory using the Java classes included in Oracle Unified Directory.
        The ExtendAD file is located in the $ORACLE_HOME/config/EUS/ActiveDirectory/ directory (Unix) or the ORACLE_HOME\config\EUS\ActiveDirectory\ directory (Windows). You can use the java executable in the ORACLE_HOME/jdk/bin directory.
            java ExtendAD -h Active_Directory_Host_Name -p Active_Directory_Port
                 -D Active_Directory_Admin_DN -w Active_Directory_Admin_Password
                 -AD Active_Directory_Domain_DN -commonattr
        For example:
            java ExtendAD -h myhost -p 389 -D cn=administrator,cn=users,dc=example,dc=com -w <pwd> -AD dc=example,dc=com -commonattr
3.      Install the Oracle Unified Directory Password Change Notification plug-in, oidpwdcn.dll, by performing the following steps:
        1.  Complete the following depending on your Windows version:
            Windows 32-bit: copy the OUD_HOME\config\EUS\ActiveDirectory\win\oidpwdcn.dll file to the Active Directory WINDOWS\system32 directory.
            Windows 64-bit: copy the OUD_HOME\config\EUS\ActiveDirectory\win64\oidpwdcn.dll file to the Active Directory WINDOWS\system64 directory.
        2.  Use regedt32 or regedt64 to edit the registry and enable oidpwdcn.dll. Start regedt32 by entering regedt32 at the command prompt.
        3.  Add oidpwdcn to the end of the Notification Packages entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ registry key, for example:
                RASSFM
                KDCSVC
                WDIGEST
                scecli
                oidpwdcn
            This enables the password DLL and populates the orclCommonAttribute attribute with the password verifier required by EUS.
        4.  Restart the Active Directory system after making these changes.
Question by:Jason Yu
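An added example, not part of the original question or of Oracle's action plan: a cmd script for a Windows 2003 domain controller that captures what step 1 asks for before ExtendAD is run. It exports the schema naming context to an LDIF file with ldifde, takes a System State backup with ntbackup (the backup that DSRM restores from), and saves the Lsa registry key whose Notification Packages value step 3 later edits, so the before and after states can be compared. The schema DN, backup folder and label argument are assumptions; adjust them to your forest.

```batch
@echo off
REM ad-pre-change-snapshot.cmd  (added example; not from the original post)
REM Usage: ad-pre-change-snapshot.cmd <label>   e.g. "before" or "after"
REM Run on the DC as a member of Domain Admins (or Backup Operators for ntbackup).
setlocal

REM --- assumptions: change to match your forest and backup location ---
set "SCHEMA_DN=CN=Schema,CN=Configuration,DC=example,DC=com"
set "LSA_KEY=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "BACKUP_DIR=D:\ADBackup"
set "LABEL=%~1"
if "%LABEL%"=="" set "LABEL=before"

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

REM 1. Export every class and attribute definition in the schema partition.
REM    This is the human-readable record of what ExtendAD will add:
REM    -p subtree walks the whole partition, -r filters the objects exported.
ldifde -f "%BACKUP_DIR%\schema-%LABEL%.ldf" -d "%SCHEMA_DN%" -p subtree -r "(objectClass=*)"
if errorlevel 1 (
    echo ldifde export of %SCHEMA_DN% failed
    exit /b 1
)

REM 2. System State backup: NTDS.DIT, SYSVOL, registry, COM+ and boot files.
REM    This .bkf is what you would restore from Directory Services Restore Mode.
set "BKF=%BACKUP_DIR%\systemstate-%LABEL%.bkf"
ntbackup backup systemstate /J "AD SystemState %LABEL%" /F "%BKF%"
if not exist "%BKF%" (
    echo ntbackup did not produce %BKF%; check the ntbackup log before continuing
    exit /b 1
)

REM 3. Save the Lsa key (it holds "Notification Packages") so the value can be
REM    diffed against the post-change state or put back exactly as it was.
if exist "%BACKUP_DIR%\lsa-%LABEL%.reg" del "%BACKUP_DIR%\lsa-%LABEL%.reg"
reg export "%LSA_KEY%" "%BACKUP_DIR%\lsa-%LABEL%.reg"
echo Current Notification Packages value:
reg query "%LSA_KEY%" /v "Notification Packages"

echo Snapshot "%LABEL%" written to %BACKUP_DIR%
endlocal
```

Run it with the label before ahead of ExtendAD and again with after once the extension and the registry edit are done; fc "D:\ADBackup\schema-before.ldf" "D:\ADBackup\schema-after.ldf" then lists exactly the schema objects the extension created, and fc on the two .reg files confirms that only oidpwdcn was appended to Notification Packages. Prove that the .bkf actually restores on the cloned test DC before relying on it for production.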
Accepted Solution

Bahloul earned 860 total points
ID: 40536923
Schema updates are a one-way function. You can only add new schema to AD; you can never delete anything. For this reason you should always carefully evaluate alternatives when software requires schema extensions or updates, so it's very important to back up the AD NTDS system state and verify this backup.

See the article below on AD backup.


Author Comment

by:Jason Yu
ID: 40536965
Hi, Bahloul

I feel the same way. I don't feel safe extending the schema. However, this project was pending in our system admin team's hands. The Oracle DBA team insists that we extend the schema since they need to implement this new Oracle product called "EUS" (Enterprise User Security). I have no way but to move forward.

I have cloned one DC to a test environment and begun to test the extension script. At the same time, I want to back up the schema.

I will read your article and give you an update.


Assisted Solution

Bahloul earned 860 total points
ID: 40536971
The schema is already included in the system state backup; also, a clone is a good choice together with system state.


Assisted Solution

by:Shibu Kuttan
Shibu Kuttan earned 288 total points
ID: 40537375
Take a System State backup and proceed to perform the steps provided by the Oracle support team.

If anything goes wrong in the activity you can get your old schema back by restoring Active Directory.
To restore Active Directory you need to boot into DSRM (Directory Services Restore Mode) and restore your system state backup.

It is recommended that you perform this activity in your test environment first before implementing it in production.

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 568 total points
ID: 40538273
Backing up the Active Directory System State is the best method of action. Do not use a clone to recover a Domain Controller. This will cause a lot of issues if you do so: the USN will be all out of whack and replication will not work properly.

Schema updates for Microsoft products are typically bulletproof (I still personally like to test them) but I am always hesitant with 3rd-party schema modifications. Does Oracle have another method, like an LDS instance or something less invasive?

As already stated, if you perform the schema modification you cannot turn back easily; even with a system state backup there is some work involved to get it back to where it was.


Assisted Solution

Bahloul earned 860 total points
ID: 40538500
Cloning works well, but you must back up any other services integrated with AD.


Assisted Solution

compdigit44 earned 284 total points
ID: 40545613
Just out of curiosity, do you know what extensions the schema update is adding? The only reason I am asking is whether a newer domain functional level like 2008, 2008 R2 or 2012 would add the needed functionality...

Just thinking out loud

Author Comment

by:Jason Yu
ID: 40545673
It's a function for Oracle EUS interfacing with AD. I don't know if this is the info for your question; I will check the details and update you later.

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 568 total points
ID: 40545704
Do not use a cloned image of your DC unless you have a DC running Server 2012 which holds the PDC role, and your cloned DC also needs to be running Server 2012. You only use a DC image in earlier versions when all of your DCs have been compromised (virus/corrupt database). You would then restore the single DC image and from there add other DCs using dcpromo. If you restore an entire DC image, FSMO holder or not, it will mess up replication and the USNs (Update Sequence Numbers) used for replication.
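An added example, not part of Will's answers: a cmd script that checks a domain controller for the USN rollback condition described in both of his posts after an image has been restored or cloned in the test environment. It reads the "Dsa Not Writable" value under the NTDS Parameters key, which the directory service sets to 4 when it detects that a restored database's USNs went backwards relative to what replication partners have already seen (Microsoft KB 875495), in which case it quarantines the DC by disabling replication and pausing Net Logon and logs Directory Service event ID 2095. It then shows the up-to-dateness vector and replication status with repadmin. On Windows 2003 repadmin comes from the Support Tools; the domain DN is an assumption.

```batch
@echo off
REM usn-rollback-check.cmd  (added example; not from the original answer)
REM Run on the DC you restored or cloned, before joining it to real traffic.
setlocal
set "NTDS_KEY=HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
set "DOMAIN_DN=DC=example,DC=com"

echo == 1. Quarantine flag set by the directory service on USN rollback ==
REM "Dsa Not Writable" = 0x4 means NTDS noticed its USNs went backwards
REM (unsupported image restore); it stops inbound/outbound replication and
REM pauses Net Logon on that DC so stale changes cannot spread.
reg query "%NTDS_KEY%" /v "Dsa Not Writable" >nul 2>&1
if errorlevel 1 (
    echo   value not present: no rollback has been flagged on this DC
) else (
    reg query "%NTDS_KEY%" /v "Dsa Not Writable"
    reg query "%NTDS_KEY%" /v "Dsa Not Writable" | find "0x4" >nul
    if not errorlevel 1 echo   *** USN rollback detected: this DC is quarantined from replication ***
)

echo.
echo == 2. Up-to-dateness vector: highest USN this DC holds from each partner ==
REM A supported System State restore gives the DC a new invocation ID, so
REM partners treat it as a fresh source; a reverted image keeps the old one
REM and its USN counter restarts below what partners have already consumed.
repadmin /showutdvec localhost "%DOMAIN_DN%"

echo.
echo == 3. Replication status with each partner (look for failing last attempts) ==
REM A quarantined DC shows replication failures here and Directory Service
REM event ID 2095 in the event log explains why.
repadmin /showrepl localhost
endlocal
```

The find "0x4" match is deliberately loose (it would also match 0x40); on a real check read the printed value, since the only documented rollback value is 4. If step 1 reports the flag, the DC is not repairable in place: it has to be demoted (or forcibly removed with ntdsutil metadata cleanup) and re-promoted, which is the cost the answers above warn about when a clone is used instead of a System State restore.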

