Active Directory Recovery Planning


SVR302: Active Directory Recovery Planning
Chewy Chong, Senior Consultant, Systems Engineering Practice, Avanade Australia

Key Takeaways
- Prepare: proactive steps that can be taken to better prepare for different disasters
- Recover: best-practice recommendations to recover from different disaster scenarios
- Experience: stories from the field

Agenda
- Planning for the Worst
- Practical Recovery Examples
- Summary
- Questions

Agenda
- Planning for the Worst
  - Assess
  - Prepare
  - Best Practices
- Practical Recovery Examples
- Summary
- Questions

Planning for the Worst: Assess
- How well do you really know your environment?
  - People
  - Infrastructure
  - Processes and procedures
  - Business expectations / SLAs

Planning for the Worst: Assess
- Find and document your gaps
  - Lack of skills
  - Infrastructure shortcomings
  - No processes / lack of clear procedures
- Be honest with yourself. This was the hand you were dealt.


Planning for the Worst: Prepare
- Write down your "*YP" events
  - Oops. I deleted the 'Executives' OU.
  - Hmm, what would happen if I turned this on...
- Draw boundaries
  - Know when to call for help (amputated finger example)
- Create operational run books
  - Book 1 – Accidental deletion of an AD object
  - Book 2 –

Planning for the Worst: Prepare
- Know your tools
  - Paranoia and patience
  - Microsoft tools: Backup utility, DNS Manager, Active Directory Domains and Trusts MMC snap-in, Active Directory Installation Wizard, Active Directory Schema snap-in, Active Directory Sites and Services MMC snap-in, Active Directory Users and Computers MMC snap-in, ADSI Edit MMC snap-in, Dcdiag.exe, Event Viewer, Ldp.exe, Net.exe, Netdiag.exe, Netdom.exe, Nltest.exe, Ntdsutil.exe, Registry Editor, Repadmin.exe, Secedit.exe, Services snap-in, Ultrasound, W32tm.exe
  - 3rd-party tools
  - More details: http://firechewy.com/blog


Planning for the Worst: Best Practices
- An ounce of prevention is worth a pound of cure.

Planning for the Worst: Best Practices
- 28.34 grams of prevention is worth 0.453 kilograms of cure.

Planning for the Worst: Best Practices
- 28.34 grams of verified prevention is worth 0.453 kilograms of cure.

Planning for the Worst: Best Practices – BACKUPS!!
- What am I saying?
- BACKUPS are essential for any AD recovery process.
- Backup DCs with GC / DNS
- Verify backups.
- Do not take anything for granted.
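A readiness check for the backup advice on this slide, added here as an example (it is not part of the deck and not Avanade's or Microsoft's code): it lists every DC in the domain with whether it holds the GC and DNS roles, how old its last successful Windows Server Backup job is, and flags backups that are older than the forest tombstone lifetime (Windows will not restore those) or older than an SLA you choose. The ActiveDirectory module, the Windows Server Backup cmdlets (Get-WBSummary) and PowerShell remoting to each DC, and the 7-day SLA, are assumptions about the environment.

```powershell
# Added example, not from the deck. Assumes: ActiveDirectory module where this
# runs, Windows Server Backup (Get-WBSummary) and PowerShell remoting on every
# DC. Read-only: it changes nothing.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # Configuration partition. When the attribute is absent, the effective
    # value depends on the OS that created the forest (60 days for forests
    # created before Windows Server 2003 SP1), so fall back to the lower value.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

function Get-LastSystemStateBackup {
    # Timestamp of the last successful backup recorded by Windows Server Backup
    # on the DC, or $null if the cmdlets are missing or the DC is unreachable.
    param([Parameter(Mandatory)][string]$DcName)
    try {
        Invoke-Command -ComputerName $DcName -ErrorAction Stop -ScriptBlock {
            if (Get-Command Get-WBSummary -ErrorAction SilentlyContinue) {
                (Get-WBSummary).LastSuccessfulBackupTime
            }
        }
    } catch { $null }
}

function Test-DcBackupReadiness {
    param([int]$MaxBackupAgeDays = 7)   # assumed SLA
    $tsl = Get-TombstoneLifetimeDays
    foreach ($dc in Get-ADDomainController -Filter *) {
        # The deck asks for backups of DCs that carry GC and DNS.
        $dns  = Get-Service -ComputerName $dc.HostName -Name DNS -ErrorAction SilentlyContinue
        $last = Get-LastSystemStateBackup -DcName $dc.HostName
        $age  = if ($last) { ((Get-Date) - $last).TotalDays } else { $null }
        [pscustomobject]@{
            DC            = $dc.HostName
            IsGC          = $dc.IsGlobalCatalog
            DnsRunning    = ($null -ne $dns -and $dns.Status -eq 'Running')
            LastBackup    = $last
            BackupAgeDays = if ($null -ne $age) { [math]::Round($age, 1) } else { $null }
            # Older than the tombstone lifetime: Windows refuses to restore it.
            Restorable    = ($null -ne $age -and $age -lt $tsl)
            MeetsSla      = ($null -ne $age -and $age -le $MaxBackupAgeDays)
        }
    }
}

# Anything with Restorable or MeetsSla = False is a gap to write down (Assess slide).
Test-DcBackupReadiness | Format-Table -AutoSize
```

Run it from a management host with domain admin rights; a DC that has no GC, no DNS and no restorable backup is exactly the kind of "taken for granted" item the slide warns about.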

Planning for the Worst: Best Practices – BACKUPS!! (image slide; no text captured)

Planning for the Worst: Best Practices
- Spare DC for everyday disaster recovery purposes
  - A small DC that can be 'mailed' somewhere
- Do not have a multi-purposed DC
  - File/Print/DC combo is bad news
  - Too many moving parts, and it typically causes problems

Planning for the Worst: Best Practices
- Have some sort of emergency response procedure
  - Lockdown
  - Assess
  - Act
- Be extra careful while doing stuff that may impact AD
  - "Only the paranoid survive"
  - Take steps to protect AD, such as temporarily stopping replication

Agenda
- Planning for the Worst
- Practical Recovery Examples
  - Object Recovery
  - Single DC Recovery
  - Multi DC Recovery
  - Forest Wide Recovery
- Summary
- Questions

Object Recovery: Problem statement & recovery
- Object has been accidentally deleted
  - Or modified considerably
- Object can't be re-created
  - Different object as far as AD is concerned
  - Different GUID & SID
- Recovery methods
  - Authoritative restore
  - Tombstone reanimation
  - GPMC to restore a deleted GPO

Object Recovery: Authoritative restore
- Boot DC in DS restore mode
- Restore System State but don't reboot
- Run Ntdsutil & mark object to be auth restored
  - Need to know the full DN of the object
  - If deleted object is an application partition, also auth restore the cross-ref object
- Reboot
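The ntdsutil part of the procedure above, written out as an added example (the deck's own demo is not captured in this transcription, and this is not the presenter's code). The object, OU and application-partition DNs under the assumed contoso.com domain are placeholders, and the LDIF file-name pattern for the group-membership step is an assumption; everything else is standard ntdsutil and ldifde syntax.

```powershell
# Added example, not from the deck. Run on the DC while it is still in
# Directory Services Restore Mode, after the System State has been restored
# and BEFORE the reboot. All DNs below are assumptions for a contoso.com domain.
# ntdsutil needs the full distinguished name of the object or subtree.

# One object (a user):
ntdsutil "authoritative restore" "restore object CN=JaneDoe,OU=Executives,DC=contoso,DC=com" quit quit

# A whole OU with everything under it ("Oops. I deleted the 'Executives' OU."):
ntdsutil "authoritative restore" "restore subtree OU=Executives,DC=contoso,DC=com" quit quit

# If the deleted object was an application partition, its cross-ref object in
# the Partitions container must be marked authoritative as well (DN assumed):
ntdsutil "authoritative restore" "restore object CN=AppPart1,CN=Partitions,CN=Configuration,DC=contoso,DC=com" quit quit

# A DN containing spaces has to be wrapped in quotes inside the ntdsutil
# command itself, e.g. restore object "CN=Jane Doe,OU=Executives,DC=contoso,DC=com".
# Never use "restore database": it marks the entire directory authoritative
# (see the Object Recovery best-practices slide).

# After the reboot: on Windows Server 2003 SP1 and later, ntdsutil also writes
# LDIF files for the back-links (group memberships) of the restored objects into
# the directory it was run from, one file per domain. Import each on a DC of the
# matching domain; this is the "restoring group memberships" task the
# best-practices slide mentions. File-name pattern assumed.
Get-ChildItem -Path . -Filter 'ar_*_links_*.ldf' | ForEach-Object {
    ldifde -i -k -f $_.FullName
}
```

The restored object comes back with a higher version number on every attribute, which is what makes the other DCs accept it over their own tombstone; the LDIF import is what puts the object back into the groups that referenced it.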

Object Restore Using an Authoritative Restore

Object Restore Using a 3rd Party Object Recovery Tool and Windows 2003

Recovery Manager Console

Granular Restore
- The Restore Wizard displays only objects that have been changed or deleted in Active Directory.
- Granular selection of objects to restore

Granular Attribute Restore
- Granular selection of attributes to restore/rollback for the object

Comparison Reporting
- Reports provide a list of all objects that have been changed or deleted in Active Directory.
- Drill down in the report to determine exactly what data was modified.

Object Recovery: Best Practices
- That 'spare DC' would come in handy
- Never auth restore the whole database
- Remember the DSRM admin password
  - Every DC's is potentially different
- Auth restore is not the end of it
  - You have other tasks, such as restoring group memberships
- Expedite restore by backing up to disk
- Backup Group Policy using GPMC


Single DC Recovery: Problem statement
- Lost single DC to AD failure or hardware failure
- Originating changes that haven't replicated to other DCs are lost
- Temporary loss of FSMO/GC/DNS role
- Increased workload on other DCs

Single DC Recovery: Recovery method
- Method I: Restore DC from its own backup
  - Boot into DSRM or reinstall OS
  - Restore from backup
  - Reboot
- Method II: Promote DC
  - Force demote DC or reinstall OS
  - Clean metadata of old DC
  - Install AD:
    - Via replication
    - From backup media (Windows Server 2003 only)
  - Seize FSMO role (if required)

Single DC Recovery: Pros and cons
- Method I
  - Restore is faster than replication
  - Fewer moving parts
    - No dcpromo; no metadata cleanup
    - No FSMO role seizure required (unless the machine is unavailable for a long time)
- Method II
  - Good backup of failed DC not available
  - Upgrading to different hardware

Single DC Recovery: Best Practices
- Have sufficient DCs to handle client workload in the absence of one DC
- Have quick access to backup media
  - Store a recent backup on disk
- Have a well-defined procedure and personnel who have rehearsed the process
- Have DSRM password handy (or OS CD)
- Know which FSMO roles the machine has
- Know which applications/services are installed
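An added example (not the presenter's code) for Method II above and the "know which FSMO roles the machine has" best practice: one function records which operations master roles a given DC holds, so it can go into the run book before anything fails; the other seizes exactly those roles on a surviving DC and removes the lost DC's metadata. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later; in the deck's Windows 2003 era the seizure is done in ntdsutil as well) and the DC names DC1 and DC2.

```powershell
# Added example, not from the deck. Method II helpers: find out which FSMO
# roles a lost DC held, seize them on a surviving DC, and clean up the lost
# DC's metadata. Needs the ActiveDirectory module (Windows Server 2008 R2 or
# later). 'DC1' (lost) and 'DC2' (surviving) are assumed names.
Import-Module ActiveDirectory

function Get-FsmoRolesHeldBy {
    # Best-practices slide: "know which FSMO roles the machine has".
    # Run this BEFORE a failure and keep the output in the run book.
    param([Parameter(Mandatory)][string]$DcName)
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles  = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    # Role holders come back as FQDNs; accept the short name as well.
    $roles.GetEnumerator() |
        Where-Object { $_.Value -eq $DcName -or $_.Value -like "$DcName.*" } |
        ForEach-Object { $_.Key }
}

function Invoke-LostDcCleanup {
    param(
        [Parameter(Mandatory)][string]$FailedDc,
        [Parameter(Mandatory)][string]$SurvivingDc
    )
    # 1. Seize only the roles the lost DC actually held. -Force turns the
    #    transfer into a seizure. The old holder must never come back online
    #    with its old copy of the database afterwards.
    $roles = @(Get-FsmoRolesHeldBy -DcName $FailedDc)
    if ($roles.Count -gt 0) {
        Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDc `
            -OperationMasterRole $roles -Force -Confirm:$false
    }

    # 2. Metadata cleanup: remove the lost DC's server object (with its NTDS
    #    Settings child) from the Configuration partition via ntdsutil, which
    #    also drops the replication links other DCs keep for it. ntdsutil asks
    #    for confirmation in a dialog box before it deletes anything.
    $cfg    = (Get-ADRootDSE -Server $SurvivingDc).configurationNamingContext
    $server = Get-ADObject -Server $SurvivingDc -SearchBase "CN=Sites,$cfg" `
                  -LDAPFilter "(&(objectClass=server)(cn=$FailedDc))"
    if ($server) {
        ntdsutil "metadata cleanup" "connections" "connect to server $SurvivingDc" quit `
                 "remove selected server $($server.DistinguishedName)" quit quit
    }

    # 3. Sanity check: the lost DC must no longer show up as a replication partner.
    repadmin /replsummary $SurvivingDc
    return $roles
}

# Invoke-LostDcCleanup -FailedDc 'DC1' -SurvivingDc 'DC2'
```

Only after this cleanup should the replacement DC be promoted (by replication or, on Windows 2003, from backup media); promoting first leaves a stale server object with the same name in the configuration partition.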


Multi-DC Recovery: Problem statement
- Lost more than 1 DC in the domain (potentially the whole domain)
- Physical location housing the site is partially or completely destroyed by a catastrophic event (fire)
- Temporary loss (or slowness) of operations in that site
- Clients will find other DCs (potentially in other sites)

Multi-DC Recovery: Problem statement
- Story: Louisiana High Water

Multi-DC Recovery: Recovery method
- Same as single DC recovery, done multiple times
- If the whole domain is destroyed, then the following additional steps need to be performed
  - During the restore operation, mark SYSVOL of exactly 1 DC as "primary"
    - So that SYSVOL data is pushed to other DCs
  - Raise the RID available pool by a large value
    - So that new security principals get fresh SIDs
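The two whole-domain extras on this slide, as an added example that is not part of the deck: a function that decodes the RID pool attribute and raises it, and one that marks the DC's SYSVOL replica as the authoritative (primary) one for FRS. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) on the restored DC and an FRS-replicated SYSVOL, which is what the Windows 2003 backup utility's "mark as primary" restore option operates on; the 100,000 increment is the value the deck's forest recovery walk-through uses.

```powershell
# Added example, not from the deck. Run on the single DC that was restored
# from backup. Needs the ActiveDirectory module (Windows Server 2008 R2+);
# the FRS registry flag is what the 2003 backup utility's "mark the restored
# data as primary" option sets.
Import-Module ActiveDirectory

function Get-RidAvailablePool {
    # rIDAvailablePool on the RID Manager$ object is one 64-bit integer:
    # high 32 bits = highest RID the domain will ever issue,
    # low 32 bits  = next RID the RID master hands out.
    $dn  = 'CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName
    $raw = [int64](Get-ADObject -Identity $dn -Properties rIDAvailablePool).rIDAvailablePool
    [pscustomobject]@{
        DistinguishedName = $dn
        Raw               = $raw
        NextRid           = $raw -band 0xFFFFFFFF
        MaxRid            = $raw -shr 32
    }
}

function Invoke-RidPoolRaise {
    # Adding to the low half skips every RID the lost DCs may have issued
    # after the backup was taken, so new security principals cannot collide
    # with SIDs that still live on workstations, in ACLs or in trusts.
    param([int64]$Increment = 100000)
    $pool = Get-RidAvailablePool
    if ($pool.NextRid + $Increment -ge $pool.MaxRid) {
        throw 'Increment would exhaust the RID space'
    }
    Set-ADObject -Identity $pool.DistinguishedName `
                 -Replace @{ rIDAvailablePool = ($pool.Raw + $Increment) }
    Get-RidAvailablePool    # NextRid is now $Increment higher
}

function Set-SysvolFrsAuthoritative {
    # FRS "BurFlags": D4 = this replica's SYSVOL is authoritative (primary),
    # D2 = non-authoritative. The NtFrs service applies it at its next start.
    # The key name contains a "/" which the HKLM: provider treats as a path
    # separator, so the .NET registry API is used instead.
    $path = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $true)
    if (-not $key) {
        throw 'FRS key not found; a DFSR-replicated SYSVOL is marked primary via msDFSR-Options instead'
    }
    $key.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Restart-Service -Name NtFrs
}

# Invoke-RidPoolRaise -Increment 100000
# Set-SysvolFrsAuthoritative
```

Exactly one DC in the domain gets D4; every other DC that is restored or rebuilt afterwards must come up non-authoritative, otherwise two SYSVOL replicas fight over which copy of Group Policy wins.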

Multi-DC Recovery: Best Practices
- Provide redundancy by not having the entire domain in a single physical location
- Backup multiple DCs (GCs) per domain, in different physical locations
- Store backups securely offsite
- Have similar hardware available
- Have a well-defined procedure and a copy of your AD infrastructure


Forest Recovery: Problem statement
- Every DC in the forest is "affected" by some replicated "corruption"
- Affected DCs might provide some level of service, or none at all

Forest Recovery: Problem statement
- Story: DCs' "USE BY: xx-xx-xx" date

Forest Recovery: Check your boundaries
- This type of disaster may warrant calling in outside help
- Remember my 'severed finger' analogy

Forest Recovery: How it happens (diagram slides; only the captions survive the transcription)
- Working forest: Contoso.com with child domains Sales.Contoso.com and Product.Contoso.com
- Disaster Strikes: some 'corrupt' update is made in Contoso.com
- "Corruption" Replicates: the update replicates to partner DCs, which become affected
- Entire Forest Is Affected

Forest Recovery: Considerations
- Corruption can replicate from "affected" DCs to restored DCs
  - Can't shut down all "affected" DCs before restored DCs are brought online
- Restore exactly 1 DC per domain from backup, because
  - The only thing worse than having to perform a forest recovery is having to perform it twice
  - Backups need to be tested for each DC you restore
  - Multiple DCs will have to be booted into isolation
  - You would have to perform the right recovery steps on each DC you restore

Forest Recovery: Considerations
- Select a backup that is unaffected by the "corruption"
  - If using AD-integrated DNS, then preferably the backup should be that of a DNS server
- Restore at least 1 GC, because without a GC:
  - Users/computers can't authenticate
  - Can't install a DC
  - Secure dynamic updates of DNS records fail
  - MS Exchange would not function
- Restoring a GC could result in lingering objects which would have to be cleaned up later

Forest Recovery: Walk-through (diagram slides across Contoso.com, Sales.Contoso.com and Product.Contoso.com; only the slide titles and the step 4 list survive the transcription)
1. Identify ...
2. Select a ...
3. Isolate DC to be ...
4. Recover Isolated DC
   1. Boot in DSRM (need DSRM admin password)
   2. Restore System State (and System drive) from backup
   3. Mark SYSVOL primary
   4. Reboot in normal mode
   5. Log on as Administrator (only account that works in absence of GC)
   6. Point to root DC as the primary DNS server
   7. Raise RID available pool by a large value (100,000)
   8. Seize FSMO roles
   9. Cleanup metadata of all other DCs in domain
   10. Cleanup DNS records of all other DCs in domain
   11. Stop replication with "affected" DCs by breaking mutual authentication
       - Reset computer account password (twice)
       - Reset krbtgt password
       - Delete computer accounts of all other DCs in domain
       - Reset trust password on one side of the trust (twice)
5. Remove AD From "Affected" DCs
   - Force demote DC, or
   - Reinstall
6. Bring Isolated DCs ...
7. Verify ...
8. Promote Remaining DCs
   - Via replication, or
   - Via ...
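Helpers for three of the "Recover Isolated DC" items above, added here as an example (not the presenter's code): toggling replication on the restored DC (step 11, and the "temporarily stopping replication" safeguard from the Planning for the Worst best practices), resetting the krbtgt password (step 11), and deleting the DNS records of the other DCs in the domain (step 10). The computer-account and trust password resets are netdom operations and are not repeated here; the RID pool raise and SYSVOL marking are the same as in multi-DC recovery. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later) on the restored DC; contoso.com and the DC names DC2 and DC3 are placeholders.

```powershell
# Added example, not from the deck. Requires the ActiveDirectory and DnsServer
# modules (Windows Server 2012+) on the one restored DC. Names are assumptions.
Import-Module ActiveDirectory
Import-Module DnsServer

function Set-ReplicationIsolation {
    # Disables (or re-enables) inbound and outbound replication on this DC.
    # Keep it disabled until every "affected" DC has been demoted or rebuilt;
    # otherwise the corruption replicates straight back into the restored DC.
    param([Parameter(Mandatory)][bool]$Enabled)
    $sign = if ($Enabled) { '-' } else { '+' }
    repadmin /options $env:COMPUTERNAME "${sign}DISABLE_INBOUND_REPL" "${sign}DISABLE_OUTBOUND_REPL"
}

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded (43 characters).
    $bytes = New-Object byte[] 32
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Reset-KrbtgtPassword {
    # The KDC keeps the previous krbtgt key and still honours tickets issued
    # under it, so a single reset leaves a key the pre-disaster DCs also hold.
    # Doing it twice here is safe only because this DC is isolated and alone in
    # its domain; in a live forest the second reset must wait for replication.
    1..2 | ForEach-Object {
        $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
    }
    (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
}

function Remove-StaleDcDnsRecords {
    # Deletes A records of the lost DCs and every SRV/CNAME/NS record that
    # still points at them. Call once per zone (contoso.com, _msdcs.contoso.com).
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string[]]$StaleDcNames   # short host names
    )
    $removed = @()
    foreach ($rr in Get-DnsServerResourceRecord -ZoneName $ZoneName) {
        $target = switch ($rr.RecordType) {
            'SRV'   { $rr.RecordData.DomainName }
            'CNAME' { $rr.RecordData.HostNameAlias }
            'NS'    { $rr.RecordData.NameServer }
            default { $null }
        }
        $isStaleHost   = ($rr.RecordType -eq 'A') -and ($rr.HostName -in $StaleDcNames)
        $pointsAtStale = ($null -ne $target) -and
            (@($StaleDcNames | Where-Object { $target -like "$_.*" }).Count -gt 0)
        if ($isStaleHost -or $pointsAtStale) {
            Remove-DnsServerResourceRecord -ZoneName $ZoneName -InputObject $rr -Force
            $removed += "$($rr.HostName) $($rr.RecordType) $target"
        }
    }
    $removed
}

# Order of use on the restored DC (names assumed):
# Set-ReplicationIsolation -Enabled $false
# Reset-KrbtgtPassword
# Remove-StaleDcDnsRecords -ZoneName 'contoso.com'        -StaleDcNames 'DC2','DC3'
# Remove-StaleDcDnsRecords -ZoneName '_msdcs.contoso.com' -StaleDcNames 'DC2','DC3'
# ... and only after the other DCs are demoted or rebuilt (step 5):
# Set-ReplicationIsolation -Enabled $true
```

Remove-StaleDcDnsRecords returns the records it deleted, which is worth keeping with the recovery log: the same names must not reappear until those DCs have been rebuilt and re-promoted in step 8.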

Forest Recovery: Post-recovery steps
- Restore DNS to its original configuration
- Add additional GCs, DNS servers
- Fix up user/machine passwords that fail
- Transfer FSMO roles to appropriate DCs
- Recover missing objects
- Fix Exchange mailboxes for missing users
- Recover other AD-dependent applications
- Remove lingering objects on GCs


Summary
- To be able to restore from a backup requires having taken one
- Have you checked your spare tire?
  - While you're at it, check your smoke alarms also
- Remember the 'severed finger'
  - Nothing wrong with knowing your boundaries and asking for help.
- Practice makes perfect

Resources
- Forest Recovery: ...ils.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE
- Windows Server 2003 Operation...: .../cits/mo/winsrvmg/adpog/adpog1.mspx
- Windows Server 2003 SP1 authoritative restore: ...-4475-b9b4-46f76c9c7c90.mspx
- Tombstone reanimation: ...?url=/library/en-us/ad/ad/active_directory.asp
- How to force demote a DC: http://support.microsoft.com/default.aspx?scid=kb;en-us;332199
- Group Policy Administration using ...: ...a9c0f2b8-4803-4d63-8c32-3040d76aa98d/GPMC_Administering.doc

Resources
- Chewy Chong
- Email: chewyc@avanade.com
- Blog: firechewy.com/blog

Your Feedback is Important!
Please write the number located in the bottom left-hand corner of your name badge on the top of the Evaluation Form. This number links back to your registration details so that we can contact you after TechEd.
When completing the Evaluation Form, please tick the number that best corresponds to your experience at TechEd. For additional comments, use the comments section at the end of each form.

2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
