
What you need to know to successfully recover Active Directory

WSV326a. Alex Pubanz, Senior PFE, Microsoft. Session overview: what is an Active Directory disaster, forest recovery, AD Topology Diagrammer, AD Recycle Bin, Group Policy backup and recovery.


Presentation Transcript


  1. WSV326a What you need to know to successfully recover Active Directory Alex Pubanz Senior PFE, Microsoft

  2. Overview: what we will cover in this session • What is an Active Directory disaster • Forest recovery • AD Topology Diagrammer • AD Recycle Bin • Group Policy backup and recovery

  3. Active Directory – Why is it important and what to document in a disaster recovery plan

  4. Why is Active Directory so important? Key AD DS functions • Authentication – establishes trusted communication between systems and users • Logon, resource access • Data delivery – provides data storage and recall for applications in a distributed environment • GPO data, Exchange configuration, SharePoint, etc. • Replication – helps ensure that data is loosely consistent across all copies of the database in a distributed environment • Consistent configuration and settings across the environment

  5. Active Directory Disaster Recovery: defining a disaster • An issue that affects one of the mentioned functions (outage) to the point that it impacts the business (disaster) • Outages and disasters can affect the service or the data • Functions need to be brought back ASAP (recovery) • Most companies focus on service recovery (DR sites), and not on data recovery or corruption • Small things add up, and the recovery might take longer than planned

  6. Active Directory Disaster Recovery: how to recover? • Non-authoritative restore, or reinstall a DC? • Authoritatively restore AD DS objects, reanimate tombstones, use AD Recycle Bin, or use third-party tools? • Authoritatively restore GPOs, or use a GPO backup?

  7. Active Directory Disaster Recovery: decide which DCs to use for a forest restore • Avoid holders of operations master (FSMO) roles, because you will bring these boxes down • Avoid DCs with DHCP, DNS primary zones or WINS • Make sure the DC is a DNS server (if you use application partitions for DNS data) • Consider using a virtual machine (easier to restore system state) • Define at least two DCs per writable naming context

  8. Active Directory Disaster Recovery: decide which backup strategy to use • System-state backup vs. full backup • Windows Server Backup in Windows Server 2008/2008 R2 and Windows Server 2012 • Bare-metal restore on Windows Server 2008/2008 R2 and Windows Server 2012 • Dedicated backup volume: block-level backup with VSS to a VHD • Windows Recovery Environment (press F8)

  9. Active Directory Disaster Recovery: decide which backup strategy to use • Third-party tools • Can usually reanimate tombstones with attribute restore in seconds, using GUI-based wizards • However, always use native Windows or Windows Server backup tools on at least two DCs per domain (so it is supported by Microsoft) • Some third-party backup solutions require AD DS authentication (deadlock when AD DS is the thing being restored)

  10. Active Directory Disaster Recovery: documentation • All DCs: names, IP addresses, OS versions, SP levels • Use the AD Topology Diagrammer tool, Visio, MBSA • Document which DC holds each FSMO role • DSRM password for all DCs • Every DC has one local user for database maintenance • Ntdsutil resets the DSRM password on DCs • User name and password for the -500 user • The default Administrator account • The only user who can log on when no GCs are available
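The following PowerShell is an added example, not material from the session: it builds the documentation inventory slide 10 asks for (DCs, addresses, OS and SP levels, FSMO holders, the -500 account) and then filters that inventory against the slide 7 criteria for forest-restore candidates. It assumes the ActiveDirectory RSAT module, an account that can read every domain and query services on each DC, and an output folder (`C:\ADDR-Docs`) that is a placeholder.

```powershell
# Added example (not part of the session): DC inventory for the DR document, plus
# candidate selection for a forest restore. Assumes the ActiveDirectory module and
# remote service queries are allowed; the output folder is a placeholder.
Import-Module ActiveDirectory

function Test-RemoteService {
    param([string]$Computer, [string]$ServiceName)
    # True when the service is installed on the DC (service names: DNS, DHCPServer, WINS)
    $null -ne (Get-Service -ComputerName $Computer -Name $ServiceName -ErrorAction SilentlyContinue)
}

function Get-DcInventory {
    param([string]$OutDir = 'C:\ADDR-Docs')    # assumed output location
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $forest = Get-ADForest
    $rows = foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # RID 500 is the built-in Administrator, whatever it has been renamed to
        $admin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Server $domain.PDCEmulator
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain.PDCEmulator) {
            [pscustomobject]@{
                Domain          = $domainName
                Name            = $dc.HostName
                IPv4Address     = $dc.IPv4Address
                Site            = $dc.Site
                OS              = $dc.OperatingSystem
                ServicePack     = $dc.OperatingSystemServicePack
                IsGlobalCatalog = $dc.IsGlobalCatalog
                FsmoRoles       = ($dc.OperationMasterRoles -join ';')
                DnsServer       = Test-RemoteService $dc.HostName 'DNS'
                DhcpServer      = Test-RemoteService $dc.HostName 'DHCPServer'
                WinsServer      = Test-RemoteService $dc.HostName 'WINS'
                Admin500Account = $admin.SamAccountName
            }
        }
    }
    $rows | Export-Csv -Path (Join-Path $OutDir 'dc-inventory.csv') -NoTypeInformation
    # Forest-level role holders belong in the same document
    [pscustomobject]@{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster; ForestMode = $forest.ForestMode } |
        Export-Csv -Path (Join-Path $OutDir 'forest-roles.csv') -NoTypeInformation
    $rows
}

function Select-ForestRestoreCandidates {
    param([Parameter(Mandatory)][object[]]$Inventory)
    # Slide 7: no FSMO holder, no DHCP or WINS, must run DNS, at least two per writable domain.
    # (Non-AD-integrated primary DNS zones would need the DnsServer module and are not checked here.)
    $eligible = $Inventory | Where-Object {
        [string]::IsNullOrEmpty($_.FsmoRoles) -and -not $_.DhcpServer -and -not $_.WinsServer -and $_.DnsServer
    }
    $domains = $Inventory | ForEach-Object { $_.Domain } | Sort-Object -Unique
    foreach ($domainName in $domains) {
        $count = @($eligible | Where-Object { $_.Domain -eq $domainName }).Count
        if ($count -lt 2) { Write-Warning "$domainName has $count eligible DCs; slide 7 asks for at least two" }
    }
    $eligible
}

$inventory = Get-DcInventory
Select-ForestRestoreCandidates -Inventory $inventory | Format-Table Domain, Name, IPv4Address, Site, OS -AutoSize

# DSRM passwords (slide 10) are set per DC with ntdsutil, e.g. run locally on each DC:
#   ntdsutil "set dsrm password" "reset password on server null" q q
```

The CSV files are what goes into the recovery plan; the warning is the check that matters, because a domain with fewer than two eligible DCs leaves you restoring a FSMO holder or a DHCP/WINS box, which the slide tells you to avoid.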

  11. Recovering from a Forest-wide disaster

  12. Active Directory Disaster Recovery: forest-wide disasters and recovery • What kinds of scenarios require a forest recovery? • Logical or physical compromise of the forest (internal or external) • Loss of a large number of DCs • Physical damage, incorrect distribution of software, viruses, etc. • Two ways to recover a forest • While all DCs are offline, restore one DC per domain, and then promote additional new DCs • Restore all DCs to a previous state at the same time • The impact of both the disaster and the restore is catastrophic

  13. Forest-wide Disasters and Recovery: recovery process overview • Phase 1 – Minimal operational Active Directory forest • Restore one DC at the root domain, in an isolated network • Mark FRS/DFS-R for SYSVOL as authoritative • Make sure all critical services are up, running, and configured (including DNS) • Clean up the environment – remove the old DCs (metadata cleanup) • Un-GC the DC, seize operations master roles, increase the rIDAvailablePool, reset passwords • Restore one DC in all child domains • Mark DCs as GCs after all domains are up and replicating
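The Phase 1 clean-up steps on slide 13 (metadata cleanup, un-GC, seize roles, raise rIDAvailablePool, reset passwords), scripted as an added example that is not part of the session. It assumes it runs on the single restored root-domain DC while that DC is still isolated, that the DC is named `RESTOREDDC` (a placeholder), and that the ActiveDirectory module is installed there; the ntdsutil metadata cleanup prompts for confirmation per server.

```powershell
# Added example (not part of the session): slide 13 Phase 1 steps on the restored root DC.
# Assumes the ActiveDirectory module, an isolated network, and a DC named RESTOREDDC (placeholder).
Import-Module ActiveDirectory

$dcName   = 'RESTOREDDC'                          # assumed name of the restored DC
$domainDn = (Get-ADDomain).DistinguishedName      # e.g. DC=contoso,DC=com
$me       = Get-ADDomainController -Identity $dcName

# 1. Metadata cleanup: every other DC in the forest still exists in the restored copy of the
#    directory. Enumerate nTDSDSA objects from the Configuration NC and remove their server objects.
$configNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configNc" |
    Where-Object { $_.DistinguishedName -ne $me.NTDSSettingsObjectDN } |
    ForEach-Object {
        $serverDn = $_.DistinguishedName -replace '^CN=NTDS Settings,', ''
        ntdsutil "metadata cleanup" "remove selected server $serverDn" q q   # confirmation prompt per server
    }

# 2. Un-GC the restored DC: clear bit 0x1 (NTDSDSA_OPT_IS_GC) of 'options' on its NTDS Settings object
$ntds = Get-ADObject -Identity $me.NTDSSettingsObjectDN -Properties options
Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -band -2) }

# 3. Seize all five operations master roles; -Force seizes when the current holder cannot be contacted
Move-ADDirectoryServerOperationMasterRole -Identity $dcName -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 4. Raise rIDAvailablePool by 100,000. The attribute is a single 64-bit integer: the high 32 bits
#    hold the highest RID that can ever be issued, the low 32 bits the start of the next pool to hand
#    out. Raising the low part ensures RIDs issued after the backup was taken are never reissued.
$ridMgr  = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$domainDn" -Properties rIDAvailablePool
$pool    = [int64]$ridMgr.rIDAvailablePool
$high    = [int64][math]::Floor($pool / 4294967296)
$low     = $pool - $high * 4294967296
$newPool = $high * 4294967296 + ($low + 100000)
Set-ADObject -Identity $ridMgr -Replace @{ rIDAvailablePool = $newPool }

# 5. Reset passwords: krbtgt twice (the account keeps the current and the previous key, so one
#    reset leaves the old key valid), then this DC's own machine account. Trust passwords are
#    reset with netdom once the child domains are back.
foreach ($i in 1..2) {
    $random = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $random
}
Reset-ComputerMachinePassword -Server $me.HostName
```

Each step maps to one bullet of the slide, in the order the slide gives them; the DC is made a GC again only after the child domains are restored and replicating, which is the last bullet and is deliberately not in this block.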

  14. Forest-wide Disasters and Recovery: recovery process overview • Phase 2 – Active Directory forest operational at strategic locations • Re-connect restored DCs to the production network • Re-promote additional DCs for all the domains, e.g. using cloning in Windows Server 2012 • Phase 3 – Active Directory forest at full operational strength • Bring the applications and dependent services back

  15. Recovery Scenario I: multi-domain forest. DomainA (contoso.com) with two child domains, DomainB and DomainC (europe.contoso.com and redmond.contoso.com)

  16. Recovery Scenario II (demo): single-domain forest, contoso.com

  17. demo Forest Recovery

  18. demo Documenting your environment using ADTD

  19. Active Directory Recycle Bin – What’s new in Windows Server 2012

  20. Active Directory Recycle Bin: what's new, what's not • Available in Windows Server 2008 R2 and later • Requires Windows Server 2008 R2 forest functional level • Once enabled, Active Directory Recycle Bin cannot be disabled • Enables recovery of deleted objects in AD DS • No restore from backup required • No DC reboot required • Recovery of ALL attributes of a deleted object • Including linked attributes (e.g. group membership) • AD Administrative Center includes a GUI for the Recycle Bin • Available in Windows Server 2012
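An added example, not from the session, of what slide 20 describes: enabling the Recycle Bin (irreversible, so the function checks first), listing what is in it, and restoring a deleted OU together with the objects that were deleted with it, parent first. It assumes the ActiveDirectory module, an Enterprise Admins account, and a forest with an OU that used to be called `Sales` (a placeholder).

```powershell
# Added example (not part of the session): AD Recycle Bin enable check, listing and subtree restore.
# Assumes the ActiveDirectory module and Enterprise Admins rights; the OU name "Sales" is a placeholder.
Import-Module ActiveDirectory

function Enable-RecycleBinIfNeeded {
    param([string]$ForestDns = (Get-ADForest).RootDomain)
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -gt 0) { return 'already enabled' }
    # Needs forest functional level 2008 R2 or higher and cannot be switched off again (slide 20)
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $ForestDns -Confirm:$false
    return 'enabled'
}

function Get-DeletedObjects {
    param([string]$NameLike = '*')
    # msDS-LastKnownRDN keeps the pre-deletion name; the Deleted Objects container itself also carries isDeleted=TRUE
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$NameLike))" -IncludeDeletedObjects `
        -Properties msDS-LastKnownRDN, lastKnownParent, whenChanged |
        Where-Object { $_.DistinguishedName -notmatch '^CN=Deleted Objects,' } |
        Sort-Object whenChanged -Descending
}

function Restore-DeletedTree {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]$DeletedObject,   # ADObject from Get-DeletedObjects
        [string]$TargetPath,                    # DN of the already restored parent, when recursing
        [int]$WindowMinutes = 10                # only pull back children deleted together with the parent
    )
    $restoreArgs = @{ Identity = $DeletedObject; PassThru = $true }
    if ($TargetPath) { $restoreArgs.TargetPath = $TargetPath }
    $restored = Restore-ADObject @restoreArgs
    Write-Verbose "restored $($restored.DistinguishedName)"
    $restored

    # A child's lastKnownParent may hold the parent's original DN or its mangled
    # "<name>\0ADEL:<guid>,CN=Deleted Objects,..." DN; match both and pass the restored DN explicitly.
    $parentDns = @($restored.DistinguishedName, $DeletedObject.DistinguishedName)
    $deletedAt = $DeletedObject.whenChanged
    Get-DeletedObjects | Where-Object {
        $parentDns -contains $_.lastKnownParent -and
        [math]::Abs(($_.whenChanged - $deletedAt).TotalMinutes) -le $WindowMinutes
    } | ForEach-Object {
        Restore-DeletedTree -DeletedObject $_ -TargetPath $restored.DistinguishedName -WindowMinutes $WindowMinutes
    }
}

Enable-RecycleBinIfNeeded
$ou = Get-DeletedObjects -NameLike 'Sales' |
      Where-Object { $_.ObjectClass -eq 'organizationalUnit' } | Select-Object -First 1
Restore-DeletedTree -DeletedObject $ou -Verbose
```

The time window is the practical caveat: objects removed from that OU weeks earlier also record it as their last known parent, and without the window a subtree restore would bring them back too. Group memberships come back with the users because the Recycle Bin preserves linked attributes, which is exactly the difference from tombstone reanimation the slide draws.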

  21. demo AD Recycle bin GUI + Adtree-restore.ps1

  22. Group Policy Backup and Recovery

  23. Group Policy Disasters: preparing to recover • A GPO restore can be quite complicated and time consuming • It requires a restore of both: • AD DS objects (GPC and GPLinks) – authoritative AD restore • SYSVOL objects (GPT) – SYSVOL restore • Use backup methods other than a regular system-state or full backup to speed up the process • GPMC scripts (BackupAllGPOs.wsf) • Windows PowerShell cmdlet (Backup-GPO) • Advanced Group Policy Management (AGPM)
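Slide 23 lists Backup-GPO as the faster route; the added example below (not the session's own code) backs up every GPO that way and also records where each one is linked, because Backup-GPO captures the GPC and GPT but not the gPLink attribute on the containers the slide mentions. It assumes the GroupPolicy and ActiveDirectory modules and a backup folder under `C:\GPO-Backups` (a placeholder).

```powershell
# Added example (not part of the session): GPO backup with link recording, and a restore that
# re-creates the links. Assumes the GroupPolicy and ActiveDirectory modules; the path is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Backup-AllGposWithLinks {
    param([string]$Path = ('C:\GPO-Backups\' + (Get-Date -Format 'yyyyMMdd-HHmm')))   # assumed
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $backups = Backup-GPO -All -Path $Path        # GPC (AD) + GPT (SYSVOL) for each GPO
    # gPLink lives on the linked container, not in the GPO: walk the domain root and every OU
    $targets = @((Get-ADDomain).DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
    $links = foreach ($target in $targets) {
        foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
            [pscustomobject]@{
                Target   = $target
                GpoName  = $link.DisplayName
                GpoId    = $link.GpoId
                Enabled  = $link.Enabled
                Enforced = $link.Enforced
                Order    = $link.Order
            }
        }
    }
    $links | Export-Csv -Path (Join-Path $Path 'gpo-links.csv') -NoTypeInformation
    [pscustomobject]@{ Path = $Path; GpoCount = @($backups).Count; LinkCount = @($links).Count }
}

function Restore-GpoWithLinks {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    # Restore-GPO recreates the GPO (same GUID) from the backup; links come back from the CSV
    $gpo   = Restore-GPO -Name $Name -Path $Path
    $links = Import-Csv (Join-Path $Path 'gpo-links.csv') | Where-Object { $_.GpoName -eq $Name }
    foreach ($link in $links) {
        $already = (Get-GPInheritance -Target $link.Target).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
        if (-not $already) {
            $enabled  = if ($link.Enabled  -eq 'True') { 'Yes' } else { 'No' }
            $enforced = if ($link.Enforced -eq 'True') { 'Yes' } else { 'No' }
            # Link order is recorded in the CSV but not re-applied here; adjust with Set-GPLink if it matters
            New-GPLink -Guid $gpo.Id -Target $link.Target -LinkEnabled $enabled -Enforced $enforced | Out-Null
        }
    }
    $gpo
}

$result = Backup-AllGposWithLinks
"$($result.GpoCount) GPOs and $($result.LinkCount) links saved under $($result.Path)"
# Later, after a GPO was deleted or damaged:
# Restore-GpoWithLinks -Path $result.Path -Name 'Default Domain Policy'
```

Run the backup on a schedule from a server that is not itself a DC, so the backup folder survives the DC restore scenarios in the earlier slides; the links CSV is what turns a GPO-only restore into the complete GPC, GPT and GPLink recovery the slide says is required.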

  24. demo Group Policy Backup and Recovery

  25. Useful Resources • Microsoft Active Directory Topology Diagrammer http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=13380 • Planning for Active Directory Forest Recovery http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(v=WS.10).aspx • Restore-Adtree.ps1 http://technet.microsoft.com/en-us/library/dd379504(WS.10).aspx • Ask the Directory Services Team blog http://blogs.technet.com/b/askds/

  26. Related Content Find Me Later At the “Microsoft Services Premier Support” stand - Expo area • WSV331 - Kick Starting your Migration to Windows Server 2012

  27. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
