SIA319: The Evolution of Active Directory Recovery
Ulf B. Simon-Weidner, Senior Consultant, Author, Trainer, Speaker, Computacenter, Germany

The Evolution of Windows / The Evolution of Active Directory
• Windows Server evolution
Active Directory gone bad
DC Recovery
• Recreate or restore
• Where's a backup?
• Is it the same hardware?
Domain Recovery
• Replicated error in the domain partition
• No DCs in the domain are functional / replicate
Forest Recovery
• Replicated error in the configuration partition
• Faulty schema update
• Corrupted data (malicious or accidental)
• No DCs in the forest are functional / replicate
Different Scenarios
Multi-Object Recovery
• Wrong processes
• Accidental deletion
• Bad scripts / tools
Object Recovery
• Wrong processes
• Accidental deletion
• Bad scripts / tools
Attribute Recovery
• Bad scripts
• Active Directory Users and Computers (WS2k3+): "accidental editing" of multiple selected objects at once
(Figure: My Users, My Groups and My Computers replicating between two DCs)
Authoritative Restore
Non-Authoritative Restore
• Getting a domain controller back via System State restore
Authoritative Restore
• Using a non-authoritatively restored DC (which has not replicated yet)
• Or a DC which didn't receive the deletion yet
• Mark the objects as newer, so that they win during replication
• Replicate
(Figure: the restored objects (marked *) replicate from the restored DC to the other DC)
Main Issue: Restoring Links
• Users are members of groups
• There are other links, like managers, Password Settings Objects, ...
To restore links:
• Only forward links are writeable
• Only forward links whose target exists at restore time will be restored
Solution:
• Authoritative restore at least twice, or
• Use the LDIF files that the authoritative restore generates for the backlinks (Windows Server 2003+), or
• Recycle Bin
Behind the scenes: NTDS.dit
Deletion: the object is moved into the "Deleted Objects" container and marked as deleted. Its links are removed on each DC.
Recycle Bin: Lifecycle
Without the Recycle Bin feature:
Live Object → Delete → Tombstone Object → (Tombstone Lifetime, 60/180 days) → Garbage Collection
• Authoritative restore is possible while the tombstone exists
With the Recycle Bin enabled:
Live Object → Delete → Deleted Object → (Deleted Object Lifetime, 60/180 days) → Recycled Object (shown as "Tombstone Object*" on the slide) → (Tombstone Lifetime, 60/180 days) → Garbage Collection
• Undelete is possible while the object is a Deleted Object
(Lifecycle diagram © Microsoft)
NTDS.dit: AD Recycle Bin
(Figure: Link Table and Data Table of the DIT)
• Prerequisites: schema extended, forest level raised, Recycle Bin enabled
• A deleted user remains a Deleted Object, with its link-table entries, for the Deleted Object Lifetime
Restoring multiple Objects
Deleted Objects container:
• Everything is flat
• The DN has changed, the attributes still exist; lastKnownParent is helping
Objects must be reanimated into existing containers:
• Top to bottom
• Evaluate lastKnownParent and lastKnownRDN
• RDN > 128 chars is truncated
(Figure: OU=Finance containing CN=Tom and CN=Sally, and OU=Admins containing CN=Mark. After deletion they all sit flat in CN=Deleted Objects as CN=Robert\0ADEL:…, CN=Mark\0ADEL:…, CN=Tom\0ADEL:…, CN=Sally\0ADEL:…, OU=Admins\0ADEL:…, OU=Finance\0ADEL:…; undelete puts them back into the tree. Diagram © Microsoft)
Issues and solution paths
Object(s) fully deleted → Recycle Bin (WS2k8R2 or later)
AD Recycle Bin
• Requires forest functional level Windows Server 2008 R2
• New in R2: rollback to the 2008 domain/forest level is possible as long as the Recycle Bin is not enabled
• Optional feature: the Recycle Bin must be enabled explicitly
• Once enabled it cannot be turned off
• You are then stuck with your forest level
• Make sure that you have a solid state before enabling it
• Enables full restore of objects, to the state they were in when they were deleted
• Additional scripts and data help
New in Windows Server 2012: Active Directory Administrative Center
• Supports domain- and forest-level upgrade in the GUI
• Supports enabling the Recycle Bin in the GUI
• Supports undeleting single objects in the GUI
• Undeleting multiple objects still requires a PowerShell script
WS2k8+: Active Directory Snapshots
Create a snapshot:
  ntdsutil.exe -> snapshot -> activate instance ntds -> create
Mount the snapshot in the file system:
  ntdsutil.exe -> snapshot -> list all / mount <ID> -> mount {GUID}
Expose the snapshot as a read-only directory:
  dsamain.exe -dbpath c:\$snap2007...\ntds.dit -ldapport 10000
Access the read-only directory's data:
  Active Directory Users & Computers, LDP, ADSIEdit, dsquery, ... against port 10000
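The snapshot workflow above as one script, added here as an example and not taken from the slides. It runs elevated on a WS2k8+ DC; assumptions of mine are that dsamain.exe is on the PATH, that the LDAP port (10000, as on the slide) is free, and that ntdsutil prints its usual "Snapshot set {GUID} generated successfully." and "Snapshot {GUID} mounted as <path>" lines, which the regexes parse. Queries go through System.DirectoryServices (plain LDAP), so nothing has to register the dsamain instance with ADWS.

```powershell
# Added example (not from the slides): create, mount, expose, query and unmount an AD snapshot.
# Assumptions: elevated session on a WS2k8+ DC, dsamain.exe on the PATH, port 10000 free.

function Mount-AdSnapshot {
    param([int]$LdapPort = 10000)

    # 1. Create: each argument is one ntdsutil command, exactly like the slide's one-liner.
    $out = & ntdsutil.exe 'snapshot' 'activate instance ntds' 'create' 'quit' 'quit' 2>&1
    $setGuid = [regex]::Match(($out -join "`n"), '\{[0-9A-Fa-f-]{36}\}').Value
    if (-not $setGuid) { throw "snapshot creation failed:`n$out" }

    # 2. Mount: the snapshot shows up as C:\$SNAP_<timestamp>_VOLUMEC$\ (path taken from the output).
    $out = & ntdsutil.exe 'snapshot' "mount $setGuid" 'quit' 'quit' 2>&1
    $mountPath = [regex]::Match(($out -join "`n"), '(?<=mounted as )[^\r\n]+').Value.Trim().TrimEnd('\')
    if (-not $mountPath) { throw "snapshot mount failed:`n$out" }

    # 3. The DIT sits at the same relative path inside the snapshot as the live one.
    $liveDit = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    $dit = Join-Path $mountPath ($liveDit -replace '^[A-Za-z]:\\', '')

    # 4. Expose it read-only; wait until dsamain listens, give up after a minute.
    $proc = Start-Process dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $LdapPort" -PassThru -WindowStyle Hidden
    $up = $false; $deadline = (Get-Date).AddSeconds(60)
    while (-not $up -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 2
        try { $c = New-Object Net.Sockets.TcpClient('localhost', $LdapPort); $up = $true; $c.Close() } catch { }
    }
    if (-not $up) { Stop-Process -Id $proc.Id -Force; throw "dsamain did not open port $LdapPort" }

    [pscustomobject]@{ SetGuid = $setGuid; MountPath = $mountPath; DitPath = $dit; LdapPort = $LdapPort; DsamainPid = $proc.Id }
}

function Find-InAdSnapshot {
    param([int]$LdapPort = 10000, [string]$LdapFilter = '(objectClass=user)',
          [string[]]$Attributes = @('distinguishedName', 'memberOf', 'whenChanged'))
    # System.DirectoryServices speaks LDAP directly, so the dsamain port works without the
    # ActiveDirectory module having to know about the instance.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$LdapPort/RootDSE")
    $base    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$LdapPort/$($rootDse.Properties['defaultNamingContext'][0])")
    $search  = New-Object System.DirectoryServices.DirectorySearcher($base, $LdapFilter, $Attributes)
    $search.PageSize = 1000
    foreach ($r in $search.FindAll()) {
        $row = [ordered]@{}
        foreach ($a in $Attributes) { $row[$a] = @($r.Properties[$a.ToLower()]) -join '; ' }
        [pscustomobject]$row
    }
}

function Dismount-AdSnapshot {
    param([Parameter(Mandatory)]$Snapshot)   # object returned by Mount-AdSnapshot
    Stop-Process -Id $Snapshot.DsamainPid -Force -ErrorAction SilentlyContinue
    # Unmount only; 'delete {GUID}' would drop the restore point itself.
    & ntdsutil.exe 'snapshot' "unmount $($Snapshot.SetGuid)" 'quit' 'quit' | Out-Null
}

# $snap = Mount-AdSnapshot -LdapPort 10000
# Find-InAdSnapshot -LdapPort 10000 -LdapFilter '(&(objectClass=user)(cn=Ulf*))' | Format-Table -AutoSize
# Dismount-AdSnapshot -Snapshot $snap
```

Find-InAdSnapshot reads the default naming context from the snapshot's RootDSE, so the same function works against any mounted DIT, not only the one of the DC you run it on.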
Reanimating Tombstones
• e.g. ADRestore, admod, LDP
• Manually, by script, via LDIF, ...
Virtual DCs: ready for today?
• "Most of the (forest/domain) recovery scenarios I've seen were caused by virtual environments!"
• Lingering objects or USN rollbacks are very often caused by virtual environments!
• "Don't use it? Wrong! Do it right!"
• Spread DCs across VM infrastructures
• Don't roll back snapshots
• Synchronize the right time
Virtualizing DCs: USN Rollback
(Figure: USN timeline of DC01 at 2200, 2210, … 2270 and of DC02 at 1020, 1030, … 1090)
• DC01 (USN 2220) and DC02 (USN 1040) are in sync; a snapshot of DC02 is created
• DC01 (USN 2260) is in sync with DC02 (USN 1080)
• DC02 is rolled back to the snapshot at USN 1040
• Result: DC01 thinks it already has all updates from DC02 up to USN 1080, but DC02 is at 1040 again. The changes DC02 now writes with USNs between 1040 and 1080 are never replicated to DC01.
Virtualizing DCs in Windows Server 2012
• Domain controllers recognize when they are being rolled back
• The DC then takes the same actions as after a supported System State restore and reinitializes its replication agreements
• Requirements:
  • The VM host must support the "VM Generation Identifier" (e.g. Hyper-V 3.0)
  • The VM guest (the DC) must support the feature (Windows Server 2012)
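The watermark arithmetic behind the USN-rollback slide, followed by the two things an admin can actually check on a DC, as an added example that is not from the slides. The USN values are the slide's own; the number of post-rollback writes is an assumption, as is running the check locally on the DC (msDS-GenerationId is not replicated, and the registry value and event live on that DC).

```powershell
Import-Module ActiveDirectory
# Added example (not from the slides): model of the USN-rollback bookkeeping plus a DC-side check.

function Get-UsnRollbackEffect {
    param(
        [int]$SnapshotUsn = 1040,        # DC02's USN when the VM snapshot was taken (slide value)
        [int]$PartnerWatermark = 1080,   # highest DC02 USN that DC01 has already received (slide value)
        [int]$WritesAfterRollback = 60   # writes DC02 performs after the VM was reverted (assumed)
    )
    # USNs 1041..1080 were replicated to DC01 before the revert; DC02 no longer has them.
    $lostOnDc02 = ($SnapshotUsn + 1)..$PartnerWatermark
    # DC02 restarts its counter at 1040 and re-uses 1041.. for new writes. DC01 only asks DC02 for
    # "USN > 1080", so those re-used USNs are never requested: silent divergence, no error.
    $new = ($SnapshotUsn + 1)..($SnapshotUsn + $WritesAfterRollback)
    [pscustomobject]@{
        LostOnDc02        = $lostOnDc02
        NeverReplicated   = @($new | Where-Object { $_ -le $PartnerWatermark })   # 1041..1080
        ReplicatedAsUsual = @($new | Where-Object { $_ -gt $PartnerWatermark })   # 1081..1100
    }
}

function Test-DcRollbackProtection {
    # Run on the DC itself: msDS-GenerationId is not replicated, registry and event log are local.
    $dc = $env:COMPUTERNAME
    # A WS2012 DC on a hypervisor that exposes the VM Generation ID stores that ID on its own computer
    # object and compares it at boot; a mismatch triggers the "treat it like a restore" behaviour above.
    $genId = (Get-ADComputer -Identity $dc -Server $dc -Properties 'msDS-GenerationId').'msDS-GenerationId'
    # Pre-2012 safety net: a DC that detected a USN rollback sets "DSA Not Writable" to 4, logs
    # event 2095 in the Directory Service log and stops replicating (KB875495).
    $ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC                    = $dc
        VmGenerationIdTracked = [bool]$genId
        DsaNotWritable        = $ntds.'DSA Not Writable'   # $null/0 = normal, 4 = USN rollback detected
        UsnRollbackEvents     = @($events).Count
    }
}

# (Get-UsnRollbackEffect).NeverReplicated.Count   # 40 writes DC01 will never see
# Test-DcRollbackProtection
```

A VmGenerationIdTracked of $false on a virtual WS2012 DC means the hypervisor does not supply the generation ID, and the DC is as exposed to snapshot reverts as a 2008 R2 DC.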
Best practices: prevention of errors and preparing for recovery

Preventing human errors
• DELEGATE!!!
• Wherever possible, delegate permissions
• Avoid using the built-in groups, especially Account Operators
• Delegate instead of handing out Domain Admins, if possible
• Tools help
Preventing accidental deletions
• In Windows Server 2008 (and R2): protect OUs from accidental deletion (GUI)
• Migrated? Use PowerShell:
  Get-ADOrganizationalUnit -Filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
• Can (and should) be done "manually" in W2k(3): DENY Delete & Delete Subtree for Everyone on all OUs:
  for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT
• Suggestion: change the default security descriptor of the OU class so that delegated admins and older tools "inherit" the default
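An audit for the protection above, added as an example of mine rather than from the slides. The ProtectedFromAccidentalDeletion flag the AD module reports is derived from the ACL, so the function also looks for the underlying ACE the dsacls command sets (Deny, Everyone, Delete + Delete Subtree). It compares the SID S-1-1-0 instead of the name "Everyone", which is localized on non-English DCs. The -Fix switch and -Server parameter are my additions.

```powershell
Import-Module ActiveDirectory
# Added example (not from the slides): report OUs without deletion protection; optionally protect them.

function Test-OuDeletionProtection {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Server, [switch]$Fix)

    $ad = @{}; if ($Server) { $ad.Server = $Server }
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

    foreach ($ou in Get-ADOrganizationalUnit @ad -Filter * -Properties ProtectedFromAccidentalDeletion) {
        # Get-Acl on the AD: drive returns ActiveDirectoryAccessRule entries for the object.
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        $ace = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
            (($_.ActiveDirectoryRights -band $deleteRights) -eq $deleteRights)
        }
        $protected = [bool]$ace
        if (-not $protected -and $Fix -and $PSCmdlet.ShouldProcess($ou.DistinguishedName, 'protect from accidental deletion')) {
            Set-ADOrganizationalUnit @ad -Identity $ou -ProtectedFromAccidentalDeletion $true
            $protected = $true
        }
        [pscustomobject]@{
            OU                = $ou.DistinguishedName
            FlagSaysProtected = $ou.ProtectedFromAccidentalDeletion
            DenyAcePresent    = [bool]$ace
            ProtectedNow      = $protected
        }
    }
}

# Test-OuDeletionProtection | Where-Object { -not $_.ProtectedNow }   # audit only
# Test-OuDeletionProtection -Fix -WhatIf                               # dry run of the fix
```

Run it as a scheduled report: an OU that shows up unprotected a week after the rollout is one a delegated admin created with a tool that does not set the ACE, which is exactly the case the default-security-descriptor suggestion above addresses.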
Preparation: Backup
• It is very important to back up the right data
• System State (at least)
• List of objects (distinguishedNames)
• GPOs (contents)
• GPO links
• Optionally: maintain versions of the backup
• Optionally: keep AD snapshots

Windows Backup
• System State backup: the data needed to restore the DC over an existing OS
  • WS2k8 only: a System State backup can only be created via the command line
• Critical volume backup: on "dedicated DCs" usually just 15% more
• Bare metal restore
• If incremental backups are used, don't forget to create full backups regularly as well
• Windows Server Backup needs to be installed first:
  powershell.exe -command "&{import-module ServerManager; add-windowsfeature Backup}"
Lists of objects
• All distinguished names (for authoritative restore):
  dsquery * domainroot -scope subtree -attr modifytimestamp distinguishedname -limit 0 > c:\backupdata\objlist.txt
• All GPOs (requires BackupAllGPOs.wsf and Lib_CommonGPMCFunctions.js from the GPMC scripts):
  cscript e:\scripts\BackupAllGPOs.wsf c:\BackupData
• GPO links and their options, of the domain and of the sites:
  ldifde -f c:\Backupdata\DomainGpoLinks.ldf -r "(gplink=*)" -l gplink,gpoptions
  ldifde -f c:\Backupdata\SiteGpoLinks.ldf -d cn=configuration,dc=… -r "(gplink=*)" -l gplink,gpoptions

Create Backup / Snapshots
• Create the backup in the script:
  wbadmin.exe START BACKUP -backupTarget:%TargetUNC% -allCritical -include:c:,e: -noVerify -vssFull -quiet
• Create AD snapshots:
  ntdsutil.exe snapshot "activate instance ntds" create quit quit

Maintain Versions
How many backups should be kept at the UNC?

  set Backup2Keep=10
  setlocal EnableDelayedExpansion
  set count=0
  for /f "tokens=*" %%i in ('dir /o:-d /b %TargetUNC%\WindowsImageBackup\%computername%\backup*.') do (
    set /a count=!count! + 1
    if !count! GTR %Backup2Keep% (
      echo DELETE !count!: %%i
      rd /s /q "%TargetUNC%\WindowsImageBackup\%computername%\%%i"
    ) else (
      echo MAINTAIN !count!: %%i
    )
  )

Works against local or remote (UNC) repositories, even SMB filers ;)
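The preparation steps of this section as one PowerShell routine, added as an example of mine and not the speaker's deployment script: DN list, GPO contents, gPLink/gPOptions of domain and sites, critical-volume backup with wbadmin, an AD snapshot, and rotation of the oldest wbadmin folders in the way the batch script above does it. The target share, the retention count and the BackupData folder layout are assumptions; the GroupPolicy module's Backup-GPO stands in for BackupAllGPOs.wsf.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy
# Added example (not from the slides): the backup preparation as one routine. Run elevated on a DC.

function Invoke-AdRecoveryBackup {
    param(
        [Parameter(Mandatory)][string]$TargetUnc,   # e.g. \\filer\adbackup (assumed layout below)
        [int]$BackupsToKeep = 10
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $data  = Join-Path $TargetUnc "BackupData\$env:COMPUTERNAME\$stamp"
    New-Item -ItemType Directory -Path $data -Force | Out-Null

    # 1. Every DN with its modify timestamp: the list you pick from for an authoritative restore.
    Get-ADObject -Filter * -Properties modifyTimeStamp |
        Select-Object DistinguishedName, ObjectClass, modifyTimeStamp |
        Export-Csv -Path (Join-Path $data 'objlist.csv') -NoTypeInformation -Encoding UTF8

    # 2. GPO contents (Backup-GPO replaces BackupAllGPOs.wsf).
    $gpoDir = Join-Path $data 'GPO'
    New-Item -ItemType Directory -Path $gpoDir -Force | Out-Null
    Backup-GPO -All -Path $gpoDir | Out-Null

    # 3. Links are not part of a GPO backup: dump gPLink/gPOptions of domain objects and of sites.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $links = @(Get-ADObject -LDAPFilter '(gPLink=*)' -Properties gPLink, gPOptions) +
             @(Get-ADObject -LDAPFilter '(gPLink=*)' -SearchBase $cfg -Properties gPLink, gPOptions)
    $links | Select-Object DistinguishedName, gPLink, gPOptions |
        Export-Csv -Path (Join-Path $data 'gpolinks.csv') -NoTypeInformation -Encoding UTF8

    # 4. Critical volumes (System State included), full VSS backup as on the slide.
    & wbadmin.exe START BACKUP "-backupTarget:$TargetUnc" -allCritical -vssFull -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

    # 5. An AD snapshot on top, for dsamain-based comparisons later.
    & ntdsutil.exe 'snapshot' 'activate instance ntds' 'create' 'quit' 'quit' | Out-Null

    # 6. Keep only the newest $BackupsToKeep "Backup <date>" folders wbadmin created for this DC.
    $repo = Join-Path $TargetUnc "WindowsImageBackup\$env:COMPUTERNAME"
    Get-ChildItem -Path $repo -Filter 'Backup*' | Where-Object { $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $BackupsToKeep |
        ForEach-Object { Write-Host "DELETE $($_.Name)"; Remove-Item -LiteralPath $_.FullName -Recurse -Force }
}

# Invoke-AdRecoveryBackup -TargetUnc '\\filer\adbackup' -BackupsToKeep 10
```

Step 3 is the one people forget: Backup-GPO and BackupAllGPOs.wsf save the policy, not where it is linked, and a restored GPO without its gPLink entries is not applied anywhere.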
Consider additional technologies

Snapshots as additions
• Enable "versions"; they can be used in Quest's AD Recovery Manager
• Should be "managed":
  • VSS only guarantees that the most recent snapshots are kept within the configured storage size
  • They grow over time
  • The DIT itself might be small
• What we do:
  • Configure how many snapshots are kept fully
  • Copy the DIT out of the snapshot to a repository
  • Configure how many DITs are kept
  • Delete old snapshots / DITs
Issues and solution paths
Object(s) fully deleted → Recycle Bin (WS2k8R2 or later)
Recycle Bin
• Enable the Recycle Bin:
  Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
• Find deleted objects:
  Get-ADObject -LDAPFilter '(&(name=Ulf*)(isDeleted=*))' -IncludeDeletedObjects
• Restore deleted objects (and their links):
  … | Restore-ADObject
• Restore a tree: leverage the script from http://blogs.msdn.com/adpowershell/archive/2009/06/01/inspecting-deleted-objects-before-restore.aspx
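A tree restore from the Recycle Bin, written here as an added example (it is neither the slides' code nor the MSDN script linked above). It applies the rules from the "Restoring multiple Objects" slide: walk the deleted objects top to bottom via lastKnownParent, restore each with its lastKnownRDN into the already restored parent, and skip objects that have become recycled, because those can no longer be undeleted. The container DN and the name in the usage line are placeholders of mine.

```powershell
Import-Module ActiveDirectory
# Added example (not from the slides): undelete a subtree, parents before children.

function Restore-AdDeletedTree {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LiveParent,   # live container the tree hung under, e.g. 'DC=xyz,DC=com'
        [Parameter(Mandatory)][string]$Name,         # lastKnownRDN of the deleted top object, e.g. 'Finance'
        [string]$Server
    )
    $ad = @{ IncludeDeletedObjects = $true }; if ($Server) { $ad.Server = $Server }

    # Only deleted objects can be undeleted. After the Deleted Object Lifetime they become recycled
    # (isRecycled=TRUE): still listed with -IncludeDeletedObjects, but Restore-ADObject fails on them.
    $all = Get-ADObject @ad -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE)))' `
                       -Properties lastKnownParent, lastKnownRDN, objectClass

    # A child's lastKnownParent is the deleted-form DN of its parent (CN=...\0ADEL:<guid>,CN=Deleted
    # Objects,...), i.e. the parent's current DistinguishedName. Breadth-first walk from the top object.
    $top = @($all | Where-Object { $_.lastKnownParent -eq $LiveParent -and $_.lastKnownRDN -eq $Name })
    if ($top.Count -ne 1) { throw "expected exactly one deleted '$Name' under $LiveParent, found $($top.Count)" }
    $order = @($top[0]); $i = 0
    while ($i -lt $order.Count) {
        $cur = $order[$i]; $i++
        $order += @($all | Where-Object { $_.lastKnownParent -eq $cur.DistinguishedName })
    }

    # Restore in that order. A restored parent's live DN is read back by GUID, because the deleted-form
    # DN the children still point to no longer exists once the parent is undeleted.
    $liveDn = @{}
    foreach ($obj in $order) {
        $target  = if ($liveDn.ContainsKey($obj.lastKnownParent)) { $liveDn[$obj.lastKnownParent] } else { $obj.lastKnownParent }
        $newName = $obj.lastKnownRDN -replace '^[A-Za-z]+=', ''   # tolerate "CN=Tom" as well as "Tom"
        if ($PSCmdlet.ShouldProcess("$newName -> $target", 'Restore-ADObject')) {
            $restore = @{ Identity = $obj.ObjectGUID; NewName = $newName; TargetPath = $target }
            if ($Server) { $restore.Server = $Server }
            Restore-ADObject @restore
            $get = @{ Identity = $obj.ObjectGUID }; if ($Server) { $get.Server = $Server }
            $liveDn[$obj.DistinguishedName] = (Get-ADObject @get).DistinguishedName
        } else {
            # -WhatIf: predict the DN so the dry run still shows the whole tree in order
            $liveDn[$obj.DistinguishedName] = "<$newName>,$target"
        }
        [pscustomobject]@{ Restored = $newName; Class = $obj.ObjectClass; Into = $target }
    }
}

# Restore-AdDeletedTree -LiveParent 'DC=xyz,DC=com' -Name 'Finance' -WhatIf
```

Because the walk keys on the deleted-form DN rather than on name matching, two deleted OUs that were both called "Admins" under different parents are kept apart, which is the case the flat Deleted Objects container makes hard to handle by hand.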
Restoring Object Data
• Export from the snapshot (the port is given with -t; -p is ldifde's search scope):
  ldifde -r "(name=)" -m -f filename.ldf -s localhost -t port
• Import:
  ldifde -i -z -f input.ldf
• Example input.ldf: one add record, followed by modify records that replace single attributes

  dn: CN=User,OU=Demo,DC=xyz,DC=com
  changetype: add
  # objectClass is required for an add record
  objectClass: user
  cn: User_Marketing
  sn: Marketing
  c: DE
  l: Hometown
  title: Worker-Bee

  dn: CN=User,OU=Demo,DC=xyz,DC=com
  changetype: modify
  replace: cn
  cn: User_Marketing
  -

  dn: CN=User,OU=Demo,DC=xyz,DC=com
  changetype: modify
  replace: sn
  sn: Marketing
  -

  dn: CN=User,OU=Demo,DC=xyz,DC=com
  changetype: modify
  replace: c
  c: DE
  -

Different Scenarios
• Objects underneath a specific OU:
  ldifde -d "ou=Demo,dc=…" -m -f filename.ldf -s localhost -t port
• Specific objects:
  ldifde -d "ou=Demo,dc=…" -r "(objectClass=user)" -f filename.ldf -s localhost -t port
• Specific attributes:
  ldifde -d "ou=Demo,dc=…" -l "physicalDeliveryOfficeName,telephoneNumber" -f filename.ldf -s localhost -t port
Restoring Links
• Forward link in the restored object: recovered if the target exists; otherwise read it from the snapshot and update the object
• Backlink in the restored object: update the object that holds the forward link, e.g. add the recovered user to each group listed in its memberOf in the snapshot:
  dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof | dsmod group -addmbr cn=Ulf,ou=Demo,dc=xyz,dc=com
• Multi-domain: run this procedure against a GC (recovered or snapshot) in every domain
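The dsget | dsmod pipeline above in PowerShell, added as an example of mine and not from the slides: it reads the user's memberOf from a snapshot exposed by dsamain and re-adds the user to each of those groups in the live directory, skipping groups that already contain it. This also covers the "Main Issue: Restoring Links" point earlier in the deck, since memberOf is a backlink that no restore of the user alone brings back. The host:port default follows the slide; the user DN is a placeholder.

```powershell
Import-Module ActiveDirectory
# Added example (not from the slides): rebuild group memberships (backlinks) from a snapshot.

function Restore-GroupMembershipFromSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [string]$SnapshotServer = 'localhost:10002',   # dsamain -ldapport (or -gcport for a GC view)
        [string]$LiveServer
    )
    # memberOf is not stored on the user; it is computed from every group's 'member' forward link.
    # Read it from the snapshot over plain LDAP (System.DirectoryServices needs no ADWS for this port).
    $entry  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SnapshotServer/$UserDn")
    $wanted = @($entry.Properties['memberOf'] | ForEach-Object { [string]$_ })
    if (-not $wanted) {
        Write-Warning "no memberOf for $UserDn in the snapshot (wrong port, or groups of other domains need a GC view)"
        return
    }

    $ad = @{}; if ($LiveServer) { $ad.Server = $LiveServer }
    foreach ($groupDn in $wanted) {
        # Groups of other domains can only be changed on a DC of their own domain; as the slide says,
        # repeat the procedure per domain against a GC.
        $group = Get-ADGroup @ad -Identity $groupDn -Properties member -ErrorAction SilentlyContinue
        if (-not $group) { Write-Warning "group not found in the live directory: $groupDn"; continue }
        if ($group.member -contains $UserDn) {
            [pscustomobject]@{ Group = $groupDn; Action = 'already a member' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($groupDn, "add member $UserDn")) {
            Add-ADGroupMember @ad -Identity $group -Members $UserDn
        }
        [pscustomobject]@{ Group = $groupDn; Action = 'added' }
    }
}

# Restore-GroupMembershipFromSnapshot -UserDn 'CN=Ulf,OU=Demo,DC=xyz,DC=com' -WhatIf
```

The primary group is not part of memberOf (it lives in primaryGroupID on the user), so it is restored with the user's attributes, not by this function.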
Ways to get data
• Recycle Bin: available if all DCs are WS2k8R2 or higher
• Snapshots: available if one DC (per domain) is WS2k8+
• W2k(3): backups also create a consistent state of the DIT
• WS2k3 DITs and higher can be mounted with dsamain (-allowUpgrade)
• A WS2k8 machine without the DC role (member or stand-alone) can mount DITs: AD binaries or AD LDS
• Windows 7/8: AD LDS for Win7 brings dsamain

Deploy your backup strategy
Group Policy Preferences in WS2k8R2:
• Create a policy which creates the folders, copies the files needed and creates the scheduled task
• One policy each for:
  • DCs_which_are_backed_up
  • DCs_which_maintain_snapshots (create and manage)
  • All_DCs, to synchronize the DSRM (NTDS) password
Additional
• Prepare RDP for Directory Services Restore Mode: RDP into the machine, change the default boot option, reboot, RDP into DSRM
  bcdedit /copy {current} /d "Directory Services Restore Mode"    (prints the {GUID} of the new entry)
  bcdedit /set {GUID} safeboot dsrepair
  bcdedit /default {GUID}
• Sync the DSRM password:
  • Deactivated domain account
  • Regularly set its password
  • Schedule the following command line on all DCs (via GPO):
    ntdsutil "set dsrm password" "sync from domain account xyz" q q
Get your data up-to-date after the restore
• Documented changes help
• Windows Server 2008+: auditing of object changes
  auditpol /get /category:"DS Access"
  auditpol /set /subcategory:"Directory Service Changes" /success:enable
• Maybe an ntds.dit of the faulty state: use the AD Snapshot Browser
• Link-value replication also helps (if the domain is at Windows Server 2003 level and the group was edited afterwards)

Extending the Management Interfaces
• Active Directory Administrative Center: registering legacy tabs for objects is possible; extending the context menu is not
• Active Directory Users and Computers: both options are still possible
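What the auditing above gives you after a restore, as an added example that is not from the slides: once the "Directory Service Changes" subcategory is enabled (and the objects carry a SACL), the Security log records each change as event 5136 (modified), 5137 (created), 5138 (undeleted), 5139 (moved) or 5141 (deleted). The function lists those events since the time of the backup you restored from, so the changes to re-apply by hand are known. The backup time and DC name are parameters you supply.

```powershell
# Added example (not from the slides): list directory changes recorded since a given backup time.

function Get-AdChangesSince {
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $kinds = @{ 5136 = 'Modified'; 5137 = 'Created'; 5138 = 'Undeleted'; 5139 = 'Moved'; 5141 = 'Deleted' }
    $ops   = @{ '%%14674' = 'ValueAdded'; '%%14675' = 'ValueDeleted' }   # OperationType codes of event 5136

    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$kinds.Keys; StartTime = $Since } |
    ForEach-Object {
        # Field names are stable across these events; parse the XML instead of relying on positions.
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Action    = $kinds[$_.Id]
            ObjectDN  = $d['ObjectDN']
            Class     = $d['ObjectClass']
            Attribute = $d['AttributeLDAPDisplayName']
            Operation = if ($d['OperationType']) { $ops[$d['OperationType']] } else { $null }
            Value     = $d['AttributeValue']
            By        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    } | Sort-Object Time
}

# Get-AdChangesSince -Since (Get-Date '2012-06-10 02:00') | Format-Table -AutoSize
```

Run it against every DC, not just one: the events are written on the DC that took the write, and a change made through a different DC never shows up in the local Security log.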
Consider DC cloning for recovery in Windows Server 2012
• First DC (DC01) recovered from backup
• Additional DCs deployed using cloning

Customer: store infrastructure as a managed service

Think beyond
• One company manages 5000 separate, single-domain forests via slow lines
• Data needs to stay on the decentralized premises
• Minimum infrastructure / storage; a regular backup would be too large
• 1 DC + clients, at considerable physical risk of being stolen
Single-DC Restore
Task: how to restore an AD without using large backups?
• Known AD and OU structure, which is installed automatically
• Create a dump of all users and groups with minimum information (the import would create them)
• Create a dump of all users and groups with all information (the import would modify the attributes)
• Create a list of all computers
• Create a list of all users/groups and their SIDs

Single-DC Restore
To restore:
• During installation of AD, the server recognizes that it is being rebuilt
• Creates the minimum users and groups from the script
• Modifies all writeable attributes of users and groups (incl. links)
• Adds the new SIDs to the list of users/groups next to the old SIDs
• Re-ACL: changes all permissions from the old SID to the new SID
• Rejoins the computers to the domain (netdom + re-ACL)
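The SID part of that procedure, added as an example of mine (the speaker's scripts are not on the slides): before the loss, dump every user's and group's SID; after the rebuilt DC has re-created the accounts, map old SID to new SID by sAMAccountName and rewrite the file-system DACLs. Re-ACLing works on the SDDL of the DACL section only, so generic rights stay intact and the owner is not touched. File paths are placeholders of mine.

```powershell
Import-Module ActiveDirectory
# Added example (not from the slides): SID dump, old-to-new SID map, and file-system re-ACL.

function Export-AdSidList {
    param([Parameter(Mandatory)][string]$Path)
    Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=group))' -Properties sAMAccountName, objectSid |
        Where-Object { $_.sAMAccountName } |
        Select-Object sAMAccountName, @{ n = 'SID'; e = { $_.objectSid.Value } } |
        Export-Csv -Path $Path -NoTypeInformation
}

function Get-SidTranslationMap {
    param([Parameter(Mandatory)][string]$OldSidList)   # CSV written by Export-AdSidList before the rebuild
    $map = @{}
    foreach ($row in Import-Csv $OldSidList) {
        $now = Get-ADObject -LDAPFilter "(sAMAccountName=$($row.sAMAccountName))" -Properties objectSid
        # Accounts that kept their SID (e.g. BUILTIN groups) need no entry; missing accounts are reported.
        if (-not $now) { Write-Warning "not re-created: $($row.sAMAccountName)"; continue }
        if ($now.objectSid.Value -ne $row.SID) { $map[$row.SID] = $now.objectSid.Value }
    }
    $map
}

function Update-FileAclSids {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][hashtable]$SidMap)
    # Root first: Windows rebuilds the inherited entries of children from the parent, so rewriting
    # top-down is enough. The old SIDs no longer resolve, which is why they are matched as raw SIDs.
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl  = Get-Acl -LiteralPath $item.FullName
        $dacl = $acl.GetSecurityDescriptorSddlForm('Access')
        $new  = $dacl
        foreach ($old in $SidMap.Keys) {
            # (?![\d-]) keeps S-...-1105 from also matching S-...-11050
            $new = $new -replace ([regex]::Escape($old) + '(?![\d-])'), $SidMap[$old]
        }
        if ($new -eq $dacl) { continue }
        if ($PSCmdlet.ShouldProcess($item.FullName, 'replace old SIDs in DACL')) {
            $acl.SetSecurityDescriptorSddlForm($new, 'Access')
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
        $item.FullName
    }
}

# Export-AdSidList -Path 'C:\BackupData\sids.csv'                       # before, scheduled with the backup
# $map = Get-SidTranslationMap -OldSidList 'C:\BackupData\sids.csv'    # after the rebuild
# Update-FileAclSids -Root 'E:\Data' -SidMap $map -WhatIf
```

Keep the sids.csv with the backup data and not only on the DC, as the slide's point is that the DC itself is the thing that gets stolen.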
Related Content
• Breakout session: SIA313
• Hands-on labs: SIA11-HOL, SIA21-HOL, WSV44-HOL
• Related certification exams: (70-410 + 70-411 + 70-412) or 70-416
• Find me later: Q&A after the session, www.msmvps.com/UlfBSimonWeidner