The Evolution of Active Directory Recovery

SIA319 The Evolution of Active Directory Recovery Ulf B. Simon-Weidner Senior Consultant, Author, Trainer, Speaker Computacenter, Germany

The Evolution of Windows – – The Evolution Active Directory • Windows Server Evolution

Active Directory gone bad DC Recovery • Recreate or Restore • Where's a backup? • Is it the same Hardware? Domain Recovery • Replicated Error in the domain partition • No DCs in the Domain are functional / replicate Forest Recovery • Replicated Error in the configuration partition • Faulty Schema-Update • Corrupted Data (malicious or accidental) • No DCs in the Forest are functional / replicate

Different Scenarios Multi-Object Recovery • Wrong Processes • Accidential Deletion • Bad Scripts / Tools Object Recovery • Wrong Processes • Accidential Deletion • Bad Scripts / Tools Attribute Recovery • Bad Scripts • Active Directory-Users and –Computers (WS2k3+): "Accidential editing" multiple Objects Replication My Users My Users My Groups My Groups My Computers My Computers

AuthoritativeRestore Non-AuthoritativeRestore • Getting a Domain Controller back via System State Restore AuthoritativeRestore • Using a Non-AuthoritativeRestored DC(whichhas not beereplicated) • Or DC whichdidn‘treceivethedeletionyet • Mark Objects asnewer • Replicate * Replication * My Users My Users * * My Groups My Groups My Computers My Computers

Main Issue: Restoring Links • Users are members of Groups • There are other links, like Managers, Password Settings Objects, ... To restore links: • Only Forward-Links are writeable • Only FW-Links will be restored where the Target is available Solution: • AuthoritativeRestoreat least twiceor • Use LDIFs (Windows Server 2003+) • Recycle Bin

Behind thescenes: NTDS.dit

Behind thescenes: NTDS.dit Deletion: Object is moved into „Deleted Objects“-Container and marked as deleted.Links are removed on each DC.

Recycle Bin: Lifecycle No Recycle bin feature Delete Live Object TombstoneObject GarbageCollection Tombstone Lifetime 60/180 Days Auth Restore • with Recycle Bin enabled Delete Live Object Deleted Object TombstoneObject* GarbageCollection Deleted Object Lifetime 60/180 Days TombstoneLifetime 60/180 Days Undelete © Microsoft

NTDS.dit: AD Recyclebin Link-Table Data-Table * * Schema extended Forest-Level  Enable Recycle-Bin

NTDS.dit: AD Recyclebin Link-Table Data-Table User Deleted Object (Duration: Deleted Objects-Lifetime)

OU=Finance CN=Tom CN=Sally OU=Admins Restoring multiple Objects Deleted Objects-Container • Everything flat • DN changed, Attributes still exist, lastKnownParent is helping Objects must be reanimated into existing containers • Top-Bottom • Evaluate lastKnownParent and lastKnownRDN • RDN > 128 chars truncated OU=Finance CN=Tom CN=Sally OU=Admins CN=Mark CN=Mark • Undelete Delete CN=Deleted Objects CN=Robert\0ADEL:… CN=Mark\0ADEL:… CN=Tom\0ADEL:… CN=Sally\0ADEL:… OU=Admins\0ADEL:… OU=Finance\0ADEL:... © Microsoft

Issuesandsolutionpaths Object(s) fully deleted Recycle Bin >=WS2k8R2

AD Recycle bin • Requires ForestlevelWindows Server 2008 R2 • New in R2: Rollback to 2008 DL/FL when Recycle bin is not enabled • Optional Feature Recycle bin must be enabled • once on cannot be turned off • Now you are stuck with your forest level • Make sure that you have a solid state before • Enables to fully restore objects • To the state when they were deleted Additional Scripts and Data helps

New in Windows Server 2012 Active Directory Administrative Center • Supports Domain- and Forest level upgrade in the GUI • Supports enabling the Recycle bin in the GUI • Supports undeleting of single objects in the GUI Undeleting multiple objects still requires PowerShell-Script

WS2k8+: Active Directory Snapshots Create Snapshot Ntdsutil.exe -> Snapshot -> Activate Instance NTDS -> Create Mount Snapshot in File system -> List All / Mount ID -> Mount {GUID} Ntdsutil.exe -> Snapshot Snapshot as Read-Only Directory Dsamain.exe –dbpath c:\$snap2007...\ntds.dit –ldapport 10000 Accessing the R/O Directory‘s Data Active Directory-Users & - Computers, LDP, ADSIEdit, dsquery, ... against Port 10000

Reanimating Tombstones e.g. ADRestore, admod, LDP Manually, Script, LDIF,..

Virtual DCs, ready for today? • “The most (forest/domain) recovery scenarios I’ve seen are caused by virtual environments!” • Lingering Objects or USN-Rollbacks are caused many times from virtual environments! • “Don’t use it? Wrong! Do it right!” Spread DCs across VM-Infrastructures Don’t roll back Snapshots Synchronize the right time

Virtualizing DCs: USN-Rollback USN 2200 2210 2220 2230 2240 2250 2260 2270 ? DC01 USN 1020 1030 1040 1050 1060 1070 1080 1090 DC02 • DC01 (USN 2220) and DC02 (USN 1040) in sync – DC02 Snapshot created • DC01 (USN 2260) in sync with DC02 (USN 1080) • DC02 rolled back to Snapshot at USN 1040 • Result: • DC01 thinks he has all updates from DC02 since 1080, however DC02 is at 1040: changes between 1040 and 1080 not replicated to DC01

Virtualizing DCs in Windows Server 2012 • Domain controllers recognize when being rolled back • DCs take same action when supported System State Restore is done and reinitializes replication agreements • Requirements: • VM Host must support „VM Generation Identifyer“ (e.g. Hyper-V 3.0) • VM Guest (=DC) must support feature(Windows Server 2012)

best practices Prevention of errors andPreparing for recovery

Preventing human errors • DELEGATE!!! • If somehow possible delegate permissions • Avoid using Built-in Groups, especially Account Operators • Delegate Domain Admins if possible • Tools are helping

Preventing accidental deletions • In Windows Server 2008 (and R2): • Protect OUs from accidental deletion (GUI) • Migrated? Use PowerShell: get-ADOrganizationalUnit –filter * | set-ADOrganizationalUnit –protectedFromAccidentalDeletion $true • Can (and should) be done in W2k(3) „manually“: • DENY Delete & Delete Subtree for Everyone on all Ous for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT • Suggestion: • Change default security descriptor of OUs to ensure that delegated admins and older tools “inherit” the default

Preperation: Backup • It is very important to backup the right data • Systemstate (at least) • List of objects (distinguishedNames) • GPOs (contents) • GPO-Links • Optionally: maintain Versions of Backup • Optionally: keep AD-Snapshots

Windows Backup • System State Backup • Data which is needed to restore the DC over existing OS • WS2k8 only: System State needs to be done via commandline powershell.exe -command "&{import-module ServerManager; add-windowsfeature Backup}" • Critical Volume Backup • On „Dedicated DCs“ usually just 15% more • Bare Metal Restore • If incremental backups are used, don’t forget to create full backups also regulary • Needs to be installed:

Lists of objects • All distinguished names (for authoritative restore): ldifde -f c:\Backupdata\DomainGpoLinks.ldf -r "(gplink=*)" -l gplink,gpoptions ldifde -f c:\Backupdata\SiteGpoLinks.ldf -d cn=configuration,dc=… -r "(gplink=*)" -l gplink,gpoptions dsquery * domainroot -scope subtree -attr modifytimestamp distinguishedname -limit 0 > c:\backupdata\objlist.txt • All GPOs (requires BackupAllGPOs.wsf and Lib_CommonGPMCFunctions.js from the GPMC-Scripts): cscript e:\scripts\BackupAllGPOs.wsf c:\BackupData • GPO-Links and their options, of the domain and sites

Create Backup / Snapshots • Create the Backup in the script: wbadmin.exe START BACKUP -backupTarget:%TargetUNC% -allCritical -include:c:,e: -noVerify -vssFull -quiet • Create AD-Snapshots: Ntdsutil.exe snapshot “Activate Instance NTDS” create quit quit

Maintain Versions How many backups should be kept at the UNC? Set Backup2Keep=10 SETLOCAL ENABLEDELAYEDEXPANSION set count=0 for /f "tokens=*" %%i in ('dir /o:-d /b %TargetUNC%\WindowsImageBackup\%computername%\backup*.') do ( set /a count=!count! + 1 if !count! GTR %Backup2Keep% ( echo DELETE !Count!: %%i rd/s /q "%TargetUNC%\WindowsImageBackup\%computername%\%%i" ) else ( echo MAINTAIN !Count!: %%i ) ) works against local or remote (UNC) repositories, even SMB-Filer ;)

consider Additional Technologies

Snapshots as additions • Enable „Versions“ Can be used in Quests AD Recovery Manager • Should be „managed“: • VSS only assures the „Volume“ of recent Snapshots to be kept • They grow over time • The dit might be small • What we do: • Configure how many snapshots are kept fully • Copy the DIT out of the snapshot to a repository • Configure how many DITs are kept • Delete old snapshots / DITs

Issues and solution paths Object(s) fully deleted Recycle Bin >=WS2k8R2

Recyclebin • Enable Recyclebin • Enable-ADOptionalFeature ‘Recylce Bin Feature’ –Scope • ForestOrConfigurationSet –target (Get-ADForest).Name • Find Deleted Objects Get-ADObject –LDAPFilter ‘(&(name=Ulf*)(isDeleted=*))’ -IncludeDeletedObjects • Restore Deleted Objects (and their Links) • … | Restore-ADObject • Restore Tree:Leverage script from http://blogs.msdn.com/adpowershell/archive/2009/06/01/inspecting-deleted-objects-before-restore.aspx

Restoring Object Data • LDIFDE –r "(name=)" –m • –f filename.ldf –p port • LDIFDE –i –z –f input.ldf dn: CN=User,OU=Demo,DC=xyz,DC=com changetype: add cn: User_Marketing sn: Marketing c: DE l: Hometown title: Worker-Bee - dn: CN=User,OU=Demo,DC=xyz,DC=com changetype: modify replace: cn cn: User_Marketing - dn: CN=User,OU=Demo,DC=xyz,DC=com changetype: modify replace: sn sn: Marketing - dn: CN=User,OU=Demo,DC=xyz,DC=com changetype: modify replace: c c: DE -

Different Scenarios • Objects underneath an specific OU ldifde–d “ou=Demo,dc=…” –m –f filename.ldf –p port • Specific Objects ldifde –d “ou=Demo,dc=…” –r “(objectClass=User)” –f filename.ldf –p port • Specific attributes ldifde –d “ou=demo,dc=…” –l “physicalDeliveryOfficeName, telephoneNumber”filename.ldf–p port

Restoring Links Forward-Link in the Restored Object Will be recovered if target is there Read from Snapshot and update Backlink in the Restored Object: Update the object in the Backlink, e.g. update the group in memberOf with the object recovered dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof | dsmod group -addmbrcn=Ulf,ou=Demo,dc=xyz,dc=com Multi-Domain Run this procedure against a GC (recovered or snapshot) in every domain

Waystogetdata • Recycle Bin:Availableif all DCs are WS2k8R2 orhigher • Snapshots:Availableifone DC (per Domain) is WS2k8+ • W2k(3): Backups also create a consistentstateofthe DIT • WS2k3-DITS andhighercanbemountedwithdsamain (-allowUpgrade) • WS2k8 w/o DC (member or stand alone) can mount DITs: AD binaries or AD-LDS • Windows 7/8: AD-LDS for Win7 bringsdsamain

StrategyforVersioning / Online Recovery

Deployyour Backup-Strategy Group Policy Preferences in WS2k8R2: • Create Policy which • Create Folders • Copies Files needed • Creates Scheduled Task • One Policy for • DCs_which_are_backed_up • DCs_which_maintain_snapshots (create and manage) • All_DCs to synchronize NTDS-Password

Additional • Prepare RDP for Directory Services Restore Mode • RDP into Machine  Change default boot option Boot RDP into DSRM • bcdedit /copy {current} /d • bcdedit /set {%i} safebootdsrepair • Sync DSRM Password: • Deactivated Domain Account • Regulary set Password • Schedule the following Commandline on all DCs (via GPO) • ntdsutil "set dsrm password“ "sync from domain account xyz“ q q

Get your data up-to-date after the restore • Documented Changes are helping • Windows Server 2008+: Auditing of object changes • Windows Server 2008+: Auditing of object changes • auditpol /get /category:“DS Access“ • auditpol /set /subcategory:“Directory Service Changes“ • auditpol /get /category:“DS Access“ • auditpol /set /subcategory:“Directory Service Changes“ • Maybe a ntds.dit of the faulty state, use the AD Snapshot Browser • Link-Value Replication also helps (if the Domain is at Windows Server 2003 and the group was editied afterwards)

Extendingthe Management Interfaces • Active Directory Administrative Center • Registering legacy-tabs for objects is possible • Extending the Context-Menu is not possible • Active Directory Users and Computers • Both options are still possible

Consider DC-CloningforRecoveryin Windows Server 2012 First DC recoveredfrom Backup Additional DCs deployedusingCloning DC01 First DC recoveredfrom Backup Additional DCs deployedusingCloning DC01

customer Store-Infrastructure as a Managed Service

Think beyond One company manages 5000 separate, single domain forests via slow lines Data needs to stay on decentral premises Minimum Infrastructure / Storage, regular backup to large 1 DC + Clients, quite at physical risk to be stolen

Single-DC-Restore Task: How to restore an AD without using large Backups? • Known AD- and OU-Structure which is installed automatically • Create a dump of all Users and Groups with min. Information (import would create them) • Create a dump of all Users and Groups with all Information (import will modify attributes) • Create a list of all computers • Create a list of all Users/Groups and their SIDs

Single-DC-Restore To restore: • During installation of AD, Server recognizes he's being rebuild • Creates minimum Users and Groups from script • Modifies all writeable attributes from Users and Groups (incl. Links) • Add new SIDs to list of Users/Groups + Old  SID • Reacl: change all Permissions Old-SID  New  SID • Rejoin Computers to domain (netdom + reacl)

The Evolution of Active Directory Recovery

Related Content Note to Track-Owner / „PowerpointScrubbers“: I haveoneofthe last sessions. Product Demo Stationsareclosed after I‘mfinished, so I cannotbethereforattendees after mysession (and IMHO does not make sense mentioningtheProduct Demo Station on thisslide. I‘llbeavailable after thesessionfor Q&A, maybetakingit outside in the hall, or via contact on myblog • Breakout Sessions: SIA313 (2:45 S220A), Review Sessions you missed online Hands-on Labs: SIA11-HOL, SIA21-HOL, WSV44-HOL Related Certification Exam: (70-410 + 70-411 + 70-412) or 70-416 (available later this year) Find Me Later: Q&A after the session, www.msmvps.com/UlfBSimonWeidner

SIA, WSV, and VIR Track Resources #TESIA319 Talk to our Experts at the TLC Hands-On Labs DOWNLOAD Windows Server 2012 Release Candidate microsoft.com/windowsserver DOWNLOAD Windows Azure Windowsazure.com/ teched

Resources Learning TechNet • Connect. Share. Discuss. • Microsoft Certification & Training Resources http://europe.msteched.com www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet http://microsoft.com/msdn

The Evolution of Active Directory Recovery

The Evolution of Active Directory Recovery

Presentation Transcript

Active Directory Disaster Recovery

Active Directory

Active Directory Maintenance And Data Recovery

ACTIVE DIRECTORY MAINTENANCE, TROUBLESHOOTING, AND DISASTER RECOVERY

Active Directory

Active Directory

Active Directory

Active Directory

Active Directory

Active Directory

Active Directory

Active Directory

Active Directory Disaster Recovery

Active directory

Active Directory

Active Directory Maintenance, Troubleshooting, and Disaster Recovery

ACTIVE DIRECTORY

Active Directory