Active Directory Recovery: What It Is, and What It Isn t



Similar documents
Active Directory Auditing: What It Is, and What It Isn t

How To Protect Your Active Directory (Ad) From A Security Breach

Dell Spotlight on Active Directory Server Health Wizard Configuration Guide

Dell Statistica. Statistica Document Management System (SDMS) Requirements

Organized, Hybridized Network Monitoring

Dell InTrust Preparing for Auditing Cisco PIX Firewall

Spotlight Management Pack for SCOM

Best Practices for an Active Directory Migration

formerly Help Desk Authority Quest Free Network Tools User Manual

Simplify Your Migrations and Upgrades. Part 1: Avoiding risk, downtime and long hours

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide

About Recovery Manager for Active

Go beyond basic up/down monitoring

Top 10 Most Popular Reports in Enterprise Reporter

Introduction to Version Control in

Dell One Identity Cloud Access Manager How to Configure vworkspace Integration

Dell Statistica Statistica Enterprise Installation Instructions

Dell InTrust Preparing for Auditing CheckPoint Firewall

Object Level Authentication

ChangeAuditor 6.0 For Windows File Servers. Event Reference Guide

ChangeAuditor 5.6. For Windows File Servers Event Reference Guide

Data center and cloud management. Enabling data center modernization and IT transformation while simplifying IT management

Dell InTrust Preparing for Auditing Microsoft SQL Server

Dell NetVault Backup Plug-in for Advanced Encryption 2.2. User s Guide

Dell InTrust Preparing for Auditing and Monitoring Microsoft IIS

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide

Security Analytics Engine 1.0. Help Desk User Guide

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

Spotlight Management Pack for SCOM

Quickly Recovering Deleted Active Directory Objects

New Features and Enhancements

Dell One Identity Quick Connect for Cloud Services 3.6.1

Dell One Identity Manager 7.0. Help Desk Module Administration Guide

14 Ways to More Secure and Efficient Active Directory Administration

Dell One Identity Quick Connect for Cloud Services 3.6.0

Dell Migration Manager for Enterprise Social What Can and Cannot Be Migrated

Dell InTrust 11.0 Best Practices Report Pack

Desktop Authority vs. Group Policy Preferences

Dell One Identity Cloud Access Manager How to Configure for High Availability

4.0. Offline Folder Wizard. User Guide

Dell NetVault Backup Plug-in for SQL Server 6.1

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Logging and Alerting for the Cloud

Navigating the NIST Cybersecurity Framework

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Dell Recovery Manager for Active Directory 8.6.0

Dell NetVault Backup Plug-in for SQL Server

The Definitive Guide. Active Directory Troubleshooting, Auditing, and Best Practices Edition Don Jones

Using Self Certified SSL Certificates. Paul Fisher. Quest Software. Systems Consultant. Desktop Virtualisation Group

Dell Statistica Document Management System (SDMS) Installation Instructions

Defender Delegated Administration. User Guide

Dell Spotlight on Active Directory Deployment Guide

formerly Help Desk Authority HDAccess Administrator Guide

Dell Enterprise Reporter 2.5. Configuration Manager User Guide

Dell One Identity Cloud Access Manager Installation Guide

Quick Connect Express for Active Directory

Active Directory Change Notifier Quick Start Guide

How to Deploy Models using Statistica SVB Nodes

Enterprise Reporter Report Library

Quest vworkspace Virtual Desktop Extensions for Linux

Quest ChangeAuditor 4.8

11 ways to migrate Lotus Notes applications to SharePoint and Office 365

Dell NetVault Backup Plug-in for SharePoint 1.3. User s Guide

The Top 10 Things DBAs Should Know About Toad for IBM DB2

8.7. Target Exchange 2010 Environment Preparation

formerly Help Desk Authority Upgrade Guide

SharePlex for SQL Server

DATA GOVERNANCE EDITION

Understanding Enterprise Cloud Governance

2007 Quest Software, Inc. ALL RIGHTS RESERVED. TRADEMARKS. Disclaimer

Dell Migration Manager for Exchange Product Overview

FOR WINDOWS FILE SERVERS

Dell Recovery Manager for Active Directory 8.6. Deployment Guide

Understanding and Configuring Password Manager for Maximum Benefits

Quest Collaboration Services 3.5. How it Works Guide

Proactive Performance Management for Enterprise Databases

Quest Collaboration Services How it Works Guide

Dell Recovery Manager for Active Directory 8.6.3

Dell One Identity Cloud Access Manager SonicWALL Integration Overview

2.0. Quick Start Guide

Dell NetVault Backup Plug-in for Hyper-V User s Guide

Dell Client Profile Updating Utility 5.5.6

Spotlight on Messaging. Evaluator s Guide

The Definitive Guide. Active Directory Troubleshooting, Auditing, and Best Practices Edition Don Jones

Why Endpoint Encryption Can Fail to Deliver

NetVault LiteSpeed for SQL Server version Integration with TSM

Transcription:

Active Directory Recovery: What It Is, and What It Isn t Abstract Does your Active Directory recovery plan address all of the most common failure scenarios? This white paper explains how to handle each scenario with native tools (spoiler alert: don t count on Recycle Bin to save you in most of them!), and how the right third-party tools can make recovery preparedness a snap. Introduction No sane administrator wants to work in an environment that doesn t have a sensible Active Directory recovery plan that s designed to address a variety of possible failure scenarios. With the advent of Windows Server 2008 R2 and the well-known Active Directory Recycle Bin, administrators have all breathed a bit easier, knowing that even more failure scenarios can be handled natively in the product. But that Recycle Bin is often misunderstood, as are some of Active Directory s other native recovery features. Some administrators also fail to give timeliness the attention it deserves. Look, we ve all been involved in a bad situation where the boss was breathing down our neck, so we should all know how much more important quick recovery is.

A tour of recovery scenarios So let s look at some recovery situations and see if you re wellpositioned to recover quickly when they occur. Consider virtualizing all of your domain controllers and using Server Core as their base operating system. Virtual machines are easy to recover. 1. A domain controller dies No big deal. You ve got more than one, right? Nuff said. Just take the old one offline, demote it, re-promote it, and let it replicate with the remaining DCs. Sure, you might take a performance hit in the location that s temporarily missing a DC, but that isn t a tragedy. In fact, consider virtualizing all of your DCs and using Server Core as their base operating system. Virtual machines are easy to recover. Note that backups don t even come into play here. Active Directory is selfrecovering in this scenario. What s that? You work in a small environment and have a domain with only one domain controller? You re insane. Flat-out crazy. Bonkers. Get another domain controller up and running, stat. Make it a virtual machine they re easy to spin up and don t require dedicated hardware. In a truly small environment, they won t even need many virtual resources. Just make sure each domain has at least two domain controllers, and you ll have the redundancy you need to easily survive a failed domain controller. 2. Someone deletes an organizational unit As hard as this is to do nowadays, what with the accidental deletion protection feature in Active Directory, some folks still manage to pull it off. An entire organizational unit, complete with all of the users, computers, groups, contacts, and other objects inside it, is gone. It s okay to cry a little, because this is going to hurt. In an older domain, you ll be taking a domain controller offline. You re going to need your backup tapes, because while the original objects are still in the domain, their attributes have been largely deleted. Simply un-deleting them by clearing the tombstone attribute won t bring everything back, so you ll be performing an authoritative restore on an offline domain controller. Knock on wood, that won t present performance problems for whatever part of the business that will be doing without a DC for a bit. And, hopefully you remember all of the rather complex command-line syntax you ll be typing to make it happen. You ll need to bring the OU back first, and then bring back the objects that were in it. Give yourself half an hour or so, at a minimum. In a Windows Server 2008 R2-level domain, where you ve enabled the Recycle Bin (you remembered to do that, right?), you can just go into the Recycle Bin oh wait, no, you can t. There s no actual Recycle Bin as part of the Recycle Bin. Weird. You ll be going into Windows PowerShell then. Again, you ll have to restore the OU first, and then search for the objects that used to be in it so that you can restore them as well. If you remember the half dozen or so commands that you ll need to run, or can look them up on the Internet, this should take only about 15 minutes or so. The good news is that everything will come right back to life, with all the attributes intact. Most folks who ve had to perform either of these kinds of recovery would rather never do so again, ever. It s time-consuming, and you know you don t know the right syntax. You probably don t even have it written down anywhere handy. So your first stop will be Google, where you re going to be frantically searching for the right recovery syntax. 2

3. Someone deletes an object See above. Recovering an individual object isn t harder than recovering an entire OU, except that you won t need to take the step of restoring the OU first, obviously. So, domain controller offline, backup tapes, authoritative restore. Or, in an up-level domain with the Recycle Bin enabled, open PowerShell and run a few commands. You might want to jot those commands down on a sticky note or something, just to have them handy. It s going to need to be a decent-sized sticky note, though, because the necessary commands are neither short nor especially intuitive. 4. Someone modifies an object This has to be the most common AD recovery scenario. Some goofball goes in and modifies a bunch of attributes for some user, or takes users out of a group, or something stupid, and now you have to fix it. This is incredibly easy to do, and it s the one thing that s likely to be done by someone outside the IT team if you ve been delegating permissions. After all, we rarely delegate permissions to delete objects, let alone organizational units, so someone in IT would have to mess up to make that happen. But we are more likely to delegate the ability to mess with attributes, so that, for example, Human Resources, rather than IT, can keep track of everyone s job titles, managers, office locations, and whatnot. Of course, when they misuse that delegated power and mess something up, guess who gets to fix it? Yep, you. First, you need to figure out what they changed, because you can t rely on them to remember. That s going to be tricky, but in a Windows Server 2008 R2 domain you can start by looking in the event log for the before and after auditing information. Assuming you ve turned on that level of auditing in the domain of course. If you re in an older domain, or if you haven t been auditing the right stuff, you re on your own. Good luck! The Recycle Bin won t be of any help, here. It doesn t keep changed objects, only deleted ones. So the good news is that you won t be running PowerShell commands! The bad news is that unless you can identify every changed attribute and put all of them back manually, you re going to be treating this like a deleted object in a down-level domain: Offline DC, backup tapes, authoritative restore. Hey, you might write that authoritative restore syntax on a sticky note, too. It keeps popping up. Honestly, fixing objects rather than restoring them wholesale is one of the biggest gaps in the native Active Directory toolset. There s just no way to do it, even if it is the most common failure scenario. There s gotta be a better way Offline DCs, authoritative restores, that whole scenario is just horrible. It s like someone assumed nobody would ever really need to restore anything when they were making Active Directory! The Recycle Bin in Windows Server 2008 R2 is a nice step up, but it s still awfully limited. Every DC has to be running that version of Windows, the domain functional level has to be upgraded, and you ll be using the feature entirely in Windows PowerShell, using some of the more-arcane syntax that the shell offers. And even if you master that, the Recycle Bin won t protect you against the most common kinds of changes where objects are modified but not actually deleted. It s almost as if the world is crying out for a tool to do a better job of all this. The better way Check out Active Administrator. It s a set of integrated tools that addresses pretty much all the things that the native tools should, but don t. Backup and recovery is just the tip of the Active Administrator iceberg, but it s a pretty impressive tip. Let s revisit those recovery scenarios and see how Active Administrator would handle things. It s almost as if the world is crying out for a tool to do a better job of all this. 3

Active Administrator can perform a complete restore without taking a domain controller offline. 1. A domain controller dies Active Administrator can perform a complete restore without taking a domain controller offline, but in this case it s probably still easier and faster just to demote and re-promote the DC after fixing whatever ails it. 2. Someone deletes an organizational unit No problem. Pop into Active Administrator, choose one of its online backups (look Ma, no tapes!), and restore your OU. Simple, and takes like three minutes. When you re done, click on Active Administrator s Auditing tab to see who deleted the OU and apply the appropriate amount of head-smacking correction to the source. 3. Someone deletes on object See above. Open Active Administrator, select archive, select object, click Restore. That s it! 4. Someone modifies an object You actually have two choices, here. First, Active Administrator includes a detailed log of what s happened in AD, including who, what, when, and where information on changes that includes before and after attribute information. You can even use Live View if the changes were just made, and quickly scan through recent AD change activity to spot the change. If the change was minor, you can just look it up in the auditing log and manually put the information back to the way you want it. Or you can go to the Recovery tab in Active Administrator instead. Choose an archive, choose the object, and then choose which attributes you want to restore. If a bunch of attributes were changed, this can be faster and easier than manually resetting everything. Still, you re talking maybe five minutes total. All this, and so much more Active Administrator offers lots more, including Group Policy management, superior delegation capabilities, Active Directory health monitoring and auditing. If you visit www.quest.com/activeadministrator, you can play with Active Administrator in a live, online TestDrive no need to set up your own lab. Or you can try Active Administrator in your own environment by downloading a free trial. What are you waiting for? 4

2013 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ( Dell ). Dell, Dell Software, the Dell Software logo and products as identified in this document are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document. About Dell Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.dell.com. If you have any questions regarding your potential use of this material, contact: Dell Software 5 Polaris Way Aliso Viejo, CA 92656 www.dell.com Refer to our Web site for regional and international office information. Whitepaper-Active-DirectoryRecovery-US-SW-01-11-13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information