Resolving Active Directory Backup and Recovery Requirements with Quest Software




By Mike Danseglio

Table of Contents
Backing Up Effectively
Identifying an Incident
Recovering from Incidents
Recovering from Small Incidents
Recovering from Big Incidents
Quest Data Protection Solutions
About Quest Software

There's no denying that Active Directory is a necessary and dominant presence in today's computer landscape. And this is for good reason. Active Directory (AD for short) provides a host of services that are considered basic and indispensable. Without AD, virtually every aspect of security, identity, automated configuration, and centralized infrastructure for Windows goes out the door.

For the most part, Microsoft has taken AD's central role to heart. They designed the software to prevent data loss and corruption, and they continue to design features that help to prevent downtime. The stability of Windows Server and its Active Directory features has continuously improved over the last ten years.

Unfortunately for many AD administrators, the reliability improvements have often come at the expense of backup and restore features. The logic is easy to follow: if the data never becomes unavailable or inaccurate, there is no need for a data restoration option. Microsoft does continue to provide a core set of recovery features, but most of these focus on the "smoking crater" scenario: every part of AD goes away and the entire infrastructure must be restored to a single known-good point.

If your IT department is like most, you already recognize the gap. There are many scenarios between a perfectly intact AD and a complete loss. In fact, most environments never face a total loss of AD. Far more common are partial losses. Examples include the accidental deletion of an organizational unit (OU), the data corruption of a small number of AD objects within a large group of uncorrupted objects, or the removal of object attributes on an otherwise functional object. You certainly want to prepare your environment to withstand complete catastrophes. But quickly and easily addressing the middle-ground scenarios without making the problem bigger than it already is should be a high priority. And all of these scenarios rely on the fact that valid, confirmed backups were taken prior to the incidents.

This paper addresses all of these needs by showing you how Quest Software solutions deliver in the most commonly called-upon backup and recovery scenarios.

BACKING UP EFFECTIVELY

To begin any recovery or restoration discussion without addressing the need for good backups is putting the cart before the horse. The ability to recover is rooted in a solid backup strategy. Most IT professionals understand the need for regular and comprehensive backups, as it has been drilled into us for years. But few can actually define it in straightforward and deliverable terms. But it doesn't need to be a complex concept. I can summarize a good backup strategy in three bullets:

- Simple to define
- Effortless to execute
- Monitored through a central process

The simpler the backup is to plan and execute, the more likely it is to be done. The tools that you use must simplify the backup process to the point where it is nearly effortless. The easier the interface, and the more familiar you are with it from the beginning, the more likely you are to use it with minimal effort.

Quest Software's Recovery Manager for Active Directory exhibits these features in an interesting way. The backup process uses virtually the same view Microsoft uses in familiar tools like the Active Directory Users and Computers snap-in. Delivering the backup functionality in an already-familiar structure is incredibly helpful to administrators. Navigation through the user interface (UI) is easier for new users, and existing users do not have to maintain two separate skill sets to be proficient. This results in backups actually happening. The interface also abstracts the administrator from the daily grind of backups by scheduling automated backups. So once the backups are scheduled, an administrator simply needs to verify that they happened.

Figure 1. A familiar management interface is easier to understand and work with.

One of the biggest problems I see in recovery operations is the lack of an actual, tangible, good backup. All too often a well-planned backup strategy is implemented and then never validated or revisited. Many organizations assume that the absence of failure equals success for backups. And the only time they detect failure is when something obvious happens, like a tape breaking or a backup drive catching fire. Those kinds of backup failures are rare. But too many organizations only find out that their backups were insufficient, and not monitored, when the backups are needed for incident recovery.

Happily, the backups scheduled by Recovery Manager for Active Directory can be easily monitored. This can be done through the Recovery Manager for Active Directory console or through Quest Software's ability to communicate with Microsoft System Center Operations Manager (SCOM). Once the backups are scheduled in Recovery Manager for Active Directory, any backup errors can be reported into SCOM for centralized monitoring and alerting of any problems. Figure 2 shows an error backing up a specific domain controller due to network connection failure. Because the error is reported to SCOM, automatic alerts can be triggered, help desk tickets created, and so forth, all within the centralized monitoring structure in place for the infrastructure.

Figure 2. Backup errors are never nice to see, but they're far nicer to see before a system failure.

SCOM is great at reporting success and failure, not simply waiting for an error to crop up. When things don't happen as expected, Recovery Manager notifies SCOM, and SCOM makes sure someone knows. In this way, an administrator can find out about backups not working before they're actually needed. When things are going just peachy, SCOM acts as a dashboard for success reports as well, enabling proactive success monitoring and periodic auditing of disaster preparedness.

Your organization may not use SCOM for centralized operations monitoring and management. In that case, Recovery Manager for Active Directory does a fine job of giving you the same information about backup status and problem alerts. As long as the backup messages are monitored, you are in a better position for recovery tasks.

IDENTIFYING AN INCIDENT

Movies and television shows are great at highlighting incidents with obvious signs like explosions, fire, screaming, a clock ticking, dramatic music, and more. The IT world is not quite as straightforward. There are big obvious incidents to be sure, such as every user failing to log in. But the majority of incidents can be subtle. They often impact a single network service, a small set of users, or a limited time or area. This can make the occurrence of an incident difficult to identify, and the subsequent research of determining the root cause even more difficult.

The most common approach in identifying such issues is summarized by asking the question, "What has changed?" This is best answered for Active Directory by comparing one or more backups against the current AD data. Quest calls this feature Enhanced Comparison Reporting, and it is invaluable in identifying the root cause of an incident. For example, an application might suddenly begin reporting errors while accessing AD data. Recovery Manager can be used to identify AD objects that have been deleted since the application was known to work, as shown in Figure 3. Once the deleted objects are listed, you can determine which must be in place for the application to work. So rather than restoring all objects, or even the entire AD infrastructure, you can narrow down the cause of the incident and fix exactly what must be fixed to resolve the incident.

Figure 3. This report shows AD objects deleted since the backup date.

RECOVERING FROM INCIDENTS

Every incident is different, so there is no single all-encompassing incident recovery process. But there are some attributes that are important for every recovery operation, and in particular there are attributes that effective AD recovery tools must include. These include:

- A simple interface. Hopefully recovery happens infrequently. When it happens, that is not the time for an administrator to learn a new operational approach, naming convention, or tool layout. Recovery tools must look, feel, and function similar to tools in use every day. Recovery Manager accomplishes this by aligning closely with built-in AD management tools, and in many cases integrating with those tools for a seamless administrator experience.
- Automated operations. Some AD recovery operations can be technically complex, such as when recovery must be implemented over time to avoid peak-time restores or address critical need restore operations first. Recovery Manager handles these tasks without continuous administrator input. It knows which AD components must be brought up or taken down, in which order, and so forth. This automated system helps avoid human error and minimize the human impact of otherwise time-consuming tasks.
- Recovery planning and reporting. Knowing what to restore is important, but seeing a plan for the recovery process is immensely useful. Recovery Manager Forest Edition creates and shows you the entire plan to recover AD so you have a better understanding of the tasks and can communicate more details about the operation to others.

It is easier to read about the recovery process if incidents are split out into some type of categories. For this paper I will explain them in two categories: small and big.

I first need to explain the distinction between small and big incidents. Really there are no small incidents. Every incident has the potential to impact the functionality of the IT environment and services, the productivity of employees, the compliance to regulations, and a multitude of other things. Most importantly, a small incident to one organization may be a big incident to another. For example, the total failure of a Domain Controller (DC) that serves a remote region may seriously impact users if that environment was designed to rely on local authentication services. The same DC failure in an IT environment that provides multiple backup paths and does not heavily leverage domain-based authentication may be minimally impacted.

To keep the definition simple, the criterion I use to distinguish between incidents in this paper is the scope of the incident. Small incidents are things like a handful of missing objects, invalid objects, or some invalid attributes on an otherwise valid object. Big incidents include things like a corrupted schema extension as a result of an application upgrade.

Figure 4. Using Recovery Manager to select the users that must be restored.

Figure 5. The recovery operation is limited to a single attribute within the object.

RECOVERING FROM SMALL INCIDENTS

Recovering a small amount of AD data to resolve an incident is always a desired scenario. It avoids large-scale downtime, minimizes user impact, and helps avoid data loss due to object conflicts. Recovery Manager excels in this space. Figure 4 shows a typical dialog box that displays deleted and changed AD user objects. Also notice that Recovery Manager allows you to select the user objects that you have determined must be restored. Rather than restoring all users, or all users within a specific container, you just select the users that you've determined need to be restored. This selection enables you to perform the restore in a single operation and avoids the unwanted approach of restoring the good with the bad and then having to clean up the rest later.

This same approach to restoring the necessary AD data applies to most recovery operations in Recovery Manager. For example, if a user object contains one incorrect attribute, Recovery Manager allows you to select just that attribute for rollback, as shown in Figure 5.

Overall, the rule with restore and rollback tasks is to limit them to only the necessary data. Recovery Manager does this by first providing detailed reports on AD changes, and then by enabling a highly granular recovery process where those changes can be individually selected. Recovery Manager handles potential conflicts and replication issues seamlessly, further simplifying the administrative tasks and reducing the time needed to resolve the incident.

RECOVERING FROM BIG INCIDENTS

I hope you never need to read this section. Big AD incidents are always unpleasant. The scope of a big incident is usually the entire forest or multiple domain controllers. In today's distributed infrastructures, big incidents often span geographies and organizations, impacting all users and most services. One benefit to a big incident is that most administrators are familiar with the amount of work necessary for resolution. However, the severity and scope of the incident is not always proportional to the work involved.

As an example, let's assume your domain has been thoroughly infiltrated by a malicious attacker. Your recovery process for such an incident is to restore the entire domain from a known good backup. That sounds like a huge process, and it is. The process is complex, time-consuming, and requires interaction with a number of services and systems in the proper order and timing to get it right. If objects are restored in the wrong order, or domain controllers are not managed correctly throughout the process, a significant post-restore cleanup operation could be required. Such an operation is not desired and is avoidable.

Thankfully there is a way to deal with this while retaining your sanity. Recovery Manager for Active Directory Forest Edition can restore an entire domain with a relatively small amount of administrative effort. Recovery Manager handles the complexity and long hours itself. You are only exposed to the process and complexity when you want to be, such as when sending a status update to users and management.

QUEST DATA PROTECTION SOLUTIONS

Quest's data protection solutions for Active Directory minimize system downtime, prevent data loss and ensure business continuity. Our solutions include:

- Recovery Manager for Active Directory: Offers an easy-to-use solution for fast recovery without taking AD offline. Comparison reports highlight what objects and attributes have been changed or deleted in Active Directory, enabling efficient, focused recovery at the object or attribute level. For more information, go to: http://www.quest.com/recovery-managerfor-active-directory
- Recovery Manager for Active Directory Forest Edition: Automates the restore of your entire Active Directory forest from a single console, eliminating the need for physical interaction at each domain controller as is required when using native tools, speeding the recovery time significantly. For more information, go to: http://www.quest.com/recovery-manager-for-activedirectory-forest-edition
- OnDemand Recovery for Active Directory: Enables scheduled, online backups and facilitates quick, scalable recovery of Active Directory data, similar to Recovery Manager. This service, however, requires no on-premises deployment or maintenance and can be accessed anytime, from any location, with a supported web browser. For more information, go to: http://www.quest.com/ondemand-recovery-for-active-directory/

ABOUT QUEST SOFTWARE

Quest Software simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more about Quest, go to: www.quest.com