Robert Waldinger - How to recover active directory if disaster should occur
  • System Administrator since the early days of Windows NT 4; went through all versions of Active Directory from 2000 on
  • So what is a Disaster?
  • Virus, computer crime, worm, malicious employees, phishing, hacker
  • Hours to days of downtime; no productivity; companies in the automotive industry cannot produce cars
  • What does this mean for YOU as an Administrator?
  • These are the use cases I want to go through with you, including live demos
  • Native AD features: Tombstone Reanimation, Recycle Bin
  • Introduced with Windows Server 2003; lifetime increased from 60 to 180 days with 2003 SP1; recovers objectGUID and objectSid; garbage collection runs every 12 hours on every DC (garbageCollPeriod attribute); using 3rd-party tools it is possible (also in Windows 2000) to "recover" objects online
  • Deleted object: after you enable Active Directory Recycle Bin, when an Active Directory object is deleted the system preserves all the object's link-valued and non-link-valued attributes and the object becomes "logically deleted," which is a new state in Windows Server 2008 R2. A deleted object is moved to the Deleted Objects container, with its distinguished name mangled. A deleted object remains in the Deleted Objects container in a logically deleted state throughout the duration of the deleted object lifetime.
    Within the deleted object lifetime, you can recover a deleted object and make it a live Active Directory object again. Within the deleted object lifetime, you can also recover a deleted object through an authoritative restore from a backup of AD DS.
  • Recycled object: after the deleted object lifetime expires, the logically deleted object is turned into a recycled object and most of its attributes are stripped away. A "recycled object," which is a new state in Windows Server 2008 R2, remains in the Deleted Objects container until its recycled object lifetime expires. After the recycled object lifetime expires, the garbage-collection process physically deletes the recycled Active Directory object from the database.
    By default, a recycled object in Windows Server 2008 R2 preserves the same set of attributes as a tombstone object in Windows Server 2003 and Windows Server 2008. To change the set of attributes that are preserved on a Windows Server 2008 R2 recycled object (that is, to make sure that a particular attribute of an object is preserved when this object becomes recycled), set the value of the searchFlags attribute in the schema. This process is similar to the process for preserving attributes on Windows Server 2003 and Windows Server 2008 tombstone objects.
  • Deleted object lifetime: msDS-deletedObjectLifetime. Tombstone lifetime (recycled object lifetime): tombstoneLifetime. Both in CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=lab
  • CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=your,DC=domain
  • Objects are NOT deleted!
  • Not possible with native tools
  • The market provides different solutions/approaches
  • Web interface
  • Hopefully never happens; lots of manual steps
  • Be sure to HAVE A PLAN! Even with only 1 or 2 DCs

Presentation Transcript

  • Robert Waldinger: How to recover Active Directory if disaster should occur
  • Bio – Robert Waldinger • System Consultant • Work for Dell Software • Live in Munich • Blog: windows_management/
  • Disaster • „it can never happen to me“ • „oh really?“
  • Disasters – What do you think of?
  • Companies think about this…
  • Disaster from IT’s Point of View
  • Disaster from Admin Point of View
  • How do companies prepare for a Disaster? • Disasters are unpredictable – recovery shouldn’t be • Recovery should be: – Planned, predictable and controlled – Documented for the people that will use it • Adjustable for unavailable team members – Tested, practiced and updated periodically • Automate where possible • Without practice, chance of success < 10% • Without planning, chance of success = 0%
  • AD-Recovery Use Cases • Recover object • Recover attribute • Recover GPO • Recover Sysvol • Forest Recovery
  • Recover Object
  • Tombstone Reanimation • isDeleted attribute • „CN=Deleted Objects“ (naming context) • 180 days – default since Win 2003 SP1 • Lifecycle: Live --delete--> Tombstoned --reanimate tombstone / authoritative restore--> Live; Tombstoned --garbage collection--> Physically deleted
  • Recycle Bin • Prerequisites – All DCs must run Windows Server 2008 R2 or higher – Forest functional level Windows Server 2008 R2 • Enable Recycle Bin – Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=lab' -Scope ForestOrConfigurationSet -Target 'test.lab' • Lifecycle: Live --delete--> Deleted --undelete / authoritative restore--> Live; Deleted --recycle--> Recycled --garbage collection--> Physically deleted
  • Deleted object lifetime: msDS-deletedObjectLifetime • Tombstone lifetime (recycled object lifetime): tombstoneLifetime • Both in CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=lab
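An added example, not part of the presentation, that ties together the lifetimes, the Deleted Objects container and the undelete path described in the notes and slides above: it reads the Recycle Bin state and both lifetimes from the Directory Service object, then restores one deleted object. It assumes the ActiveDirectory RSAT module on a domain-joined admin session; the object name 'jdoe' is a placeholder.

```powershell
# Added example (not the presenter's code). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

# 1. Is the Recycle Bin optional feature enabled in this forest?
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$recycleBinEnabled = ($feature.EnabledScopes.Count -gt 0)

# 2. Read both lifetimes (in days). An unset tombstoneLifetime means the old
#    60-day default; an unset msDS-DeletedObjectLifetime means "same as
#    tombstoneLifetime". After the deleted object lifetime an object is
#    recycled and loses most attributes, so this is the window for an undelete.
$ds = Get-ADObject -Identity $dsObject -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
$tombstoneLifetime = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
$deletedLifetime   = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tombstoneLifetime }

[pscustomobject]@{
    RecycleBinEnabled         = $recycleBinEnabled
    DeletedObjectLifetimeDays = $deletedLifetime
    TombstoneLifetimeDays     = $tombstoneLifetime
} | Format-List

# 3. Locate the deleted object. Its DN is mangled under CN=Deleted Objects,
#    but the name still starts with the original RDN, so match on name + isDeleted.
$name = 'jdoe'   # placeholder: RDN of the object to recover
$candidates = @(Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(name=$name*))" `
    -IncludeDeletedObjects -Properties lastKnownParent, isRecycled, whenChanged)

if ($candidates.Count -eq 0) { throw "No deleted object named '$name' found." }
if ($candidates.Count -gt 1) {
    $candidates | Select-Object Name, whenChanged, lastKnownParent | Format-Table
    throw "Several deleted objects match '$name'; pick one by ObjectGUID."
}
$deleted = $candidates[0]

# Once recycled, only an authoritative restore from backup can bring the object back.
if ($deleted.isRecycled) { throw "'$name' is already recycled; restore it from backup instead." }

# 4. Undelete. With the Recycle Bin enabled all attributes come back; on a plain
#    tombstone (Recycle Bin off) this reanimates the object but only the preserved
#    attributes (objectGUID, objectSid, ...) survive and the rest must be re-entered.
#    The restore fails if lastKnownParent is itself deleted; restore the parent first.
Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $deleted.lastKnownParent
```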
  • Demo Recover Objects with Windows Server 2012 Admin Center and configure AD Recycle Bin
  • Recover attribute
  • Reasons for attribute recovery • Data import failed • Error in IDM systems
  • Problems • Object was not deleted, so the recycle bin would not help • Other changed attributes should not be overwritten • Schema extensions should also be covered
  • Demo Recover single attributes with Recovery Manager for AD
  • Recover GPO
  • Problems • 3rd-party solution needed • Sysvol, AD and registry need to be covered
  • Solutions • AD Backup/Recovery tool • GPO-Management tool • Additional benefits: – Versioning – Change history – Workflows
  • Demo Recover GPO changes
  • Recover Sysvol
  • Authoritative restore • Restore files/scripts • Restore System State offline
  • Forest Recovery
  • Microsoft Guideline • Identify the problem • Perform initial recovery • Decide how to recover the forest • Cleanup • Redeploy remaining DCs
  • Tools to be familiar with • Adsiedit.msc • Ntdsutil.exe • Repadmin.exe • Netdom.exe • Nltest.exe
  • Prove your concept • Make sure your concept reflects the Microsoft guide • Make sure you have a working backup and all needed information ready • Do a forest recovery test at least once a year (fire drill)
  • Demo Forest-Recovery with Recovery-Manager-for-AD Forest Edition
  • AD Forest Disaster Recovery – What you don't know will hurt you • Whitepaper: paper/active-directory-forestdisaster-recovery-what-youdont-know-will-hurt-you822479
  • Please evaluate the session before you leave ... and don't forget to visit my blog: /techcenter/b/windows_management