Robert Waldinger - How to recover active directory if disaster should occur

  • System administrator since the early days of Windows NT 4; went through all versions of Active Directory from 2000 on
  • So what is a disaster?
  • Virus, computer crime, worm, malicious employees, phishing, hacker
  • Hours to days of downtime; no productivity; companies like the automotive industry cannot produce cars
  • What does this mean for YOU as an administrator?
  • These are the use cases I want to go through with you, including live demos
  • Native AD features: tombstone reanimation, Recycle Bin
  • Tombstone reanimation was introduced with Windows Server 2003. The tombstone lifetime was raised from 60 to 180 days with 2003 SP1 (for forests created on SP1 or later; older forests keep their configured value). Reanimation brings the object back with its original objectGUID and objectSid. Garbage collection runs every 12 hours on every DC (garbageCollPeriod attribute). Using 3rd-party tools it is possible (also in Windows 2000) to "recover" objects online
  • Deleted object: after you enable Active Directory Recycle Bin, when an object is deleted the system preserves all of its link-valued and non-link-valued attributes and the object becomes "logically deleted", a new state in Windows Server 2008 R2. The deleted object is moved to the Deleted Objects container with its distinguished name mangled, and stays there in the logically deleted state for the duration of the deleted object lifetime. Within that lifetime you can recover it and make it a live Active Directory object again, either with an undelete or through an authoritative restore from a backup of AD DS.
  • Recycled object: after the deleted object lifetime expires, the logically deleted object is turned into a recycled object and most of its attributes are stripped away. A "recycled object", also a new state in Windows Server 2008 R2, remains in the Deleted Objects container until its recycled object lifetime expires; then the garbage-collection process physically deletes it from the database. By default a recycled object preserves the same set of attributes as a tombstone object in Windows Server 2003 and Windows Server 2008. To change the set of attributes preserved on a recycled object (that is, to make sure a particular attribute survives recycling), set the searchFlags attribute on that attribute's schema definition, the same way attributes are preserved on Windows Server 2003 and 2008 tombstones.
  • Deleted object lifetime: msDS-deletedObjectLifetime. Tombstone lifetime (= recycled object lifetime): tombstoneLifetime. Both live on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=lab; if msDS-deletedObjectLifetime is not set, it takes the value of tombstoneLifetime.
  • CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=your,DC=domain
  • Objects are NOT deleted!
  • Not possible with native tools
  • The market provides different solutions/approaches
  • Web interface
  • Hopefully never happens; lots of manual steps
  • Be sure to HAVE A PLAN! Even with only 1 or 2 DCs

    1. Robert Waldinger: How to recover Active Directory if disaster should occur
    2. Bio – Robert Waldinger
       • System Consultant
       • Work for Dell Software
       • Live in Munich
       • Blog: windows_management/
    3. Disaster
       • "it can never happen to me"
       • "oh really?"
    4. Disasters – What do you think of?
    5. Companies think about this…
    6. Disaster from IT's Point of View
    7. Disaster from Admin Point of View
    8. How do companies prepare for a Disaster?
       • Disasters are unpredictable – recovery shouldn't be
       • Recovery should be:
         – Planned, predictable and controlled
         – Documented for the people that will use it
           • Adjustable for unavailable team members
         – Tested, practiced and updated periodically
       • Automate where possible
       • Without practice, chance of success < 10%
       • Without planning, chance of success = 0%
    9. AD-Recovery Use Cases
       • Recover object
       • Recover attribute
       • Recover GPO
       • Recover Sysvol
       • Forest Recovery
    10. Recover Object
    11. Tombstone Reanimation
       • isDeleted attribute
       • "CN=Deleted Objects" container (one per naming context)
       • 180 days – default since Win 2003 SP1
       • Lifecycle: Live -> (delete) -> Tombstoned -> (reanimate tombstone / authoritative restore) -> Live; Tombstoned -> (garbage collection after the tombstone lifetime) -> physically deleted
    12. Recycle Bin
       • Prerequisites
         – All DCs must run Windows Server 2008 R2 or higher
         – Forest functional level Windows Server 2008 R2
         – Enabling is irreversible
       • Enable Recycle Bin
         – Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=lab' -Scope ForestOrConfigurationSet -Target 'test.lab'
       • Lifecycle: Live -> (delete) -> Deleted -> (undelete / authoritative restore) -> Live; Deleted -> (recycle after the deleted object lifetime) -> Recycled -> (garbage collection after the tombstone lifetime) -> physically deleted
    13. • Deleted object lifetime: msDS-deletedObjectLifetime
        • Tombstone lifetime (recycled object lifetime): tombstoneLifetime
        • Both in CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=lab
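The two lifetimes on this slide decide how long a deleted object can still be brought back with an undelete before only a backup helps. The following script is an added example (not part of the original slides) that reads tombstoneLifetime, msDS-DeletedObjectLifetime and garbageCollPeriod from the Directory Service object, applies the documented defaults when they are unset, checks whether the Recycle Bin feature is enabled, and reports for every deleted object in the domain which state it is in and when it expires. It assumes the ActiveDirectory RSAT module and a reachable DC.

```powershell
# Added example, not from the original slides: report the lifetimes that drive the
# tombstone / deleted / recycled states and how long each deleted object has left.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime', garbageCollPeriod

# An unset attribute means "use the default":
#   tombstoneLifetime          60 days (forests created before 2003 SP1), 180 days afterwards
#   msDS-DeletedObjectLifetime falls back to tombstoneLifetime
#   garbageCollPeriod          12 hours
$tombstoneLifetime     = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
$deletedObjectLifetime = if ($ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tombstoneLifetime }
$gcPeriodHours         = if ($ds.garbageCollPeriod) { [int]$ds.garbageCollPeriod } else { 12 }

# EnabledScopes is empty until the optional feature has been enabled for the forest.
$recycleBin        = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
$recycleBinEnabled = $recycleBin.EnabledScopes.Count -gt 0

"Recycle Bin enabled       : $recycleBinEnabled"
"Deleted object lifetime   : $deletedObjectLifetime days (msDS-DeletedObjectLifetime)"
"Tombstone lifetime        : $tombstoneLifetime days (tombstoneLifetime)"
"Garbage collection period : $gcPeriodHours hours (garbageCollPeriod)"

# Every deleted object in the domain naming context, except the container itself.
# whenChanged is updated when the object is deleted, so it approximates the deletion time.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
    -IncludeDeletedObjects -Properties whenChanged, isRecycled, lastKnownParent, objectClass

foreach ($obj in $deleted) {
    $deletedAt = $obj.whenChanged
    if ($obj.isRecycled) {
        # Past the deleted object lifetime: attributes are stripped, only a restore from backup helps.
        $state    = 'recycled (authoritative restore from backup only)'
        $deadline = $deletedAt.AddDays($tombstoneLifetime)       # then garbage collection removes it
    } elseif ($recycleBinEnabled) {
        $state    = 'deleted (undelete with Restore-ADObject)'
        $deadline = $deletedAt.AddDays($deletedObjectLifetime)   # then it becomes a recycled object
    } else {
        $state    = 'tombstone (reanimation returns preserved attributes only)'
        $deadline = $deletedAt.AddDays($tombstoneLifetime)       # then garbage collection removes it
    }
    [pscustomobject]@{
        Name       = $obj.Name
        Class      = $obj.objectClass
        State      = $state
        LastParent = $obj.lastKnownParent
        DeletedAt  = $deletedAt
        ExpiresAt  = $deadline
        DaysLeft   = [math]::Round(($deadline - (Get-Date)).TotalDays, 1)
    }
}
```

Run it on a regular schedule: an object whose DaysLeft is close to zero is the one you want to undelete now rather than after the next garbage-collection pass, and a forest where tombstoneLifetime is unset (60-day default) needs fresher backups than the 180 days most people assume.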
    14. Demo: Recover objects with the Active Directory Administrative Center (Windows Server 2012) and configure AD Recycle Bin
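The undelete shown in the demo has one trap that the lifecycle diagrams on slides 11 and 12 do not show: if the object's parent OU was deleted as well, Restore-ADObject fails with "the object's parent is either uninstantiated or deleted" until the parent has been restored first, and an object that has already become recycled cannot be undeleted at all. The function below is an added example (not from the original slides or from Recovery Manager for AD) that restores an object after walking up its chain of deleted parents, then optionally brings back everything that was deleted inside it. It assumes the ActiveDirectory module and, for a full-attribute restore, an enabled Recycle Bin; with the feature off, Restore-ADObject only reanimates the tombstone. The OU name and the domain in the usage lines are assumptions.

```powershell
# Added example, not from the original slides: parent-first restore of deleted objects.
Import-Module ActiveDirectory

function Restore-DeletedObjectTree {
    param(
        [Parameter(Mandatory)][string]$Identity,   # objectGUID or mangled DN from CN=Deleted Objects
        [switch]$IncludeChildren
    )

    $obj = Get-ADObject -Identity $Identity -IncludeDeletedObjects `
        -Properties isDeleted, isRecycled, lastKnownParent

    if ($obj.isRecycled) {
        # The deleted object lifetime has expired; most attributes are gone and the
        # directory refuses to undelete. Only an authoritative restore from backup helps.
        throw "$($obj.DistinguishedName) is already recycled; it needs an authoritative restore from backup"
    }

    if ($obj.isDeleted) {
        # A deleted parent is recognisable by the \0ADEL: mangling in lastKnownParent.
        # Restore it first (recursively up the chain) or this restore will fail.
        if ($obj.lastKnownParent -match '\\0ADEL:') {
            Restore-DeletedObjectTree -Identity $obj.lastKnownParent
        }
        $restored = Restore-ADObject -Identity $obj.ObjectGUID -PassThru
        Write-Host "restored $($restored.DistinguishedName)"
    } else {
        Write-Host "$($obj.DistinguishedName) is live; nothing to restore"
    }

    if ($IncludeChildren) {
        # Objects deleted together with this container keep pointing at its mangled DN.
        $mangledDn = $obj.DistinguishedName
        $children  = Get-ADObject -Filter { lastKnownParent -eq $mangledDn } `
            -IncludeDeletedObjects -Properties isDeleted
        foreach ($child in $children | Where-Object { $_.isDeleted }) {
            Restore-DeletedObjectTree -Identity $child.ObjectGUID -IncludeChildren
        }
    }
}

# Usage (OU name and domain are assumptions): find the deleted OU by its original name,
# then bring it back together with everything that was deleted inside it.
$ou = Get-ADObject -Filter { Name -like 'Finance*' -and objectClass -eq 'organizationalUnit' -and isDeleted -eq $true } `
    -IncludeDeletedObjects -SearchBase 'CN=Deleted Objects,DC=test,DC=lab' | Select-Object -First 1
if ($ou) { Restore-DeletedObjectTree -Identity $ou.ObjectGUID -IncludeChildren }
```

If the original parent is gone for good (recycled, or never to be restored), Restore-ADObject also accepts -TargetPath to put the object under a different container; the parent-first logic above is only needed when the original location is to be reinstated.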
    15. Recover attribute
    16. Reasons for attribute recovery
       • Data import failed
       • Error in IDM systems
    17. Problems
       • Object was not deleted -> Recycle Bin would not help
       • Other changed attributes should not be overwritten
       • Schema extensions should be covered as well
    18. Demo: Recover single attributes with Recovery Manager for AD
    19. Recover GPO
    20. Problems
       • 3rd-party solution needed
       • Sysvol, AD and registry need to be covered
    21. Solutions
       • AD backup/recovery tool
       • GPO management tool
       • Additional benefits:
         – Versioning
         – Change history
         – Workflows
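Before buying the tools on slide 21, it is worth knowing exactly what the native Backup-GPO / Restore-GPO pair covers and what it leaves out. The script below is an added example (not from the original slides or from any Dell product) that builds the versioning and change history the slide lists as extra benefits on top of the native cmdlets: one dated backup folder per run, a manifest per GPO, and a diff against the previous run. Backup-GPO captures the Group Policy Container in AD and the Group Policy Template in Sysvol, but not the links to sites, domains and OUs, the WMI filter itself, or IPsec policy, so the links and filter name are recorded separately from Get-GPOReport. The backup root path is an assumption; the GroupPolicy module is required.

```powershell
# Added example, not from the original slides: native GPO backups with a version history.
Import-Module GroupPolicy

$backupRoot = 'D:\GPOBackups'                      # assumed location, one sub-folder per run
$stamp      = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest       = Join-Path $backupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$manifest = foreach ($gpo in Get-GPO -All) {
    $backup = Backup-GPO -Guid $gpo.Id -Path $dest -Comment "scheduled backup $stamp"
    # The XML report carries what the backup does not: where the GPO is linked and its WMI filter.
    $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    [pscustomobject]@{
        Id              = $gpo.Id.ToString()
        DisplayName     = $gpo.DisplayName
        BackupId        = $backup.Id.ToString()
        Modified        = $gpo.ModificationTime.ToString('o')   # string, so it survives the JSON round trip
        UserVersion     = $gpo.User.DSVersion
        ComputerVersion = $gpo.Computer.DSVersion
        WmiFilter       = $gpo.WmiFilter.Name
        Links           = @($report.GPO.LinksTo | ForEach-Object {
                              "$($_.SOMPath) (enabled=$($_.Enabled); enforced=$($_.NoOverride))" })
    }
}
$manifest | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $dest 'manifest.json')

# Change history: compare with the previous run and print what changed.
$previous = Get-ChildItem $backupRoot -Directory | Where-Object { $_.Name -ne $stamp } |
    Sort-Object Name -Descending | Select-Object -First 1
if ($previous) {
    $old = Get-Content (Join-Path $previous.FullName 'manifest.json') -Raw | ConvertFrom-Json
    foreach ($entry in $manifest) {
        $before = $old | Where-Object { $_.Id -eq $entry.Id }
        if (-not $before) { "NEW     $($entry.DisplayName)"; continue }
        if ($before.Modified -ne $entry.Modified) {
            "CHANGED $($entry.DisplayName) ($($before.Modified) -> $($entry.Modified))"
        }
        if (($before.Links -join '|') -ne ($entry.Links -join '|')) {
            # Links are not part of the GPO backup: re-link by hand after a Restore-GPO.
            "LINKS   $($entry.DisplayName): was [$($before.Links -join '; ')] now [$($entry.Links -join '; ')]"
        }
    }
    foreach ($gone in $old | Where-Object { $_.Id -notin $manifest.Id }) {
        "DELETED $($gone.DisplayName): Restore-GPO -BackupId $($gone.BackupId) -Path '$($previous.FullName)'"
    }
}
```

Restore-GPO brings back the settings and the GPO's own permissions; the LINKS lines in the history are the reminder that the link, enforcement flag and WMI filter assignment have to be re-created manually (or by a GPO-management tool) afterwards, which is the gap slide 20 refers to.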
    22. Demo: Recover GPO changes
    23. Recover Sysvol
    24. • Authoritative restore
        • Restore files/scripts
        • Restore system state offline
    25. Forest Recovery
    26. Microsoft Guideline
       1. Identify the problem
       2. Decide how to recover the forest
       3. Perform initial recovery
       4. Redeploy remaining DCs
       5. Cleanup
    27. Tools to be familiar with
       • Adsiedit.msc
       • Ntdsutil.exe
       • Repadmin.exe
       • Netdom.exe
       • Nltest.exe
    28. Prove your concept
       • Make sure your concept reflects the Microsoft guide
       • Make sure you have a working backup and all needed information ready
       • Do a forest recovery test at least once a year (fire drill)
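Slide 28 asks for "all needed information ready" and a yearly fire drill. The script below is an added example (not from the original slides or from Recovery Manager for AD Forest Edition) of the pre-flight half of that drill: it writes down what the Microsoft guideline on slide 26 needs at step 3 (which DC to restore first, which FSMO roles to seize) and step 4 (which DCs are left to metadata-clean and redeploy), snapshots replication state so failures caused by the exercise can be told apart from pre-existing ones, and checks that the newest system state backup is younger than the tombstone lifetime, because a restore from an older backup is rejected. It assumes the ActiveDirectory and WindowsServerBackup modules on the DC it runs on and an output folder of your choice.

```powershell
# Added example, not from the original slides: forest-recovery pre-flight for the fire drill.
Import-Module ActiveDirectory
Import-Module WindowsServerBackup                  # assumes Windows Server Backup is installed on this DC

$outDir = 'C:\ForestRecovery\pre-flight'           # assumed location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. FSMO roles: the guide seizes these onto the first DC restored in each domain.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 2. Every DC with site, GC flag and OS: needed to choose the DC to restore first and
#    to know which DCs must be metadata-cleaned (ntdsutil) and redeployed afterwards.
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperatingSystem,
        @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' } }

# 3. Replication failures as they are now, before the drill touches anything.
$replFailures = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'

# 4. Backup age versus tombstone lifetime. An unset tombstoneLifetime means the 60-day
#    default applies; a system state backup older than that is refused on restore.
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$tsl    = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }
$lastBackup = (Get-WBSummary).LastSuccessfulBackupTime
$backupOk   = $false
if ($lastBackup) { $backupOk = ((Get-Date) - $lastBackup).TotalDays -lt $tsl }

$report = [pscustomobject]@{
    CollectedAt           = (Get-Date).ToString('o')
    Forest                = $forest.Name
    ForestMode            = $forest.ForestMode.ToString()
    Domain                = $domain.DNSRoot
    DomainMode            = $domain.DomainMode.ToString()
    FsmoRoles             = $fsmo
    DomainControllers     = $dcs
    ReplicationFailures   = $replFailures
    TombstoneLifetimeDays = $tsl
    LastSystemStateBackup = if ($lastBackup) { $lastBackup.ToString('o') } else { 'none' }
    BackupUsable          = $backupOk
}
$report | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $outDir 'pre-flight.json')

if (-not $backupOk) {
    Write-Warning "No system state backup younger than $tsl days on $env:COMPUTERNAME; a forest recovery from this DC would fail."
}
$report | Format-List
```

Print the JSON and keep it with the recovery plan: during a real recovery the directory you would query for this information is the thing that is broken, and the DSRM passwords of the DCs listed here belong in the same envelope.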
    29. Demo: Forest recovery with Recovery Manager for AD Forest Edition
    30. AD Forest Disaster Recovery – What you don't know will hurt you
       • Whitepaper: paper/active-directory-forestdisaster-recovery-what-youdont-know-will-hurt-you822479
    31. Please evaluate the session before you leave … and don't forget to visit my blog: /techcenter/b/windows_management