
Robert Waldinger - How to recover active directory if disaster should occur

Published in: Technology

  1. 1. Robert Waldinger How to recover Active Directory if disaster should occur
  2. 2. Bio – Robert Waldinger • System Consultant • Work for Dell Software • Live in Munich • Blog: http://de.community.dell.com/techcenter/b/windows_management/
  3. 3. Disaster • "It can never happen to me" • "Oh really?"
  4. 4. Disasters – What do you think of?
  5. 5. Companies think about this…
  6. 6. Disaster from IT’s Point of View
  7. 7. Disaster from Admin Point of View
  8. 8. How do companies prepare for a Disaster? • Disasters are unpredictable – recovery shouldn’t be • Recovery should be: – Planned, predictable and controlled – Documented for the people that will use it • Adjustable for unavailable team members – Tested, practiced and updated periodically • Automate where possible • Without practice, chance of success < 10% • Without planning, chance of success = 0%
  9. 9. AD-Recovery Use Cases • Recover object • Recover attribute • Recover GPO • Recover Sysvol • Forest Recovery
  10. 10. Recover Object
  11. 11. Tombstone Reanimation • isDeleted attribute • "CN=Deleted Objects" (naming context) • 180 days – Default since Win 2003 SP1 • Lifecycle diagram: Live → (delete) → Tombstoned → (garbage collection) → Physically deleted; a tombstoned object is brought back by reanimating the tombstone or by an authoritative restore
  12. 12. Recycle Bin • Prerequisites – All DCs must run Windows Server 2008 R2 or higher – Forest Level Windows Server 2008 R2 • Enable Recycle Bin – Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=lab' -Scope ForestOrConfigurationSet -Target 'test.lab' • Lifecycle diagram: Live → (delete) → Deleted → (recycle) → Recycled → (garbage collection) → Physically deleted; a Deleted object is brought back by undelete or by an authoritative restore
  13. 13. • Deleted object lifetime: msDS-deletedObjectLifetime • Tombstone lifetime (recycled object lifetime): tombstoneLifetime • Both are set on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=test,DC=lab
  14. 14. Demo Recover Objects with Windows Server 2012 Admin Center and configure AD Recycle Bin
  15. 15. Recover attribute
  16. 16. Reasons for attribute recovery • Data import failed • Error in IDM systems
  17. 17. Problems • Object was not deleted → recycle bin would not help • Other changed attributes should not be overwritten • Schema extensions should also be covered
  18. 18. Demo Recover single attributes with Recovery Manager for AD
  19. 19. Recover GPO
  20. 20. Problems • 3rd party solution needed • Sysvol, AD and registry need to be covered
  21. 21. Solutions • AD Backup/Recovery tool • GPO-Management tool • Additional benefits: – Versioning – Change history – Workflows
  22. 22. Demo Recover GPO changes
  23. 23. Recover Sysvol
  24. 24. • Authoritative restore • Restore files/scripts • Restore system state offline
  25. 25. Forest Recovery
  26. 26. Microsoft Guideline • Identify the problem • Perform initial recovery • Decide how to recover the forest • Cleanup • Redeploy remaining DCs • http://technet.microsoft.com/en-us/library/planning-activedirectory-forest-recovery(v=ws.10).aspx
  27. 27. Tools to be familiar with • Adsiedit.msc • Ntdsutil.exe • Repadmin.exe • Netdom.exe • Nltest.exe
  28. 28. Prove your concept • Make sure your concept reflects the Microsoft guide • Make sure you have a working backup and all needed information ready • Do a forest recovery test at least once a year (fire drill)
  29. 29. Demo Forest-Recovery with Recovery-Manager-for-AD Forest Edition
  30. 30. AD Forest Disaster Recovery – What you don‘t know will hurt you • Whitepaper: https://software.dell.com/white paper/active-directory-forestdisaster-recovery-what-youdont-know-will-hurt-you822479
  31. 31. Please evaluate the session before you leave ... and don't forget to visit my blog: http://de.community.dell.com/techcenter/b/windows_management
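
For slides 12 and 13, the following PowerShell is an added example, not part of the deck: it reports whether the Recycle Bin is enabled, resolves the two lifetime attributes to effective day counts, and lists deleted objects that have not yet been recycled. It assumes the ActiveDirectory RSAT module and a reachable DC; the function names `Get-AdDeletionSettings` and `Get-AdRestorableObject` are hypothetical.

```powershell
# Added example, not from the slides. Read-only: nothing here changes the directory.
Import-Module ActiveDirectory

function Get-AdDeletionSettings {            # hypothetical helper name
    $forest  = Get-ADForest
    $cfgNc   = (Get-ADRootDSE).configurationNamingContext
    # Container named on slide 13, built from this forest's configuration NC.
    $dsDn    = "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $ds      = Get-ADObject -Identity $dsDn `
                   -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

    # An unset tombstoneLifetime means the built-in value of 60 days applies;
    # an unset msDS-DeletedObjectLifetime follows the tombstone lifetime.
    $tsl = if ($null -ne $ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    $dol = if ($null -ne $ds.'msDS-DeletedObjectLifetime') {
               $ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    [pscustomobject]@{
        ForestMode                = $forest.ForestMode
        RecycleBinEnabled         = (@($feature.EnabledScopes).Count -gt 0)
        DeletedObjectLifetimeDays = $dol
        TombstoneLifetimeDays     = $tsl
    }
}

function Get-AdRestorableObject {            # hypothetical helper name
    param([int]$Days = 7)                    # look-back window, an assumption
    $since = (Get-Date).AddDays(-$Days)
    # isRecycled needs a Windows Server 2008 R2 or later schema. Recycled
    # objects have lost most attributes and cannot be undeleted.
    Get-ADObject -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
        -Properties whenChanged, lastKnownParent, isRecycled |
        Where-Object { -not $_.isRecycled -and $_.whenChanged -ge $since } |
        Select-Object ObjectClass, lastKnownParent, whenChanged, DistinguishedName
}

$settings = Get-AdDeletionSettings
$settings | Format-List
if (-not $settings.RecycleBinEnabled) {
    Write-Warning 'Recycle Bin is off: deleted objects are tombstones and lose most attributes.'
}
Get-AdRestorableObject -Days 7 | Format-Table -AutoSize
```

An object from the list can be brought back with `Restore-ADObject -Identity <DistinguishedName>`; adding `-WhatIf` shows what would be restored without doing it.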
