Disaster Recovery

In preparation for the Active Directory forest to be upgraded (to Windows Server 2012 R2), it may be prudent to re-evaluate Active Directory disaster recovery plans.

Active Directory, if configured correctly, will just sit there and work, servicing every request presented to it. Because of this robustness its importance is often overlooked and its criticality not understood.

Management buy-in.

The most critical component of the disaster recovery plan is the education of management and key stakeholders in the criticality of Active Directory to the business. No Active Directory can mean no authentication, no authorisation, no name resolution and no printing; effectively the IT function may cease to operate until the Active Directory is restored or made available.

Plan and approach.

Define which Active Directory recovery scenarios are being catered for: is it total loss of the Active Directory, or the loss of objects within the Active Directory?

Agree with the business and calculate realistic Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) for Active Directory.

RPO – the point in time you have to recover to (or, put another way, the amount of information you can afford to lose).

RTO – the time you have to recover the environment back to the RPO.

Choose your method of backup

When it actually comes to backing up Active Directory, technical insight is needed to understand the scenarios that are being protected against. Ensure that each scenario is catered for so that Active Directory can be recovered.

Domain/Forest Recovery.

In the worst case this would mean restoring a single domain controller from backup and then rebuilding all the other existing domain controllers and re-promoting them as domain controllers in this restored domain.

This could be a logistical nightmare to perform and orchestrate.

Object Recovery

This would usually mean restoring a domain controller from backup and then marking the object(s) that are to be recovered as authoritative.

Active Directory Recycle Bin.

The Active Directory Recycle Bin provides a certain degree of insurance in protecting Active Directory, but it only enables the recovery of deleted objects and not, for example, the recovery of modified users or groups. All domain controllers must be running Windows Server 2008 R2 at a minimum and the forest functional level must be Windows Server 2008 R2.
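An added example (not from the original post) that checks the two Recycle Bin prerequisites just stated and, only when asked, enables the feature; it assumes the ActiveDirectory RSAT module and Enterprise Admin rights, and the -EnableIfMissing switch is a name chosen for this script, not a Microsoft parameter.

```powershell
# Added example, not from the original post: checks the two Recycle Bin
# prerequisites stated above and optionally enables the feature. Assumes the
# ActiveDirectory RSAT module and Enterprise Admin rights; -EnableIfMissing is
# a parameter name chosen for this script, not a Microsoft one.
param([switch]$EnableIfMissing)

Import-Module ActiveDirectory -ErrorAction Stop
$forest = Get-ADForest

# 1. Forest functional level must be Windows Server 2008 R2 or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    Write-Warning ("Forest functional level is {0}; raise it to Windows2008R2Forest or higher first." -f $forest.ForestMode)
    return
}

# 2. Every DC in every domain must run 2008 R2 or later. An OperatingSystem
#    string containing 2000/2003/2008 (but not "2008 R2") marks a DC that blocks this.
$tooOld = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { $_.OperatingSystem -match '(2000|2003|2008)(?! R2)' }
}
if ($tooOld) {
    Write-Warning "These domain controllers are below Windows Server 2008 R2:"
    $tooOld | Select-Object HostName, Domain, OperatingSystem | Format-Table -AutoSize
    return
}

# 3. Report whether the feature is already on; enable it only when asked to,
#    because enabling the Recycle Bin cannot be undone.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin is already enabled for forest $($forest.Name)."
} elseif ($EnableIfMissing) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
    "Recycle Bin enabled for forest $($forest.Name)."
} else {
    "Recycle Bin is NOT enabled; re-run with -EnableIfMissing to enable it."
}

# What the Recycle Bin can bring back: deleted objects only. Modified objects
# never appear here, which is why system state backups are still needed.
Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
    -IncludeDeletedObjects -Properties LastKnownParent, whenChanged |
    Select-Object Name, LastKnownParent, whenChanged
# A deleted object listed above is restored with: Restore-ADObject -Identity <ObjectGUID>
```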

Backup

All of the well-known backup providers support backing up Active Directory. A key point is that it is not only the Operating System that needs to be backed up but the entire system state, which includes all the underlying components of the Operating System and Active Directory.

Quest Recovery Manager for Active Directory – Forest Edition.

The only tool I have found on the market that provides Active Directory Disaster Recovery from a single pane of glass; it enables recovery from a single attribute to a full forest recovery.

Recovery Manager for Active Directory

Test your processes

Whatever process or method you use to back up your Active Directory, ensure that you are confident of recovering your Active Directory, not only within the time required but also that you are physically able to do so.

As I review and update my old consulting notes I have decided to publish them. These are by no means definitive and are intended as an ‘aide-mémoire’ to enable discussion.
Please feel free to comment.

Microsoft have updated the must-read Active Directory document on Active Directory Forest Recovery.

“The guide contains best-practice recommendations for recovering an Active Directory forest if forest-wide failure renders all domain controllers in the forest incapable of functioning normally. The steps, which you must customize for your particular environment, describe how to recover the entire Active Directory forest to a point in time before the critical malfunction. They also ensure that none of the restored domain controllers replicate from a domain controller with potentially dangerous data.

The steps in this guide apply to Active Directory forests where the domain controllers run Microsoft® Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 operating systems.”

Please ignore the fact that the document is titled “Windows Server 2008: Planning for Active Directory Forest Recovery”; it covers all supported versions of Windows Server that can run Active Directory.

April 2013 Update.

Download it here.

This week I have been implementing Quest Recovery Manager for Active Directory Forest Edition. As the implementation is a global implementation I have a requirement for more than one management console (if you know the product, you’ll know what I mean). The official documentation from Quest states that the process for this is:

Step 1: Export Data from Each Backup Registration Catalog to .Xml File
Step 2: Copy the .Xml File to the Forest Recovery Console Computer
Step 3: Provide the Exported Data to the Forest Recovery Console

Syntax

Get-RMADBackup | Export-RMADBackup -Path C:\Backup.xml

Import-RMADBackup -Path C:\Import\Backup.xml | Add-RMADBackup

Straightforward enough, except it did not work. It created a file with only one server in it and not all of the servers that the server was responsible for backing up (and knew about). On closer inspection I noticed that the file, as it was being created, was going 0K, 12K, 0K, 12K…, as if the server details were being exported and overwriting the last one, one at a time, rather than appending to the XML file. I managed to open a few of the files as they were being created and confirmed my suspicions.

Solution

I managed to get it to work by executing the following syntax wrapped in a PowerShell PS1 file.

$b = Get-RMADBackup
Export-RMADBackup -Path C:\RMADFE\backup.xml -InputObject $b

The XML files produced were now all over 1MB (and growing), so I knew that I now had a working solution.

(NB. I got around step two by implementing a DFS-R replicated DFS-Namespace and saving all files and scripts in the replicated target.)
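An added example (not Quest's code and not the original post's script) that wraps the working export syntax above in a PS1 with sanity checks, so a truncated single-server file like the one described is caught before it is copied to the Forest Recovery Console; it assumes the RMAD PowerShell module is loaded, and -ExportPath and the 64 KB warning threshold are choices made for this script.

```powershell
# Added example, not Quest's code or the original post's script: wraps the
# working export syntax in a PS1 with sanity checks. Assumes the RMAD module
# is loaded; -ExportPath and the 64KB threshold are choices for this script.
param([string]$ExportPath = 'C:\RMADFE\backup.xml')

$ErrorActionPreference = 'Stop'

# Collect every registered backup first, then hand the whole collection to
# Export-RMADBackup via -InputObject. Piping objects one at a time produced a
# file that was overwritten per server rather than appended to.
$backups = @(Get-RMADBackup)
if ($backups.Count -eq 0) {
    throw "Get-RMADBackup returned no backups; nothing to export."
}

$dir = Split-Path -Parent $ExportPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

Export-RMADBackup -Path $ExportPath -InputObject $backups

# Sanity checks: the file must exist and parse as well-formed XML, and it must
# not look like the ~12K single-server stub the pipeline form produced.
$file = Get-Item $ExportPath
$null = [xml](Get-Content -Path $ExportPath -Raw)   # throws if not valid XML

$sizeKB = [math]::Round($file.Length / 1KB, 1)
"Exported {0} backup record(s) to {1} ({2} KB)" -f $backups.Count, $ExportPath, $sizeKB

if ($backups.Count -gt 1 -and $file.Length -lt 64KB) {
    Write-Warning ("Export is only {0} KB for {1} backups; inspect it for missing servers " +
                   "before copying it to the Forest Recovery Console." -f $sizeKB, $backups.Count)
}
```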

Hope this helps and saves you some of the frustration I went through.

The Windows Sysinternals team have updated the excellent Active Directory Explorer tool to version 1.3

AD Explorer can be used to navigate the AD database; view object properties and attributes; modify permissions; view an object’s schema properties and create sophisticated searches that can be saved for regular use.

AD Explorer can save snapshots of an AD database for off-line viewing and comparison. For me the most useful snapshot feature is the ability to mount two snapshots of an Active Directory database and, using AD Explorer’s comparison functionality, compare them to see which objects, attributes and security permissions differ.

Download

Microsoft have updated their Active Directory Forest Recovery whitepaper to reference Windows Server 2008 R2.

Hopefully nobody ever has to go through a forest recovery, but just in case the day ever arises, you should practise a forest recovery regularly, because you do not want to be learning how to do this on the fly with the Director of your organisation watching your every move while his entire organisation cannot work.

Note: please ensure you have the latest version of the “Planning for Active Directory Forest Recovery” paper, which was recently updated and then quickly republished to correct an error in the procedures for re-installing DNS.
The error is also covered in KB 975654.

Download (updated 18/03/2010)