Best Practice

In preparation for the Active Directory forest to be upgraded (to Windows Server 2012 R2), it may be prudent to re-evaluate Active Directory disaster recovery plans.

Active Directory, if configured correctly, will just sit there and work, servicing every request presented to it. Because of this robustness its importance is often overlooked and its criticality not understood.

Management buy-in.

The most critical component in the disaster recovery plan is the education of management and key stakeholders in the criticality of Active Directory to the business. No Active Directory can mean no authentication, no authorisation, no name resolution and no printing; effectively the IT function may cease to operate until Active Directory is restored or made available.

Plan and approach.

Define which Active Directory recovery scenarios are being catered for: is it total loss of Active Directory, or the loss of objects within it?

Agree with the business and calculate realistic Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) for Active Directory.

RPO – this is the point in time you have to recover to (or, put another way, the amount of information you can afford to lose).

RTO – this is the time within which you have to recover the environment back to the RPO.

Choose your method of backup

When it actually comes to backing up Active Directory, technical insight is needed to understand the scenarios that are being protected against. Ensure that each scenario is catered for so that Active Directory can be recovered.

Domain/Forest Recovery.

In a worst-case scenario this would mean restoring a single domain controller from backup and then rebuilding all the other existing domain controllers as domain controllers of this restored domain.

This could be a logistical nightmare to perform and orchestrate.

Object Recovery

This would usually mean restoring a domain controller from backup and then marking the object(s) that are to be recovered as authoritative.

Active Directory Recycle Bin.

The Active Directory Recycle Bin provides a certain degree of insurance in protecting Active Directory, but it only enables the recovery of deleted objects; it does not, for example, recover modified users or groups. To use it, all domain controllers must be running Windows Server 2008 R2 at a minimum and the forest functional level must be Windows Server 2008 R2.

Backup

All of the well-known backup providers support backing up Active Directory. A key point is that it is not only the Operating System that needs to be backed up, but the entire system state, which includes all the underlying components of the Operating System and Active Directory.
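As an added example (not code from the original post), the following PowerShell script checks the Recycle Bin prerequisites described above and reports the age of the last system state backup on the host. It assumes the ActiveDirectory RSAT module is available and that Windows Server Backup is installed where the backup check should run.

```powershell
# Added example, not from the original post: a read-only readiness check for the
# Active Directory Recycle Bin prerequisites and for system state backup currency.
# Assumes the ActiveDirectory RSAT module; the backup check only runs if Windows
# Server Backup is installed on the host you run this from.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest $($forest.Name): functional level $($forest.ForestMode)"

# Prerequisite 1: forest functional level of Windows Server 2008 R2 or higher.
# ADForestMode is an enum in which Windows2008R2Forest = 4; later levels are higher.
$levelOk = [int]$forest.ForestMode -ge 4
Write-Host "Forest functional level is 2008 R2 or higher: $levelOk"

# Prerequisite 2: every DC in every domain of the forest runs 2008 R2 (NT 6.1) or later.
# OperatingSystemVersion looks like "6.1 (7601)"; keep the leading version number only.
$oldDcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Where-Object { [version]($_.OperatingSystemVersion -replace ' .*$', '') -lt [version]'6.1' } |
        Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion
}
if ($oldDcs) {
    Write-Host 'Domain controllers that block the Recycle Bin:'
    $oldDcs | Format-Table -AutoSize
} else {
    Write-Host 'All domain controllers run Windows Server 2008 R2 or later.'
}

# Current state: is the optional feature already enabled for the forest?
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$enabled = $feature.EnabledScopes.Count -gt 0
Write-Host "Recycle Bin enabled: $enabled"
if (-not $enabled -and $levelOk -and -not $oldDcs) {
    # Enabling is a one-way change, so it is printed as a suggestion rather than run here.
    Write-Host "Ready to enable with: Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $($forest.Name)"
}

# The Recycle Bin only covers deletions, not modified objects, so a system state
# backup is still required. Report the last successful Windows Server Backup job.
if (Get-Command Get-WBSummary -ErrorAction SilentlyContinue) {
    $summary = Get-WBSummary
    $age = (Get-Date) - $summary.LastSuccessfulBackupTime
    Write-Host ("Last successful backup on this host: {0} ({1:N1} days ago)" -f $summary.LastSuccessfulBackupTime, $age.TotalDays)
} else {
    Write-Host 'Windows Server Backup cmdlets not found; skipping backup age check.'
}
```

Run it from an elevated PowerShell session on a management host; it only reads forest state and never changes it.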

Quest Recovery Manager for Active Directory – Forest Edition.

The only tool I have found on the market that provides Active Directory disaster recovery from a single pane of glass; it enables recovery from a single attribute through to a full forest recovery.

Recovery Manager for Active Directory

Test your processes

Whatever process or method you take to back up your Active Directory, ensure that you are confident and able to recover your Active Directory, not only in the time required but also physically able to do so.

As I review and update my old consulting notes I have decided to publish them. These are by no means definitive and are intended as an ‘aide memoire’ to enable discussion.
Please feel free to comment.

This guide follows on from the excellent Windows Server 2008 and 2008 R2 Performance Tuning Guidelines and describes important tuning parameters and settings that you can adjust to improve the performance and energy efficiency of the Windows Server 2012 operating system. It describes each setting and its potential effect to help you make an informed decision about its relevance to your system, workload, and performance goals.

The guide is for information technology (IT) professionals and system administrators who need to tune the performance of a server that is running Windows Server 2012.

Included in this white paper:

  • Choosing and Tuning Server Hardware
  • Performance Tuning for the Networking Subsystem
  • Performance Tools for Network Workloads
  • Performance Tuning for the Storage Subsystem
  • Performance Tuning for Web Servers
  • Performance Tuning for File Servers
  • Performance Tuning for a File Server Workload (FSCT)
  • Performance Counters for SMB 3.0
  • Performance Tuning for File Server Workload (SPECsfs2008)
  • Performance Tuning for Active Directory Servers
  • Performance Tuning for Remote Desktop Session Host (Formerly Terminal Server)
  • Performance Tuning for Remote Desktop Virtualization Host
  • Performance Tuning for Remote Desktop Gateway
  • Performance Tuning Remote Desktop Services Workload for Knowledge Workers
  • Performance Tuning for Virtualization Servers
  • Performance Tuning for SAP Sales and Distribution
  • Performance Tuning for OLTP Workloads

Performance Tuning Guidelines for Windows Server 2012

I have previously written about this, but feel it’s worthy of another mention. Microsoft have hidden away on their WHDC (Windows Hardware Developer Central) website an excellent document on Performance Tuning Guidelines for Windows Server 2008 R2. It is worth a read as it details lots of changes in functionality that can affect performance.

The paper was last updated on May 16th 2011 and details:

  • Choosing and Tuning Server Hardware
  • Performance Tuning for the Networking Subsystem
  • Performance Tuning for the Storage Subsystem
  • Performance Tuning for Web Servers
  • Performance Tuning for File Servers
  • Performance Tuning for Active Directory Servers
  • Performance Tuning for Remote Desktop Session Host (formerly Terminal Server)
  • Performance Tuning for Remote Desktop Gateway
  • Performance Tuning for Virtualization Servers
  • Performance Tuning for File Server Workload (NetBench)
  • Performance Tuning for File Server Workload (SPECsfs2008)
  • Performance Tuning for Network Workload (NTttcp)
  • Performance Tuning for Remote Desktop Services Knowledge Worker Workload
  • Performance Tuning for SAP Sales and Distribution Two-Tier Workload
  • Performance Tuning for TPC-E Workload

October 2012 Update:

Updated Server Core Installation Option, Correct Memory Sizing for Child Partitions, and Correct Memory Sizing for Root Partition.

September 2012 Update:

Further updates to the performance tuning guidance in the “Performance Tuning for TPC-E Workload” section.

May 2011 Update:

“Performance Tuning for Web Servers” – Updated guidance to reflect that Http.sys manages connections automatically.

“Performance Tuning for File Servers” – Fixed typos in NFS Server tuning parameter registry keys.

“Performance Tuning for Virtualization Servers” – Added information about Dynamic Memory tuning.

“Performance Tuning for TPC-E Workload” – Clarified tuning guidance.

“Resources” – Updated references.

October 15th Update:

Throughout the paper – Clarified some explanations; clarified energy consumption vs. power consumption.

“Interrupt Affinity” – Added recommendation to use device-specific mechanism for binding interrupts, if supported by the driver model.

“Network-Related Performance Counters” – Added IPv6 and TCPv6.

“Performance Tuning for the Storage Subsystem” – Various minor updates throughout.

“Performance Tuning for File Servers” – Added guidance for NtfsDisableLastAccessUpdate; added “Tuning Parameters for NFS Server”, “File Server Tuning Example”, and “File Client Tuning Example”.

“Performance Tuning for Remote Desktop Session Host” – Added references to two new white papers on capacity planning.

“Monitoring and Data Collection” (multiple sections) – Updated the list of counters to monitor.

“Performance Tuning for File Server Workload (SPECsfs2008)” – New section.

“Performance Tuning for SAP Sales and Distribution Two-Tier Workload” – Substantial updates to the whole section.

“Performance Tuning for TPC-E Workload” – New section.

“Resources” – A few additions and updates.


If you are looking to understand what the security policies in Windows 7 and 2008 R2 mean and how they can impact your environment, then this guide is a must read.

Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

The document covers the following categories in some depth:

Account Policies

This section discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos protocol authentication policies.

Advanced Security Audit Policy

This section discusses the use of advanced audit policy settings, which are now integrated with Group Policy to monitor and enforce your security measures. It describes the various settings, and it provides examples of how audit information is modified when the settings are changed.

User Rights

This section discusses the various logon rights and privileges that are provided by the Windows 7 and Windows Server 2008 R2 operating systems, and it provides guidance about which accounts should be assigned these rights.

Security Options

This section provides guidance about security settings for digital data signatures, Administrator and Guest account names, drive access, driver installation behaviour, and logon prompts.

Event Log

This section provides guidance about how to configure the settings that relate to the various event logs on computers running Windows Server 2008 R2 or Windows 7.

System Services

Windows Server 2008 R2 and Windows 7 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This section describes the various services included with the operating systems so that you can best decide which ones to leave enabled and which ones can be safely disabled.

Software Restriction Policies

This section provides a brief overview of the Software Restriction Policy feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Application Control Policies

This section provides a brief overview of the AppLocker™ feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

External Storage Devices

This section describes Group Policy settings that can be used to limit, prevent, or allow the use of external storage devices in networked computers.

Additional Resources

This section provides links to additional information sources about Windows security topics from Microsoft that you may find useful.

Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

Are you looking to plan, pilot or deploy Windows and Office?

The Microsoft Springboard team from Redmond will be in the UK en route to TechEd Europe (Berlin) on Monday 1st November, where they will deliver a five-hour workshop on:

  • Office 2010 IT investments.
  • Key deployment strategies for Windows 7 and the Microsoft Desktop Optimization Pack.
  • Opportunities for training and certification in these key products.
  • Why Windows 7 has received rave reviews from IT organisations and is setting records as the fastest-selling operating system in history.
  • Tools, tips and tricks you need now to jumpstart the successful deployment and management of your Windows desktop environment today.

If you are interested in attending, then register today for the workshop and the opportunity to come and network with members of the US based Windows and Office Product Teams, as well as local Microsoft Technology Evangelists.

If you are an IT professional looking for information on how to plan, implement and maintain Microsoft Office 2010 installations, then this publication will help.

Microsoft have made available this download which provides how-to information on the recommended steps to execute specific deployment tasks, such as customising the installation; installing the Microsoft Office 2010 system on users’ computers; implementing the deployment in multiple languages and migrating to the new file format.

Download

Stability and reliability update for Windows 7 and Windows Server 2008 R2.

Having just blogged about a Windows Server 2008 R2 and Windows 7 application compatibility update, I discovered additional updates for stability and reliability. These updates do not appear to be cumulative.

This one is dated April 2010, and I assume these updates are the Windows Server and client equivalent of the Exchange rollup updates.

http://support.microsoft.com/kb/980408

Issues resolved:

  • Windows Explorer crashes and then restarts when you access a third-party Control Panel item.
  • You cannot connect to an instance of SQL Server Analysis Services from an application in Windows 7 or in Windows Server 2008 R2 after you install Office Live Add-in 1.4 or Windows Live ID Sign-in Assistant 6.5.
  • Windows Explorer may stop responding for 30 seconds when a file or a directory is created or renamed after certain applications are installed.
  • The Welcome screen may be displayed for 30 seconds when you try to log on to a computer if you set the desktop background to a solid color.
  • You are not warned when you delete more than 1000 files at the same time. Then, the files are deleted permanently and are not moved to the Recycle Bin.

This one is dated January 2010

http://support.microsoft.com/kb/977074

Issues resolved:

  • Keyboard function keys or keyboard shortcuts, such as mute or calculator, may not work correctly.
  • The notification icon for an application may be moved or lost when the executable application is updated.
  • On a computer that is running Windows 7, you configure the Screen Saver Settings to display the logon screen on resume. Additionally, you configure the computer to go to sleep. However, the computer may not go to sleep after the screen saver starts. Instead, a black screen is displayed. This problem causes the operating system to stop responding. You must restart the computer by holding down the power button.

This one is dated October 2009

http://support.microsoft.com/kb/974431

Issues resolved:

  • When you view a PDF file that was created by using a 2007 Microsoft Office system document, the PDF file is displayed on the screen correctly. However, when the document is printed, some characters are missing. This problem occurs in fonts such as Calibri, Cambria, Courier New, or Gabriola in which character combinations such as “fi,” “ti,” “fl,” and other combinations are frequently presented as ligatures.
  • In certain scenarios, an Emergency Alert System (EAS) message does not automatically tune to the appropriate channel in Windows Media Center.
  • You connect a secondary monitor to a computer that is running Windows 7. When the computer resumes from hibernation, a black screen is displayed.
  • In certain scenarios, the Windows 7 Customer Experience Improvement Program (CEIP) diagnostic information settings are configured incorrectly for Windows Explorer. Only those users who are enrolled in the Windows 7 CEIP will be affected by this part of the update. This update limits the diagnostic information that can be collected by the CEIP.
  • You put an x86-based computer that does not have Physical Address Extension (PAE) enabled into hibernation. However, the computer does not enter hibernation correctly. When you try to resume the computer from hibernation, a black screen is displayed. This issue does not affect x64-based or Itanium-based computers, or computers that have the Data Execution Prevention (DEP) feature enabled.
  • A problem in Windows 7 affects the playback of certain media files in Windows Media Player when Windows Media Player is started from Windows Internet Explorer. Only those users whose media associations were changed incorrectly will be affected by this part of the update.
  • On a computer that is running Windows 7, you use Internet Explorer to open the certificate enrollment Web page and to install an end entity certificate. However, the installation fails. This issue occurs if the certificate chain for the new certificate cannot be built, or if the root certification authority (CA) has not first been installed in the Trusted Roots on the computer.