Date post: 12-Jan-2016
Page 1: SVR331 Active Directory Disaster Recovery Part 2 of 2

Kimberry Associates
www.kimberry.co.uk

John Craddock, Principal Systems Consultant, [email protected]
Sally Storey, Senior Consultant, [email protected]

Page 3: Welcome Back to Part 2

- Infrastructure Components
- File Replication and SYSVOL
- Backing up the Directory
- Restoring the Directory
- Authoritative Restores
- Recovering a Forest
- And of course lots of demos

Page 4: Legal Stuff

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied.

The presenters, authors, publisher and distributor assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Names identifying the directory and associated objects are fictitious and are not intended to represent any organizations or people.

All trademarks are acknowledged and are the property of their respective owners.

© All materials are copyright Kimberry Associates

Page 5: Restore through Reinstallation

- Clean up the AD
  - Remove references to the failed DC
  - Action depends on the name of the new server
- Make sure the hardware is OK and install a new copy of the OS
- Promote into the domain
- Allow replication to populate the AD
  - Network traffic may be excessive, especially if you want the new DC to be a GC

Page 6: Server Name

- Always remove the NtdsDSA settings object for the failed servers
  - Use ntdsutil (simplified with SP1)
  - See "How To: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion" (Q216498)
- If the new server will have a new name
  - Remove the old server objects from sites and services and the domain controllers OU

Page 7: Restore From Backup

Page 8: Take Care

- Only use this option if you are recovering all DCs in a domain
- Equivalent of a D4 authoritative restore

Page 9: Unless you Like Morphed Folders

Page 10: GC Caveats

- If restoring a domain from an older backup, you may need to reinitialise the GCs in other domains

Diagram: example.com with child.example.com restored back in time; global catalogs will have newer data about child.

Page 11: Deleted Objects

- The isDeleted attribute is set TRUE
- Changes the RDN of the object to include the object's GUID
  - Adds characters that could never be set by an LDAP call
- Strips all but the preserved attributes
- Moves the object to the Deleted Objects container

Page 12: Tombstone Period

- The object remains in the deleted objects container for the tombstone period
  - Default 60 days (SP1 = 180 days)
- The Garbage Collector removes any deleted objects for which the tombstone period has expired
  - Runs every 12 hours (default setting)

Page 13: Re-Animating Objects

- Server 2003 provides a re-animation API
  - SP1 re-animation includes sIDHistory
- Stripped attributes are not restored
- To re-animate
  - Set the LDAP control flags to show deleted objects
  - In one operation on the deleted object
    - Set the isDeleted attribute to NULL
    - Set the DN appropriately for the container in which to re-animate the object
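The tombstone life cycle on slides 11 to 13 (isDeleted set, RDN rewritten with the GUID, attributes stripped, move to Deleted Objects, garbage collection after the tombstone period, re-animation with one modify) as a small Python model. This is an added example, not code from the seminar; the object names, the GUIDs, the dates and the preserved-attribute subset are constructed, and the real preserved set is defined by the schema and is larger than the few attributes modelled here.

```python
"""Model of tombstoning, garbage collection and re-animation (slides 11-13).

Added illustration, not code from the seminar. Object names, GUIDs and the
preserved-attribute subset are constructed.
"""
from datetime import datetime, timedelta

# Constructed subset of the attributes a tombstone keeps.
PRESERVED = {"objectGUID", "objectSid", "sAMAccountName", "nTSecurityDescriptor"}
DEFAULT_TOMBSTONE_LIFETIME = timedelta(days=60)   # slide 12; SP1 forests default to 180


def naming_context(dn):
    """'OU=TheBoys,DC=example,DC=com' -> 'DC=example,DC=com'."""
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC="))


def tombstone(obj, deleted_at):
    """What the DSA does on delete (slide 11): set isDeleted, rename, strip, move."""
    rdn, parent = obj["dn"].split(",", 1)
    kept = {k: v for k, v in obj.items() if k in PRESERVED}   # strip all but preserved
    kept["isDeleted"] = True
    kept["lastKnownParent"] = parent
    kept["whenDeleted"] = deleted_at
    # The RDN gains "\0ADEL:<objectGUID>". 0x0A (line feed) is a character no
    # LDAP add or rename may place in an RDN, so a live object can never collide
    # with the tombstone's name inside the Deleted Objects container.
    kept["dn"] = (f"{rdn}\\0ADEL:{obj['objectGUID']},"
                  f"CN=Deleted Objects,{naming_context(parent)}")
    return kept


def garbage_collect(store, now, lifetime=DEFAULT_TOMBSTONE_LIFETIME):
    """Remove tombstones whose tombstone period has expired (slide 12).
    Returns how many objects were physically removed."""
    expired = [dn for dn, o in store.items()
               if o.get("isDeleted") and now - o["whenDeleted"] >= lifetime]
    for dn in expired:
        del store[dn]
    return len(expired)


def reanimate(store, tombstone_dn, new_parent=None):
    """Re-animate (slide 13): one modify on the tombstone that clears isDeleted
    and sets the DN. Attributes stripped at deletion are not restored."""
    t = store[tombstone_dn]
    if not t.get("isDeleted"):
        raise ValueError("not a tombstone")
    rdn = t["dn"].split("\\0ADEL:", 1)[0]
    parent = new_parent or t["lastKnownParent"]
    obj = {k: v for k, v in t.items()
           if k not in ("isDeleted", "whenDeleted", "lastKnownParent")}
    obj["dn"] = f"{rdn},{parent}"
    del store[tombstone_dn]
    store[obj["dn"]] = obj
    return obj


def walkthrough():
    """Delete George and Dick, show the garbage collector's timing, re-animate George."""
    store = {}
    george = {"dn": "CN=George,OU=TheBoys,DC=example,DC=com",
              "objectGUID": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",   # constructed
              "objectSid": "S-1-5-21-1-2-3-1105", "sAMAccountName": "george",
              "description": "Famous Five", "telephoneNumber": "0123"}
    dick = {"dn": "CN=Dick,OU=TheBoys,DC=example,DC=com",
            "objectGUID": "9c7b1b1e-0d3a-4c5e-8a1f-2b4c6d8e0f11",     # constructed
            "objectSid": "S-1-5-21-1-2-3-1106", "sAMAccountName": "dick"}
    deleted_at = datetime(2005, 1, 1)
    for obj in (george, dick):
        t = tombstone(obj, deleted_at)
        store[t["dn"]] = t
    george_ts = [dn for dn in store if dn.startswith("CN=George")][0]
    gc_day59 = garbage_collect(store, deleted_at + timedelta(days=59))   # nothing expired yet
    revived = reanimate(store, george_ts)                                # George comes back
    gc_day60 = garbage_collect(store, deleted_at + timedelta(days=60))   # Dick's tombstone goes
    return {"tombstone_dn": george_ts, "gc_day59": gc_day59,
            "gc_day60": gc_day60, "revived": revived}


if __name__ == "__main__":
    print(walkthrough())
```

The point the walkthrough makes is the one on slide 13: the re-animated George still has his SID and sAMAccountName, but the description and telephone number stripped at deletion are gone, and anything not re-animated before the tombstone period ends is removed for good by the garbage collector.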

Page 14: Recovering Deleted / Changed Objects

- After the System State has been restored, objects within the directory can be marked as authoritative (increases version number)
- "Guarantees" that the restored object will replicate out from the restored DC
- The whole of the directory with the exception of the schema can be made authoritative
  - Not recommended
- Mark only the objects that must be authoritatively restored

Page 15: Performing an Authoritative Restore

Flow (diagram): Restore mode -> Run ntdsutil, mark required objects authoritative -> Restart (new DSA GUID) -> Replicate changes since backup (accept if higher version numbers) -> Replicate authoritative objects

- Does not need to be restored from backup
  - Any DC can be made authoritative provided it holds the appropriate objects

Page 16: Authoritatively Restoring an OU

Diagram: OU TheBoys containing Julian, Dick and George. Mark as authoritative: increments version number on all contained objects and attributes.

Page 17: Authoritative Restore

Diagram: DC1, DC2 and DC3 each hold George (in G1). DC1 is in restore mode with the backup taken prior to the deletion restored. Version numbers shown: VN=50 (before the deletion), VN=91 (George moved to the deleted objects container on the live DCs) and VN=100,090 on DC1 after the authoritative restore.
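The version-number contest that slides 14 to 17 describe, as an added Python model (not the seminar's code). DC names, attribute values and version numbers are constructed, and isDeleted is modelled as an attribute present from creation so that a deletion and a restore compete on the same counter; the 100,000-per-day increment is the one ntdsutil applies when an object is marked authoritative, which is where the slides' "VN=100,000+" comes from. Running the same scenario with and without marking George authoritative shows why a plain restore is undone by replication while an authoritative one replicates out.

```python
"""Attribute version numbers during a plain vs an authoritative restore.

Added example, not from the seminar. Names, values and versions are
constructed; the 100,000 increment is ntdsutil's per-day bump.
"""
import copy
from dataclasses import dataclass

AUTH_RESTORE_INCREMENT = 100_000


@dataclass
class Attr:
    value: object
    version: int   # per-attribute version number in the replication metadata
    stamp: int     # originating write time (constructed ticks), tie-breaker


class DC:
    def __init__(self, name):
        self.name = name
        self.objects = {}   # dn -> {attribute name -> Attr}
        self.clock = 0

    def write(self, dn, attr, value):
        """An originating write bumps the attribute's version by one."""
        self.clock += 1
        obj = self.objects.setdefault(dn, {})
        prev = obj.get(attr)
        obj[attr] = Attr(value, prev.version + 1 if prev else 1, self.clock)

    def create(self, dn, **attrs):
        # Modelling choice: isDeleted exists from birth, so a later deletion and
        # an authoritative restore fight over the same version counter.
        self.write(dn, "isDeleted", False)
        for k, v in attrs.items():
            self.write(dn, k, v)

    def delete(self, dn):
        self.write(dn, "isDeleted", True)    # tombstoning is an attribute write (slide 11)

    def is_alive(self, dn):
        return dn in self.objects and not self.objects[dn]["isDeleted"].value

    def backup(self):
        return copy.deepcopy(self.objects)

    def restore(self, system_state):
        self.objects = copy.deepcopy(system_state)

    def mark_authoritative(self, dn, days_since_backup):
        """What ntdsutil does for a marked object: every attribute's version
        is raised by 100,000 for each day since the backup was taken."""
        for a in self.objects[dn].values():
            a.version += AUTH_RESTORE_INCREMENT * max(1, days_since_backup)

    def replicate_from(self, src):
        """Inbound replication: a value is accepted only if it wins on version,
        then on stamp - slide 15's 'accept if higher version numbers'."""
        for dn, theirs in src.objects.items():
            mine = self.objects.setdefault(dn, {})
            for name, a in theirs.items():
                ours = mine.get(name)
                if ours is None or (a.version, a.stamp) > (ours.version, ours.stamp):
                    mine[name] = copy.copy(a)


GEORGE = "CN=George,OU=TheBoys,DC=example,DC=com"


def scenario(authoritative):
    """George is created and backed up, deleted on DC2, and DC1 is restored from
    the backup. Returns {dc: (George alive?, isDeleted version)} once replication
    has converged."""
    dc1, dc2, dc3 = DC("DC1"), DC("DC2"), DC("DC3")
    dc1.create(GEORGE, description="Famous Five")
    for dc in (dc2, dc3):
        dc.replicate_from(dc1)
    system_state = dc1.backup()              # backup taken before the deletion

    dc2.delete(GEORGE)                       # accidental deletion on a live DC
    dc1.replicate_from(dc2)
    dc3.replicate_from(dc2)

    dc1.restore(system_state)                # restore mode: George is back on DC1 only
    if authoritative:
        dc1.mark_authoritative(GEORGE, days_since_backup=1)

    dcs = (dc1, dc2, dc3)
    for _ in range(2):                       # let replication converge both ways
        for a in dcs:
            for b in dcs:
                if a is not b:
                    a.replicate_from(b)
    return {dc.name: (dc.is_alive(GEORGE), dc.objects[GEORGE]["isDeleted"].version)
            for dc in dcs}


if __name__ == "__main__":
    print("non-authoritative:", scenario(False))
    print("authoritative:    ", scenario(True))
```

Without the mark, DC1's restored isDeleted=FALSE at version 1 loses to the deletion's version 2 on the next inbound replication and George is deleted again everywhere; with the mark his attributes sit at version 100,001 and win on every DC.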

Page 18: Caveats to Authoritative Restores

- An authoritative restore that involves computer and trust objects may invalidate their accounts
  - The passwords are periodically reset (default 30 days)
  - A history of two passwords is kept
  - You may experience problems if restoring older backups

Page 19: More Caveats

- Authoritatively restoring users and groups may result in inconsistent group membership
  - The behaviour depends on the forest functionality level when the group was created and/or when the user was added to the group
- The behaviour affects all multi-valued linked attributes

Page 20: Multi-Valued Linked Attributes

- Groups store their membership list in their member attribute
- The member attribute is a multi-valued linked attribute
  - This discussion affects the restoration of all multi-valued linked attributes
- Each pair of linked attributes is identified by the schema-defined linkID property
  - Forward links are even (n) and the associated back link is odd (n+1)

Page 21: Link Table (Simplified)

- Entries are created in a link table when a group is created/modified through origination or replication
- The link tables are constructed on each DC

Diagram: users John (memberOf G1, G3) and Sally (memberOf G1, G2, G3); groups G1, G2 and G3 with their member attributes.

Link Table (Forward = member, Back = memberOf)
  G1  John
  G2  Sally
  G3  Sally
  G3  John
  G1  Sally

Page 22: Replicating Group Membership

- In a Windows 2000 forest the group member attribute is replicated in its entirety
  - Replication metadata is attached to the member attribute
- In a Windows 2003 forest or Windows 2003 Interim forest the linked values are replicated
  - Referred to as linked-value replication
  - Replication metadata is attached to the member attribute

Page 23: Attribute Clean-up

- If either the linked source or destination objects are deleted the associated linked attribute value is deleted
  - Deleting a user removes that user from the member attributes of all linked groups
  - Deleting a group removes that group from the calculated memberOf attributes of all linked users

Diagram: a group's member attribute (John, Sally) and the memberOf back links on John and Sally; when John is deleted his link row disappears with no version number increase.
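The link table of slides 20, 21 and 23 as an added Python model (not the seminar's code): forward links stored as rows, back links computed by reading the table the other way round, and the clean-up on deletion that removes rows without touching any version number. The rows are the ones drawn on slide 21; the linkID values 2/3 (member/memberOf) and 42/43 (manager/directReports) are the real schema values, everything else is a constructed simplification.

```python
"""Link table model: forward links, computed back links, clean-up on delete.

Added example for slides 20, 21 and 23, not the seminar's code. The table rows
are the ones on slide 21; linkID 2/3 and 42/43 are the real schema values.
"""

FORWARD_LINK_ID = {"member": 2, "manager": 42}          # forward links: even n
BACK_LINK_NAME = {3: "memberOf", 43: "directReports"}   # back link: odd n+1


def back_link_id(forward_id):
    if forward_id % 2:
        raise ValueError("forward link IDs are even")
    return forward_id + 1


class LinkTable:
    """One DC's link table: rows of (linkID, source DN, target DN), plus the
    attribute-level version number of each source's forward-link attribute."""

    def __init__(self):
        self.rows = []
        self.versions = {}     # (source dn, attr) -> version of that attribute

    def add(self, attr, source, target):
        """Originating write (or inbound replication) of one forward-link value."""
        self.rows.append((FORWARD_LINK_ID[attr], source, target))
        self.versions[(source, attr)] = self.versions.get((source, attr), 0) + 1

    def forward(self, source, attr):
        lid = FORWARD_LINK_ID[attr]
        return [t for l, s, t in self.rows if l == lid and s == source]

    def back(self, target, back_attr):
        """Back links are not stored on the target object; they are computed
        from the same rows read in the other direction."""
        lid = next(i for i, n in BACK_LINK_NAME.items() if n == back_attr)
        return [s for l, s, t in self.rows if back_link_id(l) == lid and t == target]

    def delete_object(self, dn):
        """Slide 23 clean-up: every row in which the deleted object is source
        or target goes away, and no attribute version number is incremented."""
        self.rows = [r for r in self.rows if dn not in r[1:]]


def build_slide21_table():
    lt = LinkTable()
    for group, user in [("G1", "John"), ("G2", "Sally"), ("G3", "Sally"),
                        ("G3", "John"), ("G1", "Sally")]:
        lt.add("member", group, user)
    return lt


def walkthrough():
    """Membership before and after John is deleted; G1's member version is unchanged."""
    lt = build_slide21_table()
    before = {"John": lt.back("John", "memberOf"),
              "Sally": lt.back("Sally", "memberOf"),
              "G1 version": lt.versions[("G1", "member")]}
    lt.delete_object("John")
    after = {"G1": lt.forward("G1", "member"),
             "G3": lt.forward("G3", "member"),
             "G1 version": lt.versions[("G1", "member")]}
    return before, after


if __name__ == "__main__":
    print(walkthrough())
```

The unchanged "G1 version" after the deletion is the detail that matters for the restore discussion that follows: because clean-up is not an originating write, a restored copy of the group has nothing newer to offer the other DCs.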

Page 24: Add a User from Another Domain

Diagram: example.com (DC1, DC2) and child.example.com (Child DC1). Vladimir, a user in child.example.com, is added to a group on DC1 in example.com and the membership replicates to DC2.

Page 25: Deleting the User

Diagram: Vladimir is deleted in child.example.com (Child DC1). In example.com the group's member value for Vladimir is automatically cleaned: deleted on GC replication on the GC, and deleted by the Infrastructure Master (IM) on the other DC. No replication of the group is needed and the group VN does not change.

Page 26: Phantoms

- If a user from a different domain is added to a group, a link is created
  - If the DC on which the group is created is a GC, the forward link references the user in the GC
  - If the DC is not a GC then a phantom record is created
- If the user is deleted, the group's member attribute will be updated when the reference is deleted
  - The GC replicates the deletion
  - The Infrastructure Master deletes the phantom

Page 27: Restoring Groups and Users

- If groups and users are authoritatively restored on one DC
  - There is no guarantee that the users will replicate in advance of the group
- If a group is replicated in advance of a user who is a member of the group
  - The receiving DC has no record of the user and deletes it from the group

Page 28: Authoritative Restore 2000

Diagram: DC1, DC2 and DC3 each hold George (VN=50) and group G1. George is marked as authoritative on DC1 (VN=100,000+) and replicates to DC2 and DC3 at VN=100,000+, but the group membership is not restored.

Page 29: Restoring the Link

- Running in a 2000 forest means that the group membership will not replicate
  - This also applies to group membership that was created prior to moving to 2003 forest functionality
  - No linked-value replication metadata

Page 30: Solutions for pre 2003 Forest Mode Group Membership

- Solution 1:
  - Authoritatively restore users
  - Add dummy user to group and allow to replicate
  - Does not guarantee authority
- Solution 2:
  - Authoritatively restore users
  - Allow to replicate
  - Authoritatively restore groups

Page 31: 2003 SP1 Authoritative Restore Enhancements

- Ntdsutil automatically generates an ldif file identifying all of the links for authoritatively restored objects
- After the restore, wait for the objects to be replicated throughout the domain
- Restore the links by using ldifde to import the ldif file onto a GC in the domain
  - ldifde -i -k -f links.ldf

Page 32: Know Your Environment

- None of the solutions (including 2003 forest mode) restore domain local group memberships defined in other domains
  - You can authoritatively restore each domain and allow ntdsutil to create the appropriate ldif files
- Know your group memberships
  - Dump information to reference files
- Know how to restore the membership via scripts

Page 33: Our Environment: 2000 Forest

Diagram (DC1, DC2, DC3): OU TheBoys holds Julian, Dick and George.
- Julian: member of G1 (memberOf back link), manager Anne (Reports back link)
- Dick: member of G2 (memberOf back link), manager Timmy (Reports back link)
- George: memberOf and Reports
All links were added in 2000 mode and point at the back link.

Page 34: Raised to 2003

Diagram (DC1, DC2, DC3): as on the previous slide, with George now added as a member of G3. The G1, G2 and manager links were added in 2000 mode and point at the back link; the G3 member link was added in 2003 mode and points at the back link.

Page 35: The Boys Get Deleted

Diagram (DC1, DC2, DC3): Julian, Dick and George are deleted. G1 (member, manager Anne), G2 (member, manager Timmy) and G3 (member) remain without their links.

Page 36: The Boys are Authoritatively Restored

Diagram (DC3): Julian (member of G1, manager Anne), Dick (member of G2, manager Timmy) and George (member of G3) are back on DC3 with all their links, both those added in 2000 mode and the G3 link added in 2003 mode.

Page 37: What Replicates to DC1 & DC2?

Diagram (DC1, DC2): Julian, Dick and George replicate, and George's membership of G3 (added in 2003 mode) comes with them, but DC1 and DC2 are missing all links created in the 2000 forest (Julian in G1, Dick in G2, the manager/Reports links).
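The whole sequence of slides 33 to 37, together with the replication rules of slides 22 and 27 to 29, as an added Python model (not the seminar's code). Names are the slides' (Julian, Dick, George, G1 to G3); the version numbers are constructed and the 100,000 increment is ntdsutil's. Legacy (2000-mode) values carry only an attribute-level version, linked-value (LVR) values carry their own, and only the latter can be bumped by an authoritative restore, which is why the G3 link returns and the G1/G2 links do not. A `groups_first` switch reproduces the slide 27 ordering problem as well. Two DCs, one replication hop and a whole-attribute copy for legacy values are simplifications of the real engine.

```python
"""Why 2000-mode links are lost by an authoritative restore while 2003-mode
(LVR) links come back. Added model for slides 22, 27-29 and 33-37; names are
the slides', versions are constructed, the 100,000 bump is ntdsutil's."""
import copy
from dataclasses import dataclass, field
from typing import Optional

INCREMENT = 100_000


@dataclass
class LinkValue:
    target: str
    version: Optional[int]   # None: legacy value, no linked-value (LVR) metadata


@dataclass
class Group:
    member_version: int = 0  # attribute-level metadata, all that 2000 mode has
    members: list = field(default_factory=list)


class DC:
    def __init__(self, name, mode="2000"):
        self.name, self.mode = name, mode
        self.users = {}      # dn -> object version
        self.groups = {}     # dn -> Group

    def add_member(self, group, user):
        g = self.groups[group]
        if self.mode == "2000":                 # the whole attribute is stamped
            g.members.append(LinkValue(user, None))
            g.member_version += 1
        else:                                   # each value is stamped (LVR)
            g.members.append(LinkValue(user, 1))

    def delete_user(self, dn):
        """Tombstone modelled as absence; links are cleaned with no version
        increase (slide 23)."""
        self.users.pop(dn, None)
        for g in self.groups.values():
            g.members = [m for m in g.members if m.target != dn]

    def mark_authoritative(self, user):
        """ntdsutil bumps the object and the forward-link values pointing at it;
        a legacy value has no metadata to bump, so it stays as it was."""
        self.users[user] += INCREMENT
        for g in self.groups.values():
            for m in g.members:
                if m.target == user and m.version is not None:
                    m.version += INCREMENT

    def replicate_from(self, src, groups_first=False):
        """One inbound pass, higher version wins. A link whose target is not
        known here is dropped (slide 27); real replication would not resend it
        later because the destination's high-watermark has already moved on."""
        steps = [self._pull_users, self._pull_groups]
        for step in (reversed(steps) if groups_first else steps):
            step(src)

    def _pull_users(self, src):
        for dn, v in src.users.items():
            if v > self.users.get(dn, 0):
                self.users[dn] = v

    def _pull_groups(self, src):
        for dn, sg in src.groups.items():
            dg = self.groups.setdefault(dn, Group())
            if sg.member_version > dg.member_version:     # legacy: whole attribute
                dg.member_version = sg.member_version
                dg.members = ([m for m in dg.members if m.version is not None] +
                              [copy.copy(m) for m in sg.members
                               if m.version is None and m.target in self.users])
            for m in sg.members:                            # LVR: value by value
                if m.version is None or m.target not in self.users:
                    continue
                ours = next((x for x in dg.members
                             if x.version is not None and x.target == m.target), None)
                if ours is None:
                    dg.members.append(copy.copy(m))
                elif m.version > ours.version:
                    ours.version = m.version


def scenario(groups_first=False):
    """Slides 33-37 with DC1 and DC3. Returns the membership DC1 ends up with."""
    dc1, dc3 = DC("DC1"), DC("DC3")
    for dc in (dc1, dc3):
        dc.users.update({"Julian": 1, "Dick": 1, "George": 1})
        dc.groups.update({g: Group() for g in ("G1", "G2", "G3")})
    dc1.add_member("G1", "Julian")                  # slide 33: 2000-mode links
    dc1.add_member("G2", "Dick")
    dc3.replicate_from(dc1)
    dc1.mode = dc3.mode = "2003"                    # slide 34: raised to 2003
    dc1.add_member("G3", "George")                  # an LVR link
    dc3.replicate_from(dc1)
    system_state = copy.deepcopy((dc3.users, dc3.groups))    # backup of DC3
    for dc in (dc1, dc3):                           # slide 35: deletion everywhere
        for boy in ("Julian", "Dick", "George"):
            dc.delete_user(boy)
    dc3.users, dc3.groups = copy.deepcopy(system_state)      # slide 36: restore DC3
    for boy in ("Julian", "Dick", "George"):
        dc3.mark_authoritative(boy)
    dc1.replicate_from(dc3, groups_first=groups_first)       # slide 37
    return {g: sorted(m.target for m in dc1.groups[g].members) for g in ("G1", "G2", "G3")}


if __name__ == "__main__":
    print(scenario(), scenario(groups_first=True))
```

G1 and G2 stay empty on DC1 because their member versions after the clean-up equal the ones in the backup, so the restored copies have nothing newer to offer; with `groups_first=True` even G3 stays empty, which is the slide 27 case of a group arriving before the user it names.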

Page 38: LDIF File produced by NTDSUTIL

dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-
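An added Python example (not the seminar's code) that writes the delete/add record pairs ntdsutil emits for a restored object, as shown on slide 38, and parses such a file back into the membership the ldifde import (slide 31) will leave in place. The DNs are the ones on slide 38; the parser handles LDIF line folding but not base64 (`::`) values, which the ntdsutil file does not use for these DNs.

```python
"""Write and read the links.ldf file ntdsutil (2003 SP1) produces for an
authoritatively restored object (slides 31 and 38). Added example; the DNs
are the slide's and the records reproduce its delete/add pairs.
"""

BASE = "OU=Boys&Girls,DC=rep1,DC=example,DC=com"
DICK = f"CN=Dick,OU=TheBoys,{BASE}"
G2, G3 = f"CN=G2,OU=Groups,{BASE}", f"CN=G3,OU=Groups,{BASE}"


def link_records(member_dn, group_dns):
    """One delete + one add of the same member value per group. Deleting and
    re-adding makes the add an originating write on the GC where the file is
    imported, which gives the link fresh replication metadata; ldifde's -k
    switch lets the import continue if a delete finds nothing to remove."""
    records = []
    for g in group_dns:
        for op in ("delete", "add"):
            records.append(f"dn: {g}\nchangetype: modify\n{op}: member\n"
                           f"member: {member_dn}\n-\n")
    return "\n".join(records)


def _unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_modify(text):
    """Parse records into {'dn', 'changetype', 'changes': [{'op', 'attr',
    'values'}]} dicts. Records are separated by blank lines; '-' ends one
    change inside a modify record."""
    records, cur = [], None
    for line in _unfold(text) + [""]:
        if line.strip() == "":                 # blank line ends a record
            if cur:
                records.append(cur)
            cur = None
        elif line.startswith("#") or line == "-":
            continue
        else:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                cur = {"dn": value, "changetype": None, "changes": []}
            elif cur is None:
                raise ValueError(f"attribute before dn: {line!r}")
            elif key == "changetype":
                cur["changetype"] = value
            elif key in ("add", "delete", "replace"):
                cur["changes"].append({"op": key, "attr": value, "values": []})
            elif cur["changes"]:
                cur["changes"][-1]["values"].append(value)
            else:
                raise ValueError(f"value outside a change: {line!r}")
    return records


def net_membership(records):
    """Apply the member changes in file order: group dn -> set of member DNs
    the import leaves in place."""
    result = {}
    for r in records:
        if r["changetype"] != "modify":
            continue
        members = result.setdefault(r["dn"], set())
        for c in r["changes"]:
            if c["attr"].lower() != "member":
                continue
            if c["op"] == "add":
                members.update(c["values"])
            elif c["op"] == "delete":
                members.difference_update(c["values"])
    return result


if __name__ == "__main__":
    ldf = link_records(DICK, [G2, G3])
    print(ldf)
    print(net_membership(parse_ldif_modify(ldf)))
```

Reading the ntdsutil file back through `net_membership` before running `ldifde -i -k -f links.ldf` is a cheap way to confirm which groups the import will touch, and to compare the result against the reference dump of group memberships that slide 32 recommends keeping.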

Page 39: You Must Must Must…

- Have a tried and tested DR Plan
  - It's too late to work out how to fix it when things have gone wrong
- Planned response to failure prevents an event turning into a DISASTER

Page 40: So Now we Know the Components, Let's Put them All Together to Recover a Forest

Page 41: Not a Good Day…

- Loss of forest, through
  - Rogue script, malicious operator, virus…
  - Who was in control of your Schema and Enterprise Administrators groups?
- You must know your forest
  - Server roles
  - All infrastructure role placements
  - Server based applications
    - Impacts on AD and Registry

Page 42: Time Warp

- You will be restoring your forest to a time when you know it was good
  - This will lose all changes since the last backups
  - Will impact applications that are dependent on forest preps
  - Server based applications may be affected by restoring an earlier registry
  - May impact Access Control Lists on resources

Page 43: Maintaining Integrity

- Restore only one DC per domain
  - Locate your backups and test their integrity
  - You should be backing up two DCs per domain and "know" the backups are good
- Promote the other servers into the domain
  - Even if you have backups for them
  - This will involve more time, but reduces the risk of introducing corrupt data

Diagram label: Latest backups

Page 44: _______KimberryAssociates SVR331 Active Directory Disaster Recovery Part 2 of 2 John Craddock Principal Systems Consultant.

44

______________KimberryKimberryAssociatesAssociates

www.kimberry.co.ukwww.kimberry.co.ukwww.kimberry.co.ukwww.kimberry.co.uk

Restore the Root

Before you start, shut down all other servers and isolate the DC to be restored from the network

There is a danger that live servers could replicate and corrupt data

Recovery flow (from the slide's diagram):

1. Restore from a good backup (SYSVOL primary)
2. Check data integrity
3. DNS: remove all references to other servers
4. If GC, disable
5. Delete metadata for all other DCs in the domain
6. Seize all FSMOs
7. Elevate RID pool / clean ACLs
8. Enable as GC
9. Perform thorough health check and backup
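The flow above, written out as a runbook skeleton for the one root DC that has been restored and is still isolated. This is an added example, not code from the seminar or from Microsoft; it uses the Windows Server 2003 era tools (ntdsutil, repadmin, dcdiag, dnscmd, ntbackup) and ADSI, and every name in it (corp.example, DC2/DC3, the site name, the backup path) is a placeholder. The 100,000 increment for the RID pool is taken from Microsoft's forest recovery guidance, not from the slide; the ACL review in step 7 remains a manual task.

```powershell
# Added example (not from the slides): "Restore the Root" runbook skeleton.
# Run on the restored root DC while it is still cut off from the network.
$Me       = $env:COMPUTERNAME
$DomainDN = "DC=corp,DC=example"                # placeholder forest root domain
$Zone     = "corp.example"                      # placeholder DNS zone
$ConfigDN = "CN=Configuration,$DomainDN"
$Site     = "Default-First-Site-Name"           # placeholder site name
$DeadDCs  = @("DC2", "DC3")                     # every other DC in the domain (placeholders)

# 1/2. Restore came from a known-good backup; confirm the DC answers and SYSVOL is shared
#      (the restore itself and the DS Restore Mode checks happen before this script).
dcdiag /s:$Me /test:Services /test:NetLogons
net share | Select-String "SYSVOL"              # SYSVOL and NETLOGON must be shared

# 3. DNS: drop name-server and host records that point at the DCs being discarded.
#    The _msdcs SRV/CNAME records for those DCs are removed the same way.
foreach ($dc in $DeadDCs) {
    dnscmd $Me /RecordDelete $Zone "@" NS "$dc.$Zone." /f
    dnscmd $Me /RecordDelete $Zone $dc  A  /f
}

# 4. If this DC was a global catalog, clear the flag until the domain is clean again.
repadmin /options $Me -IS_GC

# 5. Remove the metadata of every other DC in the domain; they are all treated as lost.
foreach ($dc in $DeadDCs) {
    $dn = "CN=$dc,CN=Servers,CN=$Site,CN=Sites,$ConfigDN"
    ntdsutil "metadata cleanup" connections "connect to server $Me" quit `
             "remove selected server $dn" quit quit
}

# 6. Seize all five FSMO roles onto this DC (ntdsutil asks for confirmation on each).
ntdsutil roles connections "connect to server $Me" quit `
         "seize schema master" "seize domain naming master" "seize RID master" `
         "seize PDC" "seize infrastructure master" quit quit

# 7. Elevate the RID pool so RIDs issued after the backup are never handed out again.
#    rIDAvailablePool is a 64-bit value: high 32 bits = ceiling, low 32 bits = next RID.
#    Assumption (Microsoft forest recovery guidance): add 100000 to the low part.
$ridMgr = [ADSI]"LDAP://$Me/CN=RID Manager`$,CN=System,$DomainDN"
$li     = $ridMgr.Properties["rIDAvailablePool"].Value          # IADsLargeInteger COM object
$high   = [int64]$li.GetType().InvokeMember("HighPart", "GetProperty", $null, $li, $null)
$low    = [int64]$li.GetType().InvokeMember("LowPart",  "GetProperty", $null, $li, $null) -band 0xFFFFFFFF
$newLow = $low + 100000
if ($newLow -ge $high) { throw "RID pool would pass its ceiling ($high); stop and investigate" }
$ridMgr.Put("rIDAvailablePool", [int64]($high * 4294967296 + $newLow))
$ridMgr.SetInfo()
# ACLs: resources carrying SIDs issued after the backup date need a manual review.

# 8/9. Re-enable the global catalog, prove health, and take a fresh backup before any
#      other server is promoted into the forest.
repadmin /options $Me +IS_GC
dcdiag /s:$Me /v
repadmin /showrepl $Me
ntbackup backup systemstate /J "Root DC post-restore" /F "D:\Backups\root-post-restore.bkf"
```

Run it step by step rather than end to end: each step is a point at which the DC can still be taken back to the restored image if the output is not what you expect, and dcdiag output after step 5 should show no remaining replication partners.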


Restoring Other Domains

Proceed using the same technique for all the other domains

Make sure DCs have access to forest DNS

Force synchronization between domains

Start promoting other DCs

Once the forest infrastructure is established and its integrity verified

If necessary, use an unattend file with dcpromo to force the initial replication partner

Use Windows 2003 install from media (IFM)

Always test the IFM seed before use in production
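The last two points together, as an added example that is not part of the seminar material: a dcpromo answer file that forces the initial replication partner and replicates from an IFM seed, preceded by a preflight check on the seed. The seed path, the source DC name, the domain, the account and the tombstone lifetime of 60 days are placeholders or assumptions; the seed layout (an "Active Directory" folder holding ntds.dit, as produced by restoring a system-state backup to an alternate location) is assumed as well.

```powershell
# Added example (not from the slides): promote a replica DC from an IFM seed with a
# forced initial replication partner, using a dcpromo answer file.
$SeedPath      = "D:\IFM"                     # system-state backup restored to an alternate location (placeholder)
$SourceDC      = "dc1.corp.example"           # the restored root DC we trust to replicate from (placeholder)
$AnswerFile    = "C:\promote-replica.txt"
$TombstoneDays = 60                           # assumption: default tombstone lifetime, Windows 2003 forest

# Preflight: the seed must hold the directory database and be younger than the tombstone
# lifetime, otherwise dcpromo will (rightly) refuse it. Assumed layout: <seed>\Active Directory\ntds.dit
$dit = Join-Path $SeedPath "Active Directory\ntds.dit"
if (-not (Test-Path $dit)) { throw "IFM seed has no ntds.dit under $SeedPath" }
$ageDays = ((Get-Date) - (Get-Item $dit).LastWriteTime).TotalDays
if ($ageDays -gt $TombstoneDays) { throw "IFM seed is $([int]$ageDays) days old; take a fresh one" }

# Answer file: ReplicationSourceDC pins the initial partner, ReplicateFromMedia +
# ReplicationSourcePath make dcpromo load the database from the seed instead of the wire.
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=corp.example
ReplicationSourceDC=$SourceDC
ReplicateFromMedia=Yes
ReplicationSourcePath=$SeedPath
SiteName=Default-First-Site-Name
UserDomain=corp.example
UserName=Administrator
Password=<placeholder>
SafeModeAdminPassword=<placeholder>
DatabasePath=C:\WINDOWS\NTDS
LogPath=C:\WINDOWS\NTDS
SYSVOLPath=C:\WINDOWS\SYSVOL
RebootOnSuccess=Yes
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

dcpromo /answer:$AnswerFile
```

The answer file carries two passwords in clear text, so it belongs on the local disk only and is removed once the promotion has completed and the server has rebooted. Testing the seed means running exactly this promotion against a lab copy of the restored forest first; a seed that passes the age check can still be unusable if it was taken from a DC whose own integrity was never verified.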


Post Restore

Redistribute FSMO roles

Establish correct DNS infrastructure

Review all processes and procedures

Decide you will never let this happen again!


And There is More…

Order on the web www.kimberry.co.uk

Discount code KB1764 (15% discount)


Resources

Forest Recovery Whitepaper: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE

Windows Server 2003 Operation Guide: http://www.microsoft.com/technet/itsolutions/cits/mo/winsrvmg/adpog/adpog1.mspx

Windows Server 2003 SP1 authoritative restore help: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/690730c7-83ce-4475-b9b4-46f76c9c7c90.mspx

How to force demote a DC: http://support.microsoft.com/default.aspx?scid=kb;en-us;332199

Group Policy Administration using GPMC: http://download.microsoft.com/download/a/9/c/a9c0f2b8-4803-4d63-8c32-3040d76aa98d/GPMC_Administering.doc


Thanks for coming to the seminar. Hope to see you again.


Resources

Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp

Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx

MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet

Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx

Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx

Technical Community Sites: http://www.microsoft.com/communities/default.mspx

User Groups: http://www.microsoft.com/communities/usergroups/default.mspx


Live from Tech·Ed Webcast Series has been brought to you by: www.microsoft.com/hpc


Fill out a session evaluation on CommNet and win an XBOX 360!


© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
