You are previewing Active Directory Disaster Recovery.
O'Reilly logo
Active Directory Disaster Recovery

Book Description

Expert guidance on planning and implementing Active Directory disaster recovery plans

  • Essential disaster recovery planning/response book

  • Configure and strengthen Active Directory to increase resilience

  • Practical diagnosis of failures

  • Design and implement an organizational Disaster Recovery plan

  • Symptom-Cause-Recovery approach

  • In Detail

    Murphy's law states that anything that can go wrong will go wrong. In relation to Information Systems and Technology this could mean an incident that completely destroys data, slows down productivity or causes any other major interruption of your operations or your business. How bad can it get?—"Most large companies spend between 2% and 4% of their IT budget on disaster recovery planning; this is intended to avoid larger losses. Of companies that had a major loss of computerized data, 43% never reopen, 51% close within two years, and only 6% will survive long-term." —Jim Hoffer, Backing Up Business – Industry Trend or Event.

    Active Directory (AD) is a great system but it is also very delicate. If you get a problem, you will need to know how to recover from this situation. You will need to know about Disaster Recovery and be prepared with a business continuity plan. If Active Directory is a part of the backbone of your network and infrastructure, the guide to bring it back online in case of an incident needs to be as clear and concise as possible. If all of this happens or if you want to avoid all of this happening, this is the book for you.

    Recovering Active Directory from any kind of disaster is trickier than most people think. If you do not understand the processes associated with recovery, you can cause more damage than you fix. This is why you need this book.

    This book has a unique approach—the first half focuses on planning and shows you how to configure your AD to be resilient; the second half is response focused and meant as a reference in which we discuss different disaster scenarios. We follow a Symptom-Cause-Recovery approach—so all you have to do is follow along and get back on track.

    This book describes the most common scenarios and how to properly recover your infrastructure from them. It contains commands and steps for each process and contains information on how to plan for disaster and how to leverage technologies in your favor in case of a disaster.

    Table of Contents

    1. Active Directory Disaster Recovery
      1. Table of Contents
      2. Active Directory Disaster Recovery
      3. Credits
      4. About the Author
      5. About the Reviewers
      6. Preface
        1. What This Book Covers
        2. What you need for this book
        3. Conventions
        4. Reader Feedback
        5. Customer Support
          1. Errata
          2. Questions
      7. 1. An Overview of Active Directory Disaster Recovery
        1. What is Disaster Recovery?
        2. Why is Disaster Recovery Needed?
        3. Conventions Used in This Book
        4. Disaster Recovery for Active Directory
        5. Disaster Types and Scenarios Covered by This Book
          1. Recovery of Deleted Objects
          2. Single DC Hardware Failure
          3. Single DC AD Corruption
          4. Site AD Corruption
          5. Corporate (Complete) AD Corruption
          6. Complete Site Hardware Failure
          7. Corporate (Complete) Hardware Failure
        6. Summary
      8. 2. Active Directory Design Principles
        1. Active Directory Elements
          1. The Active Directory Forest
          2. The Active Directory Tree
          3. Organizational Units and Leaf Objects
          4. Active Directory Sites
          5. Group Policy Objects
        2. Domain Design: Single Forest, Single Domain, and Star Shaped
        3. Domain Design: Single Forest, Single Domain, Empty Root, Star Shaped
        4. Domain Design: Multi-Domain Forest
        5. Domain Design: Multi-Forest
        6. LRS — Lag Replication Site
        7. Design Your Active Directory
                1. Checklist When Designing a New AD
                2. Checklist When Finalizing the Design or When Migrating to an AD
          1. Naming Standards
            1. Username and Service Account Naming
            2. Group Policy Naming
          2. Design with Scalability in Mind
          3. Flexible Single Master Operation Roles (FSMO)
                1. Relative ID Master (RID Master)
                2. Infrastructure Manager
                3. PDC Emulator
                4. Schema Master
                5. Domain Naming Master
          4. Migration from Other Authentication Services
        8. Keeping Up-To-Date and Safe
          1. Documentation
          2. Backups
        9. Summary
      9. 3. Design and Implement a Disaster Recovery Plan for Your Organization
        1. Analyze the Risks, Threats, and the Ways to Mitigate
        2. The Two-Part, 10 Step Implementation Guide
              1. General Steps
              2. Active Directory oriented Steps
          1. Part One: The Steps for General Implementation
            1. Calculate and Analyze
            2. Create a Business Continuity Plan
            3. Present it to the Management (Part 1 and 2)
            4. Define Roles and Responsibilities
            5. Train the Staff for DR
                1. Steps that Need to be Completed During Testing:
            6. Test Your DRP Frequently
          2. Part Two: Implementing a Disaster Recovery Plan for AD
            1. Writing is Not All
            2. Ensure that Everyone is Aware of Locations of the DRP
            3. Define the Order of Restoration for Different Systems (Root First in Hub Site, then Add One Server etc.)
            4. Go back to "Presentation to Management"
        3. Summary
      10. 4. Strengthening AD to Increase Resilience
        1. Baseline Security
          1. Domain Policy
          2. Domain Controller Security Policy
        2. Securing Your DNS Configuration
          1. Secure Updates
          2. Split Zone DNS
          3. Active Directory Integrated Zones
          4. Configuring DNS for Failover
          5. DHCP within AD
        3. Tight User Controls and Delegation
          1. Proper User Delegation
            1. Group Full control
            2. Group with Less Control
            3. Group to Allow Password Resets
        4. Central Logging
        5. Proper Change Management
        6. Virtualization and Lag Sites
          1. Resource Assignment
          2. Backups and Snapshots
          3. Deployment
          4. Sites and Services Explained
            1. Creating Sites, Subnets, and Site Links
            2. Setting Replication Schedules and Costs
            3. Cost
            4. Scheduling
            5. Site Scheduling
            6. Link Scheduling
          5. Lag Sites and Warm Sites
            1. Configuring a Lag Site
            2. Creating, Configuring and Using a Warm Site
        7. Summary
      11. 5. Active Directory Failure On a Single Domain Controller
        1. Problems and Symptoms
          1. Symptoms
        2. Causes
        3. Solution Process
        4. Solution Details
          1. Verification of Corruption
            1. Tools for Verification
              1. ReplMon
              2. DCDiag
              3. NetDiag and DNSDiag
          2. Sonar
          3. Options to Recover and Stop the Spread of Corruption
              1. Non-Authoritative and Authoritative Restore
            1. Option One: Restoring AD from a Backup
              1. No Physical Access to the Machine
              2. Restoring from a Backup
            2. Option Two: Replication
            3. Option Three: Rebuild DC with Install from Media
        5. Summary
      12. 6. Recovery of a Single Failed Domain Controller
        1. Problems and Symptoms
        2. Causes
        3. Solution Process
        4. Solution Details
          1. Cleaning of Active Directory before Recovery Starts
            1. Active Directory Deletion of Old Domain Controller Records
              1. Introducing ntdsutil.exe
              2. Removal Procedure
            2. DNS and Graphical Actions Needed to Complete the Process
            3. Recovery of the Failed DC
        5. Summary
      13. 7. Recovery of Lost or Deleted Users and Objects
        1. Problems and Symptoms
        2. Causes
        3. Solution Process
          1. Phantom Objects
          2. Tombstones
            1. Increase the Tombstone Lifetime
          3. Lingering Objects
          4. Prerequisites
              1. Scenario
          5. Method One: Recovery of Deleted or Lost Objects with Enhanced NTDSutil
          6. Method Two: Recovery of Deleted or Lost Objects with Double Restore
          7. Method Three: Recovery of Deleted or Lost Objects Done Manually
          8. GPO Recovery
            1. Backing Up Using the GPMC
            2. Restore Using the GPMC
            3. If You do not have the GPMC...
        4. Summary
      14. 8. Complete Active Directory Failure
        1. Scenario
        2. Causes
        3. Recovery Process
          1. Part One: Restore the First DC of Your Root or Primary Domain
            1. Step One: Restoring the AD Data
            2. Step Two: Recovering DNS Services
            3. Step Three: Changing Global Catalog Flags
            4. Step Four: Raise the RID Pool Value by 100,000
            5. Step Five: Seize All FSMO Roles
            6. Step Six: Clean Up the Metadata of All Old DCs
            7. Step Seven: Reset the Computer Account and krbtgt Password
            8. Step 8: Reset the Trust Passwords
          2. Part Two: Restore the First DC in Each of the Remaining Domains
          3. Part Three: Enable the DC in the Root Domain to be a Global Catalog
          4. Part Four: Recover Additional DCs in the Forest by Installing Active Directory
          5. Post Recovery Steps
        4. Summary
      15. 9. Site AD Infrastructure Failure (Hardware)
        1. Scenario
        2. Causes
        3. Recovery Process
          1. Considerations: Different Hardware and Bare Metal
          2. Considerations: Software
          3. Restore Process
            1. Step One: System and System State
            2. Step Two: Restoring
            3. Step Three: Additional DCs
            4. Step Four: Trusts
            5. Step Five: Replicate
          4. Virtual Environments
        4. Summary
      16. 10. Common Recovery Tools Explained
        1. Software for Your DCs and Administration
          1. Windows Support Tools
          2. Windows Resource Kit Tools
          3. Adminpack for Windows XP/Vista Clients
        2. Diagnosing and Troubleshooting Tools
          1. DcDiag
          2. NetDiag
        3. Monitoring with Sonar and Ultrasound
          1. Introducing Sonar
          2. Introducing Ultrasound
            1. Details
            2. Alert History
            3. Summary and Advanced Tabs
        4. Summary
      17. A. Sample Business Continuity Plan
        1. Nailcorp Business Continuity Plan
          1. PURPOSE
        2. Description of the Service
        3. SCOPE
        4. Responsibilities and Roles
        5. OBJECTIVES
          1. What we are trying to achieve with this document is:
        7. CALL TREE
        8. Disaster declaration criteria for Active Directory service
        9. Functional restoration
        10. Recovery site(s)
        11. Necessary alternative site materials
          1. 1. Functional Restoration of a Domain Controller
            1. 1.1. Single DC Failure - DC Recovery with same name
            2. 1.1.1. Seize FSMO roles
            3. 1.1.2. Clean Active Directory of old records
            4. 1.1.3. Install new DC Hardware and OS
            5. 1.1.4. Promote DC and verify replication
            6. Recover DC if no network connection is available.
            7. 1.1.5. Delegate FSMO Roles
        13. APPENDICES
          1. Active Directory Service and support personnel
          2. Support documentation for the application/service attached to this plan
          3. Shared Contacts
        14. Damage Assessment Forms
        15. GLOSSARY
      18. B. Bibliography
        1. Chapter 1
        2. Chapter 2
        3. Chapter 3
        4. Chapter 4
        5. Chapter 5
        6. Chapter 6
        7. Chapter 7
        8. Chapter 8
        9. Chapter 9
        10. Chapter 10
        11. Appendix
      19. Index