Active Directory Disaster Recovery Part 2 of 2

Kimberry
_______
Associates
www.kimberry.co.uk
SVR331: Active Directory Disaster Recovery Part 2 of 2
John Craddock, Principal Systems Consultant (v-jcradd@microsoft.com, johncra@kimberry.co.uk)
Sally Storey, Senior Consultant (sallysto@kimberry.co.uk)
Welcome Back to Part 2
Infrastructure Components
File Replication and SYSVOL
Backing up the Directory
Restoring the Directory
Authoritative Restores
Recovering a Forest
Legal Stuff
Every effort has been made to make this seminar as complete
and as accurate as possible but no warranty or fitness is implied.
The presenters, authors, publisher and distributor assume no
responsibility for errors or omissions, or for damages resulting
from the use of the information contained herein.
Names identifying the directory and associated objects are fictitious and are not intended to represent any organizations or people.
All trademarks are acknowledged and are the property of their respective owners.
© All materials are copyright Kimberry Associates
Restore through Reinstallation
Clean up the AD
  Remove references to the failed DC
  Action depends on the name of the new server
Make sure the hardware is OK and install a new copy of the OS
Promote into the domain
  Allow replication to populate the AD
  Network traffic may be excessive, especially if you want the new DC to be a GC
Server Name
Always remove the NTDS Settings (nTDSDSA) object for the failed server
  Use ntdsutil (simplified with SP1)
  See "How To: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion" (Q216498)
If the new server will have a new name
  Remove the old server objects from Sites and Services and the Domain Controllers OU
Restore From Backup
Take Care
Equivalent of a D4 (FRS authoritative) restore
Only use this option if you are recovering all DCs in a domain
Unless You Like Morphed Folders
GC Caveats
Diagram: forest root example.com with the child domain child.example.com restored back in time; the global catalogs in other domains will hold newer data about the child domain than the restored DC does
If restoring a domain from an older backup, you may need to reinitialise the GCs in other domains
Deleted Objects
The isDeleted attribute is set TRUE
The RDN of the object is changed to include the object's GUID
  Adds characters that could never be set by an LDAP call
All but the preserved attributes are stripped
The object is moved to the Deleted Objects container
Tombstone Period
The object remains in the Deleted Objects container for the tombstone period
  Default 60 days (SP1 = 180 days)
The Garbage Collector removes any deleted objects for which the tombstone period has expired
  Runs every 12 hours (default setting)
Re-Animating Objects
Server 2003 provides a re-animation API
  SP1 re-animation includes sIDHistory
  Stripped attributes are not restored
To re-animate
  Set the LDAP control flags to show deleted objects
  In one operation on the deleted object:
    Set the isDeleted attribute to NULL
    Set the DN appropriately for the container in which to re-animate the object
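As an added example (not code from the seminar), a small Python model of the tombstone lifecycle the three slides above describe: deleting an object mangles its RDN with a NUL character plus its GUID, strips all but the preserved attributes and moves it under Deleted Objects; the garbage collector purges expired tombstones; re-animation clears isDeleted and rewrites the DN in one operation. The preserved-attribute list, the day counter and the object names are simplifying assumptions.

```python
# Added model of tombstoning, garbage collection and re-animation (not the
# seminar's code). PRESERVED is an illustrative subset: the real set of
# attributes kept on a tombstone is defined by the schema, not by this list.
PRESERVED = {"objectGUID", "objectSid", "sIDHistory", "name", "nTSecurityDescriptor"}
TOMBSTONE_LIFETIME_DAYS = 60   # default; 180 days on a forest created with SP1

class Directory:
    def __init__(self, domain_dn):
        self.deleted_container = "CN=Deleted Objects," + domain_dn
        self.objects = {}          # objectGUID -> attribute dict, "dn" included

    def add(self, guid, dn, **attrs):
        self.objects[guid] = {"dn": dn, "objectGUID": guid, **attrs}

    def delete(self, guid, day):
        """Turn a live object into a tombstone ('day' is a simple day counter)."""
        obj = self.objects[guid]
        rdn, parent = obj["dn"].split(",", 1)
        kept = {k: v for k, v in obj.items() if k in PRESERVED}   # strip the rest
        # Mangled RDN: original RDN, a NUL byte (never settable over LDAP),
        # then "ADEL:" and the object's GUID, relocated under Deleted Objects.
        kept["dn"] = f"{rdn}\x00ADEL:{guid},{self.deleted_container}"
        kept["isDeleted"] = True
        kept["lastKnownParent"] = parent      # written by Windows Server 2003 DCs
        kept["whenDeleted"] = day
        self.objects[guid] = kept

    def garbage_collect(self, today):
        """Purge tombstones whose tombstone period has expired; return their GUIDs."""
        expired = [g for g, o in self.objects.items()
                   if o.get("isDeleted") and today - o["whenDeleted"] >= TOMBSTONE_LIFETIME_DAYS]
        for g in expired:
            del self.objects[g]
        return expired

    def reanimate(self, guid, container=None):
        """One modify on the tombstone: clear isDeleted and set the new DN.
        Attributes stripped at deletion do not come back."""
        obj = self.objects[guid]
        if not obj.get("isDeleted"):
            raise ValueError("object is not a tombstone")
        target = container or obj["lastKnownParent"]
        del obj["isDeleted"]
        obj["dn"] = f"CN={obj['name']},{target}"
        return obj["dn"]
```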
Recovering Deleted / Changed Objects
After the System State has been restored, objects within the directory can be marked as authoritative (increases the version number)
  "Guarantees" that the restored object will replicate out from the restored DC
The whole of the directory with the exception of the schema can be made authoritative
  Not recommended
Mark only the objects that must be authoritatively restored
Performing an Authoritative Restore
Flow: restore mode -> run ntdsutil -> mark required objects authoritative -> restart (new DSA GUID) -> replicate changes since backup (accept if higher version numbers) -> replicate authoritative objects
The DC does not need to be restored from backup: any DC can be made authoritative provided it holds the appropriate objects
Authoritatively Restoring an OU
Diagram: OU TheBoys (containing Julian, Dick and George) marked as authoritative
Marking the OU increments the version number on all contained objects and attributes
Authoritative Restore
Diagram, three DCs: DC1 is in restore mode with the backup taken prior to the deletion restored, holding George (VN=50) and G1. DC2 and DC3 hold George with VN=91, moved to the Deleted Objects container. After George is marked authoritative on DC1 his version number becomes VN=100,090, higher than the VN=91 deletion on DC2 and DC3.
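An added Python model (not from the seminar) of the version-number rule in the diagram above: each DC keeps a version number per object, an inbound change is accepted only when its version number is higher, and marking an object authoritative on the restored DC raises its version number by ntdsutil's default of 100,000 per day since the backup. The DC and object names, the version numbers and the one-day gap are constructed for the example; run the same scenario without marking George authoritative and the replicated deletion wins instead.

```python
# Added model of per-object version numbers (VN) and an authoritative restore;
# not the seminar's code. Names, VNs and the day count are constructed.
AUTH_BUMP_PER_DAY = 100_000     # ntdsutil's default increment per day since the backup

class DC:
    def __init__(self, name):
        self.name = name
        self.store = {}             # object -> {"vn": int, "deleted": bool}

    def originate(self, obj, vn, deleted=False):
        """A local (originating) change writes the new version number."""
        self.store[obj] = {"vn": vn, "deleted": deleted}

    def receive(self, obj, meta):
        """Inbound replication: accept only if the offered version number is higher."""
        cur = self.store.get(obj)
        if cur is None or meta["vn"] > cur["vn"]:
            self.store[obj] = dict(meta)
            return True
        return False

def replicate(src, dst):
    """Offer every object on src to dst; return the ones dst accepted."""
    return [o for o, m in src.store.items() if dst.receive(o, m)]

def restore(dc, backup, authoritative=(), days_since_backup=1):
    """System State restore of 'backup', then mark the listed objects authoritative."""
    dc.store = {o: dict(m) for o, m in backup.items()}
    for o in authoritative:
        dc.store[o]["vn"] += AUTH_BUMP_PER_DAY * days_since_backup

def george_scenario(mark_authoritative):
    """Return {DC name: (VN, deleted)} for George after the restore and replication."""
    dc1, dc2, dc3 = DC("DC1"), DC("DC2"), DC("DC3")
    dc1.originate("George", vn=50)                # George exists everywhere at VN=50
    replicate(dc1, dc2)
    replicate(dc1, dc3)
    backup = {o: dict(m) for o, m in dc1.store.items()}   # backup of DC1 taken now
    dc2.originate("George", vn=91, deleted=True)  # later George is deleted on DC2 ...
    replicate(dc2, dc1)                           # ... and the tombstone replicates
    replicate(dc2, dc3)
    restore(dc1, backup, ["George"] if mark_authoritative else [])
    replicate(dc2, dc1)     # changes since backup: DC2 offers the VN=91 deletion
    replicate(dc1, dc2)     # DC1's objects replicate out
    replicate(dc1, dc3)
    return {dc.name: (dc.store["George"]["vn"], dc.store["George"]["deleted"])
            for dc in (dc1, dc2, dc3)}
```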
Caveats to Authoritative Restores
An authoritative restore that involves computer and trust objects may invalidate their accounts
  The passwords are periodically reset (default 30 days)
  A history of two passwords is kept
  You may experience problems if restoring older backups
More Caveats
Authoritatively restoring users and groups may result in inconsistent group membership
  The behaviour depends on the forest functionality level when the group was created and/or when the user was added to the group
  The behaviour affects all multi-valued linked attributes
Multi-Valued Linked Attributes
Groups store their membership list in their member attribute
  The member attribute is a multi-valued linked attribute
  This discussion affects the restoration of all multi-valued linked attributes
Each pair of linked attributes is identified by the schema-defined linkID property
  Forward links are even (n) and the associated back link is odd (n+1)
Link Table (Simplified)
Groups and their member attribute:
  G1 member: john;sally
  G2 member: sally
  G3 member: sally;john
Link table (forward link -> back link):
  G1 -> John
  G2 -> Sally
  G3 -> Sally
  G3 -> John
  G1 -> Sally
Calculated back links: John memberOf G1, G3; Sally memberOf G1, G2, G3
Entries are created in a link table when a group is created/modified through origination or replication
The link tables are constructed on each DC
Replicating Group Membership
In a Windows 2000 forest the group member attribute is replicated in its entirety
  Replication metadata is attached to the member attribute
In a Windows 2003 forest or Windows 2003 Interim forest the linked values are replicated
  Referred to as linked-value replication
  Replication metadata is attached to each value of the member attribute
Attribute Clean-up
Diagram: the group's member attribute holds John and Sally, and John and Sally each carry the calculated memberOf back link; when John is deleted, John disappears from the group's member attribute with no version number increase
If either the linked source or destination objects are deleted the associated linked attribute value is deleted
  Deleting a user removes that user from the member attributes of all linked groups
  Deleting a group removes that group from the calculated memberOf attributes of all linked users
Add a User from Another Domain
Diagram: the user Vladimir from child.example.com (held on Child DC1) is added to a group on DC1 in example.com; the addition replicates to DC2, so the group on both DC1 and DC2 references Vladimir
Deleting the User
Diagram: Vladimir is deleted in child.example.com. On Child DC1 the reference is deleted on GC replication and automatically cleaned. In example.com the Infrastructure Master on DC1 deletes the phantom ("Deleted by IM"); this clean-up does not replicate from DC1 to DC2 and the group's VN does not change.
Phantoms
If a user from a different domain is added to a group, a link is created
  If the DC on which the group is created is a GC, the forward link references the user in the GC
  If the DC is not a GC then a phantom record is created
If the user is deleted, the group's member attribute will be updated when the reference is deleted
  The GC replicates the deletion
  The Infrastructure Master deletes the phantom
Restoring Groups and Users
If groups and users are authoritatively restored on one DC
  There is no guarantee that the users will replicate in advance of the group
If a group is replicated in advance of a user who is a member of the group
  The receiving DC has no record of the user and deletes it from the group
Authoritative Restore 2000
Diagram, three DCs: George is marked as authoritative on DC1, raising his VN from 50 to 100,000+; the VN=100,000+ George replicates to DC2 and DC3, but G1 stays at VN=50 on every DC, so the group membership is not restored
Restoring the Link
Running in a 2000 forest means that the group membership will not replicate
  This also applies to group membership that was created prior to moving to 2003 forest functionality
  No linked-value replication metadata
Solutions for pre-2003 Forest Mode Group Membership
Solution 1:
  Authoritatively restore users
  Add a dummy user to the group and allow it to replicate
  Does not guarantee authority
Solution 2:
  Authoritatively restore users
  Allow them to replicate
  Authoritatively restore groups
2003 SP1 Authoritative Restore Enhancements
Ntdsutil automatically generates an ldif file identifying all of the links for authoritatively restored objects
After the restore, wait for the objects to be replicated throughout the domain
Restore the links by using ldifde to import the ldif file onto a GC in the domain
ldifde -i -k -f links.ldf
Know Your Environment
None of the solutions (including 2003 forest mode) restore domain local group memberships defined in other domains
  You can authoritatively restore each domain and allow ntdsutil to create the appropriate ldif files
Know your group memberships
  Dump information to reference files
  Know how to restore the membership via scripts
Our Environment: 2000 Forest
Diagram: OU TheBoys holds Julian, Dick and George; groups G1 and G2 are linked to them through member / memberOf, and Anne and Timmy are linked to them through Manager / Reports. Legend: added in 2000 mode, points at back link. The domain has DC1, DC2 and DC3.
Raised to 2003
Diagram: the forest is raised to 2003 mode and group G3 is added with Julian as a member. Legend: added in 2000 mode, points at back link; added in 2003 mode, points at back link. DC1, DC2, DC3.
The Boys Get Deleted
Diagram: Julian, Dick and George are deleted; only G1, G2 and G3 with their member attributes and Anne and Timmy with their Manager attributes remain on DC1, DC2 and DC3, the links to the deleted users having been cleaned up.
The Boys are Authoritatively Restored
Diagram: on DC3, Julian, Dick and George are restored with all of their member / memberOf and Manager / Reports links in place. Legend: added in 2000 mode, points at back link; added in 2003 mode, points at back link.
What Replicates to DC1 & DC2?
Diagram: DC1 and DC2 receive the restored users but are missing all links created in the 2000 forest; only Julian's G3 membership, added in 2003 mode, replicates.
LDIF File Produced by NTDSUTIL
dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-
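An added Python example (not from the seminar and not ntdsutil's own code) that models the link table from the earlier slides and writes the delete/add record pairs shown above for every group a restored user belonged to in the backup; it is also the kind of "dump to a reference file, restore via script" routine the Know Your Environment slide asks for. The DNs are those from the slide; the LinkTable class, link_restore_ldif function and the sample backup are this example's own.

```python
# Added model of the link table and of the link-restore LDIF that ntdsutil (SP1)
# writes; not the seminar's or ntdsutil's own code. DNs come from the slide.
class LinkTable:
    def __init__(self):
        self.forward = {}                     # group DN -> ordered list of member DNs

    def add_member(self, group, user):
        members = self.forward.setdefault(group, [])
        if user not in members:
            members.append(user)

    def member_of(self, user):
        """Back link: memberOf is calculated from the forward links, not stored."""
        return [g for g, members in self.forward.items() if user in members]

    def delete_object(self, dn):
        """Attribute clean-up: linked values referring to a deleted object vanish
        with no version-number increase on the objects that held them."""
        self.forward.pop(dn, None)                   # dn was a group
        for members in self.forward.values():        # dn was a user
            if dn in members:
                members.remove(dn)

def link_restore_ldif(backup, restored_users):
    """For every group a restored user belonged to in the backup, emit a delete
    of the member value followed by an add, so the link is re-originated with
    fresh replication metadata. Import with: ldifde -i -k -f links.ldf"""
    records = []
    for user in restored_users:
        for group in backup.member_of(user):
            for op in ("delete", "add"):
                records.append(f"dn: {group}\nchangetype: modify\n"
                               f"{op}: member\nmember: {user}\n-")
    return "\n\n".join(records) + "\n"

# Constructed sample: Dick's memberships as they were in the backup.
BASE = "OU=Boys&Girls,DC=rep1,DC=example,DC=com"
DICK = f"CN=Dick,OU=TheBoys,{BASE}"
G2, G3 = f"CN=G2,OU=Groups,{BASE}", f"CN=G3,OU=Groups,{BASE}"

def backup_table():
    table = LinkTable()
    table.add_member(G2, DICK)
    table.add_member(G3, DICK)
    return table
```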
You Must Must Must…
Have a tried and tested DR plan
  It's too late to work out how to fix it when things have gone wrong
A planned response to failure prevents an event turning into a DISASTER
So Now We Know the Components, Let's Put Them All Together to Recover a Forest
Not a Good Day…
Loss of forest, through
  Rogue script, malicious operator, virus...
  Who was in control of your Schema and Enterprise Administrators groups?
You must know your forest
  Server roles
  All infrastructure role placements
  Server based applications
    Impacts on AD and Registry
Time Warp
You will be restoring your forest to a time when you know it was good
  This will lose all changes since the last backups
  Will impact applications that are dependent on forest preps
  Server based applications may be affected by restoring an earlier registry
  May impact Access Control Lists on resources
Maintaining Integrity
Restore only one DC per domain
  Locate your latest backups and test their integrity
  You should be backing up two DCs per domain and "know" the backups are good
Promote the other servers into the domain
  Even if you have backups for them
  This will involve more time, but reduces the risk of introducing corrupt data
Restore the Root
Before you start, shut down all other servers and isolate the DC to be restored from the network
  There is a danger that live servers could replicate and corrupt data
Flow for the root domain DC:
  Restore a good backup (SYSVOL primary)
  Check data integrity
  If the DC is a GC, disable it
  Elevate the RID pool / clean ACLs
  Seize all FSMOs
  Enable as GC
  DNS
  Remove all references to other servers: delete the metadata for all other DCs in the domain
  Perform a thorough health check and backup
Restoring Other Domains
Proceed using the same technique for all the other domains
  Make sure DCs have access to forest DNS
  Force synchronization between domains
Start promoting other DCs
  Once the forest infrastructure is established and its integrity verified
  If necessary, use an unattend file with dcpromo to force the initial replication partner
  Use Windows 2003 install from media (IFM)
    Always test the IFM seed before use in production
Post Restore
Redistribute FSMO roles
Establish correct DNS infrastructure
Review all processes and procedures
Decide you will never let this happen again!
And There is More…
Order on the web: www.kimberry.co.uk
Discount code KB1764 (15% discount)
Resources
Forest Recovery Whitepaper: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE
Windows Server 2003 Operation Guide: http://www.microsoft.com/technet/itsolutions/cits/mo/winsrvmg/adpog/adpog1.mspx
Windows Server 2003 SP1 authoritative restore help: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/690730c7-83ce-4475-b9b4-46f76c9c7c90.mspx
How to force demote a DC: http://support.microsoft.com/default.aspx?scid=kb;en-us;332199
Group Policy Administration using GPMC: http://download.microsoft.com/download/a/9/c/a9c0f2b8-4803-4d63-8c323040d76aa98d/GPMC_Administering.doc
Thanks for coming to the seminar
Hope to see you again
Resources
Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Technical Community Sites: http://www.microsoft.com/communities/default.mspx
User Groups: http://www.microsoft.com/communities/usergroups/default.mspx
Live from Tech·Ed Webcast Series has been brought to you by www.microsoft.com/hpc
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.