
SVR331 Active Directory Disaster Recovery, Part 2 of 2. John Craddock, Principal Systems Consultant, Kimberry Associates (www.kimberry.co.uk). Presentation transcript:


2 SVR331 Active Directory Disaster Recovery, Part 2 of 2
John Craddock, Principal Systems Consultant, v-jcradd@microsoft.com, johncra@kimberry.co.uk
Sally Storey, Senior Consultant, sallysto@kimberry.co.uk

3 Welcome Back to Part 2
- Infrastructure Components
- File Replication and SYSVOL
- Backing up the Directory
- Restoring the Directory
- Authoritative Restores
- Recovering a Forest
- And of course lots of demos

4 Legal Stuff
Every effort has been made to make this seminar as complete and as accurate as possible, but no warranty or fitness is implied. The presenters, authors, publisher and distributor assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. Names identifying the directory and associated objects are fictitious and are not intended to represent any organizations or people. All trademarks are acknowledged and are the property of their respective owners. All materials are © Kimberry Associates.

5 Restore through Reinstallation
- Clean up the AD
  - Remove references to the failed DC
  - Action depends on the name of the new server
- Make sure the hardware is OK and install a new copy of the OS
- Promote into the domain
- Allow replication to populate the AD
  - Network traffic may be excessive, especially if you want the new DC to be a GC

6 Server Name
- Always remove the NtdsDSA settings object for the failed servers
  - Use ntdsutil (simplified with SP1)
  - See "How To: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion" (Q216498)
- If the new server will have a new name
  - Remove the old server objects from Sites and Services and the Domain Controllers OU

7 Restore From Backup

8 Take Care
- Only use this option if you are recovering all DCs in a domain
- Equivalent of a D4 authoritative restore

9 Unless you Like Morphed Folders

10 GC Caveats
- If restoring a domain from an older backup, you may need to reinitialise the GCs in other domains
- Diagram: example.com and child.example.com; child.example.com is restored back in time, so global catalogs in the other domain will have newer data about child

11 Deleted Objects
- The isDeleted attribute is set TRUE
- Changes the RDN of the object to include the object's GUID
  - Adds characters that could never be set by an LDAP call
- Strips all but the preserved attributes
- Moves the object to the Deleted Objects container

12 Tombstone Period
- The object remains in the Deleted Objects container for the tombstone period
  - Default 60 days (SP1 = 180 days)
- The Garbage Collector removes any deleted objects for which the tombstone period has expired
  - Runs every 12 hours (default setting)

13 Re-Animating Objects
- Server 2003 provides a re-animation API
  - SP1 re-animation includes sIDHistory
  - Stripped attributes are not restored
- To re-animate:
  - Set the LDAP control flags to show deleted objects
  - In one operation on the deleted object:
    - Set the isDeleted attribute to NULL
    - Set the DN appropriately for the container in which to re-animate the object
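The single-operation modify described on this slide, written out as an LDIF change record. This is an added illustration, not code from the seminar: the tombstone DN, the GUID and the target OU are constructed sample values (the OU and domain names follow the slide 38 listing), and the show-deleted control OID is the standard Active Directory control the search and the modify must be sent with.

```python
import base64
import re

# Constructed sample tombstone (not a real object). On deletion AD rewrites the RDN
# as "<old RDN>" + LF + "DEL:" + objectGUID and moves it to the Deleted Objects container.
OBJECT_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"        # placeholder GUID
TOMBSTONE_DN = ("CN=Dick\nDEL:" + OBJECT_GUID
                + ",CN=Deleted Objects,DC=rep1,DC=example,DC=com")
TARGET_OU = "OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com"   # where to put it back

# "Show deleted objects" LDAP control: the search that finds the tombstone and the
# modify below must both be sent with this control or the DC will not see the object.
SHOW_DELETED_CONTROL_OID = "1.2.840.113556.1.4.417"


def original_rdn(tombstone_dn):
    """Recover the pre-deletion RDN by stripping the LF + 'DEL:<guid>' mangling."""
    first_rdn = tombstone_dn.split(",", 1)[0]      # sample DNs contain no escaped commas
    m = re.fullmatch(r"(.+)\nDEL:[0-9a-fA-F-]{36}", first_rdn)
    if m is None:
        raise ValueError("not a tombstone RDN: %r" % first_rdn)
    return m.group(1)


def ldif_line(attr, value):
    """LDIF base64-encodes (attr:: ...) any value that is not a SAFE-STRING; the
    tombstone DN contains a line feed, so it always takes this path."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def reanimation_ldif(tombstone_dn, target_container):
    """One modify record that clears isDeleted and sets the new DN in the same
    operation (the two steps the slide says must be done together)."""
    new_dn = "%s,%s" % (original_rdn(tombstone_dn), target_container)
    return "\n".join([
        ldif_line("dn", tombstone_dn),
        "changetype: modify",
        "delete: isDeleted",
        "-",
        "replace: distinguishedName",
        ldif_line("distinguishedName", new_dn),
        "-",
        "",
    ])


if __name__ == "__main__":
    print("send with control", SHOW_DELETED_CONTROL_OID)
    print(reanimation_ldif(TOMBSTONE_DN, TARGET_OU))
```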

14 Recovering Deleted / Changed Objects
- After the System State has been restored, objects within the directory can be marked as authoritative (increases version number)
  - "Guarantees" that the restored object will replicate out from the restored DC
- The whole of the directory, with the exception of the schema, can be made authoritative
  - Not recommended
- Mark only the objects that must be authoritatively restored

15 Performing an Authoritative Restore
Diagram labels (as extracted): Replicate changes since backup; Run ntdsutil; Mark required objects authoritative; Restore mode; Accept if higher version numbers; Restart; Replicate authoritative objects; New DSA GUID
- Does not need to be restored from backup
  - Any DC can be made authoritative provided it holds the appropriate objects

16 Authoritatively Restoring an OU
- Diagram: OU TheBoys containing Julian, Dick and George is marked as authoritative
- Increments the version number on all contained objects and attributes

17 Authoritative Restore
Diagram (DC1, DC2, DC3): George (member of G1) was moved to the Deleted Objects container; one DC is in restore mode and a backup taken prior to the deletion is restored. Version numbers shown: VN=50, VN=91, VN=50, VN=91, VN=50, VN=100,090.

18 Caveats to Authoritative Restores
- An authoritative restore that involves computer and trust objects may invalidate their accounts
  - The passwords are periodically reset (default 30 days)
  - A history of two passwords is kept
  - You may experience problems if restoring older backups

19 More Caveats
- Authoritatively restoring users and groups may result in inconsistent group membership
  - The behaviour depends on the forest functionality level when the group was created and/or when the user was added to the group
- The behaviour affects all multi-valued linked attributes

20 Multi-Valued Linked Attributes
- Groups store their membership list in their member attribute
- The member attribute is a multi-valued linked attribute
- This discussion affects the restoration of all multi-valued linked attributes
- Each pair of linked attributes is identified by the schema-defined linkID property
  - Forward links are even (n) and the associated back link is odd (n+1)

21 Link Table (Simplified)
- Entries are created in a link table when a group is created/modified through origination or replication
- The link tables are constructed on each DC
- Diagram: a link table with Forward and Back columns relating groups G1, G2 and G3 (member) to users John and Sally (memberOf)

22 Replicating Group Membership
- In a Windows 2000 forest the group member attribute is replicated in its entirety
  - Replication metadata is attached to the member attribute
- In a Windows 2003 forest or Windows 2003 Interim forest the linked values are replicated
  - Referred to as linked-value replication
  - Replication metadata is attached to the member attribute

23 Attribute Clean-up
- If either the linked source or destination objects are deleted, the associated linked attribute value is deleted
  - Deleting a user removes that user from the member attributes of all linked groups
  - Deleting a group removes that group from the calculated memberOf attributes of all linked users
- Diagram: member and memberOf links for John and Sally before and after the deletion; no version number increase

24 Add a User from Another Domain
Diagram: example.com (DC1, DC2) and child.example.com (Child DC1); Vladimir is added on Child DC1 and replicated.

25 Infrastructure Master: Deleting the User
Diagram: example.com (DC1, DC2) and child.example.com (Child DC1); Vladimir is deleted. Labels: No Replication; Group VN does not change; Deleted on GC replication; Deleted by IM; Automatically cleaned; Replication.

26 Phantoms
- If a user from a different domain is added to a group, a link is created
  - If the DC on which the group is created is a GC, the forward link references the user in the GC
  - If the DC is not a GC then a phantom record is created
- If the user is deleted, the group's member attribute will be updated when the reference is deleted
  - The GC replicates the deletion
  - The Infrastructure Master deletes the phantom

27 Restoring Groups and Users
- If groups and users are authoritatively restored on one DC, there is no guarantee that the users will replicate in advance of the group
- If a group is replicated in advance of a user who is a member of the group, the receiving DC has no record of the user and deletes it from the group

28 Authoritative Restore 2000
Diagram (DC1, DC2, DC3): George (member of G1) is marked as authoritative, VN=50 becomes VN=100,000+; George replicates to the other DCs with VN=100,000+, but the group membership is not restored.

29 Restoring the Link
- Running in a 2000 forest means that the group membership will not replicate
- This also applies to group membership that was created prior to moving to 2003 forest functionality
  - No linked-value replication metadata

30 Solutions for pre-2003 Forest Mode Group Membership
- Solution 1:
  - Authoritatively restore users
  - Add a dummy user to the group and allow it to replicate
  - Does not guarantee authority
- Solution 2:
  - Authoritatively restore users
  - Allow to replicate
  - Authoritatively restore groups

31 2003 SP1 Authoritative Restore Enhancements
- Ntdsutil automatically generates an LDIF file identifying all of the links for authoritatively restored objects
- After the restore, wait for the objects to be replicated throughout the domain
- Restore the links by using ldifde to import the LDIF file onto a GC in the domain:
  ldifde -i -k -f links.ldf

32 Know Your Environment
- None of the solutions (including 2003 forest mode) restore domain local group memberships defined in other domains
  - You can authoritatively restore each domain and allow ntdsutil to create the appropriate LDIF files
- Know your group memberships
  - Dump information to reference files
  - Know how to restore the membership via scripts

33 Our Environment: 2000 Forest
Diagram (DC1, DC2, DC3): Julian and Dick, in OU TheBoys, have member/memberOf links to G1 and G2 and Manager/Reports links to Anne and Timmy; George has memberOf/Reports links. Annotation: added in 2000 mode, points at back link.

34 Raised to 2003
Diagram (DC1, DC2, DC3): the same environment with G3 added, whose member link was added in 2003 mode and points at the back link; the earlier links were added in 2000 mode and point at the back link.

35 The Boys Get Deleted
Diagram (DC1, DC2, DC3): after the deletion only Anne with G1 (member/Manager), Timmy with G2 (member/Manager) and G3 (member) remain.

36 The Boys are Authoritatively Restored
Diagram (DC3): Julian, Dick and George are back with their member/memberOf and Manager/Reports links to G1, G2, G3, Anne and Timmy. Annotations: added in 2003 mode, points at back link; added in 2000 mode, points at back link.

37 What Replicates to DC1 & DC2?
Diagram (DC1, DC2): Julian, Dick, George, G1, G2, G3, Anne and Timmy are present, but all links created in the 2000 forest are missing.

38 LDIF File produced by NTDSUTIL

  dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
  changetype: modify
  delete: member
  member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
  -

  dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
  changetype: modify
  add: member
  member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
  -

  dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
  changetype: modify
  delete: member
  member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
  -

  dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
  changetype: modify
  add: member
  member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
  -
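An added helper for the link file above and for the advice on slides 31 and 32 to know your memberships and restore them by script; it is not part of the seminar. It parses the delete/add pairs ntdsutil writes, produces a per-group list of the links that will be re-written, and reports any delete without its matching add so a truncated file is caught before ldifde -i -k -f links.ldf is run. The sample LDIF is constructed from the G2 and G3 records on slide 38.

```python
from collections import defaultdict

# Constructed sample built from the four records on slide 38 (a delete/add pair per
# group); the page's listing is flattened, so the blank separator lines are restored.
_RECORD = (
    "dn: CN={group},OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com\n"
    "changetype: modify\n"
    "{op}: member\n"
    "member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com\n"
    "-\n"
)
SAMPLE_LDF = "\n".join(_RECORD.format(group=g, op=op)
                       for g in ("G2", "G3") for op in ("delete", "add"))


def parse_link_changes(ldif_text):
    """Return (op, group_dn, member_dn) for every member value touched by a
    'changetype: modify' record. A record starts at its 'dn:' line, so a file
    whose blank separator lines were lost still parses."""
    changes, dn, op = [], None, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn, op = line[4:], None
        elif line.startswith(("add: ", "delete: ")):
            op = line.split(": ", 1)[0]
        elif line.startswith("member: ") and dn and op:
            changes.append((op, dn, line[8:]))
        elif line == "-":                       # end of one add/delete block
            op = None
    return changes


def link_restore_plan(ldif_text):
    """Pair every delete with the add of the same value: that delete-then-add is
    what re-writes the link so it carries fresh replication metadata. Returns
    ({group_dn: [member_dn, ...]}, [unpaired (op, group, member)]) so an incomplete
    or hand-edited file is noticed before 'ldifde -i -k -f links.ldf' is run."""
    pending, plan, stray = set(), defaultdict(list), []
    for op, group, member in parse_link_changes(ldif_text):
        key = (group, member)
        if op == "delete":
            pending.add(key)
        elif key in pending:                    # add that completes its delete
            pending.discard(key)
            plan[group].append(member)
        else:                                   # add with no preceding delete
            stray.append((op, group, member))
    unpaired = stray + [("delete", g, m) for g, m in sorted(pending)]
    return {g: sorted(m) for g, m in plan.items()}, unpaired


if __name__ == "__main__":
    plan, unpaired = link_restore_plan(SAMPLE_LDF)
    for group, members in plan.items():
        print(group, "<-", ", ".join(members))
    print("unpaired:", unpaired)
```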

39 You Must Must Must…
- Have a tried and tested DR plan
- It's too late to work out how to fix it when things have gone wrong
- A planned response to failure prevents an event turning into a DISASTER

40 So Now We Know the Components, Let's Put Them All Together to Recover a Forest

41 Not a Good Day…
- Loss of forest, through rogue script, malicious operator, virus…
  - Who was in control of your Schema and Enterprise Administrators groups?
- You must know your forest
  - Server roles
  - All infrastructure role placements
  - Server-based applications
    - Impacts on AD and Registry

42 Time Warp
- You will be restoring your forest to a time when you know it was good
- This will lose all changes since the last backups
  - Will impact applications that are dependent on forest preps
  - Server-based applications may be affected by restoring an earlier registry
  - May impact Access Control Lists on resources

43 Maintaining Integrity
- Latest backups: restore only one DC per domain
- Locate your backups and test their integrity
  - You should be backing up two DCs per domain and "know" the backups are good
- Promote the other servers into the domain, even if you have backups for them
  - This will involve more time, but reduces the risk of introducing corrupt data

44 Restore the Root
- Before you start, shut down all other servers and isolate the DC to be restored from the network
  - There is a danger that live servers could replicate and corrupt data
- Restore
  - Good backup (SYSVOL primary)
  - Check data integrity
- DNS: remove all references to other servers
- If GC, disable
- Delete metadata for all other DCs in the domain
- Enable as GC
- Perform thorough health check & backup
- Elevate RID pool / clean ACLs
- Seize all FSMOs

45 Restoring Other Domains
- Proceed using the same technique for all the other domains
  - Make sure DCs have access to forest DNS
  - Force synchronization between domains
- Start promoting other DCs once the forest infrastructure is established and its integrity verified
  - If necessary, use an unattend file with dcpromo to force the initial replication partner
  - Use Windows 2003 install from media (IFM)
    - Always test the IFM seed before use in production

46 Post Restore
- Redistribute FSMO roles
- Establish correct DNS infrastructure
- Review all processes and procedures
- Decide you will never let this happen again!

47 And There is More…
Order on the web at www.kimberry.co.uk. Discount code KB1764 (15% discount).

48 Resources
- Forest Recovery Whitepaper: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE
- Windows Server 2003 Operation Guide: http://www.microsoft.com/technet/itsolutions/cits/mo/winsrvmg/adpog/adpog1.mspx
- Windows Server 2003 SP1 authoritative restore help: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/690730c7-83ce-4475-b9b4-46f76c9c7c90.mspx
- How to force demote a DC: http://support.microsoft.com/default.aspx?scid=kb;en-us;332199
- Group Policy Administration using GPMC: http://download.microsoft.com/download/a/9/c/a9c0f2b8-4803-4d63-8c32-3040d76aa98d/GPMC_Administering.doc

49 Thanks for coming to the seminar. Hope to see you again.

50 Resources
- Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
- Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
- MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
- Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
- Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
- Technical Community Sites: http://www.microsoft.com/communities/default.mspx
- User Groups: http://www.microsoft.com/communities/usergroups/default.mspx

51 The Live from Tech·Ed Webcast Series has been brought to you by: www.microsoft.com/hpc

52 Fill out a session evaluation on CommNet and Win an XBOX 360!

53 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
