Restore von Active Directory mit einer von HP entwickelten Lsung - PDF document

Restore von Active Directory mit einer von HP entwickelten Lösung (Recovering from Active Directory Disasters) Guido Grillenmeier Senior Consultant Technology Solutions Group Hewlett-Packard Agenda • What is a Disaster? • Authoritative Restore • How Group-Memberships are stored • Understanding Handling of Object-Links • Recovering from a Disaster • Changes in Windows Server 2003 with respect to Object-Link replication • The HP solution: ADRAT

Active Directory is very fault-tolerant against HW failures � a dead DC is NOT a disaster ! Disaster Scenarios: Active Directory • Accidental deletion of objects by an administrator (most likely cause!) • Malicious deletion of objects by an intruder • Virus-Attack, deleting objects in AD • Corruptions of objects/attributes • Corrupt schema – could require forest recovery! Hewlett-Packard - AD Disaster Recovery Page 3 Corrupt Schema – AD Forest Recovery " Roadmap " for AD Forest Recovery: 1. Determine Forest Structure and available backups 2. Identify single DC for each domain with valid backup 3. Shutdown all DCs in the forest 4. First recover DC of Forest Root Domain � will ensure recovery of trust hierarchy and critical DNS resource records 5. Then recover one DC of each child domain � ensure recovery of parent domains prior to their child-domains to maintain trust-hierarchy 6 Cleanup and Re-Promote all other DCs in the forest

A good Active Directory backup includes: 1. System-State Backup of at least two DCs of each domain in an AD forest � don't require a backup of all DCs of a domain (may be different for Branch Offices with slow links) 2. If SYSVOL is not stored in default location, it may have to be backed up separately (depends on backup software used) Separate backup of GPOs is a good idea to simplify restores 3. of accidentally deleted GPOs � can leverage Windows Server 2003 GPMC to do so, but this will NOT store the Site/Domain/OU links of the GPOs! � also still need to backup any related external files of a GPO (e.g. logon scripts) 4. Ensure physical security of backup tapes! Hewlett-Packard - AD Disaster Recovery Page 5 Agenda • What is a Disaster? • Authoritative Restore • How Group-Memberships are stored • Understanding Handling of Object-Links • Recovering from a Disaster • Changes in Windows Server 2003 with respect to Object-Link replication • The HP Solution: ADRAT

Deleted objects can be restored by performing an authoritative restore of the AD database 1. Boot DC to Directory Services Restore Mode Active Directory 2. Restore System-State from Backup-Tape Run NTDSUTIL 3. � authoritative restore � restore subtree OU=myOU,DC=mycorp,DC=com � will update version nr. by 100,000 per day But there are some additional since time of backup challenges to recover � restored objects will 4. Reboot DC everything replicate to other DCs correctly... Hewlett-Packard - AD Disaster Recovery Page 7 How Group-Memberships are stored in AD The member-objects (e.g. Users) are stored as the DN in the member attribute of a Group. The Groups that a User belongs to are stored as the DN in the memberOf attribute of a User. User1 DN: CN= User1,OU= Users,DC= MyDom,DC= com CN= User1,OU= Users,DC= MyDom,DC= com memberOf: CN= Group1,OU= Groups,DC= MyDom,DC= com Group1 DN: CN= Group1,OU= Groups,DC= MyDom,DC= com CN= Group1,OU= Groups,DC= MyDom,DC= com member: CN= User1,OU= Users,DC= MyDom,DC= com

Active Directory stores group-memberships as Object- Links. Linked Objects member memberOf Forward - Link Back-Link ! • can be edited • is owned and by admin maintained by Links DC • is replicated to need special other DCs • is not replicated treatment during authoritative restore! to other DCs HP presentation template user tutorialHewlett-Packard - AD Page 9 Disaster Recovery Other important Object-Links Forward - Link Back-Link member Linked Objects memberOf manager directReports Linked Objects managedBy Linked Objects managedObjects Attributes with Object-Links are determined by their linkID

• What is a Disaster? • Authoritative Restore • How Group-Memberships are stored • Understanding Handling of Object-Links • Recovering from a Disaster • Changes in Windows Server 2003 with respect to Object-Link replication • The HP Solution: ADRAT HP presentation template user tutorialHewlett-Packard - AD Page 11 Disaster Recovery Sample Setup (Domain View) Multi-Domain AD Forest A\Usr1 B\UG1 A\Usr2 A\GG1 Domain A A Domain B B Domain A Domain Domain B Domain DC1.A DC2.A DC1.B

W ritable Naming Context (own domain) A\Usr1 A\Usr2 A\GG1 W R B\UG1 DC1.A R ead Only Naming Contexts B\UG1 (for GCs � Partial Replicas W of other domains) R A\Usr1 A\Usr1 A\Usr2 A\Usr2 DC1.B A\GG1 A\GG1 W R DC2.A HP presentation template user tutorialHewlett-Packard - AD Page 13 Disaster Recovery Sample Setup (incl. attributes) A\Usr1 User A\Usr1 is memberOf: A\GG1 B\UG1 member of groups A\Usr2 memberOf: A \GG1 and B \UG1 A\GG1 member: A\Usr1 W R B\UG1 DC1.A B\UG1 member: A\Usr1 member: A\Usr1 W R A\Usr1 A\Usr1 memberOf: B\UG1 memberOf: A\GG1 A\Usr2 A\Usr2 memberOf: DC1.B memberOf: A\GG1 A\GG1 member: (empty) member: A\Usr1 W DC2 A R

A\Usr1 adding User A\Usr2 to memberOf: A\GG1 B\UG1 A\Usr2 global group A \GG1 memberOf: A\GG1 FL BL A\GG1 member: A\Usr1 A\Usr2 W 10 9 R B\UG1 DC1.A B\UG1 member: A\Usr1 member: A\Usr1 W R A\Usr1 FL A\Usr1 memberOf: B\UG1 memberOf: A\GG1 A\Usr2 A\Usr2 memberOf: DC1.B A\GG1 memberOf: FL BL A\GG1 A\GG1 member: (empty) member: A\Usr1 A\Usr2 W 10 9 Forward-Link FL Link DC2.A R BL Back-Link Replication Version Nr. n Group updates � version-nr increases � replication takes place HP presentation template user tutorialHewlett-Packard - AD Page 15 Disaster Recovery Understanding Handling of Object-Links A\Usr1 adding User A\Usr2 to memberOf: A\GG1 B\UG1 A\Usr2 universal group B \UG1 20 memberOf: A\GG1 B\UG1 DC1.A backed up now! FL A\GG1 BL member: member: A\Usr1 A\Usr1 A\Usr2 W 10 R B\UG1 DC1.A B\UG1 member: A\Usr1 FL member: A\Usr1 A\Usr2 A\Usr2 14 15 14 15 W R A\Usr1 A\Usr1 memberOf: B\UG1 memberOf: A\GG1 FL BL A\Usr2 20 A\Usr2 20 memberOf: B\UG1 DC1.B memberOf: A\GG1 A\GG1 A\GG1 member: (empty) member: A\Usr1 A\Usr2 W 10 FL Forward-Link Link DC2 A R

A\Usr1 deleting User A\Usr2 memberOf: A\GG1 � B\UG1 A\Usr2 A\Usr2 on DC1.A 20 21 memberOf: A\GG1 B\UG1 A\GG1 member: A\Usr1 A\Usr2 W 10 10 R B\UG1 DC1.A B\UG1 member: A\Usr1 member: A\Usr1 A\Usr2 A\Usr2 15 15 15 W 15 R A\Usr1 A\Usr1 memberOf: B\UG1 � memberOf: A\GG1 � A\Usr2 A\Usr2 20 21 A\Usr2 A\Usr2 20 21 memberOf: B\UG1 DC1.B memberOf: A\GG1 A\GG1 A\GG1 member: (empty) member: A\Usr1 � A\Usr2 10 W 10 Tombstone DC2.A R Replication Version Nr. n Groups are „cleaned“, but version-nr. doesn't change... HP presentation template user tutorialHewlett-Packard - AD Page 17 Disaster Recovery Understanding Handling of Object-Links A\Usr1 auth. restore of User memberOf: A\GG1 � � B\UG1 A\Usr2 A\Usr2 A\Usr2 on DC1.A 100020 21 20 memberOf: A\GG1 B\UG1 FL BL A\GG1 A\GG1 member: A\Usr1 A\Usr2 W 10 10 BL R B\UG1 B\UG1 DC1.A B\UG1 member: A\Usr1 member: A\Usr1 FL A\Usr2 15 15 15 W R A\Usr1 A\Usr1 memberOf: B\UG1 � � memberOf: A\GG1 � � A\Usr2 A\Usr2 100020 21 A\Usr2 A\Usr2 100020 21 memberOf: (empty!) DC1.B memberOf: (empty!) A\GG1 A\GG1 member: (empty) member: A\Usr1 � W 10 Auth. Restored User DC2 A R

• What is a Disaster? • Authoritative Restore • How Group-Memberships are stored • Understanding Handling of Object-Links • Recovering from a Disaster • Changes in Windows Server 2003 with respect to Object-Link replication • The HP Solution: ADRAT HP presentation template user tutorialHewlett-Packard - AD Page 19 Disaster Recovery Recovering from a Disaster What did we learn? If objects with Back-Links are deleted, their Forward-Links are cleaned up automatically. During an Authoritative Restore, the Forward-Links are NOT recovered automatically. Forward - Link Back-Link Linked Objects member memberOf member Linked Objects memberOf manager directReports Linked Objects managedBy managedObjects Linked Objects

Part I What do we have to do? Leverage the Back-Link information restored on DC/GC, to recover the Forward-Links! E.g. for recovery of users: 1. Reboot DC1 to Directory Restore Mode 2. Restore AD database from backup to DC1 (should be a GC) 3. Perform Authoritative Restore of deleted objects via NTDSUTIL 4. Disable the NIC on DC1 (will disable replication of restored DC with other DCs in the AD forest – not required for 2003 with Link Value Replication ) 5. Reboot DC1 to normal AD mode Always perform authoritative restores on a GC! Hewlett-Packard - AD Disaster Recovery Page 21 Recovering from a Disaster Part I I 6. Dump membership Back-Link information from object's memberOf attribute into reference-files 7. Re-activate replication on DC by enabling the NIC on DC1 8. Compare the Back-Links from DC1 to another DC of the same domain (DC2) via the reference-files 9. Leveraging the information in the reference-files, re-add objects to the correct groups on DC2, thus increasing the version number of the member-attribute and causing replication of the group 10. Perform the above also for UGs from other domains (will need Enterprise Admin privileges)