ad disaster recovery

7/24/2019 AD Disaster Recovery

http://slidepdf.com/reader/full/ad-disaster-recovery 1/32

Active Directory DisasterActive Directory Disaster

RecoveryRecovery

Paul SimmonsPaul SimmonsSupport Engineer Support Engineer Directory ServicesDirectory Services

Microsoft CorporationMicrosoft Corporation



2

DefinitionDefinition

Resolving problems on MicrosoftResolving problems on Microsoft ® ® WindowsWindows ® ® domain controllers tat affect client! domain!domain controllers tat affect client! domain!or forest operationor forest operation " "

#n te least amount of time#n te least amount of time

Wit te least amount of painWit te least amount of pain

Wit te best possible resultsWit te best possible results



3

Preventive MaintenancePreventive Maintenance

$se good ardware and test it regularly$se good ardware and test it regularly

%est deployments in a lab before deployment%est deployments in a lab before deployment

Practice recovery scenarios in a labPractice recovery scenarios in a lab Remove single points of failureRemove single points of failure

&ever ave only one domain controller in a&ever ave only one domain controller in a

domaindomain 'ac( up before and after every ma)or state'ac( up before and after every ma)or state

cangecange



4

Recovery *ptionsRecovery *ptions

RebuildRebuild Winnt+,! Dcpromo! and Re-replicateWinnt+,! Dcpromo! and Re-replicate

.nown recovery time and results.nown recovery time and results RestoreRestore

Windows 'ac(up /&tbac(up0e1e2 to restore to aWindows 'ac(up /&tbac(up0e1e2 to restore to a(nown good state(nown good state

Re-replicateRe-replicate Repair Repair

Esentutl repair of database is a last resortEsentutl repair of database is a last resort

$se integrity cec( to see if database is damaged$se integrity cec( to see if database is damaged



5

Recovery %oolsRecovery %ools

&tbac(up " System State&tbac(up " System State

&tdsutil " Metadata Cleanup&tdsutil " Metadata Cleanup

Esentutl " Database 3alidation and Repair Esentutl " Database 3alidation and Repair Winnt+, " RebuildWinnt+, " Rebuild

Dcpromo " Re-promoteDcpromo " Re-promote

Component level recoveryComponent level recovery 4A5AM4A5AM

Dfsutil0e1eDfsutil0e1e



6

&tbac(up&tbac(up

4eatures64eatures6 'ac(s up Active Directory'ac(s up Active Directory ® ® in online modein online mode

Sceduled bac(upsSceduled bac(ups Wat to bac( upWat to bac( up

System state6 Active Directory! boot files! registry!System state6 Active Directory! boot files! registry!and moreand more

Resources6Resources6 7,89+:+6 ;<ow to 'ac( $p and Restore te7,89+:+6 ;<ow to 'ac( $p and Restore te

System State=System State=

7,++8,>6 ;4iles and 4olders &ot 'ac(ed $p $sing7,++8,>6 ;4iles and 4olders &ot 'ac(ed $p $sing

te &tbac(up0e1e %ool=te &tbac(up0e1e %ool=



'ac(up ?imitations'ac(up ?imitations

'ac(up life @ tombstonelifetime value'ac(up life @ tombstonelifetime value Default @ :9 days oldDefault @ :9 days old

Password cange interval @ +9 daysPassword cange interval @ +9 days Password istory @ , /current and previous2Password istory @ , /current and previous2

'ac(up useful life @ :9 days or two default'ac(up useful life @ :9 days or two defaultpassword cangespassword canges

*ld bac(ups can reintroduce tombstoned ob)ects*ld bac(ups can reintroduce tombstoned ob)ects Scema rollbac( is not supportedScema rollbac( is not supported



&tdsutil&tdsutil

Metadata cleanupMetadata cleanup Remove orpaned domain controllers or domainsRemove orpaned domain controllers or domains

#ntegrity cec( and repair #ntegrity cec( and repair Wrapper around EsentutlWrapper around Esentutl

%ells you if database is damaged%ells you if database is damaged

Autoritative restoreAutoritative restore Mar( selected ob)ects on domain controller asMar( selected ob)ects on domain controller as

autoritativeautoritative



&onautoritative Restore&onautoritative Restore

Wat is itWat is it Restore to (nown good point using &tbac(upRestore to (nown good point using &tbac(up Reboot into Active Directory mode to syncReboot into Active Directory mode to sync

cangescanges

Wen to useWen to use Recover from ardware failureRecover from ardware failure Return to (nown good state on single domainReturn to (nown good state on single domain

controllercontroller *ptions*ptions

Rebuild server from scratc0 Re-run Dcpromo0Rebuild server from scratc0 Re-run Dcpromo0 Restore macine to a (nown good point and syncRestore macine to a (nown good point and sync

deltas0deltas0



Autoritative RestoreAutoritative Restore

Wat is itWat is it Restore to (nown good point using &tbac(upRestore to (nown good point using &tbac(up Ma(e ob)ects on reference domain controller asMa(e ob)ects on reference domain controller as

;master copy= for Active Directory;master copy= for Active Directory

Wen to useWen to use Accidental deletion or modification of ob)ects orAccidental deletion or modification of ob)ects or

containers in te Active Directorycontainers in te Active Directory Corruption of ob)ectsBattributes in te directoryCorruption of ob)ectsBattributes in te directory

*ptions*ptions 4ind a good domain controller tat as te4ind a good domain controller tat as te

ob)ects and ma(e it autoritativeob)ects and ma(e it autoritative Restore from a bac(up tat contains te ob)ectsRestore from a bac(up tat contains te ob)ects

and ma(e it autoritativeand ma(e it autoritative



Autoritative RestoreAutoritative Restore

'oot into offline restore mode'oot into offline restore mode Press 4 during boot pasePress 4 during boot pase

?og on wit offline administrator account?og on wit offline administrator account

Mar( ob)ects in &tdsutil as autoritativeMar( ob)ects in &tdsutil as autoritative 4ind macine wit ob)ects or restore tem4ind macine wit ob)ects or restore tem

Restore subtree or entire database /rare2Restore subtree or entire database /rare2

'est practice'est practice $se most specific distinguised name pat$se most specific distinguised name pat

needed for recoveryneeded for recovery

Restore Active Directory over %erminal ServicesRestore Active Directory over %erminal Services " "

7,:7,:



Winnt+, and DcpromoWinnt+, and Dcpromo

Wat is itWat is it Reinstall of *SReinstall of *S

Run DcpromoRun Dcpromo Wen to useWen to use

.nown recovery time and end result.nown recovery time and end result

&o applications or services to protect&o applications or services to protect

*ptions*ptions Maintain standby server tat can be sipped toMaintain standby server tat can be sipped to

remote siteremote site



ScenariosScenarios

<ardware failure<ardware failure

Deleted ob)ects in Active DirectoryDeleted ob)ects in Active Directory

4le1ible Single Master *peration /4SM*24le1ible Single Master *peration /4SM*2recoveryrecovery

Demo of autoritative restoreDemo of autoritative restore



<ardware 4ailure<ardware 4ailure

Scenario6Scenario6 Domain controller e1periences catastropicDomain controller e1periences catastropic

ardware failureardware failure

oal6oal6 Replace bad ardware or entire server andReplace bad ardware or entire server and

resume operationsresume operations

iven6iven6 3alid bac(up3alid bac(up

#dentical ardware#dentical ardware



<ardware 4ailure<ardware 4ailure /,2/,2

ProcessProcess Replace server or ardwareReplace server or ardware

Restore from tape bac(upRestore from tape bac(up Re-replicateRe-replicate

AlternativesAlternatives Winnt+, and DcpromoWinnt+, and Dcpromo



<ardware 4ailure<ardware 4ailure /+2/+2

Restore to dissimilar ardwareRestore to dissimilar ardware 7,:++,6 ;Disaster Recovery of Active Directory7,:++,6 ;Disaster Recovery of Active Directory

on Dissimilar <ardware=on Dissimilar <ardware=

ReFuirementsReFuirements Same number of drives and drive lettersSame number of drives and drive letters

Complete bac(up of system state and systemComplete bac(up of system state and system

drivedrive Same &#CS! video cards! <A?! (ernel! and numberSame &#CS! video cards! <A?! (ernel! and number

of processorsof processors

Remove teaming networ( cards on targetRemove teaming networ( cards on target

Same dis( drive controller and configurationSame dis( drive controller and configuration



Deleted *b)ects in Active DirectoryDeleted *b)ects in Active Directory

ScenarioScenario Critical ob)ects ave been deleted from ActiveCritical ob)ects ave been deleted from Active

DirectoryDirectory oaloal

%o recover te ob)ects witout re-creating tem%o recover te ob)ects witout re-creating tem

iveniven A valid bac(upA valid bac(up



Deleted *b)ects in Active DirectoryDeleted *b)ects in Active Directory /,2/,2

ResolutionG restore from tape andResolutionG restore from tape andautoritative restore in &tdsutil6autoritative restore in &tdsutil6

Restore recent bac(up containing deleted ob)ectsRestore recent bac(up containing deleted ob)ects Mar( deleted ob)ects as autoritative usingMar( deleted ob)ects as autoritative using

&tdsutil&tdsutil

Autoritative restore in &tdsutilAutoritative restore in &tdsutil

Alternative6Alternative6 4ind replica domain controller tat asnHt4ind replica domain controller tat asnHt

received te deletionsreceived te deletions

Mar( deleted distinguised name as autoritativeMar( deleted distinguised name as autoritative

/no restore reFuired2/no restore reFuired2



Deleted *b)ects in Active DirectoryDeleted *b)ects in Active Directory /+2/+2

ProtectionProtection Set replication scedule once every four days onSet replication scedule once every four days on

;bac(up domain controller=;bac(up domain controller=

Mar( ob)ects as autoritative wen deletionMar( ob)ects as autoritative wen deletiondetecteddetected



20

4SM* Recovery4SM* Recovery

4le1ible Single Master *perations /4SM*24le1ible Single Master *perations /4SM*2

7,,+>>6 ;4le1ible Single Master *peration7,,+>>6 ;4le1ible Single Master *peration

%ransfer and SeiIure Process=%ransfer and SeiIure Process= %ransfer roles%ransfer roles

PreferredPreferred

racefulraceful

SeiIure of rolesSeiIure of roles ?ast resort?ast resort

%at server cannot come bac( onlineJE3ER0%at server cannot come bac( onlineJE3ER0



21

&tdsutil 4SM* %ransfer $#&tdsutil 4SM* %ransfer $#



22

Demo6 $ser *b)ects CreatedDemo6 $ser *b)ects Created



23

Demo6 Repadmin BSowmetaDemo6 Repadmin BSowmeta



24

Demo6 System State 'ac(upDemo6 System State 'ac(up



25

Demo6 Deleted *b)ectsDemo6 Deleted *b)ects



26

Demo6 Restore System StateDemo6 Restore System State



27

Demo6 Advanced *ptionsDemo6 Advanced *ptions



28

Demo6 Autoritative RestoreDemo6 Autoritative Restore



29

Demo6 Autoritative RestoreDemo6 Autoritative Restore /,2/,2



30

Demo6 Repadmin BSowmeta witDemo6 Repadmin BSowmeta wit

#ncremented 3ersion &umbers#ncremented 3ersion &umbers



31

Additional References6Additional References6

Server recovery6Server recovery6ttp6BBwww0microsoft0comBwindows,999Btecinf ttp6BBwww0microsoft0comBwindows,999Btecinf oBadministrationBfileandprintBrecovery0aspoBadministrationBfileandprintBrecovery0asp

7,8KL86 ;<*W %*6 Perform an Autoritative7,8KL86 ;<*W %*6 Perform an AutoritativeRestore to a Domain Controller in WindowsRestore to a Domain Controller in Windows

,999=,999=

Microsoft Windows 2000 Server DistributedMicrosoft Windows 2000 Server DistributedSystems GuideSystems Guide! Capters L and K9! Capters L and K9

http://www.microsoft.com/windows2000/techinfo/administration/fileandprint/recovery.asp








32

%an( you for )oining us for todayHs Microsoft Support%an( you for )oining us for todayHs Microsoft Support

WebCast0WebCast0

4or information about all upcoming Support WebCasts4or information about all upcoming Support WebCastsand access to te arcived content /streaming mediaand access to te arcived content /streaming media

files! PowerPoint slides! and transcripts2! please visit6files! PowerPoint slides! and transcripts2! please visit6

ttp6BBsupport0microsoft0comBwebcastsBttp6BBsupport0microsoft0comBwebcastsB

We sincerely appreciate your feedbac(0 Please send anyWe sincerely appreciate your feedbac(0 Please send any

comments or suggestions regarding te Supportcomments or suggestions regarding te Support

WebCasts toWebCasts to feedbac(microsoft0comfeedbac(microsoft0com and includeand include

;;Support WebCasts= in te sub)ect line0Support WebCasts= in te sub)ect line0

http://support.microsoft.com/webcasts/


mailto:[email protected]




ad disaster recovery

Documents