SVR331 Active Directory Disaster Recovery Part 2 of 2
John Craddock, Principal Systems Consultant, v-jcradd@microsoft.com, johncra@kimberry.co.uk
Sally Storey, Senior Consultant, sallysto@kimberry.co.uk
Welcome Back to Part 2
• Infrastructure Components
• File Replication and SYSVOL
• Backing up the Directory
• Restoring the Directory
• Authoritative Restores
• Recovering a Forest
And of course lots of demos
Legal Stuff
Every effort has been made to make this seminar as complete and as accurate as possible, but no warranty or fitness is implied. The presenters, authors, publisher and distributor assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. Names identifying the directory and associated objects are fictitious and are not intended to represent any organizations or people. All trademarks are acknowledged and are the property of their respective owners. © All materials are copyright Kimberry Associates.
Restore through Reinstallation
• Clean up the AD
  • Remove references to the failed DC
  • Action depends on the name of the new server
• Make sure the hardware is OK and install a new copy of the OS
• Promote into the domain
• Allow replication to populate the AD
  • Network traffic may be excessive, especially if you want the new DC to be a GC
Server Name
• Always remove the NtdsDSA settings object for the failed server
  • Use ntdsutil (simplified with SP1)
  • See “How To: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion” (Q216498)
• If the new server will have a new name
  • Remove the old server objects from Sites and Services and the Domain Controllers OU
Take Care
• Only use this option if you are recovering all DCs in a domain
• Equivalent of a D4 authoritative restore
GC Caveats
• Global catalogs will have newer data about child
• If restoring a domain from an older backup, you may need to reinitialise the GCs in other domains
[Diagram: example.com and child.example.com; child restored back in time, while the GC in example.com still holds the newer data]
Deleted Objects
• The isDeleted attribute is set TRUE
• Changes the RDN of the object to include the object's GUID
  • Adds characters that could never be set by an LDAP call
• Strips all but the preserved attributes
• Moves the object to the Deleted Objects container
Tombstone Period
• The object remains in the Deleted Objects container for the tombstone period
  • Default 60 days (SP1 = 180 days)
• The Garbage Collector removes any deleted objects for which the tombstone period has expired
  • Runs every 12 hours (default setting)
Re-Animating Objects
• Server 2003 provides a re-animation API
  • SP1 re-animation includes sIDHistory
  • Stripped attributes are not restored
• To re-animate
  • Set the LDAP control flags to show deleted objects
  • In one operation on the deleted object
    • Set the isDeleted attribute to NULL
    • Set the DN appropriately for the container in which to re-animate the object
Recovering Deleted / Changed Objects
• After the System State has been restored, objects within the directory can be marked as authoritative (increases version number)
  • “Guarantees” that the restored object will replicate out from the restored DC
• The whole of the directory with the exception of the schema can be made authoritative
  • Not recommended
• Mark only the objects that must be authoritatively restored
Performing an Authoritative Restore
[Flow diagram]
• Restore mode
• Run ntdsutil
• Mark required objects authoritative
  • Does not need to be restored from backup: any DC can be made authoritative provided it holds the appropriate objects
• Restart (new DSA GUID)
• Replicate changes since backup (accept if higher version numbers)
• Replicate authoritative objects
Authoritatively Restoring an OU
[Diagram: OU TheBoys containing Julian, Dick and George]
• Mark as authoritative
• Increments version number on all contained objects and attributes
Authoritative Restore
[Diagram: DC1, DC2 and DC3 each hold G1 (VN=50) and George (VN=91); George has been moved to the Deleted Objects container; in restore mode a backup taken prior to the deletion is restored on one DC and George is marked authoritative (VN=100,090)]
Caveats to Authoritative Restores
• An authoritative restore that involves computer and trust objects may invalidate their accounts
  • The passwords are periodically reset (default 30 days)
  • A history of two passwords is kept
  • You may experience problems if restoring older backups
More Caveats
• Authoritatively restoring users and groups may result in inconsistent group membership
  • The behaviour depends on the forest functionality level when the group was created and/or when the user was added to the group
  • The behaviour affects all multi-valued linked attributes
Multi-Valued Linked Attributes
• Groups store their membership list in their member attribute
• The member attribute is a multi-valued linked attribute
• This discussion affects the restoration of all multi-valued linked attributes
• Each pair of linked attributes is identified by the schema-defined linkID property
  • Forward links are even (n) and the associated back link is odd (n+1)
Link Table (Simplified)
• Entries are created in a link table when a group is created/modified through origination or replication
• The link tables are constructed on each DC
[Diagram: link table with G1 member = john;sally, G2 member = sally, G3 member = sally;john; from it John's memberOf is G1, G3 and Sally's memberOf is G1, G2, G3]
Replicating Group Membership
• In a Windows 2000 forest, a group's member attribute is replicated in its entirety
  • Replication metadata is attached to the member attribute
• In a Windows 2003 forest or Windows 2003 Interim forest the linked values are replicated
  • Referred to as linked-value replication
  • Replication metadata is attached to the member attribute
Attribute Clean-up
• If either the linked source or destination object is deleted, the associated linked attribute value is deleted
  • Deleting a user removes that user from the member attributes of all linked groups
  • Deleting a group removes that group from the calculated memberOf attributes of all linked users
• No version number increase
[Diagram: member/memberOf links between Sally, John and their groups before and after the clean-up]
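The link table and the clean-up rule on the two slides above, as an added toy model (not Microsoft code, and not how the DSA actually stores its tables): only the forward link (member, linkID 2) is stored as a row; memberOf (linkID 3) is read back from those rows, so it is never versioned on its own, and deleting either end of a link drops the row without bumping the group's member version. Names G1, G2, G3, John and Sally are the slide's; the version counter is a simplification assumed here.

```python
MEMBER_LINK_ID = 2                      # forward link, even (n): stored as rows
MEMBER_OF_LINK_ID = MEMBER_LINK_ID + 1  # back link, odd (n+1): calculated


class LinkTable:
    """Rows are (source DN, linkID, target DN); only forward links are stored."""

    def __init__(self):
        self.objects = set()
        self.rows = set()
        self.version = {}   # (dn, attribute) -> version number, as on the slides

    def add_object(self, dn):
        self.objects.add(dn)

    def add_member(self, group_dn, user_dn):
        # A real DC would create a phantom for a user it does not hold; the toy
        # simply refuses, which is enough to show the link-table rule.
        if group_dn not in self.objects or user_dn not in self.objects:
            raise KeyError("both ends of a link must exist on this DC")
        self.rows.add((group_dn, MEMBER_LINK_ID, user_dn))
        key = (group_dn, "member")          # originating a value bumps member's VN
        self.version[key] = self.version.get(key, 0) + 1

    def member(self, group_dn):
        return sorted(t for s, lid, t in self.rows
                      if s == group_dn and lid == MEMBER_LINK_ID)

    def member_of(self, user_dn):
        # Back link n+1: found by scanning forward rows that point at the user.
        return sorted(s for s, lid, t in self.rows
                      if t == user_dn and lid == MEMBER_LINK_ID)

    def delete_object(self, dn):
        # Deleting source or destination drops the row, so member on the groups
        # and memberOf on the users both clean up with no version increase.
        self.objects.discard(dn)
        self.rows = {r for r in self.rows if dn not in (r[0], r[2])}

    def member_version(self, group_dn):
        return self.version.get((group_dn, "member"), 0)


def build_slide_table():
    """Reproduce the slide: G1 = john;sally, G2 = sally, G3 = sally;john."""
    table = LinkTable()
    for dn in ("G1", "G2", "G3", "John", "Sally"):
        table.add_object(dn)
    for group, users in {"G1": ["John", "Sally"], "G2": ["Sally"],
                         "G3": ["Sally", "John"]}.items():
        for user in users:
            table.add_member(group, user)
    return table
```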
Add a User from Another Domain
[Diagram: Vladimir, a user from child.example.com (held on Child DC1), is added to a group on DC1 in example.com and the change replicates to DC2]
Deleting the User
[Diagram: Vladimir is deleted on Child DC1 in child.example.com; the deletion replicates to the GC, the Infrastructure Master deletes the phantom, and the group's member value on DC1 and DC2 is cleaned automatically with no replication: the group VN does not change]
Phantoms
• If a user from a different domain is added to a group, a link is created
  • If the DC on which the group is created is a GC, the forward link references the user in the GC
  • If the DC is not a GC then a phantom record is created
• If the user is deleted, the group’s member attribute will be updated when the reference is deleted
  • The GC replicates the deletion
  • The Infrastructure Master deletes the phantom
Restoring Groups and Users
• If groups and users are authoritatively restored on one DC
  • There is no guarantee that the users will replicate in advance of the group
• If a group is replicated in advance of a user who is a member of the group
  • The receiving DC has no record of the user and deletes it from the group
Authoritative Restore 2000
[Diagram: DC1, DC2 and DC3 each hold G1 (VN=50); George is marked as authoritative on one DC (VN=100,000+) and replicates to the others, but his group membership is not restored]
Restoring the Link
• Running in a 2000 forest means that the group membership will not replicate
• This also applies to group membership that was created prior to moving to 2003 forest functionality
  • No linked-value replication metadata
Solutions for pre-2003 Forest Mode Group Membership
• Solution 1:
  • Authoritatively restore users
  • Add a dummy user to the group and allow it to replicate
  • Does not guarantee authority
• Solution 2:
  • Authoritatively restore users
  • Allow them to replicate
  • Authoritatively restore groups
2003 SP1 Authoritative Restore Enhancements
• Ntdsutil automatically generates an ldif file identifying all of the links for authoritatively restored objects
• After the restore, wait for the objects to be replicated throughout the domain
• Restore the links by using ldifde to import the ldif file onto a GC in the domain
  • ldifde -i -k -f links.ldf
Know Your Environment
• None of the solutions (including 2003 forest mode) restore domain local group memberships defined in other domains
  • You can authoritatively restore each domain and allow ntdsutil to create the appropriate ldif files
• Know your group memberships
  • Dump information to reference files
  • Know how to restore the membership via scripts
Our Environment: 2000 Forest
[Diagram: OU TheBoys (Julian, Dick, George) on DC1, DC2 and DC3; G1 (manager Anne) and G2 (manager Timmy) hold member forward links and the users the corresponding memberOf back links; manager/reports form a second linked pair; all links added in 2000 mode, pointing at the back link]
Raised to 2003
[Diagram: as above after raising the forest to 2003 functionality; a new group G3 is added in 2003 mode, its link pointing at the back link]
The Boys Get Deleted
[Diagram: Julian, Dick and George are deleted; G1, G2 and G3 with managers Anne and Timmy remain on DC1, DC2 and DC3, their member values cleaned up]
The Boys are Authoritatively Restored
[Diagram: on DC3 the users and all their member/memberOf and manager/reports links are back, both those added in 2000 mode and the G3 link added in 2003 mode]
What Replicates to DC1 & DC2?
[Diagram: DC1 and DC2 receive Julian, Dick and George but are missing all links created in the 2000 forest; only the G3 link, added in 2003 mode, replicates]
LDIF File produced by NTDSUTIL
dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-
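The SP1 ldif-based link restore and the "know how to restore the membership via scripts" advice from the Know Your Environment slide, as an added example (not ntdsutil output or Microsoft code): it builds a links.ldf in the same delete-then-add shape as the file above from a membership reference dump, and parses such a file so it can be reviewed against the dump before import. The DNs and the dump are constructed from the slide's rep1.example.com lab.

```python
BOYS_GIRLS = "OU=Boys&Girls,DC=rep1,DC=example,DC=com"
DICK_DN = "CN=Dick,OU=TheBoys," + BOYS_GIRLS
G2_DN = "CN=G2,OU=Groups," + BOYS_GIRLS
G3_DN = "CN=G3,OU=Groups," + BOYS_GIRLS

# Constructed reference dump of memberships, taken while the forest was good.
SAMPLE_MEMBERSHIPS = {DICK_DN: [G2_DN, G3_DN]}


def _mod_record(group_dn, op, user_dn):
    """One 'changetype: modify' record touching a single linked value."""
    return "\n".join([f"dn: {group_dn}", "changetype: modify",
                      f"{op}: member", f"member: {user_dn}", "-"])


def build_link_restore_ldif(memberships):
    """memberships: {user_dn: [group_dn, ...]} -> text for ldifde -i -k -f.

    Each link is deleted and then added again: a plain add of a value that is
    already present is rejected and originates nothing, whereas delete+add
    originates a fresh linked value on the GC that imports the file. -k keeps
    ldifde going past 'already exists' errors.
    """
    records = []
    for user_dn, groups in memberships.items():
        for group_dn in groups:
            records.append(_mod_record(group_dn, "delete", user_dn))
            records.append(_mod_record(group_dn, "add", user_dn))
    return "\n\n".join(records) + "\n"


def parse_link_ldif(text):
    """Return [(group_dn, op, user_dn), ...] from a links.ldf-style file."""
    links = []
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        op = next((k for k in ("delete", "add") if fields.get(k) == "member"), None)
        if fields.get("changetype") != "modify" or op is None or "member" not in fields:
            raise ValueError("not a member modify record: " + block.splitlines()[0])
        links.append((fields["dn"], op, fields["member"]))
    return links


def unexpected_adds(text, memberships):
    """Adds in the file that the reference dump does not know about; review
    these before importing rather than trusting the file blindly."""
    return [(g, u) for g, op, u in parse_link_ldif(text)
            if op == "add" and g not in memberships.get(u, [])]
```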
You Must Must Must…
• Have a tried and tested DR plan
• It’s too late to work out how to fix it when things have gone wrong
A planned response to failure prevents an event turning into a DISASTER
So Now We Know the Components, Let's Put Them All Together to Recover a Forest
Not a Good Day…
• Loss of forest, through
  • Rogue script, malicious operator, virus…
  • Who was in control of your Schema and Enterprise Administrators groups?
• You must know your forest
  • Server roles
  • All infrastructure role placements
  • Server based applications
    • Impacts on AD and Registry
Time Warp
• You will be restoring your forest to a time when you know it was good
• This will lose all changes since the last backups
  • Will impact applications that are dependent on forest preps
  • Server based applications may be affected by restoring an earlier registry
  • May impact Access Control Lists on resources
Maintaining Integrity
• Restore only one DC per domain
  • Locate your backups and test their integrity
  • You should be backing up two DCs per domain and “know” the backups are good
• Promote the other servers into the domain
  • Even if you have backups for them
  • This will involve more time, but reduces the risk of introducing corrupt data
[Diagram: latest backups]
Restore the Root
• Before you start, shut down all other servers and isolate the DC to be restored from the network
  • There is a danger that live servers could replicate and corrupt data
[Flow diagram with these steps: restore good backup (SYSVOL primary); if GC, disable; seize all FSMOs; delete metadata for all other DCs in the domain; DNS: remove all references to other servers; elevate RID pool / clean ACLs; check data integrity; perform thorough health check & backup; enable as GC]
Restoring Other Domains
• Proceed using the same technique for all the other domains
  • Make sure DCs have access to forest DNS
• Force synchronization between domains
• Start promoting other DCs
  • Once the forest infrastructure is established and its integrity verified
  • If necessary, use an unattend file with dcpromo to force the initial replication partner
  • Use Windows 2003 install from media (IFM)
    • Always test the IFM seed before use in production
Post Restore
• Redistribute FSMO roles
• Establish correct DNS infrastructure
• Review all processes and procedures
Decide you will never let this happen again!
And There is More…
Order on the web: www.kimberry.co.uk
Discount code KB1764 (15% discount)
Thanks for coming to the seminar. Hope to see you again.