Active Directory Disaster Recovery E-Book

Table of Contents

Copyright © 2008 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, Packt Publishing, nor its dealers or distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: June 2008

Production Reference: 1130608

Published by Packt Publishing Ltd.

32 Lincoln Road

Olton

Birmingham, B27 6PA, UK.

ISBN 978-1-847193-27-8

www.packtpub.com

Cover Image by Vinay Nihalani (<[email protected]> )

Author

Florian Rommel

Reviewers

James Eaton-Lee

Nathan Yocom

Senior Acquisition Editor

Douglas Paterson

Development Editor

Nikhil Bangera

Technical Editor

Ajay Shanker

Copy Editor

Sumathi Sridhar

Editorial Team Leader

Mithil Kulkarni

Project Manager

Abhijeet Deobhakta

Indexer

Rekha Nair

Proofreader

Dirk Manuel

Production Coordinators

Aparna Bhagat

Shantanu Zagade

Cover Work

Shantanu Zagade

Florian Rommel was born and raised in his native Germany until the age of 15, when he moved with this family to Central America and then the US. He has worked in the IT industry for more than 15 years and has gained a wealth of experience in many different IT environments. He also has a long and personal interest in Information Security.

His certifications include CISSP, SANS GIAC:GCUX, MCSE, MCSA , MCDBA, and several others. Together with his extensive experience, he is a qualified and recognized expert in the area of Information Security. After writing several Disaster Recovery guides for Windows 2003 and Active Directory environments in large blue chip and manufacturing companies, he now brings you this unique publication, which he hopes will become a key title in the collection of many Windows Server Administrators.

Florian is currently working in the IT Management department at a large global manufacturing corporation in Finland where he has lived for the past ten years. His responsibility includes the Active Directory and the global security infrastructure.

James Eaton-Lee works as a Consultant specializing in Infrastructure Security. He has worked with clients ranging from small businesses with a handful of employees to multinational banks. He has a varied background, including experience working with IT in ISPs, manufacturing firms, and call centers. James has been involved in the integration of a range of systems, from analogue and VOIP telephony systems to NT and AD domains in mission-critical environments with thousands of hosts, as well as UNIX & LINUX servers in a variety of roles. James is a strong advocate of the use of appropriate technology, and the need to make technology more approachable and flexible for businesses of all sizes, especially in the SME marketplace in which technology is often forgotten or avoided. James has been a strong believer in the relevancy and merit of Open Source and Free Software for a number of years and — wherever appropriate — uses it for himself and his clients, seamlessly integrating it with other technologies.

Nathan Yocom is an accomplished software engineer specializing in network security, identity, access control, and data integrity applications. With years of experience working at the system level, his involvement in the industry has ranged from creation of software such as the open source Windows authentication project pGina (http://www.pgina.org), to Bynari Inc's Linux/Outlook integration suite (http://www.bynari.net), to working on Centrify Corporation's ground breaking Active Directory integration and auditing products (http://www.centrify.com).

Nathan's publications have included several articles in trade journals such as SysAdmin Magazine, and co-authoring the Apress book "The Definitive Guide to Linux Network Programming" (ISBN: 1590593227). Additionally, Nathan served as technical reviewer for ExtremeTech's "RFID Toys: 11 Cool Projects for Home, Office and Entertainment" by Amal Graafstra, an early RFID proponent and pioneer.

When not hacking at code, Nathan enjoys spending time at home in the Seattle, WA area with his wife Katie, daughter Sydney, and son Ethan. He swears it does not rain in Seattle as much as people claim, but neither is it exactly Bermuda. Nathan can be contacted via email at: [email protected].

Murphy's Law states that anything that can go wrong will go wrong. In relation to Information Systems and Technology, this could mean an incident that completely destroys data, slows down productivity, or causes any other major interruption to your operations or your business. How bad can it get? — "Most large companies spend between 2% and 4% of their IT budget on disaster recovery planning; this is intended to avoid larger losses. Of companies that had a major loss of computerized data, 43% never reopen, 51% close within two years, and only 6% will survive long-term." Hoffer, Jim." Backing Up Business - Industry Trend or Event.

Active Directory (AD) is a great system but it is also very delicate. If you encounter a problem, you will need to know how to recover from it as quickly and completely as possible. You will need to know about Disaster Recovery and be prepared with a business continuity plan. If Active Directory is a part of the backbone of your network and infrastructure, the guide to bring it back online in case of an incident needs to be as clear and concise as possible. If it happens or if you want to avoid all of this happening, this is the book for you.

Recovering Active Directory from any kind of disaster is trickier than most people think. If you do not understand the processes associated with recovery, you can cause more damage than you fix.

This is why you need this book. This book has a unique approach - the first half of the book focuses on planning and shows you how to configure your AD to be resilient. The second half of the book is response-focused and is meant as a reference where we discuss different disaster scenarios and how to recover from them. We follow a Symptom-Cause- Recovery approach - so all you have to do is follow along and get back on track.

This book describes the most common disaster scenarios and how to properly recover your infrastructure from them. It contains commands and steps for each process, and also contains information on how to plan for disaster and how to leverage technologies in your favour in the event of a disaster.

You will encounter the following types of disaster or incident in this book, and learn how to recover from each of them.

This book is oriented towards Windows 2003 Server R2 and Active Directory used in that release. Notes identify where commands vary from older Windows 2003 versions, and provide the equivalent commands in these older versions. As Microsoft is phasing out Windows 2000, we are omitting it entirely. However, the disaster recovery guidelines outlined in this book are applicable to any Active Directory environment, because they haven't changed that much. Please note that in order to get the most out of this book you should be running Windows 2003.

In this book you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Any command-line input and output is written as follows:

New terms and important words are introduced in a bold-type font. Words that you see on the screen, in menus or dialog boxes for example, appear as follows: "clicking the Next button moves you to the next screen".

Feedback from our readers is always welcome. Let us know what you think about this book: what you like and what you may dislike. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply drop an email to<[email protected]>, mentioning the book title in the subject of your message.

If there is a book that you need and would like to see us publish, please send us a note via the SUGGEST A TITLE form on www.packtpub.com or email your suggestion to<[email protected]>.

If there is a topic in which you have expertise and for which you are interested in either writing or contributing to a book, please see our author guide on www.packtpub.com/authors.

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

When Microsoft introduced Active Directory (AD) with Windows 2000, it was a huge step forward compared to the aged NT 4.0 domain model. AD has since evolved even more and emerged as almost the de-facto standard for corporate directory services.

Today, if an organization is running a Windows Server based infrastructure, then they are almost certainly running AD. There are still some organizations that have NT 4.0 DCs, though that is quickly changing.

AD is often used as THE authentication database even for non-Windows-based systems because of its stability and flexibility. There are many network-based applications relying on AD without its users being aware of it. For example, an HR application can use AD as a directory for personnel information such as name, phone number, email address, location in the company, and even the computer of the user. Yet the HR personnel may not be aware that the same information directory is used to fetch all the information for the global address book in the email system, and to authenticate the user when he or she logs on to his or her workstation.

Due to the strong integration between applications and AD, an event that could cause an outage could have quite a huge impact on systems, from sales to human resources, all the way to payroll and even logistics in manufacturing companies.

In most cases where AD is used for more than just authentication, it quickly becomes the IT infrastructures' lifeline, which, if interrupted or stopped, causes chain reactions of failures that can bring a company to a halt, and stop production, communications, and delivery of goods.

Of course, once you have an AD running, a logical step is to have Exchange as your email and collaboration system. If you have both systems, then you know how critical AD is for Exchange. Without an AD, the email and collaboration systems will not function. For many companies, being without email functionality for even a day can be catastrophic. If email is your main method of communication within the organization, then picture having your preferred method of communicating taken away for an entire day (or more) within your entire organization. This applies to receiving as well as sending, and access to your mailbox and related functions.

As you might have noted by now, a proper Disaster Recovery (DR) plan is a necessity, and a proper DR is just as critical. You need to cut the possible downtime of your mission-critical systems to a minimum.

A lot of people may ask themselves: "Why would we need a 'guide' for Disaster Recovery? If a Domain Controller (DC) has a critical failure, we just install another one". This might seem to work at first, and even for a longer period in small organizations, but in the long run, there would be problems, and a lot of error messages. Correct recovery is crucial to ensure a stable AD environment. The speed at which problems appear, grows exponentially if there are multiple locations of various sizes across different time zones and countries. For example, let's say a company called Nail Corporation (www.nailcorp.com) has its headquarters in Los Angeles, California, and branch offices with several hundred employees in Munich, and Germany, in addition to branch offices in Brazil and India.

NailCorp has one big AD domain and a data center in Brazil having a 512 kilobit link to the headquarters. Let's suppose that the data center in Brazil is partially destroyed due to an earthquake. Network connectivity is restored fairly quickly, but both DCs are physically broken and have therefore become non-functional. The company has around 10,000 employees and, according to Microsoft's AD Sizer software, the space requirement for each Global Catalog server is about 5GB.

As you have to start the rebuild process from scratch, and you have no other DC at the site, you have to replicate 5GB over a 512 kilobit link. Assuming that you get maximum connectivity speed, and no other traffic is flowing at the same time, which is nearly impossible because your users will inadvertently boot their machines and want to start working, you would need over a day to replicate the database. This will increase your restoration time even further-in this case, by at least a day.

In the event of a disastrous event for a company such as NailCorp, you would want to replicate and rebuild as fast as possible. During that time, since you have machines authenticating against the other domain controllers in your company — assuming your DNS service is globally configured to support failover — your replication will be much slower. In this case, you should have different plans in place than just installing another DC.

Another good example is an application that authenticates against a specific DC, or pulls specific information from one. If that DC breaks, the DC will have to be rebuilt with the same name. If you do not do this the right way, you may see strange things happening This is not very far fetched especially in, for example, a software development company.

The need for Disaster Recovery is ever-increasing, and there are several books that touch upon the subject. But none of them are dedicated to different scenarios, and certainly none of them explain the entire process.

Recovering AD from any kind of disaster is trickier then most people think. If you do not understand the processes associated with recovery, you can damage more than you fix.

In order to prevent any kind of major interruptions, and to speed up recovery in the event of an disaster, there are several things that can be done.

For example, AD relies extremely heavily on DNSes. So you need to make sure that if you use AD Integrated (ADI) DNS zones, you should have a standard backup DNS server that has a complete copy of your zones in a non-integrated form. This DNS server should be on an isolated network, and should contain only the records and zones relating to AD, and not all existing dynamic updates.

You should also have a Delayed Replication Site (DRS), also called a lag site . This is a standard part of your AD domain. This should have one or two DCs, maybe a DNS server, and even a standby Exchange server in case one is needed. However, the AD replication is set up with a high link cost in order to prevent replication for a longer time period. Or, you can make it a completely isolated site with a firewall and force a replicate once every one to three months only. This will allow you to have a stable infrastructure. This state may be three months old, but if anything happens you can have a running AD within a few hours, instead of days.

Virtualization can be a boon, especially in this case. Buying a server is fairly cheap nowadays, and as for a DRS, you only need a lot of memory in the machine. VMWare server (http://vmware.com/products/server/) and Microsoft Virtual Server (http://www.microsoft.com/windowsserversystem/virtualserver/) can be downloaded and used for free nowadays. Both of these systems allow the DRS to be run in a virtualized, isolated environment.

Having a DRS can reduce restore time tremendously because, even if there is a global failure, the old DCs can be removed and new ones installed to replicate the DRS.

To avoid repetition, acronyms have been used wherever possible in this book. The following is a list of acronyms, with their respective explanations, used in this book:

We have established that DR is an important part of a Business Continuity plan. But now, we can go further and say that, DR for AD is only a part of a Disaster Recovery plan, and not the whole plan by itself.

You are correct if you think that you should have different DR guides for different things. While writing good DR documentation, it is important to take the standpoint that the person who performs the recovery has little or no knowledge of the system. If you roll out your own hardened and customized version of Windows 2003, some things might differ during the installation and someone who has no clear guide will install a system that differs from your actual DC install guidelines. This can cause incompatibility or result in an improperly-functioning system, later on. This happens say, when you have specific policies that are applied to DCs, and during an install process, the selection of policies is called in a manner different from the dictats of the DC policy.

You might think that this situation will never arise, but hurricane Katrina in the U.S., and the tsunami that struck Thailand, India, and others, proves that it can. Situations may arise when a knowledgeable person is not around at the time of crisis, so the guide needs to be as clear as possible. It may also be possible that the person doing the actual recovery is an external IT consultant or junior IT staff member because the senior and trained staff are not available. In this case, the person handling the recovery may not at familiar with your environment all be.

AD is a great system, but it is also very complex. Performing correct DR is therefore crucial. If AD forms a part of, or is the backbone of, your network and IT infrastructure, a proper guide to bringing it back online in the event of an incident needs to be as clear and concise as possible.

The Business Continuity plan, and the DR guides, especially the AD DR guides, should be practiced and tested at regular intervals. This effectively means that once a year or so, you need to test that your guides are working and that they will actually bring your business back online. In order to test all kinds of scenarios, building a test environment — preferably virtualized because it gives you much more flexibility such as rollbacks and snapshots — is a necessity.

It may be difficult to convince the top management that your systems could actually fail, but replicating your systems, or even just a crucial portion of your server infrastructure, and testing that would definitely be acceptable to them.

Since this book is meant as a reference, and we discuss different scenarios here, an overview of these scenarios is necessary. The following types of disasters or incidents are covered in this book. Illustrations and flowcharts are provided to visualize the disasters more easily, wherever necessary.