Solved

Recovering from damage to Active Directory

Posted on 2014-12-16
3
121 Views
Last Modified: 2014-12-30
This is purely hypothetical, thankfully I'm not actually in this situation right now but I'm wondering how you would deal with it if it ever did come up.

Lets say I've got a small network of (~20-30 users) and they have four physical servers:

2x Domain controllers
1x File Server
1x Exchange Server

All four of these servers are running Server 2012 R2, and each one has a 2TB external hard disk attached that is using the built-in Windows Server Backup to make nightly backups which are running successfully.

Now, the worst happens - a sysadmin deletes something critical out of Active Directory Users and Computers, seriously screwing up the network. Lets say they "accidentally" deleted an entire OU.

How do you recover from this situation, given that you have two domain controllers and something fairly sophisticated like Exchange Server that heavily relies on Active Directory?

Can you just restore one of the domain controller's to yesterday's backup? Or will the second DC immediately replicate it's changes over and clobber it if you do? Must you restore BOTH DCs simultaneously? Would restoring cause major problems with Exchange?

What are the steps you would go through to get the lost OU back?
0
Comment
Question by:Frosty555
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
Sabi Goraya earned 500 total points
ID: 40503933
you friend in this case is an authoritative restore.
Which prevents the second domain controller to not over write the old restored data.
http://www.msserverpro.com/restoring-ad-ds-objects-using-authoritative-restore-windows-server-2012-r2/ 


Server 2012 also has a Active directory recycle bin which can help recover from accidental deletions and is a good idea to enable it
http://blogs.technet.com/b/canitpro/archive/2014/05/01/step-by-step-enabling-active-directory-recycle-bin-in-windows-server-2012.aspx
0
 
LVL 3

Expert Comment

by:carlrjr
ID: 40503946
Active Directory has changed mostly for the better since I managed a 2003 child domain.  You are indeed correct, there is more to AD recovery than a simple restore.

The first PDF listed at the link below contains what I believe is a relatively concise, yet thorough explanation of the care and feeding of 2012 Active Directory. A procedure for restoring starts on page 19.

http://www.edeconsulting.be/activedirectorypublications.asp
0
 
LVL 4

Expert Comment

by:Sabi Goraya
ID: 40503954
The recent feature of recycle bin is a good one and i have seen it in action .
Very helpful to recover from minor accidental deletions or in case user changing their mind.

When **** hits the fan i believe hands on experience is what helps.
I personally practice similar scenarios by creating a home Lab using VMWare workstation and mess it up and try fixing it.


PS: Very good document , i will keep it safe in my archives and hope i don't have to ever use it.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question