IT _Admin0723 (United States of America) asked:

DR for AD

Hi folks,

I work for a huge company and am just curious; I would like to ask for some advice: how do you all effectively manage/create your disaster recovery management for Active Directory? I just wanted to know what is the best/most effective way other than relying on a third-party tool such as Recovery Manager from Dell.
Peter Hutchison (United Kingdom):

There are two ways:
1. Have multiple Domain Controllers, preferably some in different locations.
2. Have regular backups of the DCs so you can restore to revert back in certain situations.
3. Also, enable the Recycle bin feature, so that you can easily undelete objects in AD.
Will Szymkowski (Canada):

This is kind of a loaded question, to be completely honest.

There are several types of failures that can take place in Active Directory. You need to have the proper knowledge/tools/backups available if this happens...
- DC failure at a single site
- NTDS.dit database corrupt
- Deleted objects from Active Directory
- Failed DNS
- Corrupt Sysvol Share
- Corrupt GPOs (individual ones)

You also have to look at your infrastructure and place DCs according to where applications require authentication.

For something like Exchange hosted in a site you require a DC/GC/DNS in order for it to operate properly. So in the event that you lose a DC in a site where you host Exchange, you will not be able to leverage another site's DC to keep Exchange online. It requires at least one read/write DC/GC in the site.

So a site like this, where you have Exchange, should have n+1 (2 or more) DC/GCs in the site.

For a small site that does not have many users or any application dependent on authentication, you can simply point these users to multiple DC/DNS servers in different sites that are geographically close.

As for sites that have multiple DCs, what I like to do, if a site has 2 DCs, is configure all of my clients and servers to point to these 2 DCs (primary and secondary DNS). I then add a 3rd DNS server (advanced settings on the NIC properties, DNS tab) from another site, so that in the event that both DCs are unresponsive, users will still be able to authenticate and query DNS from another geographically close site.

You also have to be cognizant of where your FSMO role holder is placed and in what site. As a best practice I like to put the FSMO role holder in the site that is MOST geographically central to all other AD sites. I also make sure that this DC has the most resources as well, to ensure that it can handle all of the extra processing that is required.

Best practices for recovering Domain Controllers are below:
- Always keep up-to-date System State backups of ALL DCs.
- Only restore from a System State backup if all DCs are compromised (authoritative restore).
- If you have a single failed DC, do not try to restore from System State; it is better to remove it gracefully if you can, then perform metadata cleanup.
- If you have more than 2 DCs in a site, make sure that you have a 3rd DNS server listed 3rd in the NIC properties; this will allow clients to authenticate if both DCs in the same site fail.
- Always allow Sites and Services to create automatic connections (this will allow automatic re-creation of new site connections).
- If you have deleted objects from Active Directory, YOU DO NOT HAVE TO use the Recycle Bin feature or restore from backup; you can use LDP.exe to recover deleted objects from the "isDeleted" hidden folder.
- Another good idea is to have a "DR" type site where you have a DC present that has a longer (inter-site) replication period. I say this because if you ever delete something from AD, or your entire domain gets compromised, you have a DR DC that has not had these changes replicated yet, so it is still in a healthy state. I have used this approach before and it has saved me HOURS of rebuilding an entire domain.

Another note: make sure that you have redundant networks in place as well. Active Directory redundancy is useless if you do not have redundant networks.

Will.
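One way to check the practices above across a fleet of DCs, as an added example that is not part of this thread (assumptions: RSAT ActiveDirectory and DnsClient modules, repadmin.exe on the path, CIM/WinRM access to each DC, and the "Last Backup Time: yyyy-MM-dd HH:mm:ss" format that the regex expects from repadmin /showbackup):

```powershell
# Added example, not from this thread: a DR-readiness audit for the points above.
# Assumes RSAT ActiveDirectory + DnsClient modules, repadmin.exe on the path, CIM access
# to every DC, and the repadmin "Last Backup Time:" format below (assumed; adjust if needed).
Import-Module ActiveDirectory

$dcs    = Get-ADDomainController -Filter *     # current domain; loop (Get-ADForest).Domains with -Server for the forest
$ipSite = @{}                                  # DC IPv4 -> site, used to judge the 3rd DNS entry
foreach ($d in $dcs) { if ($d.IPv4Address) { $ipSite[$d.IPv4Address] = $d.Site } }

$report = foreach ($dc in $dcs) {
    # Last system state backup: any VSS-aware backup stamps dSASignature, which repadmin reads back.
    $raw = (repadmin /showbackup $dc.HostName 2>$null) -join "`n"
    $lastBackup = $null
    if ($raw -match 'Last Backup Time:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        $lastBackup = [datetime]$Matches[1]
    }

    # DNS client list on the DC's own NICs; the 3rd entry should be a DC in another site.
    $dns = @(Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Where-Object { $_.ServerAddresses } |
             ForEach-Object { $_.ServerAddresses } | Select-Object -Unique)
    $third = if ($dns.Count -ge 3) { $dns[2] } else { $null }

    [pscustomobject]@{
        DC                  = $dc.HostName
        Site                = $dc.Site
        FsmoRoles           = ($dc.OperationMasterRoles -join ',')
        LastBackup          = $lastBackup
        BackupOlderThan7d   = (-not $lastBackup) -or ($lastBackup -lt (Get-Date).AddDays(-7))
        DnsServers          = ($dns -join ' ')
        ThirdDnsInOtherSite = [bool]($third -and $ipSite[$third] -and $ipSite[$third] -ne $dc.Site)
    }
}
$report | Format-Table -AutoSize

# KCC automatic connections per site: NTDS Site Settings 'options' bit 0x1 disables intra-site,
# 0x10 disables inter-site topology generation; either one defeats "Automatic Connections".
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties options |
    ForEach-Object {
        [pscustomobject]@{
            Site                 = ($_.DistinguishedName -split ',')[1] -replace '^CN='
            AutoTopologyDisabled = ([int]$_.options -band 0x11) -ne 0
        }
    } | Format-Table -AutoSize

# Site links: a deliberately long ReplicationFrequencyInMinutes is what keeps a lag/DR site behind the rest.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, ReplicationFrequencyInMinutes, SitesIncluded | Format-Table -AutoSize
```

Rows with BackupOlderThan7d or ThirdDnsInOtherSite false, or a site with AutoTopologyDisabled true, are the ones to fix before a DR exercise.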
IT _Admin0723 (asker):

Hi Will, thank you for the input! I appreciate all the info. Just curious: the "DR" type site you have, how often is that updated/managed as far as the AD/DCs part?

I am just curious how that "DR" type scenario will best work for an environment like we have (we have close to 300 DCs that are placed globally).
ASKER CERTIFIED SOLUTION
Will Szymkowski (Canada)
(solution body is members-only and not shown)

IT _Admin0723 (asker):

Yep, we have 300 DCs situated all over the world. And yes, it is a lot of management. We are currently dependent on Forest Recovery for DR but just wondering what is the best approach for DR just in case the product becomes faulty (which had happened when we did some exercises in lower environments).