Title: Message
FYI this KB 296257 has been considerably updated, and I have a statement of support based on its contents from Microsoft EMEA PSS.
 
This is as far as MS will go, and is all I can expect as I would not expect them to support changes to the AD which bypass their integrity rules. It is a shame that there is not a tool out there which does use the Microsoft "provided programmatic interfaces for online object restoration that can be leveraged by ISVs to provide online restore capabilities" and which has the obvious benefits that Aelita's ER Disk can give an organisation.
 
It is now a simple risk\benefit call
 
Hope this helps
 
Stephen

Stephen Wilkinson

Tel         +44(0)207 4759276
Mobile    +44(0)7973 143970
E-Mail: [EMAIL PROTECTED]

 



From: Stuart Kwan [mailto:[EMAIL PROTECTED]
Sent: 23 June 2003 23:21
To: [EMAIL PROTECTED]

Based on your feedback and the feedback of others, we have revised the title of the KB article (http://support.microsoft.com/default.aspx?scid=kb;en-us;296257), and are looking at further clarifications we can make in the text.  Stay tuned.

 

On the certification issue - I will respond to the list on that topic, but unfortunately will need a couple of weeks before I can properly do so.  Sorry about the delay, hope you can bear with me on that one.

 

Wrt. to your point on working with vendors and helping them show initiative - Microsoft is committed to supporting our vendor community.  They do a superb job for us supporting our mutual customers.  However, there are certain ways of extending the system that we cannot endorse.  When those things come up we will apply the necessary vigor to provide a replacement; indeed, we did with Windows Server 2003 and the Tombstone Reanimation capability.

 

Cheers,

Stuart

 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Tuesday, June 17, 2003 12:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Object level restore

 

Stuart & Guido thanks for the reply,

 

I feel this thread has caused some confusion to all involved (possibly from my comments), and my goal is to only get a clear answer that both MS, Aelita, HP, and all others feel is completely accurate. 

 

It is always good to get Microsoft's HPAQ official/unofficial perspective on these matters.  Just to reiterate, Microsoft has no position on the current recovery products other than they are not supportable because they aren't using a common interface/API, but like Guido pointed out, you will certify these products when they meet Microsoft Application design criteria.  What wasn't clear from your (Stuart's) response was what Guido asserted in his, that applications that meet Microsoft certification are tested to work with the AD product as designed.  From your (Stuart's) response, I would say in the case of AD recovery, probably not.  

 

So in the spirit of clarity I want to phrase the question I asked a different way, Are there any recorded cases at Microsoft thus far of organizations using object level recovery products like ER Disk for Active Directory causing corruption to the extent that it required an entire forest recovery to correct the problem?  I hope you can see that I am trying to clarify three things.  1.  Clear up any FUD around the use of such a product to maintain quick restore capabilities.  2.  Associate the assumed risk to something equivalent currently in Windows products and if you don't plan accordingly like Guido points out, you could have problems with Local Group recovery.  (Like you always tell people to modify the registry, but always give a warning that modifications could also cause corruption/bad things.)  3.  Maintain that Applications that meet Microsoft certification requirements means that they are safe to use on Microsoft Operating systems. 

 

My motivation for doing this is somewhat self-serving, but I think others are in the same boat as well.  In the event of a catastrophic currently I can go to my boss and say the following.  Boss, we have been backing up the AD using Backup Exec, and object level restore product A.  To restore the objects that are deleted / corrupt will take 4 hours using an authoritative restore method, the probability of success is 99% and is Microsoft supported.  To restore the deleted corruption using the object level restore product A, will take 30 minutes, the probability of success is 99.0% and is not supported by Microsoft, but is supported by the vendor.  If either method fails and corrupts the directory, we will have to do a forest level recovery.  Which restore method should we do?  Depending on the severity of the outage, we have options.

 

Stuart, I do understand that you are responsible for engineering a product that an increasing number of organizations are using as a security backbone, and I appreciate your dedication to clarify Microsoft's position and the hard work you and your team have put in on the AD portion of Windows.  I hope you didn't take offense to my comments, in hindsight they could be taken as a little sharp.  I hope you understand and appreciate that I am a project leader of a very large Active Directory deployment and I am trying to standardize our organization on using AD as an infrastructure security backbone.  I am in the process of converting our deployment into an operation, and that means we need methods to protect the directory from possible accidental deletes, corruption of attribute data, poor administration practices, compromise, and a host of other issues.  I see Active Directory as a platform for development.  We need good products to aid in our deployment and management of the Active Directory.  I have come to rely on some third-party products to offer solutions that offer more extended functions than what is in the current Microsoft product.

 

The statement in the KB article did not to me seem very supportive of Object Level Restores in general, you might consider revising the title or wording to reflect a more neutral stance if that is the position you are promoting.  In addition you might have a reference to applications that are certified to work with both Microsoft and Active Directory, like the HCL.   I feel Microsoft needs to work closer with the organizations that develop these types of products and show them support for their initiative to provide solutions that Microsoft currently doesn't.  The cost of operating a large AD is rising because of limitations in Active Directory.  With shrinking IT staffs, we need all the help we can get, cause we don't have the time to always program solutions or do long drawn-out recoveries.  With this in mind, we can't afford to be worrying that Microsoft will poo poo certain approaches or not adequately acknowledge them either. 

 

Stuart, you have done the best you can to explain your and Microsoft's position on the matter.  I appreciate you being candid in your response.

 

Thanks,

 

Todd Myrick

 

P.S. Guido did a killer job at the DEC this year explaining object level restores.    

 

 

 

-----Original Message-----
From: Stuart Kwan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 17, 2003 11:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Aelita's ER Disk may render AD not supported

When we built and tested Active Directory we did so using an explicit set of design assumptions and constraints.  Software that writes directly to the ESE database and bypasses AD logic does not observe these constraints.  I cannot predict nor control what products of this nature may do to the state of an Active Directory forest.  I cannot say with any level of confidence that these products "work".  Nor can I say what might "go wrong" if you use them.  I simply don't know, they aren't within the scope of the intended usage of the system.  The best I can say is if you use methods like this, you might find yourself in a state that can only be recovered from using a forest recovery-type recovery operation - one that rewinds your state to a known good state.

 

Understand that I am ultimately responsible for the engineering of a product that an increasing number of organizations, large and small, use as their main and sometimes sole security backbone.  The failure of this system for any extended period of time could be truly catastrophic for many of these organizations.  In my judgment as an engineer and in the spirit of Trustworthy Computing, the KB article reflects Microsoft's position on software that uses methods, and what measures a customer might have to take if they use such software.

 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Monday, June 16, 2003 12:25 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Aelita's ER Disk may render AD not supported

 

Stuart,

 

What changed in the article?  All I see is a reference to the fact that Microsoft has provided an API for vendors to use in 2003, and that it is still potentially bad to do object level restores in Windows 2000 directories.  In addition, responding to this thread titled Aelita's ER Disk may render AD not supported, could also be taken as Aelita's product is not supported or worse that you don't recommend using it.  If it is the latter, why does Microsoft offer Microsoft Certification of Applications if they only plan to discredit the vendor publicly?

  

I realize that you have to walk a fine line of what is politically correct / legal to say, what I believe we are concerned with here on this list is what makes sense operationally in Active Directory.  Barring an act of God or poorly managed Active Directory, do object level Active Directory recovery products work, and is this recovery operation on par (meaning having the same inherited risks as) with modifying the registry, or going into Exchange 5.5's directory in RAW mode and making modifications?

 

If the operation is not on par with the illustrations I listed, what exactly goes wrong when using them?

 

Todd Myrick

 

 

-----Original Message-----
From: Stuart Kwan [mailto:[EMAIL PROTECTED]
Sent: Monday, June 16, 2003 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Aelita's ER Disk may render AD not supported

Please note that KB article Q296257 was updated on Friday 06/13.

 

http://support.microsoft.com/default.aspx?scid=kb;en-us;296257

 

Cheers,

Stuart

 

[This posting is provided "AS IS" with no warranties, and confers no rights.]

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wilkinson, Stephen (DrKW)
Sent: Tuesday, May 20, 2003 6:17 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Aelita's ER Disk may render AD not supported

 

Anyone who has purchased Aelita's ER Disk may want to check with their Microsoft representative as to whether they will support their AD if ER Disk for Active Directory is used, as we have received the following response from Microsoft:

"Please refer to Microsoft Knowledge Base Article - 296257 which outlines 'On-Line Restoration of Active Directory Is Not Supported in Windows 2000'.


"Selective on-line restoration is the process of returning one or more specified objects to their state as of a specific time in the past without having to place Active Directory into an off-line repair mode. Because of the potential for irreparable data damage or loss, Microsoft cannot recommend or support ISV products that perform on-line restoration of data by directly accessing the ESE database."


The only supported online restore capability today is if ISVs use the tombstone reanimation feature in Windows Server 2003 (not available in Win2k)."

I am awaiting a response from Aelita

Stephen Wilkinson

E-Mail: [EMAIL PROTECTED]




----------------------------------------------------------------------
If you have received this e-mail in error or wish to read our e-mail
disclaimer statement and monitoring policy, please refer to
http://www.drkw.com/disc/email/ or contact the sender.
----------------------------------------------------------------------


