RE: [ActiveDir] Protecting Active Directory

2004-03-14 Thread joe



:o)

I agree and understand your statements concerning not being able to easily restore the out-of-domain memberships. However, you know the limitations of the GCs and the additional overhead incurred for using them, and why we don't.

Again though, we really protect against the mass deletes. There are only three people who can even delete a group in our company; outside of us, the people who "own" the groups can change the description of the group and modify the membership. In order for them to delete a group, they have to generate an actual help desk ticket and send it across. I guess though, to play devil's advocate to my own self, there could be a typo, or a help desk person could be called instead of someone using a web page and they could mishear what is being said. Good points! That pushes me even more to having something like an AD/AM around with the info - so many things to do if I can find time and get a chance. I guess I could use a SQL server but I really like using LDAP queries - especially if the choice is LDAP queries or SQL queries. :o)

Thanks on the cool group-structure comment. We have some in our company who do not feel our group structure is cool, but then they don't actually understand the whole concept behind the groups and such and how they truly work.

 joe

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)






RE: [ActiveDir] Protecting Active Directory

2004-03-05 Thread Mulnick, Al



I think I see what you're getting at. I did read that whitepaper and it is interesting.

What I'm trying to get at is that for the scenario of an admin fat-fingering a group, recreating the group membership is, IMHO, preferred over the hassle of a restore. A script, etc. is fine for figuring out group membership enough to recreate it. If the group itself gets whacked, that's when I see this type of solution adding value. You bring up a good point that if the group encompasses the entire forest and membership gets hosed, a restore may be the best way, but there are things to be aware of. I don't think this is a worthwhile approach if it's only one group in most situations. I think recreating it from a point in time (based on the reference information stored in a flat file, database, etc.) would be a fine approach. It's not until we get into multiple simultaneous mistakes that it would make sense to me to have a solution such as what you propose. I'm considering this as a good idea for a large, multi-domain forest with decentralized administration when multiple mistakes are made. I just can't see the time and effort of restoring a group for one mistake making sense.

Am I missing anything in the conversation here? For some reason I feel like there is something I'm missing, but it's not obvious to me at this point in time ;-)

  
-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Friday, March 05, 2004 5:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

Al, I think it's appropriate to explain a little more, to avoid further confusion, as accidentally deleting + recovering objects and losing group memberships are NOT separate problems (especially in multi-domain forests or even in Windows 2000 single-domain forests). The issues are indeed very much related to each other:

- tracking membership of a group to be able to undo a change "in case one of its members gets whacked" is generally a good idea, no matter if a user has been deleted or if simply an administrator made a mistake while editing group memberships. When tracked (e.g. via daily reports or dumps of the group memberships - or by having a good group concept where all owners "know" the members), the owner of a group should be able to get a group back to the state it should be.

- however, when you delete an object (e.g. a user, computer, contact or a group itself), these objects naturally replicate as tombstones to other DCs and GCs in the forest. When this happens, the memberships of these objects in any group in the forest are "cleaned" automatically - not only in the same domain where the objects reside, but also in all of the other domains in the forest. I.e. the objects are also removed from Universal (UG) and Domain Local Groups (DLG) of any domain in the forest. So what's the big deal? Well, if you restore a DC from a system-state backup (on tape or file) and then authoritatively restore the objects in their domain, or even if you restore the whole domain authoritatively (which is not recommended anyway, unless you really have to), the objects will never "repopulate" into the UGs and DLGs of the other domains in the forest. Good to know: if you restore a GC, it will at least know of the UGs of the other domains incl. their memberships (as these are still stored in the AD database file saved at the time of taking the system-state backup), which you could leverage to repopulate the UGs in the respective domains. However, if you've not previously dumped your DLGs in the other domains, how will you be able to recover their memberships? They are not stored on the GC you've recovered, and they were "cleaned" when the tombstone was able to replicate to the other DCs/GCs in the forest... And don't forget that, depending on your group model, you could also have various nested groups which are nothing else but members of other groups - these nestings will also get lost if a group gets deleted. More about these issues (and others) is described in the aforementioned whitepaper - incl. details on the differences between 2000 and 2003 regarding the recovery challenge.

Here are some ideas to master the recovery challenge and be on the safe side (besides relying on the group owners to recover memberships themselves):

- hot-site approach: as mentioned in another part of this thread, you could use DCs in a hot site (we call it LAG site, as its replication will be set to "lag" behind the other DCs). These will hopefully not have replicated the tombstones at the time you notice the deletion of the objects - you could then first use the appropriate DCs the hot-s
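The tombstone behaviour Guido describes in the quoted message above (memberships in the UGs and DLGs of other domains are "cleaned" when the member's deletion replicates, and an authoritative restore of the member's own domain does not bring those links back) is why he suggests dumping group memberships before anything happens. The PowerShell below is an added example and not part of the thread; it is neither Guido's SQL tool nor joe's AD/AM idea. It snapshots the direct `member` DNs of every group in every domain of the forest to a JSON file and, after an authoritative restore, re-links only those members that resolve again in the global catalog. It assumes the RSAT ActiveDirectory module (which did not exist in 2004), an account that can read all domains and write `member` on the groups, and that restored objects come back under their original DNs; the function names, the file path and the sample DN in the usage lines are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): forest-wide group-membership snapshot
# and re-link. Assumes the RSAT ActiveDirectory module and rights to read every
# domain and to write 'member' on every group.

function Export-ForestGroupMembership {
    param([Parameter(Mandatory)][string]$Path)

    $snapshot = foreach ($domain in (Get-ADForest).Domains) {
        # 'member' holds the DN of each direct member, including members that
        # live in another domain of the forest - exactly the links that are
        # lost when the member's tombstone replicates.
        Get-ADGroup -Server $domain -Filter * -Properties member |
            ForEach-Object {
                [pscustomobject]@{
                    Domain  = $domain
                    Group   = $_.DistinguishedName
                    Scope   = [string]$_.GroupScope
                    Members = @($_.member)
                }
            }
    }
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $Path -Encoding UTF8
    return $snapshot.Count
}

function Restore-ForestGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    # Any GC can tell us whether a DN from any domain exists again.
    $gc = '{0}:3268' -f ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
    $snapshot = Get-Content -Path $Path -Raw | ConvertFrom-Json

    foreach ($entry in $snapshot) {
        try {
            $current = @((Get-ADGroup -Server $entry.Domain -Identity $entry.Group `
                            -Properties member -ErrorAction Stop).member)
        } catch {
            # The group itself is gone: it needs its own authoritative restore first.
            Write-Warning "Group missing, restore it before re-linking: $($entry.Group)"
            continue
        }
        $missing = @($entry.Members | Where-Object { $current -notcontains $_ })
        if (-not $missing) { continue }

        # Re-link only members that exist again. A DN the GC cannot resolve has
        # not been restored yet (or was deleted on purpose), so leave it alone.
        $restorable = @($missing | Where-Object {
            try { Get-ADObject -Identity $_ -Server $gc -ErrorAction Stop | Out-Null; $true }
            catch { $false }
        })

        if ($restorable -and $PSCmdlet.ShouldProcess($entry.Group, "re-add $($restorable.Count) member(s)")) {
            # Set-ADGroup -Add writes the DNs straight into 'member', which also
            # works for members from other domains of the forest; Add-ADGroupMember
            # would try to resolve them against the group's own domain.
            Set-ADGroup -Identity $entry.Group -Server $entry.Domain -Add @{ member = $restorable }
        }
        [pscustomobject]@{
            Group        = $entry.Group
            ReAdded      = $restorable
            StillMissing = @($missing | Where-Object { $restorable -notcontains $_ })
        }
    }
}

function Get-ForestMembershipOf {
    # Which groups, in any domain of the forest, list this DN as a direct member?
    param([Parameter(Mandatory)][string]$MemberDN)
    # RFC 4515 escaping so a DN with '(' ')' '*' or '\' cannot break the filter.
    $escaped = $MemberDN -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADGroup -Server $domain -LDAPFilter "(member=$escaped)" |
            Select-Object @{ n = 'Domain'; e = { $domain } }, DistinguishedName, GroupScope
    }
}

# Usage (paths and DN are placeholders):
# Export-ForestGroupMembership -Path 'D:\ADSnapshots\members.json'      # schedule daily
# Restore-ForestGroupMembership -Path 'D:\ADSnapshots\members.json' -WhatIf
# Get-ForestMembershipOf -MemberDN 'CN=Jane Doe,OU=Sales,DC=child,DC=corp,DC=example'
```

Run the export on a schedule and keep several generations: the snapshot you want is the one taken before the deletion, not the one taken after the tombstones have already cleaned the groups. The restore deliberately skips members that do not resolve, so it is safe to run once per domain as each authoritative restore completes, and `-WhatIf` shows what would be re-added without touching anything.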

RE: [ActiveDir] Protecting Active Directory

2004-03-05 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)



the point you're missing is that I'm not talking about groups being deleted and thus memberships being lost. I'm talking about any object that could be a group member (e.g. users, contacts, computers and other groups) being deleted and this causing the lost memberships for the respective object. And it only takes one object to delete a whole lot of critical users contained herein: one OU. It's easy enough - mistakes can happen and do happen (via UI and CLI). Believe me, I wouldn't be so deep into this subject if I hadn't gone through hell for one of my customers, getting them back on track after they accidentally deleted a whole OU - it was a nightmare recovering all cross-domain links and for 3 days this had a big impact on their operations, fileshare access and especially on the messaging (E2K) which is built around UGs all over the forest...



RE: [ActiveDir] Protecting Active Directory

2004-03-05 Thread Mulnick, Al



Thanks Guido. That makes a whole lot more sense then.

Looking forward to seeing the results of the work in action.

Al

  

RE: [ActiveDir] Protecting Active Directory

2004-03-04 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)



BTW, even though I'm a big fan of the hot-site concept for many reasons (also to safely perform schema changes), you'll still need to take care of the link issue after objects have accidentally been deleted in AD, as the DCs outside of the hot site will have received the tombstones and will thus have "cleaned" their groups (as an example).

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 3 March 2004 21:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

We got the following from Microsoft Consulting about a year ago and implemented it last summer to address the accidentally deleted objects. We've had the 'opportunity' to use the process twice. It worked fine on both occasions. In our environment, we have four different domains in the forest and have a hot site for two of the domains at two different sites. We have replication set to occur for only one hour a day starting at 11:00 pm. Some of the utilities like FRSDiag report problems with this setup but otherwise it works fine. It does require an extra piece of hardware per domain.

mark hocraffer
Rockwell Collins

Active Directory Hot Site Scenario

Purpose

This document provides information around the concept of an Active Directory "hot site" and its configuration.

Overview

While there are recovery procedures in place for cases where one or more directory objects have been accidentally deleted (namely, authoritative restore) or where hardware failure (for example, disk corruption) causes a domain controller (DC) to fail, this paper describes a process to deal with a situation where an Active Directory site is "lagged" from the rest of the replication topology to create a scenario where a restore procedure will not have to be used.

Hot Site Design

The Active Directory Hot Site is an Active Directory site that contains at least one DC from every domain in the forest. Replication to this site is delayed for twenty-four hours. If any changes are made incorrectly on any DC in the forest outside of the Hot Site, then Ntdsutil.exe can be used to change the version on any object, making the object authoritative. Now the object in question is replicated out from the Hot Site to the entire forest, preventing the need for a full-fledged restore.

This Hot Site design is not a replacement for a good tape backup. However, it is a viable solution for a quick on-line restore process in the case of a corruption taking down every domain controller. The replication time can be configured to a time frame that meets your customer's needs. This should be mapped to the customer's response time.

Keep in mind that the higher the replication interval is, the more changes made in that interval will be lost. This will also hold true for tape backups.

This configuration is only as valid as the integrity of the Hot Site itself. If the corruption has replicated to the Hot Site it is invalid. Also, there is a very small chance a client may try to authenticate to the DC in the Hot Site and get out-of-date information. The clients should be configured to authenticate to a DC in their own site; if not, one closer and/or one of lower cost. The Hot Site is, by design, a high-cost alternative to help preclude a client authenticating to it. If no other DC is available, then hopefully the Hot Site DC will serve its purpose and allow authentication.

Hot Site Configuration

The domain controllers serving in the Hot Site can be a low-end server or a PC, because they will only be storing the AD database, which only requires disk space. Since no users will be logging into this site, memory is not a serious concern.

To configure the hot site:

· Put the domain controllers into their own site. Make sure the site only covers the IP addresses (or subnet) of the domain controllers to ensure no client will ever boot up with an IP address included in that site.

· Increase the weight priority of the SRV records for those DCs.

· Disable auto site coverage using the reg key. This key will need to be added to each DC in the Hot Site.

Note: pausing the Netlogon service on all DCs in the Hot Site could also be used.

RE: [ActiveDir] Protecting Active Directory

2004-03-04 Thread joe



Using the DLGs doesn't kill us any more than if we used GGs. Same loss of resource access.

As for the accidents, the guys with the big guns don't use the GUI for most anything; they use very targeted scripts that do very specific things. We don't, for instance, have any mass-delete-anything scripts. All one-off deletes.

The groups are supposed to have well-known membership to the admins running them; they are supposed to be auditing the groups on a very regular basis as to who should be in them. So loss of a group should simply be: recreate the group, reassign to the proper ACE in the proper file structure (we don't do one group secures a zillion different things, or at least heavily discourage it), re-add the correct people.

I do have some ideas floating in the back of my mind about pulling all groups, computers, users off into a single AD/AM instance so we can track things there. Don't sync the deletes other than marking a field in AD/AM when the delete occurred. This is more for being able to do quick checks for things in the directory (everything would be tuple indexed) but could also help if someone smoked a group that they shouldn't have, as we would have the last known membership for sure. I would also like to get some form of change log management in there as well but that project is way pie in the sky at the moment. Trying to get K3 deployed at the moment and the final pieces of E2K deployed.



-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 04, 2004 2:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

actually, you need to consider this issue more than others Joe, as you're building all group memberships on Domain Local Groups (in a multi-domain environment) which will kill you if you do accidentally delete the wrong objects. Obviously you could still restore all domains - but that's pretty nasty.

And accidents don't only happen to lower privileged admins - it could be one of you three...

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, 3 March 2004 16:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

Yes, excellent point. We haven't started worrying about that granularity yet. If something is deleted, we figured the person with the power to delete it intended it. Have a nice day. There are only three people who can really do any huge mass deletes across the board and we all sit within smacking distance of each other, so we are careful as we have sensitive ears and don't want to be cuffed. I do think we need some sort of solution for this eventually though. But it is more to reduce the nuisance factor for silly OU admins than anything else.

Right now mostly still just worrying about the old "South East Michigan was swallowed by a volcano that came out of nowhere"... How do we make sure we can recover.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, March 03, 2004 3:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

will only be good for restoring the DC hardware, but depending on your setup won't be sufficient to fully recover accidentally deleted objects.

I've worked with Aelita on this whitepaper to discuss the potential issues:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf

/Guido



From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 3 March 2004 02:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

1. Multiple DCs in disparate locations.

2. Virtual DC for each domain that is shut down nightly and the disk file for each is copied to some other location.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Tuesday, March 02, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Protecting Active Directory
Importance: High

What is the best way to back up your domain controller so you can restore it in a disaster situation?


RE: [ActiveDir] Protecting Active Directory

2004-03-04 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)



ha, I knew that would be your answer ;-))

and I can partly understand your strategy = the owner of the group should know what's in it, so if there is a problem with the memberships it's his and not yours. But this is really only acceptable for a small issue, where you lose a couple of memberships - not when you lose a couple of hundred users incl. their memberships.

Sure, losing a DLG membership has the same result in losing resource access as a GG does - however, DLGs in multi-forest environments are simply harder to recover the "native" way (i.e. by authoritatively restoring your accidentally deleted users from one domain), as that restored DC doesn't know of the DLG memberships outside of its own domain, which will then be lost for good (much easier to recover memberships in GGs and UGs as the DC/GC will "know" of the memberships after the recovery). Your DLG memberships won't come back until re-added by your group owners, who will be happy to manage re-adding hundreds of users into various groups via the UI they use... :-(

Obviously your impact will be less than for other companies, as you have a really cool group structure. However, no matter how careful you are, Murphy is watching you. And things will happen. And you have to be prepared...

The AD/AM idea isn't bad, but I'm just implementing the same based on SQL and it's almost done - a nice tool that gives you exactly what you're describing. And will help to recover those lost group memberships and it will allow you to see which group your users or other objects are in within the forest - in any domain. Stay tuned. However, it will still require a normal authoritative restore of the actual objects that were deleted - thus it's not as powerful as some of the online-recovery methods available out there. So I encourage anyone responsible for backup of their AD also to look at these tools.

/Guido


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
joeSent: Donnerstag, 4. März 2004 16:18To: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Protecting 
Active Directory

Using the DLG's doesn't kill us any more than if we used 
GG's. Same loss of resource access. 

As for the accidents, the guys with the big guns don't use 
the GUI for most anything, they use very targeted scripts that do very specific 
things. We don't, for instance have any mass delete anything scripts. All one 
off delete. 

The groups are supposed to have well known membership to 
the admins running them, they are supposed to be auditing the groups on a very 
regular basis as to who should be in them. So loss of a group should simply be 
recreate the group, reassign to the proper ACE in the proper file structure (we 
don't do one group secures a zillion different things or at least heavily 
discourage it), readd the correct people. 

I do have some ideas floating in the back of my mind about pulling all groups, computers, users off into a single AD/AM instance so we can track things there. Don't sync the deletes other than marking a field in AD/AM when the delete occurred. This is more for being able to do quick checks for things in the directory (everything would be tuple indexed) but could also help if someone smoked a group that they shouldn't have, as we would have the last known membership for sure. I would also like to get some form of change log management in there as well, but that project is way pie in the sky at the moment. Trying to get K3 deployed at the moment and the final pieces of E2K deployed. 



-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)






RE: [ActiveDir] Protecting Active Directory

2004-03-04 Thread Mulnick, Al



I think there are two approaches here, but correct me if I misunderstood the flow. 

One concept is to restore the actual object in case of accidental deletion, intentional deletion, corruption, etc. The other is to track the membership in case one of its members gets whacked. Is that about what you're saying?

To me, these are two very important, but separate, scenarios. One solution already in place is a tracking mechanism that exports group information on a daily basis. That's the custom version of what I have now, but it's nowhere near as efficient as a SQL/AD/AM solution would be in a multi-domain environment. It only allows us to put the group membership back, but has nothing to do with the group object itself. If we lost that, we lost the SID etc. that would make it useful outside of a restore. In case of administrative error, we can look back at the reference (keep a week's worth for now) and put it back the way it should be without having to go to tape. 

If you're going to the trouble of creating this homegrown 
system wouldn't it make sense to make it part of the lifecycle management 
system? There's certainly a market for that in the states with the current 
round of laws about data and process. 

Just a thought, but having a system that audits (for lack 
of a better term) user/group lifecycles and resource allocation would be an 
interesting thing to have. Kind of another tier in the management of the system 
(a meta-directory type solution or other?)

Al


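A snapshot-and-restore helper for the daily group export Al describes and for the cross-domain Domain Local Group memberships Guido says an authoritative restore in another domain cannot bring back, as an added example that is not part of the thread and not either poster's tool. It assumes the ActiveDirectory PowerShell module (RSAT) and an assumed snapshot path C:\ADSnapshots.

```powershell
# Added example, not code from the thread or from Guido's or Al's tools:
# snapshot group membership for every domain in the forest, report the
# cross-domain DLG memberships at risk, and re-add missing members from a
# snapshot. Needs the ActiveDirectory module; snapshot path is assumed.
Import-Module ActiveDirectory

$SnapshotRoot = 'C:\ADSnapshots'   # assumed path, adjust as needed

function Get-DomainDnFromDn {
    # 'CN=x,OU=y,DC=corp,DC=example,DC=com' -> 'DC=corp,DC=example,DC=com'
    param([string]$Dn)
    $i = $Dn.IndexOf('DC=')
    if ($i -lt 0) { return '' }
    return $Dn.Substring($i)
}

function Export-ForestGroupMembership {
    param([string]$OutDir = $SnapshotRoot)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $records = @(foreach ($domain in (Get-ADForest).Domains) {
        # 'member' holds member DNs, including members from other domains
        # of the forest, which a DC of this domain cannot rebuild on its
        # own after an authoritative restore of those users elsewhere.
        Get-ADGroup -Server $domain -Filter * -Properties member, groupScope |
            ForEach-Object {
                [pscustomobject]@{
                    Domain  = $domain
                    GroupDN = $_.DistinguishedName
                    Sid     = $_.SID.Value
                    Scope   = [string]$_.GroupScope
                    Members = @($_.member)
                }
            }
    })
    $file = Join-Path $OutDir ('groups-{0:yyyyMMdd-HHmm}.json' -f (Get-Date))
    ConvertTo-Json -InputObject $records -Depth 4 | Set-Content -Path $file -Encoding UTF8
    return $file
}

function Get-CrossDomainDlgMembership {
    # Lists DLG members whose DN sits in a different domain than the group.
    param([Parameter(Mandatory)][string]$SnapshotFile)
    foreach ($g in @(Get-Content $SnapshotFile -Raw | ConvertFrom-Json)) {
        if ($g.Scope -ne 'DomainLocal') { continue }
        $groupDomain = Get-DomainDnFromDn $g.GroupDN
        foreach ($m in @($g.Members)) {
            if ((Get-DomainDnFromDn $m) -ne $groupDomain) {
                [pscustomobject]@{ Group = $g.GroupDN; Member = $m }
            }
        }
    }
}

function Restore-GroupMembership {
    # Re-adds every snapshot member that is currently missing. Adds only,
    # never removes, so it is safe to re-run after a partial recovery.
    param([Parameter(Mandatory)][string]$SnapshotFile,
          [string]$GroupDN)   # optional: restrict to one group
    $groups = @(Get-Content $SnapshotFile -Raw | ConvertFrom-Json)
    if ($GroupDN) { $groups = @($groups | Where-Object { $_.GroupDN -eq $GroupDN }) }
    foreach ($g in $groups) {
        $live    = Get-ADGroup -Server $g.Domain -Identity $g.GroupDN -Properties member
        $missing = @($g.Members | Where-Object { @($live.member) -notcontains $_ })
        $added   = 0
        foreach ($m in $missing) {
            # Writing the DN straight into 'member' accepts principals from
            # other domains; a member not yet restored is reported, not fatal.
            try {
                Set-ADGroup -Server $g.Domain -Identity $g.GroupDN -Add @{ member = $m } -ErrorAction Stop
                $added++
            } catch { Write-Warning "$($g.GroupDN): cannot re-add $m ($($_.Exception.Message))" }
        }
        [pscustomobject]@{ Group = $g.GroupDN; ReAdded = $added; Failed = $missing.Count - $added }
    }
}
```

Schedule Export-ForestGroupMembership nightly; after a restore, run Get-CrossDomainDlgMembership on the last good snapshot to see which memberships the restored DC will not know about, then Restore-GroupMembership to put them back.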

RE: [ActiveDir] Protecting Active Directory

2004-03-03 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)



will only be good for restoring the DC hardware, but 
depending on your setup won't be sufficient to fully recover accidentally 
deleted objects.

I've worked with Aelita on this whitepaper to discuss the 
potential issues:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf

/Guido








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Tuesday, March 02, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Protecting Active Directory
Importance: High


What is the best way to back up your domain controller so you can restore it in a disaster situation?


RE: [ActiveDir] Protecting Active Directory

2004-03-03 Thread joe



Yes, excellent point. We haven't started worrying about that granularity yet. If something is deleted, we figured the person with the power to delete it intended it. Have a nice day. There are only three people who can really do any huge mass deletes across the board and we all sit within smacking distance of each other, so we are careful as we have sensitive ears and don't want to be cuffed. I do think we need some sort of solution for this eventually though. But it is more to reduce the nuisance factor for silly OU admins than anything else. 

Right now mostly still just worrying about the old "South East Michigan was swallowed by a volcano that came out of nowhere"... How do we make sure we can recover? 

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)







RE: [ActiveDir] Protecting Active Directory

2004-03-03 Thread mahocraf

We got the following from Microsoft Consulting about a year ago and implemented it last summer to address accidentally deleted objects. We've had the 'opportunity' to use the process twice. It worked fine on both occasions. In our environment, we have four different domains in the forest and have a hot site for two of the domains at two different sites. We have replication set to occur for only one hour a day starting at 11:00 pm. Some of the utilities like FRSDiag report problems with this setup, but otherwise it works fine. It does require an extra piece of hardware per domain.

mark hocraffer
Rockwell Collins 

Active Directory Hot Site Scenario

Purpose

This document provides information around the concept of an Active Directory hot site and its configuration.


Overview

While there are recovery procedures in place for cases where one or more directory objects have been accidentally deleted (namely, authoritative restore) or where hardware failure (for example, disk corruption) causes a domain controller (DC) to fail, this paper describes a process to deal with a situation where an Active Directory site is lagged from the rest of the replication topology to create a scenario where a restore procedure will not have to be used.



Hot Site Design

The Active Directory Hot Site is an Active Directory site that contains at least one DC from every domain in the forest. Replication to this site is delayed for twenty-four hours. 

If any changes are made incorrectly on any DC in the forest outside of the Hot Site, then Ntdsutil.exe can be used to change the version on any object, making the object authoritative. Now the object in question is replicated out from the Hot Site to the entire forest, preventing the need for a full-fledged restore.

This Hot Site design is not a replacement for a good tape backup. However, it is a viable solution for a quick on-line restore process in the case of a corruption taking down every domain controller. The replication time can be configured to a time frame that meets your customer needs. This should be mapped to the customer's response time. 

Keep in mind that, however long the replication interval is, any changes made in that interval will be lost. This will also hold true for tape backups.

This configuration is only as valid as the integrity of the Hot Site itself. If the corruption has replicated to the Hot Site, it is invalid. Also, there is a very small chance a client may try to authenticate to the DC in the Hot Site and get out-of-date information. The clients should be configured to authenticate to a DC in their own site or, if not, one closer and/or one of lower cost. The Hot Site is, by design, a high-cost alternative to help preclude a client authenticating to it. If no other DC is available, then hopefully the Hot Site DC will serve its purpose and allow authentication.


Hot Site Configuration

The domain controllers serving in the Hot Site can be low-end servers or PCs, because they will only be storing the AD database, which only requires disk space. Since no users will be logging into this site, memory is not a serious concern.



To configure the hot site:
· Put the domain controllers into their own site. Make sure the site only covers the IP addresses (or subnet) of the domain controllers to ensure no client will ever boot up with an IP address included in that site.
· Increase the weight priority of the SRV records for those DCs.
· Disable auto site coverage using the reg key. This key will need to be added to each DC in the Hot Site. 

Note: Pausing the Netlogon service on all DCs in the Hot Site could also be used.







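The three configuration bullets of the hot-site document (own site, de-prioritised SRV records, auto site coverage off) applied to a hot-site DC, as an added example that is not part of the thread or of the quoted Microsoft document. It uses the documented Netlogon registry values AutoSiteCoverage, LdapSrvPriority and LdapSrvWeight, which the document does not name; the priority and weight numbers are assumptions.

```powershell
# Added example, not from the thread or the quoted Microsoft document: applies
# the hot-site locator settings to the DC it runs on, using the documented
# Netlogon registry values AutoSiteCoverage, LdapSrvPriority and LdapSrvWeight
# (the document does not name the key). Priority/weight values are assumptions.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-HotSiteDcLocator {
    param(
        [int]$Priority = 200,   # SRV priority: higher number = tried later
        [int]$Weight   = 0      # SRV weight: 0 = least likely within its priority
    )
    # 0 = never register this DC for sites that have no DC of their own
    Set-ItemProperty -Path $NetlogonParams -Name AutoSiteCoverage -Value 0 -Type DWord
    Set-ItemProperty -Path $NetlogonParams -Name LdapSrvPriority -Value $Priority -Type DWord
    Set-ItemProperty -Path $NetlogonParams -Name LdapSrvWeight -Value $Weight -Type DWord
    # Netlogon re-registers its SRV records when it starts. The document's
    # alternative, pausing Netlogon on the hot-site DCs, is Suspend-Service.
    Restart-Service Netlogon
}

function Test-HotSiteDcLocator {
    # Shows the registry values next to what DNS actually serves for this DC,
    # so the change can be checked once the zone has replicated.
    $p = Get-ItemProperty -Path $NetlogonParams
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
        Where-Object { $_.NameTarget -like "$env:COMPUTERNAME.*" }
    [pscustomobject]@{
        AutoSiteCoverage = $p.AutoSiteCoverage
        LdapSrvPriority  = $p.LdapSrvPriority
        LdapSrvWeight    = $p.LdapSrvWeight
        DnsSrvPriority   = $srv.Priority
        DnsSrvWeight     = $srv.Weight
    }
}
```

Run Set-HotSiteDcLocator once on each hot-site DC as an administrator, then Test-HotSiteDcLocator to confirm the published SRV record carries the high priority before relying on the site.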

RE: [ActiveDir] Protecting Active Directory

2004-03-03 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)



actually, you need to consider this issue more than others, Joe, as you're building all group-memberships on Domain Local Groups (in a multi-domain environment), which will kill you if you do accidentally delete the wrong objects. Obviously you could still restore all domains - but that's pretty nasty.

And accidents don't only happen to lower privileged admins 
- it could be one of you three...

/Guido




RE: [ActiveDir] Protecting Active Directory

2004-03-02 Thread Roger Seielstad



The best way is to have more than one domain controller.

Once you've got that redundancy, I run a system state backup on 2-3 geographically dispersed DCs using NTBackup (one of which holds the FSMO roles for the domain) and then rip that file to tape as part of the regular backup rotation.

And read, then reread, then live by this info:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx
-- 
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  


RE: [ActiveDir] Protecting Active Directory

2004-03-02 Thread Salandra, Justin A.








I like Veritas Backup Exec. I don't know anything about the disaster recovery agent though.




RE: [ActiveDir] Protecting Active Directory

2004-03-02 Thread Rimmerman, Russ



What if your DCs are DNS servers? Doing a system state backup and restore doesn't restore the DNS functionality and zones, etc. How do you handle this?



~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


RE: [ActiveDir] Protecting Active Directory

2004-03-02 Thread joe



1. Multiple DCs in disparate locations.

2. Virtual DC for each domain that is shut down nightly, and the disk file for each is copied to some other location. 


-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)




