The Evolution of Active Directory Recovery Ulf B. Simon-Weidner Senior Consultant, Author, Trainer, Speaker Computacenter, Germany SIA319


The Evolution of Windows – The Evolution of Active Directory

Windows Server Evolution

Active Directory gone bad

DC Recovery: Recreate or Restore
  Where's a backup?
  Is it the same hardware?

Domain Recovery: Replicated error in the domain partition
  No DCs in the domain are functional / replicate

Forest Recovery: Replicated error in the configuration partition
  Faulty schema update
  Corrupted data (malicious or accidental)
  No DCs in the forest are functional / replicate

Different Scenarios

Multi-Object Recovery: wrong processes; accidental deletion; bad scripts / tools
Object Recovery: wrong processes; accidental deletion; bad scripts / tools
Attribute Recovery: bad scripts; Active Directory Users and Computers (WS2k3+): "accidental editing" of multiple objects at once

Diagram: replication between two DCs, each holding and replicating My Users, My Groups and My Computers.

Authoritative Restore

Non-Authoritative Restore: getting a domain controller back via System State restore
Authoritative Restore: using a non-authoritatively restored DC (which has not been replicated yet), or a DC which didn't receive the deletion yet
  Mark objects as newer
  Replicate

Diagram: after the authoritative restore the marked objects (*) in My Users, My Groups and My Computers replicate from the restored DC to the other DC and overwrite the deletion there.

Main Issue: Restoring Links

Users are members of groups
There are other links, like managers, Password Settings Objects, ...
To restore links: only forward links are writeable
Only forward links will be restored where the target is available
Solution: authoritative restore at least twice, or use LDIFs (Windows Server 2003+)

Recycle Bin

Behind the scenes: NTDS.dit

Data-Table (before deletion)
DNT    PDNT   Name             Attributes                                                     isDeleted
12345  1010   company          „company“, „DC“
12351  12345  Deleted Objects  „container“
12360  12345  Users            „user“, „container“
12865  12360  Consulting       „consulting“, „group“
12890  12360  Ulf              „ulf“, „B“, „Simon-Weidner“, „1-5-..“, „Consulting Services“
12891  12360  Joe              „Joe“, „Ware“, „1-5-..“, „Consulting Services“

Link-Table (before deletion)
From   To
12865  12890
12865  12891

Deletion: the object is moved into the „Deleted Objects“ container and marked as deleted. Links are removed on each DC.

Data-Table (after deletion of Joe)
DNT    PDNT   Name             Attributes                                                     isDeleted
12345  1010   company          „company“, „DC“
12351  12345  Deleted Objects  „container“
12360  12345  Users            „user“, „container“
12865  12360  Consulting       „consulting“, „group“
12890  12360  Ulf              „ulf“, „B“, „Simon-Weidner“, „1-5-..“, „Consulting Services“
12891  12360  Joe\0ADEL:GUID   „Joe“, „Ware“, „1-5-..“, „Consulting Services“                TRUE

Link-Table (after deletion)
From   To
12865  12890
(the row 12865 -> 12891 has been removed)

Recycle Bin: Lifecycle (diagram © Microsoft)

No Recycle Bin feature:
  Live Object --Delete--> Tombstone Object* --Garbage Collection--> gone
  Tombstone Lifetime: 60/180 days; authoritative restore is possible while the tombstone exists

With Recycle Bin enabled:
  Live Object --Delete--> Deleted Object --(Deleted Object Lifetime: 60/180 days)--> Tombstone Object --(Tombstone Lifetime: 60/180 days)--> Garbage Collection
  Undelete is possible while the object is still a Deleted Object

NTDS.dit: AD Recycle Bin

State 1: Recycle Bin not yet enabled

Data-Table
DNT    PDNT   Name             Attributes                                                     isDeleted
12345  1010   company          „company“, „DC“
12351  12345  Deleted Objects  „container“
12360  12345  Users            „user“, „container“
12865  12360  Consulting       „consulting“, „group“
12890  12360  Ulf              „ulf“, „B“, „Simon-Weidner“, „1-5-..“, „Consulting Services“
12891  12360  Joe              „Joe“, „Ware“, „1-5-..“, „Consulting Services“

Link-Table
From   To
12865  12890
12865  12891

State 2: Schema extended, forest level raised, Recycle Bin enabled. The data table gains an isRecycled column, the link table a Deactivated column.

Data-Table
DNT    PDNT   Name             Attributes                                                     isDeleted  isRecycled
12345  1010   company          „company“, „DC“
12351  12345  Deleted Objects  „container“
12360  12345  Users            „user“, „container“
12865  12360  Consulting       „consulting“, „group“
12890  12360  Ulf              „ulf“, „B“, „Simon-Weidner“, „1-5-..“, „Consulting Services“
12891  12360  Joe              „Joe“, „Ware“, „1-5-..“, „Consulting Services“

Link-Table
From   To     Deactivated
12865  12890
12865  12891

State 3: User deleted (Deleted Object, duration: Deleted Object Lifetime). The object is renamed to Joe\0ADEL:GUID and marked isDeleted, its attributes are kept, and the link 12865 -> 12891 is deactivated instead of removed.

Data-Table
DNT    PDNT   Name             Attributes                                                     isDeleted  isRecycled
12345  1010   company          „company“, „DC“
12351  12345  Deleted Objects  „container“
12360  12345  Users            „user“, „container“
12865  12360  Consulting       „consulting“, „group“
12890  12360  Ulf              „ulf“, „B“, „Simon-Weidner“, „1-5-..“, „Consulting Services“
12891  12360  Joe\0ADEL:GUID   „Joe“, „Ware“, „1-5-..“, „Consulting Services“                TRUE

Link-Table
From   To     Deactivated
12865  12890
12865  12891  TRUE

State 4: Undelete. The object is renamed back, isDeleted is cleared and the deactivated link is reactivated; the tables return to state 2.
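A toy model of the data table and link table from the slides above, added here as an example (not code from the deck): it walks Joe's deletion and undelete with and without the Recycle Bin and shows why the group link survives only in the second case. The model re-parents the deleted row under CN=Deleted Objects (DNT 12351) and records lastKnownParent, which the slide's table does not show.

```python
# Added example: toy model of the NTDS.dit Data-Table and Link-Table.
# Without the Recycle Bin a deletion removes the link rows on every DC, so the
# reanimated user has lost its group membership; with the Recycle Bin the rows are
# only flagged Deactivated and are reactivated on undelete.
import uuid

DELETED_OBJECTS_DNT = 12351


class NtdsModel:
    def __init__(self, recycle_bin=False):
        self.recycle_bin = recycle_bin
        # Data-Table: DNT -> row (PDNT, Name, isDeleted, isRecycled); values from the slide
        self.data = {
            12345: {"pdnt": 1010,  "name": "company"},
            12351: {"pdnt": 12345, "name": "Deleted Objects"},
            12360: {"pdnt": 12345, "name": "Users"},
            12865: {"pdnt": 12360, "name": "Consulting"},   # the group
            12890: {"pdnt": 12360, "name": "Ulf"},
            12891: {"pdnt": 12360, "name": "Joe"},
        }
        for row in self.data.values():
            row.update(isDeleted=False, isRecycled=False)
        # Link-Table rows: [From (group DNT), To (member DNT), Deactivated]
        self.links = [[12865, 12890, False], [12865, 12891, False]]

    def delete(self, dnt):
        row = self.data[dnt]
        row["lastKnownParent"] = row["pdnt"]
        row["pdnt"] = DELETED_OBJECTS_DNT
        row["name"] = f"{row['name']}\nDEL:{uuid.uuid4()}"  # \0A is a line feed
        row["isDeleted"] = True
        if self.recycle_bin:
            for link in self.links:            # links survive, flagged Deactivated
                if dnt in link[:2]:
                    link[2] = True
        else:                                  # tombstone: link rows are physically removed
            self.links = [l for l in self.links if dnt not in l[:2]]

    def undelete(self, dnt):
        row = self.data[dnt]
        if not row["isDeleted"] or row["isRecycled"]:
            raise ValueError(f"DNT {dnt} is not a restorable deleted object")
        row["pdnt"] = row.pop("lastKnownParent")
        row["name"] = row["name"].split("\n", 1)[0]
        row["isDeleted"] = False
        if self.recycle_bin:                   # reactivate the links kept by delete()
            for link in self.links:
                if dnt in link[:2]:
                    link[2] = False
        # Without the Recycle Bin there is nothing left to reactivate: the membership
        # must be restored separately (authoritative restore twice, LDIF, script).

    def members(self, group_dnt):
        """Active forward links of a group, as its member attribute would show them."""
        return sorted(to for frm, to, off in self.links if frm == group_dnt and not off)
```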

Restoring multiple Objects

Deleted Objects container: everything is flat
DN changed, attributes still exist, lastKnownParent is helping
Objects must be reanimated into existing containers
Top-bottom: evaluate lastKnownParent and lastKnownRDN
RDN > 128 chars is truncated

Diagram (© Microsoft): deleting an OU tree and restoring it

Before deletion:
  OU=Finance
    CN=Tom
    CN=Sally
    OU=Admins
      CN=Mark

After deletion, everything sits flat in CN=Deleted Objects:
  CN=Robert\0ADEL:…
  CN=Mark\0ADEL:…
  CN=Tom\0ADEL:…
  CN=Sally\0ADEL:…
  OU=Admins\0ADEL:…
  OU=Finance\0ADEL:...

After the top-bottom undelete:
  OU=Finance
    CN=Tom
    CN=Sally
    OU=Admins
      CN=Mark
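The top-bottom ordering described above, as an added example (not the script from the deck or from the linked blog): it reanimates parents before children using lastKnownParent and msDS-LastKnownRDN. The deleted-object records are constructed sample data in the shape of Get-ADObject -IncludeDeletedObjects output; the GUID suffixes g0..g5 are placeholders.

```python
# Added example: order deleted objects so containers are restored before their
# children. The original name comes from msDS-LastKnownRDN because the deleted RDN
# ("Tom\0ADEL:<GUID>") may be truncated at 128 characters. lastKnownParent has DN
# syntax: while the parent is deleted it points into CN=Deleted Objects (the signal
# that the parent must be restored first), afterwards at the parent's live DN.
DELETED_CONTAINER = "CN=Deleted Objects,DC=xyz,DC=com"

# Constructed sample: OU=Finance (with Tom, Sally, OU=Admins, Mark) and Robert deleted.
DELETED_OBJECTS = [
    {"dn": "CN=Robert\\0ADEL:g0," + DELETED_CONTAINER, "lastKnownRDN": "Robert",
     "lastKnownParent": "CN=Users,DC=xyz,DC=com"},
    {"dn": "CN=Mark\\0ADEL:g4," + DELETED_CONTAINER, "lastKnownRDN": "Mark",
     "lastKnownParent": "OU=Admins\\0ADEL:g3," + DELETED_CONTAINER},
    {"dn": "CN=Tom\\0ADEL:g1," + DELETED_CONTAINER, "lastKnownRDN": "Tom",
     "lastKnownParent": "OU=Finance\\0ADEL:g5," + DELETED_CONTAINER},
    {"dn": "CN=Sally\\0ADEL:g2," + DELETED_CONTAINER, "lastKnownRDN": "Sally",
     "lastKnownParent": "OU=Finance\\0ADEL:g5," + DELETED_CONTAINER},
    {"dn": "OU=Admins\\0ADEL:g3," + DELETED_CONTAINER, "lastKnownRDN": "Admins",
     "lastKnownParent": "OU=Finance\\0ADEL:g5," + DELETED_CONTAINER},
    {"dn": "OU=Finance\\0ADEL:g5," + DELETED_CONTAINER, "lastKnownRDN": "Finance",
     "lastKnownParent": "DC=xyz,DC=com"},
]


def is_deleted(dn):
    return dn.endswith("," + DELETED_CONTAINER)


def restore_order(deleted):
    """Return the live DNs in the order the objects can be reanimated (parents first)."""
    pending = {o["dn"]: dict(o) for o in deleted}
    order = []
    while pending:
        ready = [dn for dn, o in pending.items() if not is_deleted(o["lastKnownParent"])]
        if not ready:   # every remaining parent is deleted but not part of this batch
            raise LookupError("restore the parents first: " + "; ".join(pending))
        for dn in ready:
            obj = pending.pop(dn)
            rdn_type = dn.split("=", 1)[0]                 # CN or OU
            live_dn = f"{rdn_type}={obj['lastKnownRDN']},{obj['lastKnownParent']}"
            order.append(live_dn)
            for child in pending.values():                 # DN-syntax attribute follows the rename
                if child["lastKnownParent"] == dn:
                    child["lastKnownParent"] = live_dn
    return order
```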

Issues and solution paths

Issue                     Operating System Level   Solution Path
DC broken                 any                      Fresh install or rebuild; WS2k3+: Install from Media option
Domain broken             any                      Recover >=1 DC and rebuild the others
Forest broken             any                      Each domain: recover >=1 DC and rebuild the others
Object(s) fully deleted   <=WS2k3R2                Authoritative restore or „Do-It-Yourself“*
                          WS2k8                    Tombstone reanimation + snapshot
                          >=WS2k8R2                Recycle Bin
Object(s) partly deleted  <=WS2k3R2                Authoritative restore or „Do-It-Yourself“*
                          WS2k8+                   Snapshot
Accidental changes        any                      Manual, snapshot or „Do-It-Yourself“*

AD Recycle Bin

Requires forest level Windows Server 2008 R2. New in R2: rollback to 2008 DL/FL is possible as long as the Recycle Bin is not enabled
Optional feature: the Recycle Bin must be enabled; once on, it cannot be turned off
Now you are stuck with your forest level
Make sure that you have a solid state before
Enables fully restoring objects to the state they were in when they were deleted
Additional scripts and data help

New in Windows Server 2012

Active Directory Administrative Center: supports domain- and forest-level upgrade in the GUI; supports enabling the Recycle Bin in the GUI; supports undeleting single objects in the GUI
Undeleting multiple objects still requires a PowerShell script

WS2k8+: Active Directory Snapshots

Create snapshot: ntdsutil.exe -> snapshot -> activate instance ntds -> create
Mount the snapshot in the file system
Expose the snapshot as a read-only directory
Accessing the R/O directory's data:

ntdsutil.exe -> snapshot -> list all -> mount <index> (or mount {GUID})
dsamain.exe -dbpath c:\$snap2007...\ntds.dit -ldapport 10000

Active Directory Users & Computers, LDP, ADSIEdit, dsquery, ... against port 10000

Reanimating Tombstones

Attribute   Tombstone             After reanimation    After repopulating
isDeleted   TRUE                  <not set>            <not set>
rdn         Cn=Ulf\0ADEL:GUID     Cn=Ulf               Cn=Ulf
name        (empty)               (empty)              Ulf B. Simon-Weidner
phone       (empty)               (empty)              +49 (89) 555-1234
memberOf    (empty)               (empty)              ???
email       (empty)               (empty)              [email protected]
SID         S-1-5-21-xx-xx-..     S-1-5-21-xx-xx-..    S-1-5-21-xx-xx-..

Reanimation e.g. with ADRestore, admod, LDP; repopulating manually, by script, LDIF, ...

Virtual DCs, ready for today?

Spread DCs across VM infrastructures
Don't roll back snapshots
Synchronize the right time

"Most of the (forest/domain) recovery scenarios I've seen are caused by virtual environments!" Lingering objects or USN rollbacks are many times caused by virtual environments! "Don't use it? Wrong! Do it right!"

Virtualizing DCs: USN Rollback

DC01 USNs: 2200 2210 2220 2230 2240 2250 2260 2270
DC02 USNs: 1020 1030 1040 1050 1060 1070 1080 1090

DC01 (USN 2220) and DC02 (USN 1040) in sync – DC02 snapshot created
DC01 (USN 2260) in sync with DC02 (USN 1080)
DC02 rolled back to the snapshot at USN 1040
Result: DC01 thinks it has all updates from DC02 up to 1080, however DC02 is at 1040 again: the changes between 1040 and 1080 are not replicated to DC01 (diagram: DC01 / DC02 ?)
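A minimal model of replication high-watermarks that reproduces the scenario above, added here as an example (not code from the deck): the partner remembers the highest USN pulled per source invocationId, so after an unsupported rollback DC02's reused USNs 1041..1080 are never requested, while a supported restore (or, on Windows Server 2012, a detected VM Generation ID change) assigns a new invocationId and the changes flow again. Names and the invocationId handling are the model's assumptions, the USN values are the slide's.

```python
# Added example: why a rolled-back DC's new changes are skipped, and why a new
# invocationId after a supported restore fixes it.
import uuid


class DC:
    def __init__(self, name, usn):
        self.name, self.usn = name, usn
        self.invocation_id = uuid.uuid4()   # identity of this DC's database instance
        self.changes = {}                   # local USN -> change
        self.watermark = {}                 # partner invocationId -> highest USN pulled

    def write(self, what):
        self.usn += 1
        self.changes[self.usn] = what

    def pull_from(self, src):
        """Ask src for everything above our high-watermark for src's invocationId."""
        seen = self.watermark.get(src.invocation_id, 0)
        new = [chg for usn, chg in sorted(src.changes.items()) if usn > seen]
        self.watermark[src.invocation_id] = max(seen, src.usn)
        return new

    def snapshot(self):
        return self.usn, dict(self.changes), self.invocation_id

    def restore(self, snap, supported=False):
        self.usn, changes, self.invocation_id = snap
        self.changes = dict(changes)
        if supported:
            # System State restore / VM-GenID change: a new invocationId makes every
            # partner treat this DC as a new source and drop its old watermark.
            self.invocation_id = uuid.uuid4()


def rollback_scenario(supported_restore):
    """Return (number of post-rollback changes DC01 receives, DC02's final USN)."""
    dc01, dc02 = DC("DC01", 2220), DC("DC02", 1040)
    dc01.pull_from(dc02)                      # in sync; DC02 snapshot created
    snap = dc02.snapshot()
    for _ in range(40):                       # DC02 advances to USN 1080 ...
        dc02.write("change before rollback")
    dc01.pull_from(dc02)                      # ... and DC01 has seen everything up to 1080
    dc02.restore(snap, supported_restore)     # DC02 rolled back to USN 1040
    for _ in range(40):                       # DC02 reuses USNs 1041..1080 for new changes
        dc02.write("change after rollback")
    return len(dc01.pull_from(dc02)), dc02.usn
```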

Virtualizing DCs in Windows Server 2012

Domain controllers recognize when they are being rolled back
DCs take the same action as after a supported System State restore and reinitialize their replication agreements
Requirements: the VM host must support the „VM Generation Identifier“ (e.g. Hyper-V 3.0); the VM guest (= DC) must support the feature (Windows Server 2012)

Best practices: prevention of errors and preparing for recovery

Preventing human errors

DELEGATE!!! If somehow possible, delegate permissions
Avoid using built-in groups, especially Account Operators
Delegate Domain Admins if possible
Tools are helping

Preventing accidental deletions

In Windows Server 2008 (and R2): protect OUs from accidental deletion (GUI). Migrated? Use PowerShell:

get-ADOrganizationalUnit -filter * | set-ADOrganizationalUnit -protectedFromAccidentalDeletion $true

Can (and should) be done in W2k(3) „manually“: DENY Delete & Delete Subtree for Everyone on all OUs:

for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT

Suggestion: change the default security descriptor of OUs to ensure that delegated admins and older tools "inherit" the default

Preparation: Backup

It is very important to back up the right data: System State (at least); list of objects (distinguishedNames); GPOs (contents); GPO links
Optionally: maintain versions of the backup. Optionally: keep AD snapshots

Windows Backup

System State Backup: the data which is needed to restore the DC over an existing OS. WS2k8 only: the System State backup needs to be done via the command line
Critical Volume Backup: on „dedicated DCs“ usually just 15% more; enables Bare Metal Restore. If incremental backups are used, don't forget to also create full backups regularly

Needs to be installed:

powershell.exe -command "&{import-module ServerManager; add-windowsfeature Backup}"

Lists of objects

GPO links and their options, of the domain and of the sites:

ldifde -f c:\Backupdata\DomainGpoLinks.ldf -r "(gplink=*)" -l gplink,gpoptions
ldifde -f c:\Backupdata\SiteGpoLinks.ldf -d cn=configuration,dc=… -r "(gplink=*)" -l gplink,gpoptions

All distinguished names (for authoritative restore):

dsquery * domainroot -scope subtree -attr modifytimestamp distinguishedname -limit 0 > c:\backupdata\objlist.txt

All GPOs (requires BackupAllGPOs.wsf and Lib_CommonGPMCFunctions.js from the GPMC scripts):

cscript e:\scripts\BackupAllGPOs.wsf c:\BackupData

Create Backup / Snapshots

Create the backup in the script:

wbadmin.exe START BACKUP -backupTarget:%TargetUNC% -allCritical -include:c:,e: -noVerify -vssFull -quiet

Create AD snapshots:

ntdsutil.exe snapshot "activate instance ntds" create quit quit

Maintain Versions

How many backups should be kept at the UNC?

set Backup2Keep=10
SETLOCAL ENABLEDELAYEDEXPANSION
set count=0
REM newest backup folders first; keep the first %Backup2Keep%, delete the rest
for /f "tokens=*" %%i in ('dir /o:-d /b %TargetUNC%\WindowsImageBackup\%computername%\backup*.') do (
  set /a count=!count! + 1
  if !count! GTR %Backup2Keep% (
    echo DELETE !count!: %%i
    rd /s /q "%TargetUNC%\WindowsImageBackup\%computername%\%%i"
  ) else (
    echo MAINTAIN !count!: %%i
  )
)

Works against local or remote (UNC) repositories, even SMB filers ;)

Consider additional technologies

Snapshots as additions: enable „Versions“; can be used in Quest's AD Recovery Manager
Should be „managed“: VSS only assures that the „volume“ of recent snapshots is kept; they grow over time; the DIT itself might be small
What we do: configure how many snapshots are kept fully; copy the DIT out of the snapshot to a repository; configure how many DITs are kept; delete old snapshots / DITs

Issues and solution paths (the deck repeats here the table shown above under „Issues and solution paths“)

Restore Deleted Objects (and their Links)

Find deleted objects

Recycle Bin

Enable the Recycle Bin:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name

Find and restore single objects:

Get-ADObject -LDAPFilter '(&(name=Ulf*)(isDeleted=*))' -IncludeDeletedObjects
… | Restore-ADObject

Restore tree: leverage the script from http://blogs.msdn.com/adpowershell/archive/2009/06/01/inspecting-deleted-objects-before-restore.aspx

Export from a mounted snapshot (port) and import into the live directory:

ldifde -r "(name=)" -m -f filename.ldf -p port
ldifde -i -z -f input.ldf

Restoring Object Data

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: modify
replace: cn
cn: User_Marketing
-

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: modify
replace: sn
sn: Marketing
-

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: modify
replace: c
c: DE
-

# an add record also needs objectClass and the other mandatory attributes to import
dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: add
cn: User_Marketing
sn: Marketing
c: DE
l: Hometown
title: Worker-Bee

Different Scenarios

Specific attributes, specific objects, objects underneath a specific OU:

ldifde -d "ou=Demo,dc=…" -m -f filename.ldf -p port
ldifde -d "ou=Demo,dc=…" -r "(objectClass=User)" -f filename.ldf -p port
ldifde -d "ou=demo,dc=…" -l "physicalDeliveryOfficeName,telephoneNumber" -f filename.ldf -p port

Restoring Links

dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof | dsmod group -addmbr cn=Ulf,ou=Demo,dc=xyz,dc=com

Forward link in the restored object: will be recovered if the target is there; read it from the snapshot and update
Backlink in the restored object: update the object holding the forward link, e.g. update each group found in memberOf with the recovered object
Multi-domain: run this procedure against a GC (recovered or snapshot) in every domain
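The "script if diff. version" step for both the object data (LDIF section above) and the links: an added example, not a script from the deck, that diffs an object as exported from the mounted snapshot against its live state and emits ldifde -i change records. Ordinary attributes become "replace:" changes on the object; the backlinks memberOf and directReports are not writable, so they become changes on the objects holding the forward link (member, manager), which is what the dsget | dsmod one-liner above does for groups. The two records are constructed sample data.

```python
# Added example: LDIF that brings a restored object back to its snapshot state.
# backlink on the restored object -> (forward link attribute on the other object, LDIF op)
BACKLINKS = {"memberOf": ("member", "add"),        # member is multi-valued: add
             "directReports": ("manager", "replace")}  # manager is single-valued: replace

SNAPSHOT = {  # constructed: the object as exported with ldifde -p <snapshot port>
    "sn": "Marketing", "c": "DE", "l": "Hometown", "title": "Worker-Bee",
    "memberOf": ["CN=Marketing,OU=Demo,DC=xyz,DC=com",
                 "CN=Consulting,CN=Users,DC=xyz,DC=com"],
}
LIVE = {      # constructed: the same object after reanimation / partial repopulation
    "sn": "Marketing", "c": "US", "l": "Hometown",
    "memberOf": ["CN=Marketing,OU=Demo,DC=xyz,DC=com"],
}


def _values(v):
    return sorted(v) if isinstance(v, list) else [v]


def ldif_records(dn, snapshot, live):
    """Return LDIF change records (ldifde -i format) restoring dn to its snapshot state."""
    records, mods = [], []
    for attr, wanted in snapshot.items():
        if attr in BACKLINKS:                      # not writable on this object
            continue
        if _values(wanted) != _values(live.get(attr, [])):
            lines = "".join(f"{attr}: {v}\n" for v in _values(wanted))
            mods.append(f"replace: {attr}\n{lines}-\n")
    if mods:
        records.append(f"dn: {dn}\nchangetype: modify\n" + "".join(mods))
    for backlink, (forward, op) in BACKLINKS.items():
        missing = set(snapshot.get(backlink, [])) - set(live.get(backlink, []))
        for holder in sorted(missing):             # write the forward link on the other object
            records.append(f"dn: {holder}\nchangetype: modify\n"
                           f"{op}: {forward}\n{forward}: {dn}\n-\n")
    return records


def ldif_text(dn, snapshot, live):
    """Records separated by blank lines, ready for ldifde -i -f <file>."""
    return "\n".join(ldif_records(dn, snapshot, live))
```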

Ways to get data

Recycle Bin: available if all DCs are WS2k8R2 or higher
Snapshots: available if one DC (per domain) is WS2k8+
W2k(3): backups also create a consistent state of the DIT
WS2k3 DITs and higher can be mounted with dsamain (-allowUpgrade)
WS2k8 without DC role (member or stand-alone) can mount DITs: AD binaries or AD LDS
Windows 7/8: AD LDS for Win7 brings dsamain

Strategy for Versioning / Online Recovery

OS                  Source             Get Data            Prepare Target Object    Write Data                Fix Links
WS2012              Backup / Snapshot  Database mounting   Recycle Bin              Script if diff. version   Script if diff. version
WS2k8R2 (Versions)  Backup / Snapshot  Database mounting   Recycle Bin              Script if diff. version   Script if diff. version
WS2k8               Backup / Snapshot  Database mounting   Tombstone reanimation    Script                    Script
WS2k3(R2)           Backup             Database mounting   Tombstone reanimation    Script                    Script
W2k                 Backup             Offline DC          (Tombstone reanimation)  Script                    Script

One policy for: DCs_which_are_backed_up; DCs_which_maintain_snapshots (create and manage); All_DCs, to synchronize the NTDS password

Deploy your Backup Strategy

Create a policy which creates the folders, copies the files needed and creates the scheduled task
Group Policy Preferences in WS2k8R2:

Additional

Prepare RDP for Directory Services Restore Mode: RDP into the machine, change the default boot option, reboot, RDP into DSRM

REM copy the current boot entry; %i is the GUID bcdedit prints for the new entry
bcdedit /copy {current} /d "<description>"
bcdedit /set {%i} safeboot dsrepair

Sync the DSRM password: use a deactivated domain account, set its password regularly, and schedule the following command line on all DCs (via GPO):

ntdsutil "set dsrm password" "sync from domain account xyz" q q

Get your data up-to-date after the restore

Windows Server 2008+: auditing of object changes

auditpol /get /category:"DS Access"
auditpol /set /subcategory:"Directory Service Changes" /success:enable

Documented changes are helping
Maybe an ntds.dit of the faulty state; use the AD Snapshot Browser
Link-Value Replication also helps (if the domain is at Windows Server 2003 level and the group was edited afterwards)

Extending the Management Interfaces

Active Directory Administrative Center: registering legacy tabs for objects is possible; extending the context menu is not possible
Active Directory Users and Computers: both options are still possible

Consider DC cloning for recovery in Windows Server 2012

Diagram: the first DC (DC01) is recovered from backup; the additional DCs are deployed using cloning

Customer: store infrastructure as a managed service

Think beyond

One company manages 5000 separate, single-domain forests via slow lines
Data needs to stay on decentral premises
Minimum infrastructure / storage, regular backup to large
1 DC + clients, quite at physical risk of being stolen

Single-DC-Restore

Task: how to restore an AD without using large backups?
Known AD and OU structure which is installed automatically
Create a dump of all users and groups with minimum information (the import would create them)
Create a dump of all users and groups with all information (the import will modify attributes)
Create a list of all computers
Create a list of all users/groups and their SIDs

To restore:
During installation of AD, the server recognizes that it is being rebuilt
Creates the minimum users and groups from the script
Modifies all writeable attributes of users and groups (incl. links)
Adds the new SIDs to the list of users/groups next to the old SID
Re-ACL: change all permissions from old SID to new SID
Rejoin computers to the domain (netdom + re-ACL)

The Evolution of Active Directory Recovery

Operating System           AD Recovery Feature
Windows 2000               Authoritative Restore
                           System State Backup and Restore
                           Metadata cleanup (ntdsutil)
Windows Server 2003        Link-Value Replication
                           Group Policy Management Console
                           Individual backup/restore of GPOs
Windows Server 2003 SP1    Maintain SID history in tombstone
                           Increase tombstone lifetime (180 days)
                           LDIF files in ntdsutil to restore links
                           Install from Media
Windows Server 2003 R2     w/o SP2: tombstone lifetime accidentally 60 days again
Windows Server 2008        Active Directory Snapshots
                           Windows Server Backup (System State via CMD)
                           Synchronize DSRM password
                           Metadata cleanup (AD Users and Computers)
                           Active Directory change auditing
Windows Server 2008 R2     Active Directory Recycle Bin
                           Windows Server Backup (System State via GUI)

Related Content

Breakout Sessions: SIA313 (2:45 S220A); review sessions you missed online
Hands-on Labs: SIA11-HOL, SIA21-HOL, WSV44-HOL
Related Certification Exam: (70-410 + 70-411 + 70-412) or 70-416 (available later this year)
Find Me Later: Q&A after the session, www.msmvps.com/UlfBSimonWeidner


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.