How to Protect Active Directory

As I am sure you are aware, for any Microsoft-based system Active Directory is at the heart of it. If it gets corrupted, or you accidentally delete an object, you need to be able to get it back, or you have a real issue on your hands.

Active Directory is a replicated directory, and any Windows Server you make a domain controller will hold a copy of the directory (or a portion of it). Without getting into the ins and outs of Active Directory design, the easiest way to protect your AD infrastructure is to promote a second Windows Server to a Domain Controller: if one server goes down, your clients' directory requests will be handled by the other Domain Controller.

Now that is all fine if a server fails, but what happens if you delete an object in AD, or have some sort of corruption in AD, and that change gets replicated to all your other Domain Controllers? You need to get this object back, so what are your options?

The actual Active Directory files/database are stored in the %SystemRoot%\NTDS folder; Active Directory also uses the SYSVOL folder to replicate Group Policy and logon scripts. The Active Directory database is called ntds.dit, and alongside this file there are the following files, all created when you promote a server to a Domain Controller.

1. edb.log: when a transaction is performed against the AD database, such as writing some data, the change is first written to this log file and then committed to the database. System performance therefore depends on how quickly data from edb.log is written to ntds.dit.
2. res1.log: reserves 10 MB of space so that if the drive AD sits on runs low on space, AD still has room to complete its in-flight transactions, preventing the corruption that running out of disk space would otherwise cause.
3. res2.log: same as res1.log; it is also 10 MB in size and serves the same purpose.
4. edb.chk: the checkpoint file, which records which transactions from the log have been committed to the database. During a clean shutdown a shutdown record is written to this file; if it is not found when the system reboots, the AD database checks edb.log for transactions that still need to be replayed.
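As an added example (not part of the original post), the PowerShell below reads where this Domain Controller actually keeps ntds.dit and its log files, lists the files described above, and warns when the volume holding them is running low on space. It assumes it is run as an administrator on a Domain Controller; the 2 GB free-space threshold is an assumed value, not a Microsoft recommendation.

```powershell
# Added example (not from the original post): report the NTDS database and log
# locations from the registry, list the files, and warn on low free space.
# Run on a Domain Controller as an administrator.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p = Get-ItemProperty -Path $ntdsParams

$dbFile  = $p.'DSA Database file'         # full path to ntds.dit
$logPath = $p.'Database log files path'   # folder holding edb.log, edb.chk and the reserve files

"Database : $dbFile"
"Log path : $logPath"

# Both default to %SystemRoot%\NTDS, but they can be moved after promotion,
# so read the registry rather than assuming the path.
$dirs = @((Split-Path $dbFile -Parent), $logPath) | Sort-Object -Unique
foreach ($d in $dirs) {
    "Files in $d"
    Get-ChildItem -Path $d -File |
        Select-Object Name, @{n='SizeMB'; e={ [math]::Round($_.Length / 1MB, 1) }}, LastWriteTime |
        Format-Table -AutoSize
}

# res1.log/res2.log (edbres*.jrs on newer versions) only give the database
# engine a few MB of headroom; they are a safety net, not a substitute for
# monitoring free space on the volume. Threshold below is an assumed value.
$minFreeBytes = 2GB
foreach ($d in $dirs) {
    $driveLetter = (Split-Path $d -Qualifier).TrimEnd(':')
    $drive  = Get-PSDrive -Name $driveLetter
    $freeGB = [math]::Round($drive.Free / 1GB, 1)
    if ($drive.Free -lt $minFreeBytes) {
        Write-Warning "Volume $driveLetter`: holding $d has only $freeGB GB free; AD may be unable to commit transactions."
    } else {
        "Volume $driveLetter`: holding $d has $freeGB GB free."
    }
}
```

Running this periodically (or wiring the warning into your monitoring) catches the "disk full" corruption scenario the reserve files exist to soften, before the reserve is ever needed.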

Tombstone Reanimation
This option first appeared in Windows 2003. When you delete an object in AD it is not immediately removed; it becomes a deleted object, also known as a tombstone. AD does not keep these tombstones around for ever; the default is 60 days. You can use various tools to recover these tombstones, and the advantage is that if you want to "reanimate" a tombstone you do not have to take the Domain Controller offline.

Active Directory Recycle Bin
By default this option is disabled, and to enable it you need to:
1. Run Adprep to update your Active Directory schema with the necessary Active Directory Recycle Bin attributes.
2. Make sure that all domain controllers in your Active Directory forest are running Windows Server 2008 R2.
3. Raise the functional level of your Active Directory forest to Windows Server 2008 R2.
So if you have any 2003 servers hanging about, this isn't going to work for you.

If you are on Windows 2008 R2 you need to use PowerShell to recover from the Recycle Bin. The good news is that in Windows 2012 you get a GUI, but you still need to remember to enable the feature for it to be any use to you.
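The tombstone and Recycle Bin sections above come together in the following added example (not part of the original post): it checks the forest functional level and the tombstone lifetime, enables the Recycle Bin if it is not already on, lists the deleted objects currently held in the Deleted Objects container, and restores one of them. It assumes the ActiveDirectory PowerShell module and Enterprise Admin rights; the user "jsmith" is a hypothetical account.

```powershell
# Added example (not from the original post): Recycle Bin prerequisites,
# enabling the feature, and finding/restoring deleted objects.
# Assumes the ActiveDirectory module (RSAT) and Enterprise Admin rights.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Prerequisite: forest functional level Windows Server 2008 R2 or higher.
"Forest functional level: $($forest.ForestMode)"

# The tombstone lifetime lives on the Directory Service object in the
# configuration partition. An empty value means the built-in default applies.
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
Get-ADObject -Identity $dsObject -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime' |
    Select-Object tombstoneLifetime, 'msDS-DeletedObjectLifetime'

# Is the Recycle Bin already enabled? EnabledScopes stays empty until it is.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    # One-way operation: once enabled, the Recycle Bin cannot be disabled again.
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# Deleted objects are hidden from normal queries; -IncludeDeletedObjects makes
# them visible. The filter skips the Deleted Objects container itself.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
    Select-Object Name, ObjectClass, whenChanged, lastKnownParent |
    Format-Table -AutoSize

# Restore a specific deleted user (hypothetical "jsmith") to its original
# container. With the Recycle Bin enabled the object comes back with all of
# its attributes and group memberships; a plain tombstone only retains a
# handful of attributes, so the rest has to be re-created by hand.
Get-ADObject -Filter 'sAMAccountName -eq "jsmith" -and isDeleted -eq $true' -IncludeDeletedObjects |
    Restore-ADObject
```

None of this requires taking the Domain Controller offline, which is the point the tombstone section makes; the difference the Recycle Bin makes is how much of the object survives the deletion.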

AD Snapshots
Starting with Windows 2008 you can take a snapshot of the volume the AD files sit on. If you take a snapshot and then delete an object, that object will still be present in the snapshot. You can then mount the snapshot, without needing to start the server in Directory Services Restore Mode, and see how Active Directory looked when the snapshot was taken.
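The snapshot workflow described above, as an added example (not part of the original post): create a snapshot with ntdsutil, mount it, expose the mounted copy of ntds.dit as a read-only LDAP instance on a side port with dsamain, query it with the normal AD cmdlets, then tear it down. It assumes an administrator session on a Domain Controller; the mount path shown is a placeholder (ntdsutil prints the real one), port 10389 and the user "jsmith" are assumed values.

```powershell
# Added example (not from the original post): snapshot, mount, browse, unmount.
# Run as an administrator on a Domain Controller.

# 1. Create a snapshot of the volume(s) holding ntds.dit and the logs.
ntdsutil "activate instance ntds" snapshot create quit quit

# 2. List snapshots and mount the first one. ntdsutil prints the mount point
#    (something like C:\$SNAP_<timestamp>_VOLUMEC$\); the path below is a
#    placeholder, replace it with the one printed.
ntdsutil snapshot "list all" "mount 1" quit quit
$mountPoint = 'C:\$SNAP_PLACEHOLDER_VOLUMEC$'

# 3. Serve the snapshot's copy of the database on a side port. This touches
#    neither the live directory nor DSRM. dsamain blocks while serving, so it
#    is started in its own process.
$dbPath  = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process dsamain -ArgumentList "-dbpath `"$dbPath`" -ldapport 10389" -PassThru

# 4. Query the snapshot by pointing -Server at the side port. An object that
#    existed at snapshot time shows up here even if it has since been deleted
#    from the live directory, so its attributes can be read back.
Import-Module ActiveDirectory
Get-ADUser -Filter 'sAMAccountName -eq "jsmith"' -Server 'localhost:10389' -Properties memberOf

# 5. Tear down: stop dsamain and unmount the snapshot.
Stop-Process -Id $dsamain.Id
ntdsutil snapshot "list all" "unmount 1" quit quit
```

The mounted instance is a view, not a restore: it lets you compare the object as it was with what is in the live directory, and copy attribute values across, without any of the replication implications of an authoritative restore.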

The last way to protect AD is to back it up using whatever program you have chosen to protect your environment. This is usually done by ensuring you have included the System State in your backup selection.

The System State contains the following:
System Registry
COM+ Database
Certificate Services
Active Directory
IIS Metabase
In the event of a failure, follow your backup provider's documentation on how to do a restore.

It is probably worth covering a bit about restoring AD: because it is a distributed database, you need to be careful about how you restore the AD data.
There are two types of restore:
1. Authoritative restore
2. Non-authoritative restore

1. Authoritative restore
If you are doing an authoritative restore, you are pretty much saying "I've deleted something and I want it back. I don't care if the other Domain Controllers think this object is deleted, I am restoring it." The restored object is then replicated back out to the other Domain Controllers.
2. Non-authoritative restore
Generally, if you are restoring a DC this restores AD on that server only; it then asks the other Domain Controllers for all the changes made since the backup, so a deletion that has already replicated comes right back with them.
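The backup and the two restore types above, as an added example (not part of the original post) using the Windows Server Backup command line and ntdsutil. The commands are meant to be run in order across the two boot stages, not as a single script, since two of them reboot the server. The backup target E:, the backup version identifier, and the object DNs are placeholders; the Windows Server Backup feature is assumed to be installed.

```powershell
# Added example (not from the original post): System State backup, then the
# restore steps taken in Directory Services Restore Mode (DSRM).
# Placeholders: target drive E:, backup version, user/OU DNs.

# --- Backup (run on a live DC) ---
# The System State set covers the registry, COM+ database, Active Directory
# (ntds.dit and SYSVOL), and Certificate Services / IIS metabase when those
# roles are installed.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Record the available versions; a restore needs one of these identifiers.
wbadmin get versions -backupTarget:E:

# --- Restore, stage 1: boot into DSRM ---
bcdedit /set safeboot dsrepair
Restart-Computer

# --- Restore, stage 2: in DSRM ---
# Non-authoritative restore: puts the backup copy of AD back on THIS DC only.
# After a normal reboot, replication pulls every later change from the other
# DCs, so a deletion that already replicated is re-applied here too.
wbadmin start systemstaterecovery -version:MM/DD/YYYY-HH:MM -backupTarget:E: -quiet

# To bring a deleted object back forest-wide, mark it authoritative BEFORE the
# normal reboot. ntdsutil raises the object's version numbers so this copy
# wins replication against the tombstone held by every other DC.
ntdsutil "activate instance ntds" "authoritative restore" `
    'restore object "CN=jsmith,OU=Users,DC=example,DC=com"' quit quit

# Whole-OU variant (placeholder DN):
# ntdsutil "activate instance ntds" "authoritative restore" `
#     'restore subtree "OU=Users,DC=example,DC=com"' quit quit

# --- Restore, stage 3: back to normal mode ---
bcdedit /deletevalue safeboot
Restart-Computer
```

Keep the authoritative step as narrow as possible (one object or one OU rather than the whole database): everything marked authoritative overwrites the current copy on every other Domain Controller, including legitimate changes made after the backup.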

I hope this gives you an overview of what you can do to protect AD in your environment and how to get objects back. I haven't gone into the specifics of how to restore the objects, but this gives you a starting point.

Let me know what you want in more detail; I plan to add details/videos of how to do these restores in time.
