Active Directory Disaster Recovery -- Table of Contents -- Active Directory Disaster Recovery -- Credits -- About the Author -- About the Reviewers -- Preface -- What This Book Covers -- What you need for this book -- Conventions -- Reader Feedback -- Customer Support -- Errata -- Questions -- 1. An Overview of Active Directory Disaster Recovery -- What is Disaster Recovery? -- Why is Disaster Recovery Needed? -- Conventions Used in This Book -- Disaster Recovery for Active Directory -- Disaster Types and Scenarios Covered by This Book -- Recovery of Deleted Objects -- Single DC Hardware Failure -- Single DC AD Corruption -- Site AD Corruption -- Corporate (Complete) AD Corruption -- Complete Site Hardware Failure -- Corporate (Complete) Hardware Failure -- Summary -- 2. Active Directory Design Principles -- Active Directory Elements -- The Active Directory Forest -- The Active Directory Tree -- Organizational Units and Leaf Objects -- Active Directory Sites -- Group Policy Objects -- Domain Design: Single Forest, Single Domain, and Star Shaped -- Domain Design: Single Forest, Single Domain, Empty Root, Star Shaped -- Domain Design: Multi-Domain Forest -- Domain Design: Multi-Forest -- LRS - Lag Replication Site -- Design Your Active Directory -- Checklist When Designing a New AD -- Checklist When Finalizing the Design or When Migrating to an AD -- Naming Standards -- Username and Service Account Naming -- Group Policy Naming -- Design with Scalability in Mind -- Flexible Single Master Operation Roles (FSMO) -- Relative ID Master (RID Master) -- Infrastructure Manager -- PDC Emulator -- Schema Master -- Domain Naming Master -- Migration from Other Authentication Services -- Keeping Up-To-Date and Safe -- Documentation -- Backups -- Summary -- 3. Design and Implement a Disaster Recovery Plan for Your Organization.

Analyze the Risks, Threats, and the Ways to Mitigate -- The Two-Part, 10 Step Implementation Guide -- General Steps -- Active Directory oriented Steps -- Part One: The Steps for General Implementation -- Calculate and Analyze -- Create a Business Continuity Plan -- Present it to the Management (Part 1 and 2) -- Define Roles and Responsibilities -- Train the Staff for DR -- Steps that Need to be Completed During Testing: -- Test Your DRP Frequently -- Part Two: Implementing a Disaster Recovery Plan for AD -- Writing is Not All -- Ensure that Everyone is Aware of Locations of the DRP -- Define the Order of Restoration for Different Systems (Root First in Hub Site, then Add One Server etc.) -- Go back to "Presentation to Management" -- Summary -- 4. Strengthening AD to Increase Resilience -- Baseline Security -- Domain Policy -- Domain Controller Security Policy -- Securing Your DNS Configuration -- Secure Updates -- Split Zone DNS -- Active Directory Integrated Zones -- Configuring DNS for Failover -- DHCP within AD -- Tight User Controls and Delegation -- Proper User Delegation -- Group Full control -- Group with Less Control -- Group to Allow Password Resets -- Central Logging -- Proper Change Management -- Virtualization and Lag Sites -- Resource Assignment -- Backups and Snapshots -- Deployment -- Sites and Services Explained -- Creating Sites, Subnets, and Site Links -- Setting Replication Schedules and Costs -- Cost -- Scheduling -- Site Scheduling -- Link Scheduling -- Lag Sites and Warm Sites -- Configuring a Lag Site -- Creating, Configuring and Using a Warm Site -- Summary -- 5. Active Directory Failure On a Single Domain Controller -- Problems and Symptoms -- Symptoms -- Causes -- Solution Process -- Solution Details -- Verification of Corruption -- Tools for Verification -- ReplMon -- DCDiag -- NetDiag and DNSDiag -- Sonar.

Options to Recover and Stop the Spread of Corruption -- Non-Authoritative and Authoritative Restore -- Option One: Restoring AD from a Backup -- No Physical Access to the Machine -- Restoring from a Backup -- Option Two: Replication -- Option Three: Rebuild DC with Install from Media -- Summary -- 6. Recovery of a Single Failed Domain Controller -- Problems and Symptoms -- Causes -- Solution Process -- Solution Details -- Cleaning of Active Directory before Recovery Starts -- Active Directory Deletion of Old Domain Controller Records -- Introducing ntdsutil.exe -- Removal Procedure -- DNS and Graphical Actions Needed to Complete the Process -- Recovery of the Failed DC -- Summary -- 7. Recovery of Lost or Deleted Users and Objects -- Problems and Symptoms -- Causes -- Solution Process -- Phantom Objects -- Tombstones -- Increase the Tombstone Lifetime -- Lingering Objects -- Prerequisites -- Scenario -- Method One: Recovery of Deleted or Lost Objects with Enhanced NTDSutil -- Method Two: Recovery of Deleted or Lost Objects with Double Restore -- Method Three: Recovery of Deleted or Lost Objects Done Manually -- GPO Recovery -- Backing Up Using the GPMC -- Restore Using the GPMC -- If You do not have the GPMC... -- Summary -- 8. Complete Active Directory Failure -- Scenario -- Causes -- Recovery Process -- Part One: Restore the First DC of Your Root or Primary Domain -- Step One: Restoring the AD Data -- Step Two: Recovering DNS Services -- Step Three: Changing Global Catalog Flags -- Step Four: Raise the RID Pool Value by 100,000 -- Step Five: Seize All FSMO Roles -- Step Six: Clean Up the Metadata of All Old DCs -- Step Seven: Reset the Computer Account and krbtgt Password -- Step 8: Reset the Trust Passwords -- Part Two: Restore the First DC in Each of the Remaining Domains -- Part Three: Enable the DC in the Root Domain to be a Global Catalog.

Part Four: Recover Additional DCs in the Forest by Installing Active Directory -- Post Recovery Steps -- Summary -- 9. Site AD Infrastructure Failure (Hardware) -- Scenario -- Causes -- Recovery Process -- Considerations: Different Hardware and Bare Metal -- Considerations: Software -- Restore Process -- Step One: System and System State -- Step Two: Restoring -- Step Three: Additional DCs -- Step Four: Trusts -- Step Five: Replicate -- Virtual Environments -- Summary -- 10. Common Recovery Tools Explained -- Software for Your DCs and Administration -- Windows Support Tools -- Windows Resource Kit Tools -- Adminpack for Windows XP/Vista Clients -- Diagnosing and Troubleshooting Tools -- DcDiag -- NetDiag -- Monitoring with Sonar and Ultrasound -- Introducing Sonar -- Introducing Ultrasound -- Details -- Alert History -- Summary and Advanced Tabs -- Summary -- A. Sample Business Continuity Plan -- Nailcorp Business Continuity Plan -- PURPOSE -- Description of the Service -- SCOPE -- Responsibilities and Roles -- OBJECTIVES -- What we are trying to achieve with this document is: -- COMMUNICATIONS -- CALL TREE -- Disaster declaration criteria for Active Directory service -- Functional restoration -- Recovery site(s) -- Necessary alternative site materials -- TECHNICAL RECOVERY STEPS TO RECOVER A FAILED DC -- 1. Functional Restoration of a Domain Controller -- 1.1. Single DC Failure - DC Recovery with same name -- 1.1.1. Seize FSMO roles -- 1.1.2. Clean Active Directory of old records -- 1.1.3. Install new DC Hardware and OS -- 1.1.4. Promote DC and verify replication -- 1.1.4.1 Recover DC if no network connection is available. -- 1.1.5. Delegate FSMO Roles -- APPENDICES -- Active Directory Service and support personnel -- Support documentation for the application/service attached to this plan -- Shared Contacts -- Damage Assessment Forms -- GLOSSARY.

B. Bibliography -- Chapter 1 -- Chapter 2 -- Chapter 3 -- Chapter 4 -- Chapter 5 -- Chapter 6 -- Chapter 7 -- Chapter 8 -- Chapter 9 -- Chapter 10 -- Appendix -- Index.