Active Directory - Disaster Recovery

  • Active Directory - Disaster Recovery

    Hi All

    I am tasked with creating a DR solution for an organisation I am working for and could do with your help. I have done AD recovery solutions in the past for other companies but this one wants to do it a little different which is why I am hoping you guys might have some ideas.

    They have a production network with a DC housing all the FSMO roles and GC. Fairly straightforward. What they want is a warm DR setup, effectively meaning all the servers are switched on and ready to go with the same names (on a separate network).

    Currently the way this is done is that one of the mirrored disks from the production DC is pulled and replaced with a blank. The one that was pulled is then inserted into the DR DC and hey presto you have a fully working copy of the production DC.

    The problem that is posed by this is that because this DR DC is sat in a separate network with no connection to the production network, any changes in AD aren't replicated (between now and the next disk pull, that is). A bigger, more worrying problem is that the servers connected to the DR DC "disjoin" from the domain as eventually the Trusted Domain Objects (the servers) computer account passwords expire and/or are out of step.

    My question is, does anyone know how we can get around this or have any suggestions for a better setup?
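The two failure modes described above (a DR DC that never replicates and member servers whose machine-account passwords drift out of step with the copy that will replace it) can be measured rather than waited for. The following PowerShell is an added example written for this thread, not code from any of the posters; the DC name is a placeholder and the ActiveDirectory module (Windows Server 2012 or later RSAT) is assumed.

```powershell
# Added example (not from the thread): measure how far an isolated "warm" DR domain
# controller has drifted. Requires the ActiveDirectory PowerShell module (2012+ RSAT);
# the DC name is a placeholder.
Import-Module ActiveDirectory

$DrDc = 'DRDC01.corp.example'   # placeholder: the DR DC cloned from the production disk

# 1. Tombstone lifetime. It is stored on the Directory Service object in the Configuration
#    partition; when the attribute is absent Windows uses the forest default
#    (60 days for forests built before Windows Server 2003 SP1, 180 days afterwards).
$rootDse  = Get-ADRootDSE -Server $DrDc
$dsObject = Get-ADObject -Server $DrDc -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tombstoneDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

# 2. Last successful inbound replication on the DR DC. For a disk pulled out of a mirror
#    this is effectively the date of the disk pull, since nothing has replicated since.
$lastSuccess = Get-ADReplicationPartnerMetadata -Target $DrDc -Scope Server |
    Sort-Object LastReplicationSuccess -Descending |
    Select-Object -First 1 -ExpandProperty LastReplicationSuccess
if (-not $lastSuccess) { throw "$DrDc reports no replication partners; cannot judge its age." }
$daysSilent = [int]((Get-Date) - $lastSuccess).TotalDays

if ($daysSilent -ge $tombstoneDays) {
    Write-Warning "$DrDc has not replicated for $daysSilent days, past the $tombstoneDays-day tombstone lifetime: reconnecting it would reintroduce lingering objects."
} else {
    Write-Host "$DrDc last replicated $daysSilent days ago; $($tombstoneDays - $daysSilent) days remain before tombstone lifetime."
}

# 3. Computer accounts whose secure-channel password was rotated against the DR DC after
#    the disk pull. Members rotate every 30 days by default; the production copy never
#    learns these new passwords, so when the next pulled disk replaces this database
#    those servers are the ones that will "disjoin".
$cutoff = $lastSuccess.ToFileTime()
Get-ADComputer -Server $DrDc -Filter { pwdLastSet -gt $cutoff } -Properties pwdLastSet |
    Select-Object Name, @{ n = 'PasswordRotated'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } } |
    Sort-Object PasswordRotated |
    Format-Table -AutoSize
```

Run it against the DR DC from a management host on the DR network. The third section is the useful one for the original question: every server it lists holds a password the production database does not know, and resetting those accounts (or avoiding the disk-swap design altogether) is what keeps them joined.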

  • #2
    Re: Active Directory - Disaster Recovery

    Sorry, this is not called a warm DR, this is called freezing cold, nearly 0 degrees Kelvin DR.
    It gets even worse.
    The DC would be offline past its tombstone lifetime and you will have lingering objects.
    And if you think this is bad, it becomes even worse: what about once you need to operate that DR of yours? How much AD stuff would you lose!!??

    All kinds of changes you had made in the AD would reverse, and God help you remembering what the changes were that you now have to repair.

    Users would stop working, permissions are lost, mailboxes might no longer be available for some users and God knows what else.
    You might find yourself better off building a new AD rather than trying to repair your old AD (that is already too much of a scenario... but you get my point).

    I don't know who in your company thought of that idea, but you as the IT guy have the responsibility of talking them out of this method of DR; it is a faulty way of thinking from the beginning.

    Start with that question (ask them): why in the name of God do they need the exact DC in the DR? Don't they just need a working AD?

    If they convince you that they need the same DC, then a backup and restore is your option. I personally wouldn't go for that option since in the MS KB they state that once you restore the DC on dissimilar hardware it shall be used temporarily until you promote another DC which was a clean installation, replacing the restored one.

    The best DR you should be thinking of, and that would be your task convincing them, is having another DC on a remote site living happily with its fellow DC, chatting
    with each other and sharing experiences together... well you get my point, and if something does happen to the site you've got a perfectly working DC to start with.

    If the DR that you are referring to is a disaster to the Directory (human error or whatever) and not the loss of the site altogether then I've got something for that as well, actually 2 things.

    1) Have perfectly working backups of the DC's system partition and System State.
    2) Configure that DR DC on a different site and schedule replication between sites (on the site link) to replicate once a day, or once every Thursday or whatever suits your DR needs; that way you get a perfectly working AD and a DR and you only lose a few days of AD stuff.
    Last edited by Akila; 22nd May 2008, 21:16.
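Option 2 above is a lag site. As an added example (not Akila's configuration), the following PowerShell builds one whose single site link is open for one hour every Thursday, and then checks the three settings that silently defeat a lag: change notification on the link, the IGNORE_SCHEDULES flag on the IP transport, and "bridge all site links". Site, subnet, link and server names are placeholders; the ActiveDirectory module (Windows Server 2012 or later RSAT) is assumed.

```powershell
# Added example (not Akila's configuration): create a lag site whose single site link only
# replicates in a one-hour window every Thursday. Site, subnet and link names are
# placeholders; requires the ActiveDirectory module (Windows Server 2012+ RSAT).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$HubSite   = 'Default-First-Site-Name'
$LagSite   = 'DR-Lag'
$LagSubnet = '10.99.0.0/24'            # placeholder subnet for the DR network
$LinkName  = 'Hub-To-DR-Lag'
$LagDc     = 'LAGDC01.corp.example'    # placeholder: the DC that will live in the lag site

New-ADReplicationSite   -Name $LagSite -Description 'Lag site: intentionally stale replica for DR'
New-ADReplicationSubnet -Name $LagSubnet -Site $LagSite

# Inter-site replication obeys the site link schedule and interval. 10080 minutes is the
# maximum (one week), so even inside the open window the KCC schedules a single cycle.
New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $HubSite, $LagSite `
    -InterSiteTransportProtocol IP -Cost 500 -ReplicationFrequencyInMinutes 10080

# Availability schedule: Thursday 02:00-03:00 only. The API works in 15-minute blocks,
# so the last block of the window starts at 02:45.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetSchedule([DayOfWeek]::Thursday,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Two,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Two,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity $LinkName -ReplicationSchedule $schedule

# Check 1: change notification on the link (options bit 0x1 = USE_NOTIFY) would push
# changes to the lag site immediately, schedule or not.
$link = Get-ADReplicationSiteLink -Identity $LinkName -Properties options
if ([int]$link.options -band 0x1) {
    Write-Warning "$LinkName has change notification enabled; clear it or the lag is meaningless."
}

# Check 2 and 3: flags on the IP inter-site transport object.
#   bit 0x1 (IGNORE_SCHEDULES) makes the KCC ignore the schedule just configured;
#   bit 0x2 (BRIDGES_REQUIRED) must be SET, otherwise "bridge all site links" lets the
#   KCC route changes to the lag site over other links on their own schedules.
$configNc  = (Get-ADRootDSE).configurationNamingContext
$transport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc" -Properties options
$opts = [int]$transport.options
if ($opts -band 0x1) {
    Write-Warning 'IGNORE_SCHEDULES is set on the IP transport: the lag schedule will be ignored.'
}
if (-not ($opts -band 0x2)) {
    Write-Warning 'Bridge all site links is enabled: disable it and define explicit site link bridges that exclude this link.'
}

# Finally, the lag DC should show exactly one inbound partner, in the hub site, and a
# LastReplicationSuccess that only advances once a week.
Get-ADReplicationPartnerMetadata -Target $LagDc -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationAttempt |
    Format-Table -AutoSize
```

Move the lag DC into the new site (Move-ADDirectoryServer) once the link exists, and keep its DSRM password somewhere you can reach during an incident: the recovery in the posts below is done from DSRM on that DC.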

    • #3
      Re: Active Directory - Disaster Recovery

      Originally posted by Akila:
      2) Configure that DR DC on a different site and schedule replication between sites (on the site link) to replicate once a day, or once every Thursday or whatever suits your DR needs; that way you get a perfectly working AD and a DR and you only lose a few days of AD stuff.
      Lag sites are really cool! Just last month I had a client that had a site admin (do not ask why he had the permissions from the start - politics) who whacked 2 OUs with ~150 users and about the same number of computer accounts.

      Several months before that I configured their DR site as lag site and all I had to do was to run auth restore of 2 OUs ("restore tree") on the DC in lag site (and import the generated LDIFs). 20 minutes including reboots and all the objects were back.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"

      • #4
        Re: Active Directory - Disaster Recovery

        Hmm, I thought the point of a lag site is that if something like this happens, you restore by bumping the USN up (in a way reversing the deletion), not restoring. Hmm, maybe I misunderstood you.
        If a restore is needed I would actually try out your tool - ADRestore.
        http://blogs.microsoft.co.il/files/f...ntry40811.aspx
        BTW - does ADRestore also restore the backlinks?
        Last edited by Akila; 23rd May 2008, 09:19.

        • #5
          Re: Active Directory - Disaster Recovery

          You are right, but the way to bump up the USN (and increase the version number of restored objects/attributes) is to reboot the DC in lag site into DSRM, and do "restore subtree" from ntdsutil without actually restoring the DB.
          You still have to boot into DSRM as ntdsutil does not let you do any kind of auth restore while you are not in DSRM mode.

          Remember that the USN is used for deciding what changes to replicate out, while version numbers are used for collision resolution, so while assigning "LastReplicatedUSN"+1 to an object/attribute will make it replicate out, it will not make sure the change is committed on other DCs unless version numbers are increased too.

          As for ADRestore.NET, it deals only with tombstones, which are not the case here (at least not on the DC in the lag site where we are "restoring" from). ADRestore.NET (or anything else that does tombstone reanimation) will not restore linked attributes as those are not preserved when an object becomes a tombstone (take a look at this screenshot: http://blogs.microsoft.co.il/blogs/g...ge_thumb_2.png. The attributes you see there are almost everything that is preserved on tombstone unless you change the defaults). I am also quite sure that linked attributes can not be marked to be preserved on tombstones.
          Last edited by guyt; 23rd May 2008, 11:58.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"

          • #6
            Re: Active Directory - Disaster Recovery

            Thanks guys very informative.

            Akila - I'm aware of the problems you mentioned... that's why you will see I have already written my concerns in my post and am asking for a new way to do this! I have asked all the questions and they insist on a "warm" standby environment. I think you have answered my question in as far as AD is concerned: it cannot be a working and up to date AD if it can't communicate with the other DCs.

            The problem I have been left with as a result of the above is this: if they accept that a system state restore, metadata cleanup & seizing of FSMO roles AD recovery is the way forward..... how can they have a set of servers, hosted with the same name, ready to receive a restore? The domain won't be there for those servers to have membership to - see what I mean?

            So the only other option is to host a DC, somewhere on another site as you mentioned (lag site). Problem still remains that they can't have a set of servers with the same name as there will be DNS/IP clashes right?

            The insistence from the company is to have a DR setup where they have a set of servers with the same name ready to be restored to. Can this be done and if so how can this be done?

            Thanks again
            Last edited by latz; 23rd May 2008, 14:12.

            • #7
              Re: Active Directory - Disaster Recovery

              Backup tapes: make a clone and send it to the remote site.
              If you've got storage (e.g. EVA, CLARiiON, NetApp, etc.) then a SAN copy would do the job.
              For the servers just back them up and send the tapes to the remote site (make a clone first and send the clone save sets).
              As far as the DC, I don't see why it should be the same name, but if it is needed then once you restore the system partition and system state you've got your name back.

              Actually I might have an idea.
              Run a VMware server on the remote site and schedule a P2V using VMware Converter or whatever you like
              (you can use VMware Server which is free, or MS VS, whatever you like)
              to duplicate the machines; just make sure not to power those on (the new VM machines) after you duplicate them. You've just got yourself a nice set of DCs/servers, whatever you like, on a VM for DR.
              Either P2V them directly onto the remote site (not such a good idea over the WAN) or duplicate those servers on site and send the VMDK files to the remote site.
              All you've got left to do is mount those VMDK files on the VM server and you have a nice cloned site.

              There are other products you could be using for this; you might want to check them out:
              Symantec BackupExec System Restore
              Acronis Universal Restore, etc.
              You might find those suited to your needs.

              I personally use for my DR the good NTBackup of System State and System Partition,
              and also I use Quest Recovery Manager for Active Directory - you might want to check that out as well.
              Quest claims you can restore a DC on dissimilar hardware using their product, restoring only the System State.
              I tried it on a VM and it did not work for me; I opened a case and in the end they told me that "dissimilar hardware" does not include a VM, only real dissimilar "hardware". Hard for me to believe it, since a VM is the easiest with fewer hardware compatibility problems compared to other hardware; whatever, I don't know.
              Last edited by Akila; 23rd May 2008, 14:41.

              • #8
                Re: Active Directory - Disaster Recovery

                Funny that Akila - I was just about to type another post in regarding the VM setup!

                They have an HP EVA 8000 SAN on the production environment and the DR environment so SAN copy is an option, except the servers are DAS booted, not SAN booted.

                Problem still remains, how to keep a set of servers switched on and connected to the domain that share the same name as the ones on the production network? For example, SERVER1 in production they insist should be SERVER1 in DR, not DRSERVER1 or SERVER1DR etc.

                P2V will work if the servers aren't powered on until/unless there is a disaster, but they want them on and ready to go.

                Regarding Quest - why are you using that? I have managed to restore AD to a completely different unit without using anything other than the system state, windows/winnt and program files directories.


                Thanks for your help
                Last edited by latz; 23rd May 2008, 14:58.

                • #9
                  Re: Active Directory - Disaster Recovery

                  Again, with the P2V stuff, if you do multiple DCs, watch out for USN rollback conditions! This is almost impossible to pull off properly unless it is done exactly at the same time and no replication happens at all. Make sure you restore system state backups properly.
                  VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah
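USN rollback, as warned about above, is what happens when a DC is brought back from a P2V image, disk copy or snapshot that is older than what its partners have already received from it: the partners believe they are up to date and never ask for the changes the DC makes afterwards. The following PowerShell is an added example, not from any poster, that checks a cloned DC for the documented indicators. DC and partner names are placeholders; the ActiveDirectory module (Windows Server 2012 or later RSAT) and remote registry/event log access are assumed.

```powershell
# Added example (not from the thread): check a domain controller that was copied by P2V,
# disk image or snapshot for the USN rollback condition. DC and partner names are
# placeholders; requires the ActiveDirectory module (2012+ RSAT).
Import-Module ActiveDirectory

$Dc       = 'DC01.corp.example'
$Partners = @('DC02.corp.example')        # placeholder list of this DC's replication partners
$findings = New-Object System.Collections.Generic.List[string]

# 1. A DC that detects rollback quarantines itself: "Dsa Not Writable" = 4 under the NTDS
#    Parameters key, and inbound/outbound replication are switched off.
$reg = Invoke-Command -ComputerName $Dc -ScriptBlock {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
}
if ($reg.'Dsa Not Writable' -eq 4) { $findings.Add('Dsa Not Writable = 4: the DC has quarantined itself') }

# 2. Replication-disabled flags live in the options attribute of the NTDS Settings object
#    (0x2 = inbound disabled, 0x4 = outbound disabled).
$rootDse = Get-ADRootDSE -Server $Dc
$ntds    = Get-ADObject -Server $Dc -Identity $rootDse.dsServiceName -Properties options, invocationId
if ([int]$ntds.options -band 0x2) { $findings.Add('inbound replication is disabled') }
if ([int]$ntds.options -band 0x4) { $findings.Add('outbound replication is disabled') }

# 3. Directory Service events: 2095 is the explicit rollback detection, 2103 the
#    "restored using an unsupported procedure" message that pauses Net Logon.
Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } |
    ForEach-Object { $findings.Add("event $($_.Id) at $($_.TimeCreated)") }

# 4. The underlying arithmetic: each partner remembers the highest USN it has received
#    from this DC's invocation ID (the up-to-dateness vector). If that remembered USN is
#    above the DC's own highestCommittedUSN, the DC is running an older image than the
#    one the partner already replicated from.
$localInvId = [guid]$ntds.invocationId
$localUsn   = [int64]$rootDse.highestCommittedUSN
foreach ($p in $Partners) {
    Get-ADReplicationUpToDatenessVectorTable -Target $p |
        Where-Object { $_.PartnerInvocationId -eq $localInvId } |
        ForEach-Object {
            if ($_.UsnFilter -gt $localUsn) {
                $findings.Add("$p holds USN $($_.UsnFilter) for this DC but local highestCommittedUSN is $localUsn")
            }
        }
}

if ($findings.Count -eq 0) { "$Dc: no USN rollback indicators found" }
else { $findings | ForEach-Object { Write-Warning "$Dc: $_" } }
```

Check 4 is the one that catches a rolled-back DC the built-in detection has not yet noticed (for example, when no replication has happened since the restore). A DC that trips any of these is not repaired by re-enabling replication; Microsoft's documented recovery is to demote it and promote it again.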

                  • #10
                    Re: Active Directory - Disaster Recovery

                    Originally posted by latz:
                    P2V will work if the servers aren't powered on until/unless there is a disaster but they want them on and ready to go.
                    Then power them on, just make sure the network connectivity to production is offline; all you'll have to do in the DR situation is activate the virtual switch or whatever (takes you exactly 2 min).

                    Originally posted by latz:
                    Regarding Quest - why are you using that? I have managed to restore AD to a completely different unit without using anything other than the system state, windows/winnt and program files directories.
                    We mainly use Quest ARM for online restore.
                    Based on the MS TID "How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration"
                    http://support.microsoft.com/kb/263532
                    you must restore the System partition as well. With Quest you don't need to.

                    • #11
                      Re: Active Directory - Disaster Recovery

                      I don't think you understand what I am saying.... They aren't interested in doing this any other way except for those servers staying on and ready to go. Is there a way this can be achieved?

                      We aren't talking switch on and off or restore or anything like that.

                      Thanks

                      • #12
                        Re: Active Directory - Disaster Recovery

                        Originally posted by latz:
                        I don't think you understand what I am saying.... They aren't interested in doing this any other way except for those servers staying on and ready to go. Is there a way this can be achieved?
                        Thanks
                        lol, I thought they might compromise on those 2 min.
                        In that case I am out of ideas, sorry m8.
                        Maybe could help out. (I am sure you went through before on that issue)
                        Last edited by Akila; 26th May 2008, 18:14.

                        • #13
                          Re: Active Directory - Disaster Recovery

                          I wish they would.... it would save me a lot of time!!!

                          Thanks for all your help and giving me some good ideas.
