Quest TBW Disasters Within Disasters

  • 8/6/2019 Quest TBW Disasters Within Disasters

    TECHNICAL BRIEF

    Looking Past Microsoft for True Active Directory Protection

    Disasters within Disasters

    Technical Brief: Disasters within Disasters: Looking Past Microsoft for True Active Directory Protection 2

    Contents

    Abstract

    Introduction

    Disasters within Disasters: Looking Past Microsoft for True Active Directory Protection

      The Active Directory Objects That Were Lost Forever

      The Disaster Recovery Plan That Relied on Hope

      The Day the Forest Died

      The Backups That Weren't Backed Up

    Avoid Disaster with Quest Recovery Solutions

    Abstract

    The foundation of every small business Windows environment is Active Directory. And Active Directory disasters come in all shapes and sizes. To recover quickly, your business needs to have the right protection in place for your Active Directory data. Windows alone cannot provide this kind of functionality.

    Quest offers Active Directory recovery solutions that bring quick restores after any type of disaster, large or small. Whether it's object and attribute recovery in Recovery Manager for Active Directory, forest-level recovery in Recovery Manager for Active Directory Forest Edition or simplified off-site protection with OnDemand Recovery for Active Directory, Quest solutions provide the AD protection you need to get your business up and running again fast.

    Introduction

    The stories you're about to read are true. Only the names have been changed to protect the innocent guilty. The disasters described, and the disasters within those disasters, are real. We recount them here in the hope that doing so will prevent them from reoccurring. So think hard about your own Active Directory protection as you read these accounts. If you discover you're relying only on Microsoft and its tools for support, you may also find yourself experiencing a similar series of cascading failures someday soon. But it doesn't have to be that way.

    Don't make the same mistakes and suffer the same fate.

    Disasters within Disasters: Looking Past Microsoft for True Active Directory Protection

    The Active Directory Objects That Were Lost Forever

    John Brown is not a terrifically experienced IT professional. In fact, some would say he's not that skilled at all. His inexperience isn't necessarily his fault. He's new in the IT industry, fresh out of trade school and full of book knowledge. He's also fairly exuberant about all the IT education he's just acquired and ready to apply it at his first new job in a medium-sized customer service firm.

    Like many entry-level IT professionals, John's first assignment is staffing the Help Desk. He enjoys the work and the challenge, fielding calls and triaging problems. He also enjoys relatively unfettered access to the company's Active Directory. As a Help Desk staffer, he's been tasked with creating accounts, as well as modifying and deleting them inside his Active Directory Users and Computers console. It's a big responsibility, but not unheard of for people in his position.

    One day he discovers his assigned rights also give him access to Group Policy Objects. He knows Group Policies. He learned about them in class.

    Time to put his book knowledge to the test. Thinking he knows a better way to configure his company's Group Policies, he's soon in over his head, creating more harm than good. Now in a rush to fix things, he accidentally deletes the Group Policies. All of them. Realizing his mistake, he then tries to cover his tracks, only to accidentally delete an entire Organizational Unit of users in the process. John's new job might be over now, but the company's problems have just begun.

    This cautionary tale can happen again all too easily. Handing over account management responsibilities to Help Desk professionals is a common practice. The tasks are labor-intensive and require little previous experience. Doing so without locking down permissions is also, unfortunately, common.

    The moral of the story? Ineffective permissions control on inexperienced IT staff can create disasters within disasters (as in the previous scenario) and can easily destroy company data.

    It won't be easy to get that Active Directory data back with Windows tools alone. A series of steps is required to restore Group Policies, none of which is easy to complete. Same goes for restoring lost user accounts: even with the new Active Directory Recycle Bin in Windows Server 2008 R2, it can be a nightmare of PowerShell scripts and tombstoned object retrieval.

    To protect AD data and avoid such dire circumstances, solutions such as Recovery Manager for Active Directory from Quest Software are critically important. Using Recovery Manager, a lost Group Policy, user or computer object (even entire groups of them) can be quickly identified, retrieved and resurrected with a few simple clicks. More than just a System State backup, it's a searchable catalog of retrievable data that recovers Active Directory objects with a minimum of user impact.

    The Disaster Recovery Plan That Relied on Hope

    Rhonda Wills is a disaster-recovery consultant for a midsize office. Brought in to develop worst-case scenario response plans, Rhonda finds herself awash in paperwork, flowcharts and what-if hypotheticals. Her plans nearly complete, she has outlined the steps to restore her client's core services within hours of their demise.

    Disaster planning isn't easy. Figuring out which services are most critical and analyzing their dependencies is a major part of Rhonda's task. Being relatively experienced, she knows that the dependency tree for almost every IT service eventually points back to Active Directory. That core requirement means that restoring domain controller functionality is the first step in any recovery plan.

    There's only one problem. Rhonda can plan, but she has no ability to test her plans. Rhonda has no way to test her plans without hardware and a solution that quickly creates virtual copies of her domain controllers. All she can do is hope for the best, once her job is finished and her contract concludes.

    Hope is a poor substitute for verification.

    Does the success of your disaster recovery plan depend on hope like Rhonda's? Will you have to wait for an actual disaster to test your plans? With the right software, you don't.

    Testing disaster recovery plans is as important as creating them. To assist your testing efforts, Recovery Manager for Active Directory Forest Edition now supports built-in physical-to-virtual (P2V) backups, converting your physical domain controllers to virtual ones. With a selected virtual platform in place, you can avert potential disaster by testing changes (like new schema extensions) before introducing them to your production environment.

    The Day the Forest Died

    Lee Mitchell is an experienced Active Directory engineer for a multisite manufacturing company, but today is one of the worst days of his professional career. Just hours ago, Lee returned from a long lunch to find cascading corruption throughout his Active Directory. The corruption soon spread through each of his dozen domain controllers.

    His Active Directory forest is completely down, and so is his company.

    Lee realizes the scope of this disaster within a disaster as he begins paging through Microsoft's restoration steps. Starting with the document "Recovering your Active Directory Forest" (http://download.microsoft.com/download/6/8/3/683CBB2A-8FB6-41D0-AA47-36081C3CBA94/ForestRec.doc), Lee finds the 15 laborious steps required just to get one forest root DC operational. With the company's two subdomains also down, getting a single DC up and running for each requires 12 more steps per domain. Eight more post-recovery steps follow those. It's going to be a long night. Possibly nights. He's not sure.

    Lee tries to reassure himself. He's an exceptionally skilled Active Directory engineer. He's worked in large businesses