White paper

Saving the Forests

Written by Don Jones, Microsoft MVP

Imagine an organization with a high-security environment—say, a military organization—that tries to exercise best practices in security using Windows. This might include having domain controllers automatically shut down when there’s a failure of a security event log write. But what if an event log becomes corrupted and can’t be written to? That’s right, the entire Active Directory (AD) forest shuts down—taking the entire infrastructure offline.

Now, let’s imagine another environment, where AD is being synchronized with a mainframe system. There is a power failure, and the mainframe appears to lose all of its user groups. Because of an error in the synchronization software, the AD groups are deleted as well, keeping both systems in sync. This means that many, many groups, in many, many domains, simply disappeared—in an instant.

Sure, these are nightmares—but for the unfortunate people who had to live through them, they were real. Both incidents actually happened.