Help! My Active Directory has been breached and I can't get back up...

Let’s face it, because Active Directory is the authentication and authorization source for almost all organizations, it is a primary target for the bad guys. In fact, according to Microsoft, 95 million of the over 500 million active on-premise Active Directory accounts are under attack daily. That’s about 20 percent!

Of course the first thing we should be looking at is our security plan, but that’s a topic for another day. This blog post is all about recovery.

Organizations need to have a solid Disaster Recovery Plan for Active Directory. There are two types of recovery that I consider when it comes to Active Directory. First, there are the day-to-day, most common things that happen, typically through human error: deleted users, group changes, attributes that got messed up because of some bad PowerShell scripting, GPO settings, and so on. Or maybe you are moving to O365, and the move is bringing a lot of change and risk to your directory through Azure AD Connect and other components.

“Can’t I just use the recycle bin?” Sure, if it’s a couple of users or something simple. But not for group policy changes. And what if it was an entire OU with hundreds or thousands of users and groups? Or you are unaware of what got deleted or changed in the environment? How would you even know what to recover?

In those cases, you need something a little more sophisticated that can compare the current directory against a previous state and restore only what is needed, through a simple wizard. That’s where Quest Recovery Manager comes in. From a simple interface, or even from within Active Directory Users and Computers, you can have objects, OUs, GPOs, or individual attributes recovered in minutes.
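To show what the “entire OU” case above actually takes with the native Recycle Bin alone, here is an added example (not Quest’s or Microsoft’s code) that inventories everything deleted under a scope since a given time and restores it parent-first, rebuilding each object’s original parent DN from its tombstone. The ActiveDirectory module, a domain admin session and the OU name `OU=Corp,DC=example,DC=com` are assumptions.

```powershell
# Added example, not Quest's or Microsoft's code. Assumes the RSAT ActiveDirectory
# module, a domain admin session, and that the Recycle Bin was enabled BEFORE the
# deletion (otherwise only stripped tombstones exist and there is little to restore).
Import-Module ActiveDirectory

# Rebuild an object's original parent DN by walking tombstones upward: a child of a
# deleted OU may record the OU's *deleted* DN as lastKnownParent, which cannot be a
# restore target, so the live DN is re-derived from msDS-LastKnownRDN at each level.
function Get-OriginalDN {
    param([string] $DN, [hashtable] $Tombstones)
    if ($DN -and $Tombstones.ContainsKey($DN)) {
        $t = $Tombstones[$DN]
        return '{0},{1}' -f $t.'msDS-LastKnownRDN', (Get-OriginalDN -DN $t.lastKnownParent -Tombstones $Tombstones)
    }
    return $DN   # not a tombstone, so this container still exists
}

function Restore-DeletedSubtree {
    param(
        [Parameter(Mandatory)] [string] $Scope,            # hypothetical: 'OU=Corp,DC=example,DC=com'
        [datetime] $DeletedAfter = (Get-Date).AddDays(-1),
        [switch] $ReportOnly                               # inventory only: answers "what was deleted?"
    )
    $feature = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) { throw 'AD Recycle Bin is not enabled in this forest.' }

    # Deleting an object bumps whenChanged, so this bounds the inventory to the incident window.
    $deleted = @(Get-ADObject -Filter 'isDeleted -eq $true -and whenChanged -ge $DeletedAfter' `
        -IncludeDeletedObjects -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged, objectClass)
    $tombstones = @{}
    foreach ($o in $deleted) { $tombstones[$o.DistinguishedName] = $o }

    $plan = foreach ($o in $deleted) {
        $target = Get-OriginalDN -DN $o.lastKnownParent -Tombstones $tombstones
        if ($target -like "*$Scope") { [pscustomobject]@{ Object = $o; Target = $target } }
    }
    # Fewer RDNs in the target DN means higher in the tree: OUs come back before their members.
    $plan = @($plan | Sort-Object { ($_.Target -split '(?<!\\),').Count })

    foreach ($p in $plan) {
        if ($ReportOnly) {
            '{0,-18} {1} -> {2}' -f $p.Object.objectClass, $p.Object.'msDS-LastKnownRDN', $p.Target
        } else {
            Restore-ADObject -Identity $p.Object.ObjectGUID -TargetPath $p.Target
        }
    }
    return $plan.Count
}

# Inventory first; run again without -ReportOnly to restore.
# Restore-DeletedSubtree -Scope 'OU=Corp,DC=example,DC=com' -DeletedAfter (Get-Date).AddHours(-4) -ReportOnly
```

Note what this does not bring back: GPO settings live in SYSVOL rather than in the directory, and anything deleted before the Recycle Bin was enabled, or past the deleted-object lifetime, is no longer recoverable this way.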

But what about the things that (hopefully) aren’t day-to-day? Remember that breach we talked about? Or what about a schema extension that went awry? DNS corruption? Exchange configuration corruption? Viruses? Malicious activity? You get the point. And YES, I’ve seen all of these while working with different organizations, and they all had one thing in common: they required the organization to do a Forest Recovery.

“It’s OK, Microsoft has a document for that…” Except that it’s 60 pages long and filled with PowerShell scripts that need to be executed on each and every one of your domain controllers in the correct order, with your boss looking over your shoulder asking “when are we going to be back up?” Not exactly the perfect scenario for success, if you ask me. And typically it doesn’t meet your Recovery Time Objective (RTO: how long our systems can be down with the business still surviving).

Again, Recovery Manager from Quest can save the day, allowing you to restore your entire Active Directory forest in an automated fashion from a single console. This eliminates the need to physically interact with each of your domain controllers and to get your PowerShell commands exactly right, and most importantly, it speeds up your recovery significantly so you can meet those RTOs.

One of the most important things you can do to help yourself be prepared for a disaster is to test your Active Directory DRP at least once annually, in a lab environment that matches your production environment.

“But wait… my test lab is old and doesn’t even resemble my production environment?”

That’s OK. We’ve got you covered there too. Believe me, you are not alone; this is something many organizations struggle with. Included with the product is our Active Directory Virtual Lab (ADVL), which fixes that headache. It allows you to create a complete replica of your production environment, using P2V or V2V, in an isolated lab environment. This virtual lab can contain all your domain controllers, but you control what to include or exclude. So if you want to include other member servers, your Exchange boxes, or anything else, that is fine. In fact, I have many customers that have used the virtual lab to test things like:

  • Active Directory DRP
  • Forest Functional Levels
  • Upgrades to Exchange, SharePoint, etc.
  • Monthly patches
  • Schema extensions
  • Application changes
  • And the list goes on and on…

Organizations need to assume that disasters will happen, but if you follow the advice I’ve laid out here, you can build and test a sound disaster recovery plan, and be prepared for the inevitable.

Anonymous