Welcome. This is Quest Unscripted, a vlog series on trending topics and Quest solutions related to Active Directory, Office 365. Oh, and don't forget Azure AD. You're here because you have questions. We're here because we have answers. I think. We will address questions we've received from customers experiencing the same challenges as you, all with the goal of helping you confidently move, manage, and secure your Microsoft environment. We call the show Quest Unscripted because, except for this intro, nothing we say is scripted or rehearsed. And we're pretty sure you'll notice that right away.
All right, Bryan. Hypothetical question.
Yeah.
You've been hit by ransomware. You've called Microsoft. Hey, you need to start doing your restoration. They own RMAD, DRE. What next?
That's a great question. So let's go look at the slides again, and we can talk about that. So you remember here, this is our secure storage setup, right?
Now, hopefully you've set it up.
Yeah, hopefully it's set up. Get this done ahead of time, please. If you don't have backups, there's not much any solution can do for you. Disaster, right? So disaster strikes you. You lose your DCs. You lose your tier 1 storage. It's just a file share, so it's gone too. You probably lost your RMAD server because it's just another Windows Server, and it's probably as susceptible as everything else to being attacked.
But because of the hardening, your secure storage servers survive. And that means that your backups are secure. And that's all you need for recovery. So after the threat is gone-- let's say you've contained the virus, or maybe it burned through your network, or maybe you've set up an isolated area that you want to recover to. You stand up a new server for RMAD. You install the latest version. You stand up new servers to be domain controllers.
Now, you don't have to stand these up. If you wanted to recover into Azure, for example, our process will automatically create server instances in Azure for you to restore to. You might stand up tier 1 storage, or you might just use the Recovery Manager server to hold those backups. And then you have to go retrieve those backups. If you remember, Bryan, from our talk earlier, we use physical access only. And that's one of the ways we keep this backup secure.
Yeah.
So you got to walk into your data center and go access your secure storage server.
Let's pause there for a second. I know where you live, but I want to out you where you live, Bryan. I know you live in Mountain Time. Your server is in California. So does someone in California physically walk to the data center?
Well, that's what we do. That's what our solution is around. Now, it is just Windows Server hardware. It is just a Windows Server. So you could decide to do other things. So for example, you could use Integrated Lights-Out, HPE iLO, or iDRAC. Those are solutions.
If it's a VM, which we don't recommend VMs-- but if it was, you could use vSphere in the console to get access to these boxes, or you might decide that in your hardening, you want to set up a privileged access workstation.
Sounds like a good idea.
But every time you do that, Bryan-- and the reason that I don't recommend any of those is you're opening the door just a little bit more. And the more you open that door, the more chance you have that those backups are going to be compromised. These attackers are getting really smart, and they are taking their time. And they will spend months in your environment so they can learn your ways and figure out how to inflict as much damage as possible so that you're going to pay the ransom. Because that's what they want. They want you to pay the ransom.
But our big bet is that an attacker is not going to come fly into the US or fly into your country, go break into your data center to compromise this box. That's what we're hoping. And I think that's a pretty safe bet for most--
Yeah, physical access is still essential in 2021.
Yep. Yeah. So it might sound old school.
So you physically walked out there. You have physical access. You get this file.
Right. So you take those backups. You copy them out to tier 1, whatever that is. And then from there, you can take those backups and register them back to the RMAD console. And once they're registered, you're ready to start recovery. So that's just a matter of pushing out recovery agents and running the forest recovery process.
So that's it in a nutshell. That's how you get recovered for Active Directory.
Great. Thank you, Bryan.
Mm-hmm.