quest tbw disasters within disasters

Upload: michavoigt

Post on 07-Apr-2018

  • 8/6/2019 Quest TBW Disasters Within Disasters

    TECHNICAL BRIEF

    Looking Past Microsoft for True Active Directory Protection

    Disasters within Disasters

    Contents

    Abstract

    Introduction

    Disasters within Disasters: Looking Past Microsoft for True Active Directory Protection

    The Active Directory Objects That Were Lost Forever

    The Disaster Recovery Plan That Relied on Hope

    The Day the Forest Died

    The Backups That Weren't Backed Up

    Avoid Disaster with Quest Recovery Solutions

    Abstract

    The foundation of every small business Windows environment is Active Directory. And Active Directory disasters come in all shapes and sizes. To recover quickly, your business needs to have the right protection in place for your Active Directory data. Windows alone cannot provide this kind of functionality.

    Quest offers Active Directory recovery solutions that bring quick restores after any type of disaster, large or small. Whether it's object and attribute recovery in Recovery Manager for Active Directory, forest-level recovery in Recovery Manager for Active Directory Forest Edition or simplified off-site protection with OnDemand Recovery for Active Directory, Quest solutions provide the AD protection you need to get your business up and running again fast.

    Introduction

    The stories you're about to read are true. Only the names have been changed to protect the innocent guilty. The disasters described, and the disasters within those disasters, are real. We recount them here in the hope that doing so will prevent them from reoccurring. So think hard about your own Active Directory protection as you read these accounts. If you discover you're relying only on Microsoft and its tools for support, you may also find yourself experiencing a similar series of cascading failures someday soon. But it doesn't have to be that way.

    Don't make the same mistakes and suffer the same fate.

    Disasters within Disasters: Looking Past Microsoft for True Active Directory Protection

    The Active Directory Objects That Were Lost Forever

    John Brown is not a terrifically experienced IT professional. In fact, some would say he's not that skilled at all. His inexperience isn't necessarily his fault. He's new in the IT industry, fresh out of trade school and full of book knowledge. He's also fairly exuberant about all the IT education he's just acquired and ready to apply it at his first new job in a medium-sized customer service firm.

    Like many entry-level IT professionals, John's first assignment is staffing the Help Desk. He enjoys the work and the challenge, fielding calls and triaging problems. He also enjoys relatively unfettered access to the company's Active Directory. As a Help Desk staffer, he's been tasked with creating accounts, as well as modifying and deleting them inside his Active Directory Users and Computers console. It's a big responsibility, but not unheard of for people in his position.

    One day he discovers his assigned rights also give him access to Group Policy Objects. He knows Group Policies. He learned about them in class.

    Time to put his book knowledge to the test. Thinking he knows a better way to configure his company's Group Policies, he's soon in over his head, creating more harm than good. Now in a rush to fix things, he accidentally deletes the Group Policies. All of them. Realizing his mistake, he then tries to cover his tracks, only to accidentally delete an entire Organizational Unit of users in the process. John's new job might be over now, but the company's problems have just begun.

    This cautionary tale can happen again all too easily. Handing over account management responsibilities to Help Desk professionals is a common practice. The tasks are labor-intensive and require little previous experience. Doing so without locking down permissions is also, unfortunately, common.

    The moral of the story? Ineffective permissions control on inexperienced IT staff can create disasters within disasters (as in the previous scenario) and can easily destroy company data.

    It won't be easy to get that Active Directory data back with Windows tools alone. A series of steps is required to restore Group Policies, none of which is easy to complete. Same goes for restoring lost user accounts: even with the new Active Directory Recycle Bin in Windows Server 2008 R2, it can be a nightmare of PowerShell scripts and tombstoned object retrieval.

    To protect AD data and avoid such dire circumstances, solutions such as Recovery Manager for Active Directory from Quest Software are critically important. Using Recovery Manager, a lost Group Policy, user or computer object (even entire groups of them) can be quickly identified, retrieved and resurrected with a few simple clicks. More than just a System State backup, it's a searchable catalog of retrievable data that recovers Active Directory objects with a minimum of user impact.

    The Disaster Recovery Plan That Relied on Hope

    Rhonda Wills is a disaster-recovery consultant for a midsize office. Brought in to develop worst-case scenario response plans, Rhonda finds herself awash in paperwork, flowcharts and what-if hypotheticals. Her plans nearly complete, she has outlined the steps to restore her client's core services within hours of their demise.

    Disaster planning isn't easy. Figuring out which services are most critical and analyzing their dependencies is a major part of Rhonda's task. Being relatively experienced, she knows that the dependency tree for almost every IT service eventually points back to Active Directory. That core requirement means that restoring domain controller functionality is the first step in any recovery plan.

    There's only one problem. Rhonda can plan, but she has no ability to test her plans. Rhonda has no way to test her plans without hardware and a solution that quickly creates virtual copies of her domain controllers. All she can do is hope for the best, once her job is finished and her contract concludes.

    Hope is a poor substitute for verification.

    Does the success of your disaster recovery plan depend on hope like Rhonda's? Will you have to wait for an actual disaster to test your plans? With the right software, you don't.

    Testing disaster recovery plans is as important as creating them. To assist your testing efforts, Recovery Manager for Active Directory Forest Edition now supports built-in physical-to-virtual (P2V) backups, converting your physical domain controllers to virtual ones. With a selected virtual platform in place, you can avert potential disaster by testing changes (like new schema extensions) before introducing them to your production environment.

    The Day the Forest Died

    Lee Mitchell is an experienced Active Directory engineer for a multisite manufacturing company, but today is one of the worst days of his professional career. Just hours ago, Lee returned from a long lunch to find cascading corruption throughout his Active Directory. The corruption soon spread through each of his dozen domain controllers.

    His Active Directory forest is completely down, and so is his company.

    Lee realizes the scope of this disaster within a disaster as he begins paging through Microsoft's restoration steps. Starting with the document "Recovering your Active Directory Forest" (http://download.microsoft.com/download/6/8/3/683CBB2A-8FB6-41D0-AA47-36081C3CBA94/ForestRec.doc), Lee finds the 15 laborious steps required just to get one forest root DC operational. With the company's two subdomains also down, getting a single DC up and running for each requires 12 more steps per domain. Eight more post-recovery steps follow those. It's going to be a long night. Possibly nights. He's not sure.

    Lee tries to reassure himself. He's an exceptionally skilled Active Directory engineer. He's worked in large businesses, even consulted a while. He's worked with nearly every facet of Active Directory and constructed many from the ground up. But he's never had to deal with a full forest recovery. The thought of having to learn the steps during an actual crisis situation terrifies him.

    "That corruption worked its way into the directory so fast," he thinks to himself. "It's amazing it hasn't happened until now. Multi-master replication is great for distributing database changes, but it knows no discrimination when bad ones replace good ones."

    Manufacturing companies measure downtime in minutes. Now every part of his company is non-operational until Lee can resurrect his forest. He knows this outage will have an impact on his company, as well as his job.

    Considering how pervasive Active Directory is in a Windows network, it's surprising how insufficient native tools are for restoring its data. Using native tools alone, restoring an individual user or computer object requires a multistep process that's far from trivial. Restoring the AD database to an individual domain controller is similarly fraught with the potential for damaging mistakes.

    Reconstructing a whole AD forest after widespread corruption? That's a task best left to experts. But it's rare to find an Active Directory expert with experience in entire-forest restores. A much better solution leans on automation created by experts who are intimately familiar with a forest recovery's proper steps. Recovery Manager for Active Directory Forest Edition is the solution companies require if they're to bring that expert knowledge in-house.

    No forest recovery is a click-and-go process. Domain controllers require rebuilding, and all of Active Directory's integrated services require reconnection. For quicker recovery, it's crucial to automate the many necessary steps. Recovery Manager Forest Edition helps speed recovery time with its simultaneous system recovery feature, restoring every DC simultaneously from a single, centralized location. Its automation aligns with the Microsoft forest-recovery processes, giving you the flexibility to restore each DC in the most appropriate way possible. With the assistance of Recovery Manager Forest Edition, you won't be left alone to recover your forest after a disaster.

    The Backups That Weren't Backed Up

    Joe Gear is the IT professional who can do it all. On any given day he might be changing toner cartridges, troubleshooting desktops, adding email accounts or building new servers for his small business employer.

    Joe enjoys being a Jack of all trades. He developed his skill set quickly by getting involved in every aspect of the IT environment. He believes the small business environment helped him advance much faster than he could have in a larger organization. "In big companies," he reminds himself, "you're tasked with just a few things. Here, I get to do everything!"

    Doing everything might be great for Joe's career development, but it's been difficult on the company as it's grown. A recent expansion had Joe working nearly around the clock just to keep up: building new servers, installing network cabling, deploying desktops, all while keeping existing services functioning.

    "It's natural," he says in hindsight, "to focus on new tasks, particularly when the company's growing. But that blind focus on building new things is probably what caused the problem with the old ones that day."

    That day happened a few months earlier. Like many problems, it started off small but grew as Joe kept digging deeper and deeper.

    Joe had arrived at work to discover an Organizational Unit of computer accounts had mysteriously vanished. There was a lot of finger-pointing and loud arguing, but no one really knows how the accounts were deleted, even to this day.

    Then the disaster within the disaster began after Joe gave up troubleshooting and sought out the backup tapes. Joe knew that AD restores were complicated and painful, but he was confident he could fix the problem if he could only find that last backup set.

    He never found that set because it never completed.

    Neither had the backups the day before. Or the day before that. Over a month's worth of domain controller backups simply never existed, just as all the computer accounts Joe needed to return his business to functionality didn't exist. Rebuilding those accounts took orders of magnitude longer than necessary, creating an equally negative impact to his small company's operations.

    Small business IT pros are a special breed. They're responsible for everything from servers to desktops, phone systems to printers. Tasked with long hours, these hard-working individuals are expected to know everything. But a person spread too thinly is likely to neglect core infrastructure activities, particularly backups that seem automated, but in fact might not be.

    The foundation of every Windows environment is Active Directory. So when Active Directory backups fail, the restore will, too. Recovery Manager for Active Directory will alert you if a backup fails. It also organizes backups so you consistently get the most up-to-date information. Similarly, Recovery Manager's SaaS version, OnDemand Recovery for Active Directory, was designed especially with small businesses in mind. This cloud-based service ensures your backups are complete. AD backup sizes are tiny compared to the rest of your company data, but no less important. OnDemand Recovery securely transfers AD data to cloud storage, protecting it with federated identity management and industry-standard authentication and authorization.

    Supporting similar features to the on-premises Recovery Manager for Active Directory tool, OnDemand Recovery for Active Directory provides the additional benefit of offsite protection for AD data and eliminates the need for continual maintenance and manual upgrades.

    Avoid Disaster with Quest Recovery Solutions

    Disasters come in all shapes and sizes. Having the right protection for your Active Directory data is critical for quick recovery. You can't get this functionality from Windows alone.

    Quest AD recovery solutions bring quick restores to Active Directory after any type of disaster, large or small. Whether you're looking for object and attribute recovery in Recovery Manager for Active Directory, forest-level recovery in Recovery Manager for Active Directory Forest Edition, or simplified off-site protection with OnDemand Recovery for Active Directory, Quest solutions provide the protection you need, along with a recognizable return on investment.

    For more information about Quest solutions, check out http://www.Quest.com/Recovery-manager-for-active-directory.

    About Quest Software, Inc.

    Quest Software (Nasdaq: QSFT) simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest solutions for application management, database management, Windows management, virtualization management and IT management, go to www.quest.com.

    Contacting Quest Software

    PHONE 800.306.9329 (United States and Canada)

    If you are located outside North America, you can find your local office information on our Web site.

    EMAIL [email protected]

    MAIL Quest Software, Inc.

    World Headquarters

    5 Polaris Way

    Aliso Viejo, CA 92656

    USA

    Contacting Quest Support

    Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract.

    Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com.

    SupportLink gives users of Quest Software products the ability to:

    Search Quest's online Knowledgebase

    Download the latest releases, documentation and patches for Quest products

    Log support cases

    Manage existing support cases

    View the Global Support Guide for a detailed explanation of support programs, online services, contact information and policies and procedures.

    © 2011 Quest Software, Inc. ALL RIGHTS RESERVED.

    Quest, Quest Software, the Quest Software logo are registered trademarks of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. WPW DisasterswithinDisasters US EC 20110613