
Scenarios for recovering deleted objects in Active Directory

It is great when a system administrator has time to master and try out every Active Directory recovery script using only the tools built into the operating system. In most cases, however, there is no spare time: what is needed is a solution, not a pile of MSDN articles and hastily patched-up scripts.

Which software product should you choose for Active Directory recovery?

To answer this question, you first have to settle on a list of recovery scenarios.

Recovering deleted objects in Active Directory is a problem users have run into constantly since Active Directory first appeared. A long time passed before Microsoft finally listened to them. First, Windows Server 2008 made it possible to protect objects from accidental deletion; then a Recycle Bin appeared in Windows Server 2008 R2, and in Windows Server 2012 it got a graphical interface. Now a deleted object can be brought back to life in a couple of clicks, and no special product is needed for that.
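The same three steps (accidental-deletion protection, the Recycle Bin, and a restore) done from PowerShell instead of the GUI, as an added example that is not part of the original post. It assumes the AD PowerShell module, a hypothetical forest corp.example.com already at the 2008 R2 forest functional level, and a hypothetical user jsmith whose account was deleted by mistake.

```powershell
# Added example, not from the original post. Forest and user names are hypothetical.
$forest = 'corp.example.com'

# 1. Turn on the Recycle Bin once per forest. This cannot be undone; until it is on,
#    deleted objects survive only as stripped-down tombstones that lose most attributes.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
                         -Target $forest -Confirm:$false

# 2. Guard containers up front: the flag adds a Deny ACE for Delete/Delete Subtree to Everyone,
#    so an admin has to clear it deliberately before the OU can be removed.
Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion $true

# 3. Locate the deleted account. Deleted objects live under CN=Deleted Objects and, with the
#    Recycle Bin on, keep their attributes and group memberships. -IncludeDeletedObjects is required.
$gone = Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=jsmith))' `
                     -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged

# 4. Put it back into its last known OU. If that OU was deleted too, restore the OU first
#    or pass -TargetPath with another OU; then verify the account came back intact.
$gone | Restore-ADObject
Get-ADUser -Identity jsmith -Properties Enabled, MemberOf |
    Select-Object SamAccountName, Enabled, @{ n = 'Groups'; e = { $_.MemberOf.Count } }
```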

If older versions of Windows are still in use, or for some reason you cannot turn on the Recycle Bin, then you have to restore from a backup made before the object was deleted. And if you want to do the whole restore from a graphical interface, you need a specialized product. There are plenty of free utilities and paid products that can recover deleted objects; however, recovering an account's password used to require a schema extension, which does not suit every administrator. Recovering the password for a couple of users and telling them by phone is not a problem, but when there are many more such users it can paralyze the company's work. I know only one product that can recover passwords without a schema extension: Recovery Manager for AD. Today this product is sold under the Dell name, but its roots are Russian; it originated at the domestic company Aelita. Recovery Manager enjoys well-deserved popularity, and its old versions can even be found on torrents.

Another, much rarer scenario is restoring changed objects. For example, someone meant to change an attribute on one user but changed it across the whole of AD. Or there was a mistake in the settings of the tool that synchronizes data from the HR system, and the unwanted changes were synchronized into Active Directory.

Here Microsoft has not yet offered a convenient solution. To find the modified objects and then recover them in this scenario, Microsoft suggests using the dsamain command-line utility: you bring up an LDAP server from an earlier copy of Active Directory and compare the state of the objects in live AD with the backup using ADUC or a PowerShell script.
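The dsamain approach carried through in PowerShell, as an added example that is not part of the original post: mount a backup copy of the database, diff a set of user attributes against live AD by ObjectGUID, and roll back only what drifted. It assumes an ntds.dit already extracted from a backup to D:\Restore, that the script runs on the DC that hosts Active Directory Web Services (the AD module talks to ADWS, not raw LDAP, and ADWS exposes dsamain instances on the same host), and hypothetical DC, OU and path names.

```powershell
# Added example, not from the original post. Host, OU and paths are hypothetical.
$dbPath    = 'D:\Restore\ntds.dit'           # copy from a backup taken before the bad change; dsamain writes logs beside it
$ldapPort  = 10389                           # any free port; the mounted copy is read-only
$mountHost = 'dc01.corp.example.com'         # the DC this script runs on, so its ADWS serves the mounted copy
$ou        = 'OU=Staff,DC=corp,DC=example,DC=com'
$props     = 'displayName', 'title', 'department', 'mail', 'manager'

# 1. Expose the backup copy as a standalone LDAP instance. dsamain blocks until Ctrl+C, so run it
#    in its own elevated window. Add /allowUpgrade if the backup came from an older DC version.
Start-Process dsamain.exe -ArgumentList "/dbpath `"$dbPath`" /ldapport $ldapPort" -Verb RunAs
Start-Sleep -Seconds 15

# 2. Pull the same attribute set from both instances. ObjectGUID is identical in a copy of the
#    database, so it is the join key even if an account was renamed or moved.
$live   = Get-ADUser -Filter * -SearchBase $ou -Properties $props -Server $mountHost
$backup = Get-ADUser -Filter * -SearchBase $ou -Properties $props -Server "${mountHost}:${ldapPort}"
$liveByGuid = @{}
foreach ($u in $live) { $liveByGuid[$u.ObjectGUID.ToString()] = $u }

# 3. Report every attribute whose value differs between the backup and live AD.
$drift = foreach ($old in $backup) {
    $cur = $liveByGuid[$old.ObjectGUID.ToString()]
    if (-not $cur) { continue }   # deleted since the backup: a Recycle Bin case, not attribute drift
    foreach ($p in $props) {
        if ([string]$old.$p -ne [string]$cur.$p) {
            [pscustomobject]@{ Sam = $cur.SamAccountName; Attribute = $p; Backup = $old.$p; Live = $cur.$p }
        }
    }
}
$drift | Export-Csv -Path 'C:\Temp\ad-drift.csv' -NoTypeInformation   # review this before writing anything

# 4. Roll back only the attributes that changed, object by object. Remove -WhatIf after reviewing the CSV.
foreach ($d in $drift) {
    $attr = $d.Attribute
    if ($null -eq $d.Backup) { Set-ADUser -Identity $d.Sam -Clear $attr -Server $mountHost -WhatIf }
    else { Set-ADUser -Identity $d.Sam -Replace @{ $attr = $d.Backup } -Server $mountHost -WhatIf }
}
```

Stop dsamain with Ctrl+C in its window once the comparison is done; the mounted copy is never replicated and is only as current as the backup it came from.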


As they say, a holy place is never empty. There is a lot of specialized software on the market for restoring changed objects. I recommend looking at Blackbird Recovery for Active Directory, the aforementioned Recovery Manager, and the NetWrix Active Directory Object Restore Wizard. The latter, in my opinion, is only suitable for restoring a small number of objects; "clicking through" a couple of hundred objects is not very convenient.


The product from Blackbird performs continuous backup, so you do not lose the "useful" changes, unlike most products, where a restore takes you back to the last backup and discards everything changed since then.

Also, almost every self-respecting backup vendor has built a simple wizard for restoring objects.

In addition to the granular recovery scenarios discussed above, there is the scenario of recovering an entire forest, which many vendors sidestep: supposedly the probability of a forest going down is so small that there is no need to worry about it.

Microsoft offers a forty-page document with general recommendations for creating a forest recovery plan. However, in a large geographically distributed company with dozens of domain controllers, creating a forest recovery plan and regularly testing it in an environment close to production costs the IT department person-months. And even after drawing up and testing a recovery plan, you may find that in the time the recovery takes, the company will go under; this is especially true for banks and mobile operators.

I managed to find only one product that handles the fully automatic forest recovery scenario and also significantly reduces recovery time: Dell Recovery Manager for AD Forest Edition.

The product consists of two parts: the "normal" Recovery Manager for AD, where we set a backup schedule and can granularly restore directory objects, and the Forest Recovery Console, where we create a forest recovery plan.

When we launch the product for the first time, it suggests creating a project, an electronic version of the recovery plan.


Then we specify the settings for connecting to AD or to the backups, and the product shows us a list of all domain controllers. We only need to choose how to restore each domain controller, set passwords, configure DNS settings, and the recovery plan is ready.


Recovery itself is even simpler: click Start Recovery and go. There is no need to connect remotely to the domain controllers; everything happens completely automatically.


How do you test the product in conditions close to real ones?

Here, too, there is an answer: the product includes a special wizard, Active Directory Virtual Lab, which lets you select the necessary servers and move them into an isolated virtual environment, giving you a scaled-down copy of the production environment.


Conclusion

If you are looking for a comprehensive solution for protecting Active Directory, I recommend looking at Dell Recovery Manager for Active Directory Forest Edition. Only this product covers all Active Directory recovery scenarios, from individual attributes up to the whole forest.
Dell offers a 30-day trial version of the product, as well as a virtual lab where you can "get hands-on" with the product and a series of free webinars on its functionality and installation.

Source: https://habr.com/ru/post/240601/
