One of the new features in Windows Server 2012 Active Directory is a user interface for the AD Recycle Bin, added to Active Directory Administrative Center.

To enable the Recycle Bin, the forest functional level has to be Windows Server 2008 R2 (or later). Note that once the feature is enabled it cannot be turned off again.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=internal,DC=systemcenterdemo,DC=dk' -Scope ForestOrConfigurationSet -Target 'internal.systemcenterdemo.dk'

Find an object to delete.

Then open the Deleted Objects container in Active Directory Administrative Center, where the object can be restored.

If you have deleted an OU containing users, you cannot restore a user directly, because the parent OU it belonged to no longer exists.

If you do not want the OU restored, use Restore To and pick another container for the user.

Or restore the OU first and then restore its child objects.
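
The same steps done from PowerShell, as an added example that is not part of the original post: it checks the forest functional level, enables the feature only if it is not already on, and restores a deleted OU before the objects that were deleted together with it (nested OUs are handled by recursion). The OU name Sales is an assumption for illustration; the cmdlets are those of the ActiveDirectory module.

```powershell
# Added example, not code from the original post. Enable the AD Recycle Bin with a
# prerequisite check, then restore a deleted OU before the objects that lived in it.
# The OU name "Sales" (used at the bottom) is an assumption.
Import-Module ActiveDirectory

function Enable-RecycleBinIfNeeded {
    $forest = Get-ADForest
    # The feature needs forest functional level Windows Server 2008 R2 or later,
    # and once enabled it cannot be disabled again.
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        throw "Forest functional level is $($forest.ForestMode); raise it to at least $minimum first."
    }
    $feature = Get-ADOptionalFeature -Filter { Name -eq "Recycle Bin Feature" }
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Host "Recycle Bin is already enabled in $($forest.Name)"
        return
    }
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}

function Restore-DeletedChildren {
    param([Parameter(Mandatory)][string]$DeletedParentDn)
    # Objects deleted along with an OU keep lastKnownParent pointing at the OU's DN
    # inside the Deleted Objects container, which is why the user cannot be restored
    # on its own while the OU is still deleted.
    $children = Get-ADObject -Filter { isDeleted -eq $true } -IncludeDeletedObjects `
        -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -eq $DeletedParentDn }
    foreach ($child in $children) {
        $childDeletedDn = $child.DistinguishedName
        Restore-ADObject -Identity $child.ObjectGUID
        # A nested OU has children of its own that point at the nested OU's deleted DN.
        if ($child.ObjectClass -eq 'organizationalUnit') {
            Restore-DeletedChildren -DeletedParentDn $childDeletedDn
        }
    }
    return @($children).Count
}

function Restore-DeletedOuWithChildren {
    param([Parameter(Mandatory)][string]$OuName)
    # A deleted object's name is its old name followed by a line feed and "DEL:<guid>",
    # so match on the prefix and insist on exactly one hit.
    $deletedOu = @(Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq "organizationalUnit" } `
        -IncludeDeletedObjects | Where-Object { $_.Name -like "$OuName*" })
    if ($deletedOu.Count -ne 1) {
        throw "Expected exactly one deleted OU named like '$OuName', found $($deletedOu.Count)."
    }
    # Capture the DN in Deleted Objects before the restore changes it back.
    $deletedOuDn = $deletedOu[0].DistinguishedName

    # Parent first: a child cannot be restored while its parent does not exist.
    Restore-ADObject -Identity $deletedOu[0].ObjectGUID
    $restored = Restore-DeletedChildren -DeletedParentDn $deletedOuDn
    Write-Host "Restored OU '$OuName' and $restored child object(s)."
}

Enable-RecycleBinIfNeeded
Restore-DeletedOuWithChildren -OuName 'Sales'   # assumed OU name
```

The child lookup is done client-side with Where-Object rather than in the LDAP filter, because the deleted OU's DN contains an escaped line feed that is awkward to quote inside a filter string.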

Backup is one thing; restore is another, especially in disaster recovery. In this series we cover the scenario where everything is gone except the backup tapes. This first post covers getting the domain up and running again; following posts will cover file servers, SQL and Exchange.

Data Protection Manager requires a functional domain before it can recover any data from tape, so the first step is always to get the domain up and running again.

In this post we have a production domain test.local, with dc10.test.local as the sole domain controller and dpm10.test.local as the Data Protection Manager server.

For the restore we set up dctemp10.temptest.local and dpmtemp10.temptest.local as a temporary domain to restore the data into; a disaster recovery will always require staging of the restored data if the domain is lost.

It is always recommended to keep an additional backup of the domain controllers outside of Data Protection Manager, so that no matter what happens we can recover the domain first and then start the remaining recovery.

So always keep a separate backup of the domain controllers; there cannot be too many backups as long as the media is kept in a big safe somewhere.

On the test.local domain we need a complete backup of the domain controller.

And we also need a backup of the Data Protection Manager configuration database.

After creating the protection groups, create a manual recovery point to tape, both for the domain controller and for the Data Protection Manager configuration database.

For testing I am using Cristalink's brilliant Firestreamer virtual tape library for Data Protection Manager (http://www.cristalink.com/fs/), so here the backup is located on 3 virtual tapes.

We need a new domain to restore into until the original production environment is up and running again, so here we create a new temporary domain and add a Data Protection Manager server to it.

To simulate loading tapes into the library we use Firestreamer's Import feature, Load From File.

And then we can see the same tapes as we had before the wipe of the domain controller and the Data Protection Manager server.

We then need to run a detailed inventory so that we can see what is on the tapes.

After the detailed inventory has completed we need to run Recatalog Imported Tape to add the contents of the tapes to the Data Protection Manager configuration database.

We then recover the System Protection data from the tapes we just recataloged.

The only restore option for System Protection is to copy it to a network folder.

And it is time to start the restore.

Data Protection Manager == Success

We then need to share the folder so that it can be reached from the Windows Server 2008 R2 installation media.

To restore from the recovered data we boot the Windows Server 2008 R2 installer; DHCP needs to be available on the network so the recovery environment can get an address.

Select the repair option.

As there are no local images to restore from, select Next.

And start networking

Connect to the shared folder on the DPM server

with credentials from the new temporary domain.

Select the image to restore.

Start the re-image.

And wait.

About 12 minutes on my test setup.

After a reboot and setting a fixed IP address the domain is up and running again. With a working domain we can now restore the Data Protection Manager server and then start restoring all remaining workloads.
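
The command-line equivalent of the repair-from-network steps above, as an added example that is not from the original post. These are native commands (wpeinit, net use, wbadmin) typed at the recovery environment's command prompt; they run unchanged from PowerShell as well. The host names, the share name dcrestore, the temptest account and the version identifier are assumptions; wbadmin get versions prints the real identifier to use.

```powershell
# Added example, not from the original post: the recovery-environment commands behind
# the "start networking, connect to the DPM server, select the image" screens.
# Share name, account and version identifier below are assumptions.

# Bring up networking in the recovery environment (needs DHCP on the segment).
wpeinit

# Map the share that the restored System Protection data was published on,
# authenticating with an account from the temporary domain (password is prompted).
net use \\dpmtemp10.temptest.local\dcrestore /user:temptest\administrator *

# List the backup versions found on the share for the original machine name;
# the "Version identifier" column is what the restore step needs.
wbadmin get versions -backupTarget:\\dpmtemp10.temptest.local\dcrestore -machine:dc10

# Rebuild the machine from that version. -recreateDisks repartitions the local
# disks to match the backup, -restoreAllVolumes restores every volume in the image.
wbadmin start sysrecovery -version:01/01/2012-22:00 -backupTarget:\\dpmtemp10.temptest.local\dcrestore -machine:dc10 -restoreAllVolumes -recreateDisks -quiet
```

Because dc10 is the only domain controller in test.local, the restore is simply a nonauthoritative system recovery; there is no second DC to replicate with, so the post's "set a fixed IP and reboot" is all that remains afterwards.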

This is part 1 of 2; the next post will cover the steps for recovery when only the tapes are left.

Data Protection Manager requires a domain to work. In a disaster recovery scenario this means we need to get Active Directory up and running without the help of Data Protection Manager. In my opinion this is a big issue that everyone should get up on the soap box and yell about: adding the option to log on with a local account would speed things up and help a lot. That would still require that the site is alive and only Active Directory is dead, or that there is a second Data Protection Manager server protecting the critical workloads offsite.

Disaster recovery can be triggered by a complete site failure or by a rogue admin disabling all highly privileged accounts and locking the admins out of the domain.

The "workaround" is to schedule local backups with Windows Server Backup and then let Data Protection Manager back those up to tape, since a Windows Server Backup image can be restored onto a "clean" build. Preferably, copy the backup offsite or directly to tape on a server. This will be a cost issue on a lot of smaller sites, but it cannot be stressed enough that we need to be able to recover Active Directory without Data Protection Manager.

This is in addition to the normal backup of the domain controllers through Data Protection Manager, and it applies to every single backup vendor: always keep a separate native backup of Active Directory. Auditors will complain, but setting up a safe procedure for storing the additional backup is worth the effort.

Reference : http://technet.microsoft.com/en-us/library/cc772519(WS.10).aspx

Set up a backup schedule.

When the destination is a remote share, the backup is overwritten each day, so some rotation is needed on the destination to ensure that there is more than one generation to recover from if disaster strikes. And again, if the backup can also go to tape, all the better.

And we now have a WindowsImageBackup folder we can use if disaster strikes.
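
An added example, not the blog's own script, of the rotation the remote-destination note above asks for: each run writes into a dated folder on the share, so Windows Server Backup's overwrite of WindowsImageBackup no longer wipes the previous generation, and folders older than the retention window are pruned. The share path, the retention period and the scheduled task name are assumptions.

```powershell
# Added example, not code from the original post: daily Windows Server Backup of a
# domain controller to a remote share with one dated folder per run and pruning of
# old generations. Share path, retention and task name are assumptions.
$Share    = '\\backup01.internal.systemcenterdemo.dk\dcbackup'   # assumed share
$KeepDays = 14                                                    # assumed retention

function Invoke-DcBackup {
    # Windows Server Backup overwrites the WindowsImageBackup folder on a network
    # target, so a fresh dated folder per run is what keeps earlier generations.
    $target = Join-Path $Share (Get-Date -Format 'yyyy-MM-dd')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # -allCritical covers system state (and with it AD DS) plus every volume needed
    # for a bare-metal restore; -vssFull records the run as a full backup.
    & wbadmin.exe start backup "-backupTarget:$target" -allCritical -vssFull -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin failed with exit code $LASTEXITCODE"
    }
    return $target
}

function Remove-OldDcBackups {
    # Delete dated folders older than the retention window; anything that is not a
    # yyyy-MM-dd folder is left alone.
    $cutoff = (Get-Date).AddDays(-$KeepDays)
    Get-ChildItem -Path $Share -Directory |
        Where-Object {
            $_.Name -match '^\d{4}-\d{2}-\d{2}$' -and
            [datetime]::ParseExact($_.Name, 'yyyy-MM-dd', $null) -lt $cutoff
        } |
        ForEach-Object {
            Write-Host "Removing old generation $($_.FullName)"
            Remove-Item -Path $_.FullName -Recurse -Force
        }
}

function Register-DcBackupTask {
    # Runs this script every night as SYSTEM, so the DC's computer account needs
    # write access to the share (or use a dedicated backup account instead).
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At '22:00'
    Register-ScheduledTask -TaskName 'DC-WindowsServerBackup' -Action $action `
        -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

# ".\dcbackup.ps1 -Register" installs the nightly task; a plain run does the backup.
if ($args -contains '-Register') {
    Register-DcBackupTask
} else {
    $done = Invoke-DcBackup
    Remove-OldDcBackups
    Write-Host "Backup written to $done"
}
```

Keeping the generations as separate folders also means that a restore from the recovery environment can point wbadmin get versions at the exact dated folder that predates the incident, rather than at whatever the last overwrite left behind.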