The Evolution of Active Directory Recovery
Ulf B. Simon-Weidner, Senior Consultant, Author, Trainer, Speaker
Computacenter, Germany
Session SIA319
Active Directory gone bad: different scenarios
  DC Recovery: recreate or restore
    Where's a backup?
    Is it the same hardware?
  Domain Recovery: replicated error in the domain partition
    No DCs in the domain are functional / replicate
  Forest Recovery: replicated error in the configuration partition
    Faulty schema update
    Corrupted data (malicious or accidental)
    No DCs in the forest are functional / replicate
  Multi-Object Recovery: wrong processes, accidental deletion, bad scripts / tools
  Object Recovery: wrong processes, accidental deletion, bad scripts / tools
  Attribute Recovery: bad scripts; Active Directory Users and Computers (WS2k3+): "accidental editing" of multiple objects at once
[Diagram: two DCs replicating with each other, each holding My Users, My Groups, My Computers]
Authoritative Restore
  Non-Authoritative Restore: getting a domain controller back via System State restore
  Authoritative Restore: using a non-authoritatively restored DC (which has not yet replicated), or a DC which didn't receive the deletion yet
    Mark the objects as newer
    Replicate
[Diagram: the objects marked as newer on the restored DC replicate back to the other DC (My Users, My Groups, My Computers)]
Main issue: restoring links
  Users are members of groups
  There are other links, like managers, Password Settings Objects, ...
  To restore links: only forward links are writeable
    Only forward links will be restored where the target is available
  Solution: authoritative restore at least twice, or
    use LDIFs (Windows Server 2003+)
Recycle Bin
Behind the scenes: NTDS.dit

Data table (DNT = distinguished name tag, PDNT = DNT of the parent):
DNT    PDNT   Name             Attributes                                                  isDeleted
12345  1010   company          "company", "DC"
12351  12345  Deleted Objects  "container"
12360  12345  Users            "user", "container"
12865  12360  Consulting       "consulting", "group"
12890  12360  Ulf              "ulf", "B", "Simon-Weidner", "1-5-..", "Consulting Services"
12891  12360  Joe              "Joe", "Ware", "1-5-..", "Consulting Services"

Link table (group membership: From = group DNT, To = member DNT):
From   To
12865  12890
12865  12891
Behind the scenes: NTDS.dit
Deletion: the object is moved into the "Deleted Objects" container and marked as deleted. Links are removed on each DC.

Data table:
DNT    PDNT   Name             Attributes                                                  isDeleted
12345  1010   company          "company", "DC"
12351  12345  Deleted Objects  "container"
12360  12345  Users            "user", "container"
12865  12360  Consulting       "consulting", "group"
12890  12360  Ulf              "ulf", "B", "Simon-Weidner", "1-5-..", "Consulting Services"
12891  12360  Joe\0ADEL:GUID   "Joe", "Ware", "1-5-..", "Consulting Services"              TRUE

Link table: the row 12865 -> 12891 is gone.
Recycle Bin: Lifecycle (diagram © Microsoft)

No Recycle Bin feature:
  Live object --delete--> Tombstone object --garbage collection--> gone
  Tombstone lifetime: 60/180 days; an authoritative restore is possible within the tombstone lifetime

With Recycle Bin enabled:
  Live object --delete--> Deleted object --(deleted object lifetime: 60/180 days)--> Tombstone object --(tombstone lifetime: 60/180 days)--> garbage collection
  Undelete is possible while the object is still a deleted object
NTDS.dit: AD Recycle Bin

State 1, before the schema is extended: data table and link table as above; Joe (DNT 12891) is live and a member of Consulting.

State 2, schema extended, forest level raised, Recycle Bin enabled: the data table gains an isRecycled column and the link table a Deactivated column.
Data table:
DNT    PDNT   Name             Attributes                                                  isDeleted  isRecycled
12345  1010   company          "company", "DC"
12351  12345  Deleted Objects  "container"
12360  12345  Users            "user", "container"
12865  12360  Consulting       "consulting", "group"
12890  12360  Ulf              "ulf", "B", "Simon-Weidner", "1-5-..", "Consulting Services"
12891  12360  Joe              "Joe", "Ware", "1-5-..", "Consulting Services"
Link table:
From   To     Deactivated
12865  12890
12865  12891

State 3, user Joe deleted (he stays a deleted object for the deleted object lifetime): the object is renamed and marked deleted, its attributes stay, and the link is deactivated instead of removed.
Data table (other rows unchanged):
12891  12360  Joe\0ADEL:GUID   "Joe", "Ware", "1-5-..", "Consulting Services"              TRUE
Link table:
From   To     Deactivated
12865  12890
12865  12891  TRUE

State 4, undelete: the name is restored, isDeleted is cleared and the link is reactivated, so the group membership comes back together with the object.
Restoring multiple objects
  Deleted Objects container: everything is flat
  DN changed, attributes still exist, lastKnownParent helps
  Objects must be reanimated into existing containers, top to bottom
  Evaluate lastKnownParent and lastKnownRDN (an RDN > 128 chars is truncated in the deleted name)

Example (diagram © Microsoft), tree before the delete:
  OU=Finance
    CN=Tom
    CN=Sally
    OU=Admins
      CN=Mark

After the delete, everything lies flat in CN=Deleted Objects:
  CN=Robert\0ADEL:…
  CN=Mark\0ADEL:…
  CN=Tom\0ADEL:…
  CN=Sally\0ADEL:…
  OU=Admins\0ADEL:…
  OU=Finance\0ADEL:...

Restore top-down: OU=Finance first, then CN=Tom, CN=Sally and OU=Admins into it, then CN=Mark into OU=Admins.
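As an added example (not code from the session), a PowerShell function that does this top-down reanimation with the Recycle Bin: it collects the deleted objects of a time window, restores those whose lastKnownParent is still live, and uses the DN of each parent it has just restored as the target path for that parent's children. The function name, its parameters and the whenChanged-based selection are my assumptions.

```powershell
# Added example, not from the session. Assumes the AD Recycle Bin is enabled
# (so msDS-LastKnownRDN exists) and the ActiveDirectory module is present.
Import-Module ActiveDirectory

function Restore-ADSubtree {
    param(
        [Parameter(Mandatory)][datetime]$DeletedAfter,   # start of the deletion window (assumption)
        [string]$Server = $env:COMPUTERNAME
    )
    # CN=Deleted Objects is flat. lastKnownParent holds the old parent DN; if the
    # parent was deleted too, that DN carries \0ADEL:<guid> and points into the
    # Deleted Objects container, so the parent has to be restored first.
    $remaining = @(Get-ADObject -Server $Server -IncludeDeletedObjects `
                     -Filter { isDeleted -eq $true -and whenChanged -ge $DeletedAfter } `
                     -Properties lastKnownParent, 'msDS-LastKnownRDN' |
                   Where-Object { $_.Name -ne 'Deleted Objects' })   # the container itself is isDeleted=TRUE

    $restored = @{}   # old (deleted) DN -> DN after the restore
    while ($remaining.Count -gt 0) {
        $progress = $false
        foreach ($obj in @($remaining)) {
            $parent = $obj.lastKnownParent
            if ($restored.ContainsKey($parent)) {
                $target = $restored[$parent]          # parent restored in an earlier pass
            } else {
                # Live parent? Deleted objects are not returned without
                # -IncludeDeletedObjects, so a pending parent ends up in the catch.
                try   { $target = (Get-ADObject -Server $Server -Identity $parent).DistinguishedName }
                catch { continue }                    # parent still pending, next pass
            }
            # msDS-LastKnownRDN keeps the full RDN value; the tombstone's name is
            # truncated at 128 chars and carries the \0ADEL:<guid> suffix.
            $new = Restore-ADObject -Server $Server -Identity $obj.ObjectGUID `
                       -NewName $obj.'msDS-LastKnownRDN' -TargetPath $target -PassThru
            $restored[$obj.DistinguishedName] = $new.DistinguishedName
            $remaining = @($remaining | Where-Object { $_.ObjectGUID -ne $obj.ObjectGUID })
            $progress = $true
        }
        if (-not $progress) {
            # Whatever is left points at a parent that is neither live nor
            # restorable (e.g. already recycled): report it instead of looping.
            $remaining | ForEach-Object { Write-Warning "No usable parent for $($_.DistinguishedName)" }
            break
        }
    }
    return $restored
}

# Usage: everything deleted in the last two hours, parents before children.
Restore-ADSubtree -DeletedAfter (Get-Date).AddHours(-2)
```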
Issues and solution paths

Issue                     OS level     Solution path
DC broken                 any          Fresh install or rebuild; WS2k3+: Install from Media option
Domain broken             any          Recover >=1 DC and rebuild the others
Forest broken             any          Each domain: recover >=1 DC and rebuild the others
Object(s) fully deleted   <=WS2k3R2    Authoritative restore or "Do-It-Yourself"*
                          WS2k8        Tombstone reanimation + snapshot
                          >=WS2k8R2    Recycle Bin
Object(s) partly deleted  <=WS2k3R2    Authoritative restore or "Do-It-Yourself"*
                          WS2k8+       Snapshot
Accidental changes        any          Manual, snapshot or "Do-It-Yourself"*
AD Recycle Bin
  Requires forest level Windows Server 2008 R2. New in R2: rollback to the 2008 DL/FL is possible as long as the Recycle Bin is not enabled.
  The Recycle Bin is an optional feature that must be enabled; once on, it cannot be turned off. Now you are stuck with your forest level, so make sure you have a solid state before.
  Enables full restore of objects, to the state they had when they were deleted.
  Additional scripts and data help.
New in Windows Server 2012
  Active Directory Administrative Center supports domain and forest level upgrades in the GUI, enabling the Recycle Bin in the GUI, and undeleting single objects in the GUI.
  Undeleting multiple objects still requires a PowerShell script.
WS2k8+: Active Directory Snapshots
  Create snapshot: Ntdsutil.exe -> Snapshot -> Activate Instance NTDS -> Create
  Mount snapshot in the file system: Ntdsutil.exe -> Snapshot -> List All / Mount
    ID -> Mount {GUID}
  Expose the snapshot as a read-only directory:
    Dsamain.exe -dbpath c:\$snap2007...\ntds.dit -ldapport 10000
  Access the R/O directory's data: Active Directory Users & Computers, LDP, ADSIEdit, dsquery, ... against port 10000
Reanimating Tombstones
  Tombstone (what is left after the delete):
    isDeleted  TRUE
    rdn        CN=Ulf\0ADEL:GUID
    name       (empty)
    phone      (empty)
    memberOf   (empty)
    SID        S-1-5-21-xx-xx-..
  After reanimation (e.g. ADRestore, admod, LDP):
    isDeleted  <not set>
    rdn        CN=Ulf
    name       (empty)
    phone      (empty)
    memberOf   (empty)
    SID        S-1-5-21-xx-xx-..
  After refilling the attributes (manually, script, LDIF, ...):
    isDeleted  <not set>
    rdn        CN=Ulf
    name       Ulf B. Simon-Weidner
    phone      +49 (89) 555-1234
    memberOf   ???
    email      [email protected]
    SID        S-1-5-21-xx-xx-..
Virtual DCs, ready for today?
  Spread DCs across VM infrastructures. Don't roll back snapshots. Synchronize the right time.
  "The most (forest/domain) recovery scenarios I've seen are caused by virtual environments!"
  Lingering objects or USN rollbacks are many times caused by virtual environments!
  "Don't use it? Wrong! Do it right!"
Virtualizing DCs: USN rollback
  DC01 USN: 2200 2210 2220 2230 2240 2250 2260 2270
  DC02 USN: 1020 1030 1040 1050 1060 1070 1080 1090
  1. DC01 (USN 2220) and DC02 (USN 1040) are in sync; a snapshot of DC02 is created
  2. DC01 (USN 2260) is in sync with DC02 (USN 1080)
  3. DC02 is rolled back to the snapshot at USN 1040
  Result: DC01 thinks it has all updates from DC02 up to USN 1080, however DC02 is at 1040 again: the changes DC02 now makes between 1040 and 1080 are not replicated to DC01.
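Added example, not from the session: a PowerShell check for the symptoms a DC shows once it has itself detected such a rollback (the "Dsa Not Writable" value under the NTDS parameters set to 4, Netlogon paused so the DC stops advertising, and event 2095 in the Directory Service log). The function name and the use of PowerShell remoting are my assumptions.

```powershell
# Added example, not from the session. Reads the documented USN-rollback
# indicators from a DC; needs PowerShell remoting to the target DC.
function Test-UsnRollback {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # A DC that notices the mismatch sets "Dsa Not Writable" = 4 under the NTDS
    # parameters, pauses Netlogon and logs event 2095 (Directory Service log).
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $flag = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path $using:ntds -ErrorAction SilentlyContinue).'Dsa Not Writable'
    }
    $netlogon = Get-Service -ComputerName $ComputerName -Name Netlogon
    $events = @(Get-WinEvent -ComputerName $ComputerName -MaxEvents 5 -ErrorAction SilentlyContinue `
                   -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 })

    [pscustomobject]@{
        ComputerName   = $ComputerName
        DsaNotWritable = $flag                      # 4 = rollback detected, $null = clean
        NetlogonStatus = $netlogon.Status           # 'Paused' once the DC has quarantined itself
        Event2095Count = $events.Count
        RollbackLikely = ($flag -eq 4) -or ($events.Count -gt 0)
    }
}

# Check every DC in the domain and keep the ones that need attention.
Get-ADDomainController -Filter * |
    ForEach-Object { Test-UsnRollback -ComputerName $_.HostName } |
    Where-Object { $_.RollbackLikely }
```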
Virtualizing DCs in Windows Server 2012
  Domain controllers recognize when they are being rolled back
  DCs take the same action as when a supported System State restore is done and reinitialize their replication agreements
  Requirements: the VM host must support the "VM Generation Identifier" (e.g. Hyper-V 3.0), and the VM guest (= DC) must support the feature (Windows Server 2012)
Preventing human errors
  DELEGATE!!! If somehow possible, delegate permissions
  Avoid using built-in groups, especially Account Operators
  Delegate Domain Admins if possible
  Tools are helping
Preventing accidental deletions
  In Windows Server 2008 (and R2): protect OUs from accidental deletion (GUI). Migrated? Use PowerShell:
    get-ADOrganizationalUnit -filter * | set-ADOrganizationalUnit -protectedFromAccidentalDeletion $true
  Can (and should) be done in W2k(3) "manually": DENY Delete & Delete Subtree for Everyone on all OUs
    for /f "tokens=*" %i in ('dsquery ou -limit 0') do dsacls %i /d everyone:SDDT
  Suggestion: change the default security descriptor of OUs to ensure that delegated admins and older tools "inherit" the default
Preparation: Backup
  It is very important to back up the right data: System State (at least), list of objects (distinguishedNames), GPOs (contents), GPO links
  Optionally: maintain versions of the backup. Optionally: keep AD snapshots.
Windows Backup
  System State backup: the data needed to restore the DC over an existing OS. WS2k8 only: System State backup needs to be done via the command line.
  Critical volume backup: on "dedicated DCs" usually just 15% more; enables Bare Metal Restore. If incremental backups are used, don't forget to create full backups regularly as well.
  Needs to be installed:
    powershell.exe -command "&{import-module ServerManager; add-windowsfeature Backup}"
Lists of objects
  GPO links and their options, of the domain and of the sites:
    ldifde -f c:\Backupdata\DomainGpoLinks.ldf -r "(gplink=*)" -l gplink,gpoptions
    ldifde -f c:\Backupdata\SiteGpoLinks.ldf -d cn=configuration,dc=… -r "(gplink=*)" -l gplink,gpoptions
  All distinguished names (for authoritative restore):
    dsquery * domainroot -scope subtree -attr modifytimestamp distinguishedname -limit 0 > c:\backupdata\objlist.txt
  All GPOs (requires BackupAllGPOs.wsf and Lib_CommonGPMCFunctions.js from the GPMC scripts):
    cscript e:\scripts\BackupAllGPOs.wsf c:\BackupData
Create Backup / Snapshots
  Create the backup in the script:
    wbadmin.exe START BACKUP -backupTarget:%TargetUNC% -allCritical -include:c:,e: -noVerify -vssFull -quiet
  Create AD snapshots:
    Ntdsutil.exe snapshot "Activate Instance NTDS" create quit quit
Maintain Versions
  How many backups should be kept at the UNC?
    set Backup2Keep=10
    SETLOCAL ENABLEDELAYEDEXPANSION
    set count=0
    for /f "tokens=*" %%i in ('dir /o:-d /b %TargetUNC%\WindowsImageBackup\%computername%\backup*.') do (
      set /a count=!count! + 1
      if !count! GTR %Backup2Keep% (
        echo DELETE !count!: %%i
        rd /s /q "%TargetUNC%\WindowsImageBackup\%computername%\%%i"
      ) else (
        echo MAINTAIN !count!: %%i
      )
    )
  Works against local or remote (UNC) repositories, even SMB filers ;)
Snapshots as additions
  Enable "Versions"
  Can be used in Quest's AD Recovery Manager
  Should be "managed": VSS only assures the "volume" of recent snapshots is kept; they grow over time; the DIT might be small
  What we do: configure how many snapshots are kept fully, copy the DIT out of the snapshot to a repository, configure how many DITs are kept, delete old snapshots / DITs
Restore Deleted Objects (and their Links)
Find Deleted Objects
  Recycle Bin:
    Enable the Recycle Bin:
      Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
    Find and restore:
      Get-ADObject -LDAPFilter '(&(name=Ulf*)(isDeleted=*))' -IncludeDeletedObjects
      … | Restore-ADObject
    Restore a tree: leverage the script from http://blogs.msdn.com/adpowershell/archive/2009/06/01/inspecting-deleted-objects-before-restore.aspx
  Snapshot / LDIF (export from the snapshot port, import into the live directory):
    LDIFDE -r "(name=)" -m -f filename.ldf -p port
    LDIFDE -i -z -f input.ldf
Restoring Object Data (LDIF examples)

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: modify
replace: cn
cn: User_Marketing
-

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: modify
replace: sn
sn: Marketing
-

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: modify
replace: c
c: DE
-

dn: CN=User,OU=Demo,DC=xyz,DC=com
changetype: add
cn: User_Marketing
sn: Marketing
c: DE
l: Hometown
title: Worker-Bee
Different scenarios: specific attributes, specific objects, objects underneath a specific OU
  All objects underneath the OU:
    ldifde -d "ou=Demo,dc=…" -m -f filename.ldf -p port
  Only users underneath the OU:
    ldifde -d "ou=Demo,dc=…" -r "(objectClass=User)" -f filename.ldf -p port
  Only specific attributes:
    ldifde -d "ou=demo,dc=…" -l "physicalDeliveryOfficeName,telephoneNumber" -f filename.ldf -p port
Restoring Links
  dsget user cn=Ulf,ou=Demo,dc=xyz,dc=com -s localhost:10002 -memberof | dsmod group -addmbr cn=Ulf,ou=Demo,dc=xyz,dc=com
  Forward link in the restored object: will be recovered if the target is there; read it from the snapshot and update
  Backlink in the restored object: update the object that holds the forward link, e.g. for memberOf update the group with the recovered object
  Multi-domain: run this procedure against a GC (recovered or snapshot) in every domain
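Added example, not from the session, for the memberOf case: it reads the user's memberOf from the snapshot exposed by dsamain and writes the forward link (member) on each live group, which is the direction the text describes. Port 10000, the function name, and the assumption that group and user DNs are identical in the snapshot and the live directory are mine.

```powershell
# Added example, not from the session. dsamain speaks plain LDAP (no ADWS),
# so the AD module's -Server cannot reach it; the ADSI LDAP provider is used
# for the snapshot and the live DC alike.
function Restore-ADMembershipFromSnapshot {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [string]$SnapshotServer = 'localhost:10000',   # dsamain -ldapport 10000
        [string]$LiveServer     = 'localhost'          # writable DC of the user's domain
    )
    $old  = [ADSI]"LDAP://$SnapshotServer/$UserDN"
    $live = [ADSI]"LDAP://$LiveServer/$UserDN"
    # memberOf is a back-link computed from the groups' member attribute and
    # cannot be written on the user; rewrite the forward link on each group.
    $oldGroups  = @($old.memberOf)
    $liveGroups = @($live.memberOf)
    $added = @(); $skipped = @()
    foreach ($groupDN in $oldGroups) {
        if ($liveGroups -contains $groupDN) { continue }   # link survived or is already fixed
        try {
            $group = [ADSI]"LDAP://$LiveServer/$groupDN"
            $group.Properties['member'].Add($UserDN) | Out-Null
            $group.CommitChanges()
            $added += $groupDN
        } catch {
            # Typically the group itself is still deleted: restore it first
            # (top-down), then run this again.
            $skipped += $groupDN
            Write-Warning "Could not add $UserDN to $groupDN : $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ User = $UserDN; Added = $added; Skipped = $skipped }
}

Restore-ADMembershipFromSnapshot -UserDN 'CN=Ulf,OU=Demo,DC=xyz,DC=com'
```

In a multi-domain forest run it once per domain, pointing -SnapshotServer at that domain's snapshot and -LiveServer at a writable DC there, since groups in other domains can only be written in their own domain.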
Ways to get data
  Recycle Bin: available if all DCs are WS2k8R2 or higher
  Snapshots: available if one DC (per domain) is WS2k8+
  W2k(3): backups also create a consistent state of the DIT
  WS2k3 DITs and higher can be mounted with dsamain (-allowUpgrade)
  WS2k8 without the DC role (member or stand-alone) can mount DITs: AD binaries or AD LDS
  Windows 7/8: AD LDS for Win7 brings dsamain
Strategy for Versioning / Online Recovery

OS                  Source           Get data                     Prepare target object    Write data       Fix links
WS2012              Backup/Snapshot  Database mounting / Version  Recycle Bin              Script if diff.  Script if diff.
WS2k8R2 (Versions)  Backup/Snapshot  Database mounting / Version  Recycle Bin              Script if diff.  Script if diff.
WS2k8               Backup/Snapshot  Database mounting            Tombstone reanimation    Script           Script
WS2k3(R2)           Backup           Database mounting            Tombstone reanimation    Script           Script
W2k                 Backup           Offline DC                   (Tombstone reanimation)  Script           Script
Deploy your Backup-Strategy
  Group Policy Preferences in WS2k8R2: create a policy which creates the folders, copies the files needed and creates the scheduled task
  One policy for: DCs_which_are_backed_up; DCs_which_maintain_snapshots (create and manage); All_DCs, to synchronize the NTDS (DSRM) password
Additional
  Prepare RDP for Directory Services Restore Mode: RDP into the machine, change the default boot option, boot, RDP into DSRM
    bcdedit /copy {current} /d "<description of the DSRM boot entry>"
    bcdedit /set {%i} safeboot dsrepair
    (%i holds the GUID of the new entry printed by the copy command, e.g. captured in a for /f loop)
  Sync DSRM password: use a deactivated domain account, set its password regularly, and schedule the following command line on all DCs (via GPO):
    ntdsutil "set dsrm password" "sync from domain account xyz" q q
Get your data up-to-date after the restore
  Windows Server 2008+: auditing of object changes
    auditpol /get /category:"DS Access"
    auditpol /set /subcategory:"Directory Service Changes" /success:enable
  Documented changes are helping
  Maybe an ntds.dit of the faulty state; use the AD Snapshot Browser
  Link-Value Replication also helps (if the domain is at Windows Server 2003 level and the group was edited afterwards)
Extending the Management Interfaces
  Active Directory Administrative Center: registering legacy tabs for objects is possible; extending the context menu is not possible
  Active Directory Users and Computers: both options are still possible
Consider DC cloning for recovery in Windows Server 2012
  The first DC (DC01) is recovered from backup; additional DCs are deployed using cloning
Think beyond
  One company manages 5000 separate, single-domain forests via slow lines
  Data needs to stay on decentral premises
  Minimum infrastructure / storage; a regular backup is too large
  1 DC + clients, quite at physical risk of being stolen
Single-DC-Restore
  Task: how to restore an AD without using large backups?
    Known AD and OU structure, which is installed automatically
    Create a dump of all users and groups with minimum information (the import would create them)
    Create a dump of all users and groups with all information (the import will modify attributes)
    Create a list of all computers
    Create a list of all users/groups and their SIDs
  To restore:
    During installation of AD, the server recognizes it is being rebuilt
    Creates the minimum users and groups from the script
    Modifies all writeable attributes of users and groups (incl. links)
    Adds the new SIDs to the list of users/groups, next to the old SID
    Re-ACL: change all permissions from old SID to new SID
    Rejoin computers to the domain (netdom + re-ACL)
The Evolution of Active Directory Recovery

Operating System         AD Recovery Feature
Windows 2000             Authoritative Restore
                         System State Backup and Restore
                         Metadata Cleanup (ntdsutil)
Windows Server 2003      Link-Value Replication
                         Group Policy Management Console
                         Individual Backup/Restore of GPOs
Windows Server 2003 SP1  Maintain SID-History in Tombstone
                         Increased Tombstone Lifetime (180 days)
                         LDIF files in Ntdsutil to restore links
                         Install from Media
Windows Server 2003 R2   w/o SP2: Tombstone Lifetime accidentally 60 days again
Windows Server 2008      Active Directory Snapshots
                         Windows Server Backup (System State via CMD)
                         Synchronize DSRM Password
                         Metadata Cleanup (AD Users and Computers)
                         Active Directory Change Auditing
Windows Server 2008 R2   Active Directory Recycle Bin
                         Windows Server Backup (System State via GUI)
Related Content
  Breakout Sessions: SIA313 (2:45 S220A); review sessions you missed online
  Hands-on Labs: SIA11-HOL, SIA21-HOL, WSV44-HOL
  Related Certification Exam: (70-410 + 70-411 + 70-412) or 70-416 (available later this year)
  Find me later: Q&A after the session, www.msmvps.com/UlfBSimonWeidner
© 2012 Microsoft Corporation. All rights reserved.