Active Directory Disaster Recovery on Windows Server 2019

  • Published: Oct 10, 2021
  • This week at work is all about backing up and restoring Windows Server Active Directory. In today's video I'm talking about a situation where our environment is cratered. A meteor strike. Every domain controller in the enterprise is lost. We need a way to get it all back. I'm a big fan of having a local system state backup of Domain Controllers at key data centers in the environment. This backup should be copied to a secure file share where we can always count on getting a recent copy. The security on the share should be highly restricted, to only those who would need to recover it. You also have to consider: if Active Directory is down entirely, how will you access the system state backup? Cloud storage might be a good choice, using a cloud break glass account. I highly recommend scripted builds for domain controllers to ensure consistent configuration of each DC. When we go to recover this DC we want to recreate storage volumes and drive letters to match the original server. Okay, as far as disasters are concerned, this wasn't so bad. Make sure to document your environment, configurations, credentials used for access and whatever else you think may be needed in this situation, and keep this in a safe place you can access even if everything is cratered. Leave a comment below about your worst disaster stories. Give this video a like. Before you go, watch more of my Windows Server administration videos and please click on subscribe. Thank you very much.
    Windows Server Administration Playlist:
    • Windows Server Adminis...
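
An added example, not from the video or its author: PowerShell functions that record the items the description says must match on the recovery server (drive letters and volumes, hardware, OS build down to the patch revision) and report mismatches before a system state restore. The function names and the `D:\Backup\dc-baseline.json` path are hypothetical.

```powershell
# Added example; function names and file paths are hypothetical, not from the video.
function Get-DcRecoveryBaseline {
    # Collect the facts a rebuilt server has to match before a system state restore.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cs = Get-CimInstance Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CapturedUtc  = (Get-Date).ToUniversalTime().ToString('o')
        ProductName  = $cv.ProductName
        OsBuild      = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR   # build.revision
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        Processors   = [int]$cs.NumberOfLogicalProcessors
        MemoryGB     = [int][math]::Round($cs.TotalPhysicalMemory / 1GB)
        Volumes      = @(Get-Volume | Where-Object DriveLetter | Sort-Object DriveLetter |
            ForEach-Object {
                [pscustomobject]@{
                    DriveLetter = [string]$_.DriveLetter
                    Label       = $_.FileSystemLabel
                    FileSystem  = $_.FileSystem
                    SizeGB      = [int][math]::Round($_.Size / 1GB)
                }
            })
    }
}

function Compare-DcRecoveryBaseline {
    # Return one line per mismatch between the saved baseline and this server.
    param([Parameter(Mandatory)] $Baseline, [Parameter(Mandatory)] $Current)
    $diff = @(foreach ($p in 'ProductName','OsBuild','Manufacturer','Model','Processors','MemoryGB') {
        if ($Baseline.$p -ne $Current.$p) {
            "${p}: baseline '$($Baseline.$p)' vs current '$($Current.$p)'"
        }
    })
    foreach ($b in $Baseline.Volumes) {
        $c = $Current.Volumes | Where-Object DriveLetter -eq $b.DriveLetter
        if (-not $c) { $diff += "Volume $($b.DriveLetter): missing on this server" }
        elseif ($c.FileSystem -ne $b.FileSystem -or $c.SizeGB -lt $b.SizeGB) {
            $diff += "Volume $($b.DriveLetter): $($c.FileSystem) $($c.SizeGB) GB, " +
                     "baseline $($b.FileSystem) $($b.SizeGB) GB"
        }
    }
    $diff
}

# On the healthy DC, stored next to each system state backup:
#   Get-DcRecoveryBaseline | ConvertTo-Json -Depth 4 | Set-Content D:\Backup\dc-baseline.json
# On the rebuilt server, before starting the restore:
#   Compare-DcRecoveryBaseline (Get-Content .\dc-baseline.json -Raw | ConvertFrom-Json) (Get-DcRecoveryBaseline)
```

An empty result means the recorded properties match; any line returned names a difference to correct on the rebuilt server first.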

Comments • 28

  • @aamirandroid7798 1 year ago +1

    Excellent boss... my domain and AD restored 100%. I was searching such help on RUclips... but no proper videos there... but I saw your video in which you guided properly... I followed your instructions, and yes finally succeeded.

  • @dineshrakhyani517 2 years ago +2

    By far the best tutorial on restore. There are many videos and articles over the internet, but none is having detailed information. Thanks so much for making such a detailed tutorial.

    • @ShotokuTech 2 years ago

      Thanks! My team still needs to test in production. The key is same hardware arrangement. So only back up two DCs per domain in two different datacenters and thoroughly document the configuration. It should be easy to reproduce in a virtual environment. Best wishes!

  • @JudyPlus 1 year ago +1

    Such a wonderful share.

    • @ShotokuTech 1 year ago +1

      Thanks JudyPlus! You must be learning so much!

  • @bobstratton101 1 year ago +1

    You just saved my week with that registry hack!

  • @SaadonAksah 2 years ago +1

    It's great to have a backup always 👍 Phew! It's back! Crisis averted! 😂 I can't even recover any files from my old hard drives so safe to conclude I could not do it over a network 😂

    • @ShotokuTech 2 years ago

      Yes, technology is a major challenge in many regards. Have you seen my latest DIY NAS Storage video? ruclips.net/video/DV57on9-KKk/видео.html

  • @pratulpatel5769 2 months ago

    Great video! 🔥🔥 Cleared most of my queries relating to the Windows Backup lab, for someone who is at an associate level. Just a quick question: for break glass accounts, how do we register AD Users & Computers in the Computer Management section, which consists of admin accounts (needed for backed up DCs)?

    • @ShotokuTech 2 months ago

      Hello. I may not understand your question correctly. If you want administrative accounts to be in the local admins groups on member servers and/or workstations, I would use 'preferences' in machine GPOs to add the specified accounts to the local groups. For AD domain controllers, there are no local groups. You must document the AD recovery password that is provided when promoting a DC. If you need to change the AD recovery password, you can use NTDSUTIL to do so. Thanks.

  • @miguelnino6508 1 year ago +1

    Very interesting and a lifesaver. I still need to test whether restoring the DC would affect the mail of the Exchange on another server.

    • @ShotokuTech 1 year ago

      It is important to test any backup solution you settle on. My team has tested this in their lab successfully, after the complete loss of all domain controllers, and it succeeded.
      If AD disappears completely, it must be restored first, before recovering Exchange and other applications.
      Best wishes.

  • @JudyFayLondon 1 year ago +1

    This one is a bit complicated. Wish you all the very best of the new year--Year of 2023

    • @ShotokuTech 1 year ago +1

      More practice for my job. I shared this with my team and they have successfully tested it. Thanks.

  • @brianhymer3427 2 years ago +1

    Nice job - must have been fun to work through - but you're treating AD like it runs on a single server (not the multi-server, multi-master replicated database that it is), so there is a lot missing here and a lot to criticize - especially in today's age of cybercriminals and ransomware attacks.
    I did like that you shared your Hyper-V VM Creation script - you should zip that up and share it on a link somewhere so people can grab a copy.
    cheers!

    • @ShotokuTech 2 years ago

      Hi, thanks for your comment. Yeah, I have several hundred DCs, spanning six forests, 16 domains in a global enterprise. Trust me, I would never run a domain on less than two DCs, period. But as you say, ransomware could potentially take the whole thing down. I have seen it with partner companies that lost everything. That is the scenario here: everything is lost and there is just this one system state backup. Can I get AD back? That was the question I asked my team while looking at what the backup team was doing about AD. Otherwise, backing up DCs is a waste. Because as you say, promote a new one and let it replicate from the existing ones. Thanks again.

  • @nicolecox8691 2 years ago +1

    I found your video to be the best I have seen thus far, explaining everything in detail. I have a system backup of Server 2016. The restore completed, but when I rebooted, the VM is in a boot loop and then it stops attempting to boot. The version of the backup is 14393.5125 and the new server (test VM) is 14393.493. Do you have any thoughts or ideas?

    • @ShotokuTech 2 years ago

      Like I say at 4:35 and at the end, there is a need to standardize the DCs and document the configuration of the server to recover. You need to match that as close as possible. So same hardware, same O/S, perhaps even down to the patch level.
      Going back to an older version and applying system state restore is probably the culprit. We just tested this in the workplace and the team was able to do the restore successfully. All our servers are in vCenter, same hardware and VM templates. Patches are applied across that fleet.
      What we are doing now in production is only backing up two DCs from each domain. Previously our outsource support was just backing up DCs willy nilly and some of the 14 domains out of 6 forests weren't backed up at all.
      I hope you can try again and get the win! Thanks.

    • @nicolecox8691 2 years ago +1

      @ShotokuTech Hi, when you state document the config, exactly what are you referring to, the OS build? I backed up from a physical and I am attempting to restore to a virtual machine. Can you please explain? Thx

    • @ShotokuTech 2 years ago

      @nicolecox8691 Yeah, that would be a problem. System state contains all the information related to the hardware, drivers, etc. So to go from one type of hardware to another is not a workable proposition for system state recovery. You need to recover on the same hardware. Are you in a production disaster recovery scenario? Is your AD domain lost at this time? You might be able to recreate it by using this technique: ruclips.net/video/C4P9kN5tbUU/видео.html

    • @nicolecox8691 2 years ago +1

      @ShotokuTech I am not in a disaster recovery; I am testing so that when this occurs I am aware how to resolve the issue. I am testing, if all AD was compromised, how I would get AD back online.

    • @ShotokuTech 2 years ago

      @nicolecox8691 Try it with two virtual servers of the same configuration for your test and it will work for you. Same CPU and RAM, disk arrangement. Install and patch the same version O/S. We plan to eliminate the few remaining physical DCs from our environment with the phase out of Server 2012R2 this next year. The two servers we have backed up in each domain are selected because their configuration is up to our specification and can be reproduced should it be needed. Best wishes.

  • @terrydaktyllus1320 2 years ago +1

    The best disaster recovery for Windows is to remove it and install Linux.

    • @ShotokuTech 2 years ago

      If you don't have a computer, you don't need one. Because if you had one and it broke you would not know what to do with yourself. So I suggest having two computers.