[Introduction]
The familiar ringtone sounded on the mobile phone and the call came through, but the news was unpleasant: an emergency fault. The customer had accidentally deleted AD objects, and a large number of computer accounts were deleted by mistake, involving many production systems across the country. If it was not handled in a timely manner, large-scale business paralysis would follow.
Without delay, we "armed ourselves" and headed straight to the site. After what was nearly an all-night battle, the disaster recovery was finally completed.
[Thinking]
AD is the core of enterprise IT infrastructure management, and its importance is self-evident. Being able to face and handle AD disaster recovery scenarios calmly is undoubtedly a great asset to the enterprise and a serious test for a system administrator.
Based on experience from many projects and on the theoretical basis of AD, this article shares the disaster scenarios that may occur in AD management and the countermeasures for each. One thing to note: the premise of this article is a reasonable AD architecture with at least two DCs. With only one DC, some of these situations cause irreparable disaster, and you can only bring your own incense burner and pray to Buddha.
Note: this article only discusses the different AD disaster scenarios and their solutions and does not go into technical details. We hope readers will focus on the overall picture; for those who want to learn the implementation details, we will cover them separately.
1. Scenario 1: objects are deleted by mistake, a backup exists, and the deletion has not yet replicated to other DCs.
If the loss of the objects is detected in time and the deletion has not yet been synchronized to the other DCs, the fault can be confined to one DC by cutting off the connection between that DC and the others promptly. Then you only need to restore the backup (boot into Directory Services Restore Mode), re-enable the network connection so the DC synchronizes data with the other DCs again, and the fault is recovered.
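The first step of this scenario is deciding whether the deletion really is still confined to one DC, and then freezing that DC's replication until the backup is restored. The following PowerShell is an added example, not the article's own tooling; it assumes the AD PowerShell module and repadmin are available, and uses the constructed names DC1 (the DC where the deletion happened) and WS01 (the deleted computer account).

```powershell
# Added example, not from the original article. Constructed names:
# DC1 is the DC where the deletion happened, WS01 is the deleted computer account.
Import-Module ActiveDirectory

$affectedDc = 'DC1'
$objectName = 'WS01'

# 1. Ask every DC in the domain whether it already knows the object as deleted.
#    Deleted objects are only returned with -IncludeDeletedObjects; their name
#    attribute still starts with the original CN, so a prefix match finds the tombstone.
$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $obj = Get-ADObject -Server $dc -IncludeDeletedObjects -Properties isDeleted `
        -Filter "name -like '$objectName*' -and objectClass -eq 'computer'"
    $state = if (-not $obj) { 'not found' } elseif ($obj.isDeleted) { 'DELETED' } else { 'present' }
    [pscustomobject]@{ DC = $dc; State = $state }
}
$report | Format-Table -AutoSize

# 2. Scenario 1 only applies while the deletion is visible on $affectedDc alone.
#    If any other DC already shows it, this is Scenario 2 (authoritative restore).
$spread = $report | Where-Object { $_.State -eq 'DELETED' -and $_.DC -notlike "$affectedDc.*" }
if ($spread) {
    throw "Deletion has already replicated to: $($spread.DC -join ', '). Use an authoritative restore instead."
}

# 3. Cut the affected DC off from replication in both directions so the deletion
#    cannot spread while the backup is being restored.
repadmin /options $affectedDc +DISABLE_INBOUND_REPL +DISABLE_OUTBOUND_REPL

# 4. Now boot $affectedDc into Directory Services Restore Mode and restore the system
#    state backup (non-authoritatively). Once it is back online, confirm the flags are
#    cleared: the restored NTDS Settings object carries the options as of backup time.
#    repadmin /options $affectedDc -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL
```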
2. Scenario 2: objects are deleted by mistake, a backup exists, and the deletion has already replicated to other DCs.
Usually, by the time we notice that an AD object is corrupted or lost, the change has already been synchronized to the other DCs, and simply restoring the backup will then fail. The reason is that a deleted object's data is not actually removed: it is marked as deleted (a tombstone) and kept for the tombstone lifetime. If a plain restore is performed at this point, the restored DC holds the old, undeleted version of the object while the other DCs hold the newer, deleted version. When the data synchronizes, replication follows the rule that the later change wins, so the deletion wins and the restored objects are deleted again.
At this point we need a restore method called authoritative restore. Simply put, it manually raises the version number of the restored objects, forcibly making them the newest data, so that they replicate out as authoritative data.
The procedure for an authoritative restore is as follows:
Boot into Directory Services Restore Mode and restore the backup (note: do not choose to mark the AD database as authoritative here, so that all data is simply restored to the state of the backup);
After the restore succeeds, do not restart the DC. Open the command-line tool and prepare for the authoritative restore;
The command and key parameters are: run ntdsutil, enter the authoritative restore menu, then restore object <DN> for a single object or restore subtree <DN> for an OU and everything under it.
Tip: be familiar with the LDAP distinguished-name syntax of the object to be restored.
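The steps above, carried out end to end, as an added example (not the article's own commands). It assumes the DC is already in Directory Services Restore Mode with the system state backup restored non-authoritatively, and uses the constructed DN OU=Workstations,DC=corp,DC=example for the deleted OU and CN=WS01 for an object inside it.

```powershell
# Added example, not from the original article. Constructed DN: the deleted OU is
# OU=Workstations,DC=corp,DC=example (no spaces, so no nested quoting is needed).
# Phase 1 runs in Directory Services Restore Mode, after the system state backup has
# been restored and BEFORE the reboot the restore wizard asks for.
$subtree = 'OU=Workstations,DC=corp,DC=example'

# ntdsutil accepts its menu commands as arguments, so the interactive session
#   ntdsutil -> authoritative restore -> restore subtree <DN> -> quit -> quit
# collapses to one line. Use "restore object <DN>" for a single object instead.
& ntdsutil.exe 'authoritative restore' "restore subtree $subtree" quit quit
# ntdsutil raises the version numbers of the restored objects so they win the
# replication conflict, and writes ar_*_objects.txt / ar_*_links_*.ldf files for
# back-links (e.g. group memberships held in other domains); import those with
# ldifde once the DC is back online. Then reboot normally.

# Phase 2 (after the reboot and a replication cycle): confirm that the restored object
# is live on every DC and that its last originating write came from the restored DC,
# which is what "authoritative" means on the wire.
Import-Module ActiveDirectory
$dn = "CN=WS01,$subtree"     # constructed sample object inside the restored OU
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -Properties name -ErrorAction SilentlyContinue
    if (-not $meta) { "{0,-28} object not present" -f $dc; continue }
    "{0,-28} version={1} lastWriteFrom={2}" -f $dc, $meta.Version, $meta.LastOriginatingChangeDirectoryServerIdentity
}
```

If a peer DC still reports the object as not present after replication has had time to complete, the restore was not authoritative and the deletion won again; repeat Phase 1 rather than restoring a second time without marking.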
3. Scenario 3: objects are deleted by mistake and no backup is available.
There are two ways to restore objects without a backup: the AD Recycle Bin and tombstone reanimation.
If the forest functional level is lower than Windows Server 2008 R2, restore the tombstone by modifying two attributes: isDeleted and distinguishedName.
If the forest functional level is Windows Server 2008 R2 or higher, we strongly recommend enabling the AD Recycle Bin, which makes lossless restoration of AD objects easy. On Windows Server 2008 R2 the AD Recycle Bin is operated through Windows PowerShell; on Windows Server 2012 and later it can be operated from the graphical interface, as conveniently as the traditional desktop recycle bin.
Precautions for the AD Recycle Bin:
Once the AD Recycle Bin is enabled, it cannot be disabled;
Objects deleted before the AD Recycle Bin was enabled cannot be restored with it;
The feature can be enabled only when the forest functional level is Windows Server 2008 R2 or higher;
After the AD Recycle Bin is enabled, the LDP tool can no longer be used;
Objects are retained in the AD Recycle Bin for 180 days.
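Both restore paths from this scenario in one added example (not the article's own code): the Recycle Bin branch when the forest level and feature allow it, and otherwise the isDeleted/distinguishedName edit on the tombstone. It assumes the constructed forest corp.example, a deleted computer WS01 that originally lived in OU=Workstations, and that it runs on a DC as a domain admin.

```powershell
# Added example, not from the original article. Constructed names: forest corp.example,
# deleted computer account WS01, original location OU=Workstations. Run on a DC as a
# domain admin. Covers both branches the text describes: the AD Recycle Bin (forest
# level 2008 R2 or higher, bin enabled) and tombstone reanimation via isDeleted/distinguishedName.
Import-Module ActiveDirectory
$targetOu = 'OU=Workstations,DC=corp,DC=example'
$targetDn = "CN=WS01,$targetOu"

# Locate the tombstone (or recycled object); its name attribute still starts with the old CN.
$deleted = Get-ADObject -IncludeDeletedObjects -Properties isDeleted `
    -Filter 'name -like "WS01*" -and objectClass -eq "computer" -and isDeleted -eq $true'
if (-not $deleted) { throw 'No deleted object found; the tombstone lifetime / 180-day retention may have passed.' }

$bin = Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'
if ($bin.EnabledScopes.Count -gt 0) {
    # Branch A: Recycle Bin on and the object was deleted after it was enabled, so all
    # attributes and links are intact. Lossless, one cmdlet.
    Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $targetOu
} else {
    # Branch B: forest level below 2008 R2 (or bin never enabled): reanimate the tombstone.
    # Only a few attributes (objectSid, sAMAccountName, ...) survive on a tombstone, so
    # group memberships and the rest must be re-populated afterwards.
    # Removing isDeleted and setting distinguishedName must be ONE LDAP modify, sent
    # with the Show Deleted control (OID 1.2.840.113556.1.4.417).
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $ldap = New-Object System.DirectoryServices.Protocols.LdapConnection((Get-ADDomainController).HostName)
    $ldap.SessionOptions.ProtocolVersion = 3
    $ldap.Bind()      # current credentials

    $dropDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $dropDeleted.Name = 'isDeleted'
    $dropDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($targetDn)

    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $deleted.DistinguishedName   # CN=WS01\0ADEL:<guid>,CN=Deleted Objects,...
    [void]$req.Modifications.Add($dropDeleted)
    [void]$req.Modifications.Add($setDn)
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    [void]$ldap.SendRequest($req)
}
# Either way: enabling the bin later is irreversible and does not recover objects deleted
# before it was turned on:
#   Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'corp.example'
Get-ADComputer -Identity 'WS01' | Select-Object Name, DistinguishedName, Enabled
```

After Branch B the account exists again with its original SID, but its password, group memberships and most other attributes are gone, so the machine typically has to be rejoined and re-added to its groups.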
4. Scenario 4: a DC is damaged.
If a DC is damaged and cannot be repaired quickly, consider rebuilding it. The original DC's entries then become stale data in the directory and must be cleaned up.
Use the ntdsutil command to remove the stale server objects; the relevant menu is metadata cleanup. If, during the cleanup, the server being removed is found to hold an operations master (FSMO) role, a prompt box appears and you can transfer (seize) the role directly.
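The cleanup described here, as an added example (not the article's own commands): seize any operations master roles the dead DC held first, so the ntdsutil run does not stop at the prompt, then remove the server metadata and verify. It assumes the constructed names DC2 (dead), DC1 (survivor) and the site Default-First-Site-Name, and that it runs on DC1 as a domain admin.

```powershell
# Added example, not from the original article. Constructed names: DC2 is the dead DC,
# DC1 survives, site Default-First-Site-Name. Run on DC1 as a domain admin.
Import-Module ActiveDirectory
$deadDc   = 'DC2'
$survivor = 'DC1'
$configNc = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$deadDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configNc"

# 1. Find any operations master (FSMO) roles still pointing at the dead DC and seize them
#    onto the survivor. ntdsutil would prompt for this mid-cleanup; doing it first keeps
#    the cleanup non-interactive. -Force means seize, since the old holder is unreachable.
$domain = Get-ADDomain; $forest = Get-ADForest
$holders = @{
    PDCEmulator = $domain.PDCEmulator; RIDMaster = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
}
$toSeize = $holders.GetEnumerator() | Where-Object { $_.Value -like "$deadDc.*" } |
           Select-Object -ExpandProperty Key
if ($toSeize) {
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 2. Remove the stale replication metadata (NTDS Settings, connection objects, server
#    object). Equivalent to ntdsutil -> metadata cleanup -> remove selected server <DN>.
& ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit

# 3. Verify nothing still references the dead DC: the server object is gone and the
#    survivor lists no replication partner entries for it.
if (Get-ADObject -Filter "distinguishedName -eq '$serverDn'") { throw "$serverDn still exists" }
repadmin /showrepl $survivor | Select-String -Pattern $deadDc
```

Metadata cleanup does not touch DNS: the dead DC's host and SRV records must still be removed from the zone, or clients will keep trying to locate it.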
AD disaster recovery scenarios and solutions