Links of Interest: Active Directory Disaster and Recovery
Hello,
In this post I am leaving you links of interest for building, preparing, preventing and executing Disaster and Recovery. We need to be clear that our Active Directory infrastructure is the core and enables many other platforms to function; whether for authentication, name resolution, delegations, etc., they draw on the resources of our domain. To provide a proper service, we must have a structured and detailed recovery plan for the failures we may face, from a single deleted object, through OUs with many objects, Domain Controllers, Domains and Domain Policies, up to a disaster of major magnitude that could even affect our entire Forest.
This topic is very broad, and unfortunately very few places give it the importance it really needs; we remember to have a recovery plan when it may already be too late. It is important to have the plan documented and to run tests in an environment, so that when the time comes to apply something in production we know the steps to follow and no time is lost on pointless executions and "tests" that delay the resolution of the problem.
Below is a list of links of interest that will be useful for building your company's Disaster and Recovery documentation. As for the lab environment for these tests, you can build it on virtual infrastructure. It is advisable to create a parallel structure with the same characteristics as production, both in number of objects and in number of machines, since it will help you estimate resolution times. If your company has a large Active Directory structure you may not be able to duplicate everything, in which case building your lab "to scale" is still enough to estimate resolution times for each type of disaster.
Now, here are the links. There really are a lot of them, but you can take the ones that are useful to you: several are general knowledge, so you will not need information from them, but there are surely some you have missed, and you can find them in the following list:
How to move a Windows installation to different hardware
https://support.microsoft.com/kb/249694
How to automate Ntdsutil.exe using a script
https://support.microsoft.com/kb/243267
How to perform an in-place upgrade of Windows Server 2003
https://support.microsoft.com/kb/816579
How to perform an in-place upgrade of Windows 2000
https://support.microsoft.com/kb/292175
Service overview and network port requirements for the Windows Server system
https://support.microsoft.com/kb/832017
How to optimize the location of a domain controller or global catalog that resides outside of a client's site
https://support.microsoft.com/kb/306602
NetLogon Service–Related KB Articles
Registration of gc._msdcs.<DnsForestName> Records in DNS Is Required
https://support.microsoft.com/kb/258213/
How to enable or disable DNS updates in Windows 2000 and in Windows Server 2003
https://support.microsoft.com/kb/246804
How to Prevent Domain Controllers from Dynamically Registering DNS Names
https://support.microsoft.com/kb/198767
Enabling debug logging for the Net Logon service
https://support.microsoft.com/kb/109626
KDC Service–Related KB Articles
How to force Kerberos to use TCP instead of UDP in Windows
https://support.microsoft.com/kb/244474
User Token Expires When You Log on by Using a Smart Card for a Long Time
https://support.microsoft.com/kb/323931
Authentication May Intermittently Fail
https://support.microsoft.com/kb/818173
How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003
https://support.microsoft.com/kb/839880
You cannot log on or you experience a long delay on a domain controller or on a member computer that is running Windows 2000, Windows XP, or Windows Server 2003
https://support.microsoft.com/kb/883268
Managing Trusts
https://technet2.microsoft.com/windowsserver/en/library/89869a49-3b6c-472a-9612-b11d30d080481033.mspx?mfr=true
Trust Technologies
https://technet2.microsoft.com/windowsserver/en/library/9d688a18-15c7-4d4e-9d34-7a763baa50a11033.mspx?mfr=true
How to build and reset a trust relationship from a command line
https://support.microsoft.com/kb/175025/
Schema Updates Require Write Access to Schema in Active Directory
https://support.microsoft.com/kb/285172
Initial Synchronization Requirements for Windows 2000 Server and Windows Server 2003 Operations Master Role Holders
https://support.microsoft.com/?id=305476
Summary of "Piling On" Scenarios in Active Directory Domains
https://support.microsoft.com/kb/305027
Using Ntdsutil.exe to transfer or seize FSMO roles to a DC
https://support.microsoft.com/kb/255504
Clean up server metadata
https://go.microsoft.com/fwlink/?LinkId=70779
How Operations Masters Work
https://go.microsoft.com/fwlink/?LinkId=70799
Phantoms, tombstones and the infrastructure master
https://support.microsoft.com/kb/248047
Creating and Deleting Objects in Active Directory Domain Services
https://msdn.microsoft.com/en-us/library/aa772216.aspx
Performing an Authoritative Restore of Active Directory Objects
https://technet2.microsoft.com/windowsserver/en/library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx?mfr=true
Guarding Against Accidental Bulk Deletions in Active Directory
https://technet2.microsoft.com/windowsserver/en/library/ea72bc34-6136-42e3-aa36-e2246f15d09d1033.mspx?mfr=true
Security Descriptors and Access Control Lists Technical Reference
https://technet2.microsoft.com/windowsserver/en/library/0b340511-024f-43d0-86d7-17ada2f5b4f41033.mspx
Best Practice Guide for Securing Active Directory Installations
https://technet.microsoft.com/en-us/library/cc773365.aspx
Download: Best Practice Guide for Securing Active Directory Installations.doc
https://www.microsoft.com/downloads/details.aspx?familyid=2eaa45c7-d936-413e-9586-a8bb6ff739d9&displaylang=en&tm
Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations
https://technet.microsoft.com/en-us/windowsserver/2000/bb735369.aspx
Download: Windows Server 2003 Active Directory Operations Guide
https://www.microsoft.com/downloads/details.aspx?FamilyID=6a238df8-115c-4e1a-89f1-ee9bc9486c0f&DisplayLang=en
Download: Active Directory Domain Services Operations Guide.doc
https://www.microsoft.com/downloads/details.aspx?familyid=291BDDB7-EDC6-4E6D-9852-A9A14991D67C&displaylang=en
How to restore deleted user accounts and their group memberships in Active Directory
https://support.microsoft.com/kb/840001
Using LDIFDE to import and export directory objects to Active Directory
https://support.microsoft.com/default.aspx?scid=kb;EN-US;237677
AdRestore v1.1
https://technet.microsoft.com/en-us/sysinternals/bb963906.aspx
How to disable the drag-and-drop functionality of the Active Directory Users and Computers tool in Windows Server 2003
https://support.microsoft.com/kb/827687
Metadata Cleanup
How to remove data in Active Directory after an unsuccessful domain controller demotion
https://support.microsoft.com/kb/216498
How to remove Orphaned domains from Active Directory
https://support.microsoft.com/kb/230306
DsRemoveDsDomainW error 0x2015 error message when you use NTDSUTIL to try to remove metadata for a domain controller that was removed from your network in Windows Server 2003
https://support.microsoft.com/kb/887424
Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
https://support.microsoft.com/kb/332199
IFM
How to use the Install from Media feature to promote Windows Server 2003-based domain controllers
https://support.microsoft.com/kb/311078
Unattended Installation
[DCInstall] (Unattended Installation)
https://technet2.microsoft.com/WindowsServer/en/library/9639f180-c7fe-41c6-8c3d-92389023f0e71033.mspx
Unattended promotion and demotion of Windows 2000 and Windows Server 2003 domain controllers
https://support.microsoft.com/kb/223757
DSRM
How to Change the Recovery Console Administrator Password on a Domain Controller
https://support.microsoft.com/kb/239803
How to Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003
https://support.microsoft.com/kb/322672
Using Terminal Services for remote administration of Windows 2000 or Windows Server 2003 domain controllers in Directory Service Restore mode
https://support.microsoft.com/kb/256588
Backup and Restore
A new event error message is logged if you do not back up a Windows Server 2003 Service Pack 1 (SP1)-based domain controller in a given time period
https://support.microsoft.com/kb/914034
How to perform an authoritative restore to a domain controller in Windows 2000
https://support.microsoft.com/kb/241594
Domain controller is not functioning correctly
https://support.microsoft.com/kb/837513
Replication
Using Repadmin.exe to troubleshoot Active Directory replication
https://support.microsoft.com/kb/229896
Initiating Replication Between Active Directory Direct Replication Partners
https://support.microsoft.com/kb/232072
TechNet Support WebCast: Troubleshooting Active Directory replication using the Repadmin tool: A look into the inner workings
https://support.microsoft.com/kb/905739
Monitoring and Troubleshooting Active Directory Replication Using Repadmin
https://technet.microsoft.com/en-us/library/cc811551.aspx
Windows 2000 - Best Practices: Active Directory Forest Recovery
https://www.microsoft.com/downloads/details.aspx?FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE&displaylang=en
Windows 2003 - Planning for Active Directory Forest Recovery
https://www.microsoft.com/DOWNLOADS/details.aspx?familyid=AFE436FA-8E8A-443A-9027-C522DEE35D85&displaylang=en
Windows 2008 - Planning for Active Directory Forest Recovery
https://technet.microsoft.com/en-us/library/cc786327.aspx
Active Directory Directory Services Maintenance Utility (ntdsutil.exe)
https://go.microsoft.com/fwlink/?LinkId=70810
Webcast: Windows Server 2003 Active Directory Diagnostics, Troubleshooting, and Recovery
https://go.microsoft.com/fwlink/?LinkId=70804
Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
https://support.microsoft.com/kb/822158
How to rebuild the SYSVOL tree and its content in a domain
https://support.microsoft.com/kb/315457
Best Practices for SYSVOL Maintenance
https://support.microsoft.com/kb/324175
Introduction to Administering SYSVOL
https://technet2.microsoft.com/windowsserver/en/library/551f0123-26a7-4ce5-be71-173e7aa79bd31033.mspx?mfr=true
Restoring and Rebuilding SYSVOL
https://technet2.microsoft.com/windowsserver/en/library/21280b7f-9f14-4ff9-8c0d-ec0e555522f01033.mspx?mfr=true
SYSVOL Junction inherits NTFS permissions from the drive root
https://support.microsoft.com/?id=319808
How to relocate the SYSVOL tree on a domain controller that is running Windows 2000 Server or Windows Server 2003
https://support.microsoft.com/?id=842162
How to minimize SYSVOL size by removing administrative templates (.adm files)
https://support.microsoft.com/kb/813338
FRS Technical Reference
https://technet2.microsoft.com/WindowsServer/en/library/965a9e1a-8223-4d3e-8e5d-39aeb70ec5d91033.mspx?mfr=true
Active Directory Operations overview
https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd11.mspx
Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP
https://support.microsoft.com/?id=822158
FRS Tools and Settings
https://technet2.microsoft.com/windowsserver/en/library/3a94d321-4400-442f-a1a9-9569a0db2a561033.mspx?mfr=true
Recovering missing FRS objects and FRS attributes in Active Directory
https://support.microsoft.com/Default.aspx?id=312862
Troubleshooting journal wrap errors on SYSVOL and DFS replica sets
https://support.microsoft.com/?id=292438
Active Directory Operations Overview: Troubleshooting File Replication Service
https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd11.mspx#E2BAC
Folder Name Is Changed to "FolderName_NtFrs_<xxxxxxxx>"
https://support.microsoft.com/?id=328492
Using the BurFlags registry key to reinitialize File Replication Service replica sets
https://support.microsoft.com/kb/290762
Default Group Policy objects become corrupted: disaster recovery
https://technet.microsoft.com/en-us/library/cc739095.aspx
Windows 2000 Default Group Policy Restore Tool
https://www.microsoft.com/downloads/details.aspx?FamilyID=B5B685AE-B7DD-4BB5-AB2A-976D6873129D&displaylang=en
Group Policy: Back Up, Restore, Copy, and Import
https://technet.microsoft.com/en-us/library/cc759276.aspx
Scripting Group Policy tasks using GPMC
https://technet.microsoft.com/en-us/library/cc784365.aspx
GPO Operations - Backup/Restore - Administering Group Policy with GPMC
https://www.microsoft.com/downloads/details.aspx?familyid=D8291B79-922A-439C-88E9-54041A2953DD&displaylang=en
How to configure the Windows Time service against a large time offset
https://support.microsoft.com/kb/884776
Windows Time Service Technical Reference
https://technet.microsoft.com/en-us/library/cc773061.aspx
Managing the Windows Time Service
https://technet.microsoft.com/en-us/library/cc737124.aspx
How to detect and recover from a USN rollback in Windows 2000 Server
https://support.microsoft.com/kb/885875
How to detect and recover from a USN rollback in Windows Server 2003
https://support.microsoft.com/kb/875495
Considerations when hosting Active Directory domain controller in virtual hosting environments
https://support.microsoft.com/kb/888794
Possible Active Directory Inconsistency After You Restore a Domain Controller
https://support.microsoft.com/kb/316829
Information about lingering objects in a Windows 2000 Server-based forest or in a Windows Server 2003-based forest
https://support.microsoft.com/kb/910205
Lingering objects prevent Active Directory replication from occurring
https://support.microsoft.com/kb/317097
Lingering objects may remain after you bring an out-of-date global catalog server back online
https://support.microsoft.com/kb/314282
Outdated Active Directory objects generate event ID 1988 in Windows Server 2003
https://support.microsoft.com/kb/870695
The Active Directory database Garbage Collection process
https://support.microsoft.com/kb/198793
Useful shelf life of a system-state backup of Active Directory
https://support.microsoft.com/kb/216993
Enable strict replication consistency
https://technet.microsoft.com/en-us/library/cc784245.aspx
The Repadmin.exe tool does not report existing lingering objects in Windows Server 2003
https://support.microsoft.com/kb/948071
Clean that Active Directory forest of lingering objects (non-Microsoft)
https://blogs.technet.com/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx
Active Directory Utilities (non-Microsoft)
https://www.codeplex.com/ActiveDirectoryUtils
Best Practice Guide for Securing Active Directory Installations
https://technet.microsoft.com/en-us/library/cc773365.aspx
10 Immutable Laws of Security
https://technet.microsoft.com/en-us/library/cc722487.aspx
Auditing Security Events Best practices
https://technet2.microsoft.com/WindowsServer/en/library/5658fae8-985f-48cc-b1bf-bd47dc2109161033.mspx?mfr=true
Securing Active Directory Administrative Groups and Accounts
https://technet.microsoft.com/en-us/library/cc700835.aspx
Default groups
https://technet.microsoft.com/en-us/library/cc756898.aspx
Download: Best Practices for Delegating Active Directory Administration
https://www.microsoft.com/DownLoads/details.aspx?familyid=631747A3-79E1-48FA-9730-DAE7C0A1D6D3&displaylang=en
Download: Best Practices for Delegating Active Directory Administration Appendices
https://www.microsoft.com/DownLoads/details.aspx?familyid=29DBAE88-A216-45F9-9739-CB1FB22A0642&displaylang=en
Domain Migration Cookbook Chapter 1: Security
https://technet.microsoft.com/en-us/library/bb727125.aspx
Using SID History to Preserve Resource Access
https://technet.microsoft.com/en-us/library/cc779590.aspx
Netdom trust
https://technet.microsoft.com/en-us/library/cc835085.aspx
When to create an external trust
https://technet.microsoft.com/en-us/library/cc755427.aspx
Security Considerations for Trusts
https://technet.microsoft.com/en-us/library/cc755321.aspx
Enhanced Active Directory Disaster recovery features in Windows Server 2008
Ntdsutil
https://technet.microsoft.com/en-us/library/cc753343.aspx
Active Directory Database Mounting Tool Step-by-Step Guide
https://technet.microsoft.com/en-us/library/cc753609.aspx
Dsamain
https://technet.microsoft.com/en-us/library/cc772168.aspx
Installing Windows Server Backup
https://technet.microsoft.com/en-us/library/cc771232.aspx
Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
https://technet.microsoft.com/en-us/library/cc771045.aspx
Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
https://technet.microsoft.com/en-us/library/cc771583.aspx
Scheduling Regular Full Server Backups of a Domain Controller
https://technet.microsoft.com/en-us/library/cc754843.aspx
Scenario Overviews for Backing Up and Recovering AD DS
https://technet.microsoft.com/en-us/library/cc732238.aspx
Other Active Directory Disaster Recovery links
Back up the WINS database
https://technet.microsoft.com/en-us/library/cc727901.aspx
Recovering a WINS Database From Other Backup Sources
https://support.microsoft.com/kb/235609
DHCP Backup/Restore
https://technet.microsoft.com/en-us/library/cc774808.aspx
Regards