Links of Interest: Active Directory Disaster and Recovery

Hello,

In this post I am sharing links of interest for building, preparing, preventing and executing Disaster and Recovery. We need to be clear that our Active Directory infrastructure is the core that lets many other platforms work: whether for authentication, name resolution, delegation, etc., they draw on the resources of our domain. To provide proper service, we need a structured and detailed recovery plan for the failures we may face, from a single deleted object, through OUs with many objects, Domain Controllers, domains and domain policies, up to a disaster large enough to affect our entire forest.

This topic is very broad, and unfortunately very few places give it the importance it really needs; we remember to have a recovery plan when it may already be too late. It is important to have the plan documented and to run tests in an environment, so that if we ever have to apply something in production we know the steps to follow and no time is lost on pointless runs and "tests" that delay resolution of the problem.

Below is a list of links of interest that will be useful for building your company's Disaster and Recovery documentation. The lab environment for these tests can be built on virtual infrastructure. It is advisable to build a parallel structure with the same characteristics as production, both in number of objects and in number of machines, since it will help you estimate resolution times. If your company has a large Active Directory structure, you may not be able to duplicate everything; in that case a lab built "to scale" is still enough to estimate resolution times for each type of disaster.

Now, here are the links. There really are a lot of them, but you can take the ones that are useful to you; several are general knowledge, so you will not need to take information from them, but surely some have escaped you and you can find them in the list below:

How to move a Windows installation to different hardware
https://support.microsoft.com/kb/249694

How to automate Ntdsutil.exe using a script
https://support.microsoft.com/kb/243267

How to perform an in-place upgrade of Windows Server 2003
https://support.microsoft.com/kb/816579

How to perform an in-place upgrade of Windows 2000
https://support.microsoft.com/kb/292175

Service overview and network port requirements for the Windows Server system
https://support.microsoft.com/kb/832017

How to optimize the location of a domain controller or global catalog that resides outside of a client's site
https://support.microsoft.com/kb/306602

NetLogon Service–Related KB Articles
Registration of gc._msdcs.<DnsForestName> Records in DNS Is Required
https://support.microsoft.com/kb/258213/

How to enable or disable DNS updates in Windows 2000 and in Windows Server 2003
https://support.microsoft.com/kb/246804

How to Prevent Domain Controllers from Dynamically Registering DNS Names
https://support.microsoft.com/kb/198767

Enabling debug logging for the Net Logon service
https://support.microsoft.com/kb/109626

KDC Service–Related KB Articles
How to force Kerberos to use TCP instead of UDP in Windows
https://support.microsoft.com/kb/244474

User Token Expires When You Log on by Using a Smart Card for a Long Time
https://support.microsoft.com/kb/323931

Authentication May Intermittently Fail
https://support.microsoft.com/kb/818173

How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003
https://support.microsoft.com/kb/839880

You cannot log on or you experience a long delay on a domain controller or on a member computer that is running Windows 2000, Windows XP, or Windows Server 2003
https://support.microsoft.com/kb/883268

Managing Trusts
https://technet2.microsoft.com/windowsserver/en/library/89869a49-3b6c-472a-9612-b11d30d080481033.mspx?mfr=true

Trust Technologies
https://technet2.microsoft.com/windowsserver/en/library/9d688a18-15c7-4d4e-9d34-7a763baa50a11033.mspx?mfr=true

How to build and reset a trust relationship from a command line
https://support.microsoft.com/kb/175025/

Schema Updates Require Write Access to Schema in Active Directory
https://support.microsoft.com/kb/285172

Initial Synchronization Requirements for Windows 2000 Server and Windows Server 2003 Operations Master Role Holders  
https://support.microsoft.com/?id=305476

Summary of "Piling On" Scenarios in Active Directory Domains
https://support.microsoft.com/kb/305027

Using Ntdsutil.exe to transfer or seize FSMO roles to a DC 
https://support.microsoft.com/kb/255504

Clean up server metadata
https://go.microsoft.com/fwlink/?LinkId=70779

How Operations Masters Work 
https://go.microsoft.com/fwlink/?LinkId=70799

Phantoms, tombstones and the infrastructure master 
https://support.microsoft.com/kb/248047

Creating and Deleting Objects in Active Directory Domain Services
https://msdn.microsoft.com/en-us/library/aa772216.aspx

Performing an Authoritative Restore of Active Directory Objects
https://technet2.microsoft.com/windowsserver/en/library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx?mfr=true

Guarding Against Accidental Bulk Deletions in Active Directory 
https://technet2.microsoft.com/windowsserver/en/library/ea72bc34-6136-42e3-aa36-e2246f15d09d1033.mspx?mfr=true

Security Descriptors and Access Control Lists Technical Reference 
https://technet2.microsoft.com/windowsserver/en/library/0b340511-024f-43d0-86d7-17ada2f5b4f41033.mspx

Best Practice Guide for Securing Active Directory Installations
https://technet.microsoft.com/en-us/library/cc773365.aspx

Download: Best Practice Guide for Securing Active Directory Installations.doc
https://www.microsoft.com/downloads/details.aspx?familyid=2eaa45c7-d936-413e-9586-a8bb6ff739d9&displaylang=en&tm

Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations
https://technet.microsoft.com/en-us/windowsserver/2000/bb735369.aspx

Download: Windows Server 2003 Active Directory Operations Guide
https://www.microsoft.com/downloads/details.aspx?FamilyID=6a238df8-115c-4e1a-89f1-ee9bc9486c0f&DisplayLang=en

Download: Active Directory Domain Services Operations Guide.doc
https://www.microsoft.com/downloads/details.aspx?familyid=291BDDB7-EDC6-4E6D-9852-A9A14991D67C&displaylang=en

How to restore deleted user accounts and their group memberships in Active Directory
https://support.microsoft.com/kb/840001

Using LDIFDE to import and export directory objects to Active Directory
https://support.microsoft.com/default.aspx?scid=kb;EN-US;237677

AdRestore v1.1
https://technet.microsoft.com/en-us/sysinternals/bb963906.aspx

How to disable the drag-and-drop functionality of the Active Directory Users and Computers tool in Windows Server 2003
https://support.microsoft.com/kb/827687

Metadata Cleanup 
How to remove data in Active Directory after an unsuccessful domain controller demotion
https://support.microsoft.com/kb/216498

How to remove Orphaned domains from Active Directory
https://support.microsoft.com/kb/230306

DsRemoveDsDomainW error 0x2015 error message when you use NTDSUTIL to try to remove metadata for a domain controller that was removed from your network in Windows Server 2003
https://support.microsoft.com/kb/887424

Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
https://support.microsoft.com/kb/332199

IFM
How to use the Install from Media feature to promote Windows Server 2003-based domain controllers
https://support.microsoft.com/kb/311078

Unattended Installation
[DCInstall] (Unattended Installation)
https://technet2.microsoft.com/WindowsServer/en/library/9639f180-c7fe-41c6-8c3d-92389023f0e71033.mspx

Unattended promotion and demotion of Windows 2000 and Windows Server 2003 domain controllers
https://support.microsoft.com/kb/223757

DSRM 
How to Change the Recovery Console Administrator Password on a Domain Controller
https://support.microsoft.com/kb/239803

How to Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003
https://support.microsoft.com/kb/322672

Using Terminal Services for remote administration of Windows 2000 or Windows Server 2003 domain controllers in Directory Service Restore mode
https://support.microsoft.com/kb/256588

Backup and Restore 
A new event error message is logged if you do not back up a Windows Server 2003 Service Pack 1 (SP1)-based domain controller in a given time period
https://support.microsoft.com/kb/914034

How to perform an authoritative restore to a domain controller in Windows 2000
https://support.microsoft.com/kb/241594

Domain controller is not functioning correctly
https://support.microsoft.com/kb/837513

Replication
Using Repadmin.exe to troubleshoot Active Directory replication
https://support.microsoft.com/kb/229896

Initiating Replication Between Active Directory Direct Replication Partners
https://support.microsoft.com/kb/232072

TechNet Support WebCast: Troubleshooting Active Directory replication using the Repadmin tool: A look into the inner workings
https://support.microsoft.com/kb/905739

Monitoring and Troubleshooting Active Directory Replication Using Repadmin
https://technet.microsoft.com/en-us/library/cc811551.aspx

Windows 2000 - Best Practices: Active Directory Forest Recovery
https://www.microsoft.com/downloads/details.aspx?FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE&displaylang=en

Windows 2003 - Planning for Active Directory Forest Recovery
https://www.microsoft.com/DOWNLOADS/details.aspx?familyid=AFE436FA-8E8A-443A-9027-C522DEE35D85&displaylang=en

Windows 2008 - Planning for Active Directory Forest Recovery
https://technet.microsoft.com/en-us/library/cc786327.aspx

Active Directory Directory Services Maintenance Utility (ntdsutil.exe)  
https://go.microsoft.com/fwlink/?LinkId=70810

Webcast: Windows Server 2003 Active Directory Diagnostics, Troubleshooting, and Recovery 
https://go.microsoft.com/fwlink/?LinkId=70804

Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
https://support.microsoft.com/kb/822158

How to rebuild the SYSVOL tree and its content in a domain
https://support.microsoft.com/kb/315457

Best Practices for SYSVOL Maintenance
https://support.microsoft.com/kb/324175

Introduction to Administering SYSVOL
https://technet2.microsoft.com/windowsserver/en/library/551f0123-26a7-4ce5-be71-173e7aa79bd31033.mspx?mfr=true

Restoring and Rebuilding SYSVOL
https://technet2.microsoft.com/windowsserver/en/library/21280b7f-9f14-4ff9-8c0d-ec0e555522f01033.mspx?mfr=true

SYSVOL Junction inherits NTFS permissions from the drive root
https://support.microsoft.com/?id=319808

How to relocate the SYSVOL tree on a domain controller that is running Windows 2000 Server or Windows Server 2003
https://support.microsoft.com/?id=842162

How to minimize SYSVOL size by removing administrative templates (.adm files)
https://support.microsoft.com/kb/813338

FRS Technical Reference
https://technet2.microsoft.com/WindowsServer/en/library/965a9e1a-8223-4d3e-8e5d-39aeb70ec5d91033.mspx?mfr=true

Active Directory Operations overview
https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd11.mspx

Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP
https://support.microsoft.com/?id=822158

FRS Tools and Settings
https://technet2.microsoft.com/windowsserver/en/library/3a94d321-4400-442f-a1a9-9569a0db2a561033.mspx?mfr=true

Recovering missing FRS objects and FRS attributes in Active Directory
https://support.microsoft.com/Default.aspx?id=312862

Troubleshooting journal wrap errors on SYSVOL and DFS replica sets
https://support.microsoft.com/?id=292438

Active Directory Operations Overview: Troubleshooting File Replication Service
https://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd11.mspx#E2BAC

Folder Name Is Changed to "FolderName_NtFrs_<xxxxxxxx>"
https://support.microsoft.com/?id=328492

Using the BurFlags registry key to reinitialize File Replication Service replica sets
https://support.microsoft.com/kb/290762

Default Group Policy objects become corrupted: disaster recovery
https://technet.microsoft.com/en-us/library/cc739095.aspx

Windows 2000 Default Group Policy Restore Tool
https://www.microsoft.com/downloads/details.aspx?FamilyID=B5B685AE-B7DD-4BB5-AB2A-976D6873129D&displaylang=en

Group Policy: Back Up, Restore, Copy, and Import
https://technet.microsoft.com/en-us/library/cc759276.aspx

Scripting Group Policy tasks using GPMC
https://technet.microsoft.com/en-us/library/cc784365.aspx

GPO Operations - Backup/Restore - Administering Group Policy with GPMC
https://www.microsoft.com/downloads/details.aspx?familyid=D8291B79-922A-439C-88E9-54041A2953DD&displaylang=en

How to configure the Windows Time service against a large time offset
https://support.microsoft.com/kb/884776

Windows Time Service Technical Reference
https://technet.microsoft.com/en-us/library/cc773061.aspx

Managing the Windows Time Service
https://technet.microsoft.com/en-us/library/cc737124.aspx

How to detect and recover from a USN rollback in Windows 2000 Server
https://support.microsoft.com/kb/885875

How to detect and recover from a USN rollback in Windows Server 2003
https://support.microsoft.com/kb/875495

Considerations when hosting Active Directory domain controller in virtual hosting environments
https://support.microsoft.com/kb/888794

Possible Active Directory Inconsistency After You Restore a Domain Controller
https://support.microsoft.com/kb/316829

Information about lingering objects in a Windows 2000 Server-based forest or in a Windows Server 2003-based forest 
https://support.microsoft.com/kb/910205

Lingering objects prevent Active Directory replication from occurring
https://support.microsoft.com/kb/317097

Lingering objects may remain after you bring an out-of-date global catalog server back online 
https://support.microsoft.com/kb/314282

Outdated Active Directory objects generate event ID 1988 in Windows Server 2003
https://support.microsoft.com/kb/870695

The Active Directory database Garbage Collection process
https://support.microsoft.com/kb/198793

Useful shelf life of a system-state backup of Active Directory
https://support.microsoft.com/kb/216993

Enable strict replication consistency
https://technet.microsoft.com/en-us/library/cc784245.aspx

The Repadmin.exe tool does not report existing lingering objects in Windows Server 2003
https://support.microsoft.com/kb/948071

Clean that Active Directory forest of lingering objects (non-Microsoft)
https://blogs.technet.com/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Active Directory Utilities (non-Microsoft)
https://www.codeplex.com/ActiveDirectoryUtils

Best Practice Guide for Securing Active Directory Installations
https://technet.microsoft.com/en-us/library/cc773365.aspx

10 Immutable Laws of Security
https://technet.microsoft.com/en-us/library/cc722487.aspx

Auditing Security Events Best practices
https://technet2.microsoft.com/WindowsServer/en/library/5658fae8-985f-48cc-b1bf-bd47dc2109161033.mspx?mfr=true

Securing Active Directory Administrative Groups and Accounts
https://technet.microsoft.com/en-us/library/cc700835.aspx

Default groups
https://technet.microsoft.com/en-us/library/cc756898.aspx

Download: Best Practices for Delegating Active Directory Administration
https://www.microsoft.com/DownLoads/details.aspx?familyid=631747A3-79E1-48FA-9730-DAE7C0A1D6D3&displaylang=en

Download: Best Practices for Delegating Active Directory Administration Appendices
https://www.microsoft.com/DownLoads/details.aspx?familyid=29DBAE88-A216-45F9-9739-CB1FB22A0642&displaylang=en

Domain Migration Cookbook Chapter 1: Security
https://technet.microsoft.com/en-us/library/bb727125.aspx

Using SID History to Preserve Resource Access
https://technet.microsoft.com/en-us/library/cc779590.aspx

Netdom trust
https://technet.microsoft.com/en-us/library/cc835085.aspx

When to create an external trust
https://technet.microsoft.com/en-us/library/cc755427.aspx

Security Considerations for Trusts
https://technet.microsoft.com/en-us/library/cc755321.aspx

Enhanced Active Directory Disaster recovery features in Windows Server 2008
Ntdsutil
https://technet.microsoft.com/en-us/library/cc753343.aspx

Active Directory Database Mounting Tool Step-by-Step Guide
https://technet.microsoft.com/en-us/library/cc753609.aspx

Dsamain
https://technet.microsoft.com/en-us/library/cc772168.aspx

Installing Windows Server Backup
https://technet.microsoft.com/en-us/library/cc771232.aspx

Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
https://technet.microsoft.com/en-us/library/cc771045.aspx

Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
https://technet.microsoft.com/en-us/library/cc771583.aspx

Scheduling Regular Full Server Backups of a Domain Controller
https://technet.microsoft.com/en-us/library/cc754843.aspx

Scenario Overviews for Backing Up and Recovering AD DS
https://technet.microsoft.com/en-us/library/cc732238.aspx

Other Active Directory Disaster Recovery links
Back up the WINS database
https://technet.microsoft.com/en-us/library/cc727901.aspx

Recovering a WINS Database From Other Backup Sources
https://support.microsoft.com/kb/235609

DHCP Backup/Restore
https://technet.microsoft.com/en-us/library/cc774808.aspx

Regards