By Alan Klietz Algin Technology LLC
Copyright © 2007 Algin Technology LLC. All Rights Reserved. Microsoft® Windows® and Active Directory® are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. Algin Technology LLC 3055 Old Highway 8, Suite 35 Minneapolis, MN 55418 E-mail: firstname.lastname@example.org Telephone: +1 866 488 6657 +1 612 235 2100 Fax: +1 612 235 2108
Table of Contents
Introduction Small Organizations Scenario: Grace Community Church Large Organizations Scenario: General Products Corporation OU-level and object-level recovery Branch Office Recovery Disaster Recovery Forest-wide recovery Testing Major or Irreversible Changes Staff Training Domain Consolidation and Restructuring Recovery Best Practices Backup Schedule Restore Order SYSVOL Best Practices for Restoring SYSVOL Recovery Technical Issues AD Database Size ESE page corruption SYSVOL Recovery SYSVOL Restore Types Group Policy Containers and Version Synchronization EFS Key Recovery Guidelines for EFS Key Recovery USN Rollback What is USN Rollback? How to Avoid USN Rollback How to Fix USN Rollback 10 10 11 11 11 12 12 1 1 1 3 3 3 5 5 5 6 6 6 7 7 7 7 7 8 8 8 9 9 Backup Expiration Lingering Objects What are Lingering Objects? How to Remove Lingering Objects Administrator Password Recovery 12 13 13 13 13
Active Directory Recovery Planning for Small and Large Organizations
Active Directory® (AD) is a distributed directory system developed by Microsoft® Corporation to serve a wide variety of organizations from small offices to large multinational corporations. In addition to traditional directory information such as phone numbers and job titles, Active Directory contains the Identification and Authentication (I&A) credentials for the users of a Microsoft Windows® network. AD determines the security boundaries (“domains”), access rights, and usage policies for your network. Because Active Directory is a central component of Windows I&A, developing a recovery plan is essential for reliability and availability of your network. The requirements of your AD recovery plan will be influenced by several factors, including your organizational size, your security and reliability requirements, and your budget and resource availability.
A small organization usually has a limited budget and staff. Often the most significant requirement is the need to limit Total Cost of Ownership (TCO) while serving the mission of the organization.
Scenario: Grace Community Church
Mary is a volunteer who runs the computer system for the church staff at Grace Community Church. Because it is a small organization with a limited budget, Mary needs to be frugal in budgeting expenses. In planning church’s Windows network, Mary decides on Microsoft Small Business Server with Active Directory as the most economical choice. Mary now needs to develop an AD maintenance and recovery plan. Mary’s AD recovery plan includes the following considerations: • • • Running a small domain with a single server. Recovering AD if the single server fails. Minimizing capital and maintenance costs.
Running a domain with a single server: Microsoft generally allows only one Small Business Server (SBS) domain controller in an Active Directory forest (Q884453). Intended for small organizations, the SBS computer is often the only domain controller for the entire organization. Recovering AD if the single server fails: With one server there are three basic methods for recovering AD: 1) Restore the entire System State and the Windows files from the system disk. 2) Move only the AD database and related data files. 3) Rebuild the AD forest. Method 1: Restore the System State and Windows disk. This method copies the entire Windows operating system and all related files from the system disk (typically C:).