Testing, Testing, 1, 2, 3...

Disaster recovery plans should be part of any testing plan.

I do my research and testing within the confines of a test network. Sometimes it's a single Windows forest with a single domain and sometimes it's a multi-domain, multi-forest, multi-OS monster. Mostly it's not meant to exist for more than a few months, so I don't spend a lot of time worrying about keeping it viable in the face of natural disaster or even simple hard drive failure. If something in the test Windows network dies, it's not going to mean its not going to put me out of business. Can you say the same?

Do you have a disaster recovery plan for your Windows network? I'm not talking about simple data or even system backup here. I'm talking about your plan for completely recovering from the loss of your Active Directory infrastructure. Could you withstand the loss of one of your operations masters? How about the first domain controller installed in a domain? How long would it take to rebuild the DC? Would that time span be short enough to prevent you from major revenue loss?

There are two themes here: First, you should have a comprehensive plan for recovering from the loss of any part of, or all of, your AD infrastructure. Second, you should be able to do so without causing your business financial ruin.

First things first. What should you be doing today that might save your hide tomorrow? Here are three important steps: if you aren't doing them, you should be asking yourself why.

  1. Back up every DC, but make doubly sure you back up every operations role master, global catalog server and the first DC in the domain. You can only restore a DC from its own backup. You can create new DCs in the domain to take the place of those that serve no special role, and you can recover operation masters and rebuild a GC, but can you do so fast enough?
  2. Back up frequently. A backup older than the tombstone age set in AD is not a backup. A tombstone represents a deleted item. The tombstone exists so that an item can be replicated throughout AD, making sure that each DC eventually has deleted the item. If your backup is older than the tombstone age, you won't be able to successfully use it to restore a healthy AD back to your pre-disaster state.
  3. Practice recovery of each type of DC loss. If you don't have a test network to attempt this on, get one. It's a small investment that can mean everything.

There's a lot more to disaster recovery—and, more importantly, maintaining business continuity. If you've got some statistics on the time it took you to recover from an AD failure, let me know.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.