Well – sounds kind of straight forward, right? If my AD is down no-one can logon to their PCs, access network resources, launch apps etc’. but still some CIOs look at AD as just another service in the organization.
I’ll try to break down why Active Directory Disaster Recovery is so important, and how can you actually analyze how important it is for your organization, based on my experience with some of the largest enterprise customers I’ve been working with.
First of all, let me start with a statement I’ve heard from one of my colleagues at Microsoft – “Active Directory is like electricity, no one appreciates it while it’s there, but the moment it stops working all hell breaks loose”. I think it’s the most accurate statement I’ve heard about Active Directory Disaster Recovery .
So let’s see what services Active Directory provides our organization:
- First and foremost authentication services – when a user comes in the morning to their PC and types in their username and password the username and the hash of the password are sent to the Domain Controller in order to verify they are correct, after which the user is able to gain access to his/her PC. Having that said about users, same applies to computer accounts. When you boot up a PC member of the domain, it is authenticated the same way a user is.
- Resources Authentication and authorization – after the user has gained access to their PC they usually try to access resources on the network – file servers, web servers, sharepoint, DB you name it. The authentication to those resources are managed by the Domain Controller, either by using Kerberos (and then the user requests and receives a ticket granting access to a specific resources), or NTLM, then the resources itself performs “chaining”, and forwards the username and hash of the password received from the user to the Domain Controller to authentication the session. (Note: You can find more details on NTLM authentication in a great post by GuyTe – http://blogs.technet.com/b/isrpfeplat/archive/2010/11/05/optimizing-ntlm-authentication-flow-in-multi-domain-environments.aspx)
- Group Policy processing – Although Group Policy processing is done by the client side, Domain Controllers are the one providing clients (PCs, and users) with the list of objects need processing.
- DNS – although it is not mandatory, but many organizations are using their Domain Controllers to provide name resolution services to their organization, both internal for servers in the domain, and external (internet name resolution through forwards or root hints).
- Directory Services Data Repository – The Active Directory is also a data repository which can be consumed by many applications, starting with Sharepoint, Exchange and SQL and can be used by Oracle, CheckPoint, Cisco or any other 3rd party vendor integrating with AD.
Now that we’ve covered all the basic services (in a really high level, as each of those can be a book by itself J ), let’s see what happens if our domain is not available:
- No Authentication Services available – no user will be able to login to their PCs, as well as the PCs themselves authenticating and accessing network resources.
- No Resource authentication and authorization – even if you’re using cached credentials across all your devices, and are able to access your desktop, you won’t be able to access any of the network resources in the organization.
- No GPOs – many times GPOs are used to enforce security settings across clients and servers in the organization. The GPO processing is not available, and no settings will be enforced on the clients – meaning if someone has changed a security setting (as he’s a local admin on his PC), this will not be reverted back to the organizational baseline.
- No DNS – name resolution (if hosted on a DC) is unavailable, meaning your devices cannot access the web, and/or other services on the network.
- No Access to Data repository – Depending on the specifics of the implementation the application can either stop functioning completely (as in the case of Exchange Server), or the functionality can be reduced (for example: organizational VPN solution not being able to authenticate remote access users as it relies on AD for authentication services).
In such a scenario, it is safe to say that your business is down!