Now before we talk about Active Directory Forest Recovery, let’s try to take a look at what are the different recovery scenarios, and when will I need each?
(Note: if you’re here just for the title scroll to the bottom of the post).
The first and the easiest one is Object Recovery.
Object Recovery is the process of recovering an object (or objects) which was deleted. This can be a result of human error, machine error (Identity management solution mistakenly de-provisions a user) or security breach to which we’ll have a separate section.
Object recovery is relatively easy, specifically with the Windows 2008 R2 introduced Recycle Bin feature (more on this here: https://technet.microsoft.com/en-us/library/dd379542(v=ws.10).aspx).
The second one, which isn’t very hard as well is the Server recovery.
Say you have one Domain Controller, out of 2 (at least, if not please, immediately promote the second), and this server suffers from a hardware failure. What’s the easiest thing to do in order to recovery a DC? Well, just promote it! As there’s no difference between one DC and the next, recovering a server is as simple as just promoting that specific domain controller from scratch. Obviously you might want to keep the same name, and the IP address, but hopefully you got yourself a build guide, so you should know how to build a DC from scratch.
The third one would be Domain Recovery.
With a Domain Recovery you are recovering a single domain in an entire Forest. What could be the cause for that? Well beginning from human error, but usually those are caused by multiple hardware failures (all DCs in DomainX are gone, or if there’s just one), mass deletions in the database, or configuration issues. The domain recovery is a bit hard to explain in a single blog post, but I’ll sure touch the subject of recovering a single domain in a Forest environment in a later post.
Now, that’s where things are getting complicated
Attribute Recovery
Let’s imagine you accidentally ran a script that modified deleted everyone’s first name attribute content. How would you recover from that? Well, it’s either going for Object Recovery for all the users, but then you could be missing changes, depending on when the backup was taken.
Now let’s imagine this was done by someone else, like a bug in a piece of software, or a security breach in the organization allowed an attacker to mangle your content??
At the moment there’s no perfect solution to the problem. You could use snapshots, and use those as a reference, but getting the right content from the snapshot to the live database could easily turn into an ldifde nightmare (plus, finding the difference between snapshot and live isn’t an easy task as well).
And my favorite one Active Directory Forest Recovery
For that, I’m going to turn to the Forest Recovery white paper by Microsoft: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-guide.
And quote the section called ‘Deciding when to perform forest recovery’:
All domain controllers have been logically corrupted or physically damaged to a point that business continuity is impossible; for example, all business applications that depend on AD DS are nonfunctional.
A rogue administrator has compromised the Active Directory environment.
An attacker intentionally or an administrator accidentally runs a script that spreads data corruption across the forest.
An attacker intentionally or an administrator accidentally extends the Active Directory schema with malicious or conflicting changes.
None of the domain controllers can replicate with their replication partners.
Changes cannot be made to AD DS at any domain controller.
New domain controllers cannot be installed in any domain.
How do you do that? Well that’s pages 29-54 in the white paper, outlining the detailed steps required.