Active Directory Change Resiliency

Last month I had many discussions with many people on Active Directory backup and restore. The obvious topics to talk about are disaster recovery and forest recovery, and of course we talked about those, but in many of last month's discussions we focused more on what I'd call 'change resiliency': the ability to quickly revert changes made by Active Directory admins.

I feel this is a topic that is often neglected.
To see why this is an interesting side of the story, we only have to look at what Microsoft offers built into Windows Server and what typical Active Directory backup and restore solutions offer. Then, it becomes really easy to see how to be really smart with reverting changes in Active Directory.

Note:
Discussing these solutions is what Darren and I did extensively in our free June 27 webcast on 'Picking the right type of solution for Active Directory Backup and Restore', so if you'd rather listen to us than read the next three sections, feel welcome to tune in!

What Microsoft offers

Microsoft offers three helpful technologies for Active Directory admins in Windows Server:

1. Windows Server Backup

2. The Active Directory Recycle Bin

3. The ‘Protect from Accidental Deletion’ option

Objects in Active Directory are identified by unique security identifiers, sIDs. When you delete an object and then recreate it with the same name, username, etc., it won't be the same object, because the sID won't be the same. Since the original object was removed from the database, it took its sID down with it. A new object always gets a different sID, even when every other manageable attribute is identical to the original. The sID, however, is the attribute used in many of the mechanisms that grant (or deny) access, like group memberships and access control lists (ACLs).
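To make that consequence visible, here is an added example (not code from the original post) that scans security descriptors for entries whose sID no longer resolves to an account, which is exactly the trace a deleted-and-recreated object leaves behind in ACLs. It assumes the RSAT ActiveDirectory module; the share path and OU distinguished name are hypothetical.

```powershell
# Added example, not from the original post. When an object is deleted and recreated,
# ACEs that referenced the old sID no longer resolve to a name; Get-Acl returns them as
# raw 'S-1-5-21-...' strings. This scan lists such orphaned entries on a file share and
# on an Active Directory container. Both paths are hypothetical.
Import-Module ActiveDirectory   # also provides the AD: drive used below

function Get-OrphanedSidAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$ExplicitOnly   # skip ACEs inherited from a parent
    )
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ExplicitOnly -and $ace.IsInherited) { continue }
        $id = $ace.IdentityReference.Value
        # Resolvable principals come back as DOMAIN\name or a well-known name; a
        # domain sID whose object is gone stays in S-1-5-21-<domain>-<RID> form.
        if ($id -like 'S-1-5-21-*') {
            # File system ACEs carry FileSystemRights, AD ACEs ActiveDirectoryRights.
            $rights = if ($ace.PSObject.Properties['ActiveDirectoryRights']) {
                $ace.ActiveDirectoryRights
            } else {
                $ace.FileSystemRights
            }
            [pscustomobject]@{
                Path      = $Path
                Sid       = $id
                Type      = $ace.AccessControlType
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# File system: explicit orphaned entries on every folder under a share.
$share = '\\fs01\Projects'   # hypothetical
Get-ChildItem -LiteralPath $share -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-OrphanedSidAce -Path $_.FullName -ExplicitOnly } |
    Format-Table -AutoSize

# Directory: the same check on an OU's security descriptor through the AD: drive.
Get-OrphanedSidAce -Path 'AD:\OU=Servers,DC=corp,DC=example' | Format-Table -AutoSize
```

Every row this returns is a permission that the recreated account does not have anymore, however identical its name looks in the management tools.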

Windows Server Backup

Before Windows Server 2008, restoring an object in the situation above meant either Active Directory object reanimation or a restore from backup. Sysinternals offers a tool to accomplish the first, and Microsoft, luckily, ships a backup and restore tool with Windows Server: Windows Server Backup.

Windows Server Backup can be used to create backups of the Active Directory database, also referred to by its filename ntds.dit or simply as ‘the dit’. The same tool can be used to create bare metal restore boot media to restore a Domain Controller to its former self, in a supported way.

I feel it's important to note that Windows Server Backup uses volume shadow copies. This allows Windows Server Backup to create a consistent backup without end users noticing any downtime. Also, when you restore a Domain Controller from a Windows Server Backup, several changes and checks are made to ensure proper restoration in relation to all the other Domain Controllers in the environment. It's inherently different from the snapshots many oblivious admins used to make with tools like Acronis TrueImage, one of the industry's favorite tools to wreck Active Directory…

The ‘Protect from Accidental Deletion’ option

With Windows Server 2008, Microsoft introduced an option in the Active Directory management tools, labeled ‘Protect from accidental deletion’. While this functionality looks like a simple option in the graphical Active Directory Users and Computers (dsa.msc) and Active Directory Administrative Center (dsac.exe) user interfaces, under the hood a set of ‘Deny’ access control entries (ACEs) is applied to the object itself and its parent object for the ‘Everyone’ security principal.

When you use any tool to delete the object, the action fails with a permissions error. The option has to be removed first, before the object can actually be deleted. This avoids many of the 'Oops' moments for Active Directory systems managers using graphical tools. Its true strength shows when it keeps critical objects out of directory-wide 'Oops' moments caused by admins using PowerShell or other scripting and bulk tools.
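The following is an added example (not code from the original post) that shows what the checkbox actually writes to the security descriptors, and then audits the domain for OUs that still lack it. It assumes the RSAT ActiveDirectory module; the OU distinguished name is hypothetical.

```powershell
# Added example, not from the original post. Shows what the 'Protect from accidental
# deletion' checkbox really writes, and finds OUs that do not have it set. Assumes the
# RSAT ActiveDirectory module; the OU distinguished name is hypothetical.
Import-Module ActiveDirectory   # provides the AD: drive used for Get-Acl

$ouDn = 'OU=Workstations,DC=corp,DC=example'   # hypothetical OU

# The checkbox surfaces as a boolean extended property on the object itself.
$ou = Get-ADOrganizationalUnit -Identity $ouDn -Properties ProtectedFromAccidentalDeletion
"ProtectedFromAccidentalDeletion: $($ou.ProtectedFromAccidentalDeletion)"

$denyForEveryone = {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone'
}

# Under the hood, part 1: Deny ACEs for Everyone on the object (Delete, DeleteTree).
(Get-Acl -Path "AD:\$ouDn").Access | Where-Object $denyForEveryone |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# Part 2: a Deny DeleteChild ACE for Everyone on the parent container. (Splitting on the
# first comma is fine for this simple DN; escaped commas in RDNs would need real parsing.)
$parentDn = ($ouDn -split ',', 2)[1]
(Get-Acl -Path "AD:\$parentDn").Access | Where-Object $denyForEveryone |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# Audit: every OU in the domain that is not protected, and a dry run of fixing them.
# Setting the property to $true writes the Deny ACEs above for you.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }
$unprotected | Select-Object DistinguishedName
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf
```

Drop the `-WhatIf` once the list looks right; the same property exists on users, computers and groups through their respective `Set-AD*` cmdlets.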

The Active Directory Recycle Bin

Since the Windows Server 2008 R2 Forest Functional Level (FFL), Microsoft offers a solution for deleted objects, beyond reanimation and restoration from backup, in the form of the Active Directory Recycle Bin.

The technology behind the Active Directory Recycle Bin is a new attribute: 'isRecycled'. Before the Recycle Bin, when an object such as a computer or user was deleted, only the 'isDeleted' attribute was set to true. With the Active Directory Recycle Bin enabled, the 'isRecycled' attribute is also set to true once the deleted object lifetime has expired. Then, after the tombstone lifetime has expired, the object is truly removed from the database. While only the 'isDeleted' attribute is set, the object is recoverable through the Active Directory Recycle Bin. All of Microsoft's management tools filter objects with 'isDeleted' set to true out of view, but with the Active Directory Administrative Center (dsac.exe) on Windows Server 2012 or above, or the Active Directory PowerShell module, you can restore these objects with ease, along with their sIDs, and thus their original access.
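As an added example (not code from the original post), the script below walks that lifecycle with the Active Directory PowerShell module: it checks whether the Recycle Bin is enabled, reads the two lifetimes, lists the objects that are still in the restorable window, and restores one of them. It assumes the RSAT ActiveDirectory module and a hypothetical deleted user 'jdoe'.

```powershell
# Added example, not from the original post. Checks whether the Recycle Bin is on, reads
# the lifetimes that govern isDeleted/isRecycled, lists objects still in the restorable
# window, and restores one of them. Assumes the RSAT ActiveDirectory module and a
# hypothetical deleted user 'jdoe'.
Import-Module ActiveDirectory

# 1. Is the optional feature enabled? EnabledScopes stays empty until it is.
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
"Recycle Bin enabled: $($feature.EnabledScopes.Count -gt 0)"

# 2. The two clocks: deleted object lifetime (isDeleted only, restorable) and tombstone
#    lifetime (isRecycled set, gone from the Recycle Bin). Both live on the Directory
#    Service object; when msDS-DeletedObjectLifetime is unset, the tombstone lifetime applies.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$dsCfg = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
            -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
"Deleted object lifetime: $($dsCfg.'msDS-DeletedObjectLifetime') days"
"Tombstone lifetime:      $($dsCfg.tombstoneLifetime) days"

# 3. Deleted but not yet recycled: these are the objects you can still bring back with
#    their sID intact. Deleted objects are renamed to '<name>\0ADEL:<guid>', so match on
#    sAMAccountName rather than on name.
$restorable = Get-ADObject -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and isRecycled -ne $true -and name -ne "Deleted Objects"' `
    -Properties sAMAccountName, objectSid, lastKnownParent, whenChanged
$restorable |
    Select-Object sAMAccountName, objectSid, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# 4. Restore 'jdoe' to its last known parent. Use -TargetPath on Restore-ADObject if that
#    parent was deleted as well.
$victim = $restorable | Where-Object sAMAccountName -eq 'jdoe' | Select-Object -First 1
if ($victim) {
    Restore-ADObject -Identity $victim.ObjectGUID
    $back = Get-ADUser -Identity 'jdoe' -Properties memberOf
    "Restored $($back.DistinguishedName) with sID $($back.SID); member of $($back.memberOf.Count) groups"
}
```

The objectSid printed in step 3 is the same value that comes back in step 4, which is the whole point of restoring rather than recreating.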

What typical Active Directory backup and restore solutions offer

A bleak picture emerges when we look at the tools and technologies offered by Microsoft: they all work at the object level, but not at the attribute level. I don't know about you, but I don't use the delete button on my keyboard nearly as often as I manage typical attributes like group memberships, email addresses and display names.

Now, when I want to revert any of these changes, I typically have to restore a backup and create a file in the LDAP Data Interchange Format (LDIF) containing the differences I want reverted.

This takes time, loads of time.
This is what I call the challenge of change resiliency.
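To show what that LDIF step involves, here is an added example (not code from the original post) that takes an object's attribute values as they were in the backup and as they are now, and writes both the LDIF that reverts the difference and the LDIF that undoes the revert. The distinguished names and values are constructed for illustration.

```powershell
# Added example, not from the original post. Builds the LDIF that reverts attribute
# changes on one object, and the LDIF that undoes that revert. The 'before' values would
# come from the restored backup and the 'after' values from production; the values and
# distinguished names here are constructed for illustration.
function New-RevertLdif {
    param(
        [Parameter(Mandatory)][string]$Dn,
        [hashtable]$Before,   # attribute -> value(s) as they were in the backup
        [hashtable]$After     # attribute -> value(s) as they are in production now
    )
    $revert = @("dn: $Dn", 'changetype: modify')
    $undo   = @("dn: $Dn", 'changetype: modify')
    foreach ($attr in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        $old = @($Before[$attr] | Where-Object { $_ })
        $new = @($After[$attr]  | Where-Object { $_ })
        $gained = $new | Where-Object { $_ -notin $old }   # values production gained
        $lost   = $old | Where-Object { $_ -notin $new }   # values production lost
        if ($gained) {   # revert deletes them; undo adds them back
            $revert += "delete: $attr"; $revert += @($gained | ForEach-Object { "${attr}: $_" }); $revert += '-'
            $undo   += "add: $attr";    $undo   += @($gained | ForEach-Object { "${attr}: $_" }); $undo   += '-'
        }
        if ($lost) {     # revert adds them back; undo deletes them again
            $revert += "add: $attr";    $revert += @($lost | ForEach-Object { "${attr}: $_" });   $revert += '-'
            $undo   += "delete: $attr"; $undo   += @($lost | ForEach-Object { "${attr}: $_" });   $undo   += '-'
        }
    }
    # Delete-then-add of explicit values works for single- and multi-valued attributes alike.
    [pscustomobject]@{ Revert = ($revert -join "`r`n"); Undo = ($undo -join "`r`n") }
}

# Constructed scenario: since the backup, Alice was removed from a group, Carol was added,
# and the group's description was changed.
$groupDn = 'CN=Tier0-Admins,OU=Groups,DC=corp,DC=example'   # hypothetical
$ldif = New-RevertLdif -Dn $groupDn `
    -Before @{ member = 'CN=Alice,OU=Users,DC=corp,DC=example', 'CN=Bob,OU=Users,DC=corp,DC=example'
               description = 'Tier 0 administrators' } `
    -After  @{ member = 'CN=Bob,OU=Users,DC=corp,DC=example', 'CN=Carol,OU=Users,DC=corp,DC=example'
               description = 'Tier 0 admins (temporary)' }

$ldif.Revert | Set-Content -Path .\revert.ldf -Encoding ASCII   # Set-Content adds the final newline
$ldif.Undo   | Set-Content -Path .\undo.ldf   -Encoding ASCII
$ldif.Revert   # review before applying

# Apply against a writable Domain Controller with the ldifde tool that ships with Windows
# Server, and keep undo.ldf at hand if the result is not what you expected:
#   ldifde -i -f revert.ldf -s dc01.corp.example
```

For the constructed input, revert.ldf deletes the Carol member value and the new description, then adds Alice and the old description back; undo.ldf is the mirror image.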

Typical backup and restore solutions have eased the pain a bit, either by making it easier to (test) restore, or by making it easier to pick the attributes you want reverted in a graphical interface while maintaining database consistency.

Easier (test) restores

One of the backup and restore solutions that make it really easy to perform restores and test restores, in my book, is Azure Site Recovery Services. With this solution, you don't have to set aside identical hardware for restoration, and you don't even need the same hypervisor to perform a restore. All you need is an Azure Infrastructure-as-a-Service subscription, and you pay as you go for the storage and the VM(s) you spin up, but only for the time you actually need them, which is typically only a couple of hours.

Easier selections

In the bucket of tools that make it easy to select attributes to revert, I feel Veeam's Agent for Microsoft Active Directory stands out. In its graphical user interface (GUI), it allows individual attributes to be picked, but seasoned Active Directory admins can also use Lightweight Directory Access Protocol (LDAP)-based filters. Then, the agent creates the LDIF file for you and applies it. Another LDIF file is also created to undo the change, if need be.

How to be really smart with Active Directory Change Resiliency

While discussing with Darren, I learned there is a smarter way to address the challenge of change resiliency.

I'll be the first to admit that it makes sense to keep backups (cached) on Domain Controllers in terms of disaster recovery and forest recovery. In terms of change resiliency, however, having a real-time stream of modifications is better!

Instead of having to locate backups, (test) restore the Domain Controller, pick the attributes to restore, fiddle with LDIF files and worry about undo scenarios, Semperis' Directory Services Protector for Active Directory does all the work for you. Because DS Protector gathers the modifications in real time, including the moment before your 'Oops!' moment, you can revert to the prior consistent state in a matter of seconds. Otherwise you will end up spending hours on Active Directory mechanisms and technologies you didn't want to know anything about earlier.

Because Semperis’ DS Protector tracks all the changes as they happen, you can undo a change, test that effect – and if you aren’t happy with it, simply revert it back to the previous state. Yes, you can have your cake and eat it too!

Further reading
If you do want to know more, then I invite you to read the free 17-page whitepaper we created, based on the discussions and the webcast, titled 'Picking the right type of solution for Active Directory Backup and Restore'.

This is a Security Bloggers Network syndicated blog from Semperis authored by Sander Berkouwer. Read the original post at: https://www.semperis.com/active-directory-change-resiliency/