Mark Minasi's Tech Forum
DM-AVAL (#1)
Still working on my documentation and planning for various scenarios...

1. If we have a full server backup of every domain controller, is restoring each domain controller an option, notably in the scenario of a failed schema upgrade (extremely rare, from what I understand, but we still need a plan or procedure just in case)? From past discussions, I understood it was. I'm also weighing the pros and cons of that option versus restoring a selected domain controller and rebuilding the others from there.

2. At the start of the process (the process outlined in the link below), one article has you isolating the domain controller you intend to restore from the rest of the network. Elsewhere, they have you shutting down the other domain controllers. So what if your backup target is not locally attached media but rather a network share? I would think it's not very practical to isolate the domain controller from the network in that case (although you could turn off the others). In my first try at forest recovery, I just shut down my other domain controllers to prevent replication. Outside of a security breach, where you might want more strict isolation, why not just shut off the other domain controllers?

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-guide

Thanks in advance!
wkasdo (#2)
Hi, 

> is restoring each domain controller an option,

Technically, yes. But it's a risk: The most recent backup wins. If you restore 10 DCs with a 7d old backup, and just one from a 1d old backup, the 1d wins. So that is a risk: you cannot afford a mistake.

> one article has you isolating the domain controller you intend to restore from the rest of the network.

That is the starting point: the simplest configuration is recovering one DC in an isolated network. This has the lowest risk and most options. It's not the fastest option, that's right.

> where you might want more strict isolation, what not just shut off the other domain controllers?

If the one DC that you are recovering is live on the network, it will get hit by any machine that can find it and might be overloaded -- especially in enterprise networks.

My take on this: you want to be conservative when planning something as drastic as forest recovery. Don't cut corners, follow the book.


__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
DM-AVAL (#3)
Thanks, Willem.

Is there a recommended way to isolate a physical domain controller and remote storage (accessed, obviously, through the network)?

I'm thinking... separate VLAN or (?) but that requires the participation of another team.

Otherwise, I've almost covered all the steps in a test environment.

10 and 11 have to do with resetting the computer account password and the krbtgt password, both twice. Is that necessary in all circumstances or only when a security breach is suspected? If my schema upgrade fails or a provisioning script does something to AD that I did not foresee, does that require password resets?

There is a part about resetting admin account passwords (domain, enterprise, schema, etc.) but there, a reference is made to security concerns.
wkasdo (#4)
> Is there a recommended way to isolate a physical domain controller and remote storage (accessed, obviously, through the network)?

In this day and age a physical DC would really be my last resort when recovering, also for this reason.

There is no best practice that I can think of. Do whatever you have to do. One thing I have done is to go physically to the machine and just plug it into a standalone switch.

> resetting the computer account password and the krbtgt password, both twice

Two reasons: security, and to reduce the impact when the DC is accidentally connected to the network while there are still live but old DCs. It's an optimization. OTOH, it takes less than a minute to do it, so why not?

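As an added example (not part of this thread and not Microsoft's own recovery script), here is a PowerShell script for the two steps the last two posts discuss: reset the krbtgt password twice and the recovered DC's computer-account password twice, and do the isolation check that the replies argue for before touching anything. It uses the ActiveDirectory module cmdlets and netdom.exe; the function names, the LDAP/389 reachability check and the password generator are my own assumptions about how you would script it, and it must be run only on the single DC being recovered, after it has been restored and cut off from the production network.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread or the Microsoft forest recovery guide.
# Run ONLY on the one DC you are recovering, after its restore has completed and
# it has been isolated (standalone switch / dedicated VLAN).
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'
$me = $env:COMPUTERNAME

function Test-DcIsolation {
    # The restored database still lists every pre-recovery DC. If any of them
    # answers on LDAP/389, this DC is not isolated and an old DC could replicate
    # with us (remember: the most recent change wins). Returns the names of the
    # DCs that are reachable; an empty list means we are alone.
    $others = Get-ADDomainController -Filter * -Server $me |
              Where-Object { $_.Name -ne $me }
    $reachable = @()
    foreach ($dc in $others) {
        $up = Test-NetConnection -ComputerName $dc.HostName -Port 389 `
                  -WarningAction SilentlyContinue -InformationLevel Quiet
        if ($up) { $reachable += $dc.HostName }
    }
    return $reachable
}

function New-RandomPassword {
    # 32 bytes from the CSPRNG, base64-encoded. Nobody will ever type a krbtgt
    # password, so it only has to satisfy domain policy, not be memorable.
    $bytes = New-Object byte[] 32
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    $rng.Dispose()
    [Convert]::ToBase64String($bytes)
}

function Reset-KrbtgtTwice {
    # The KDC accepts tickets encrypted under the current AND the previous krbtgt
    # key, so a single reset leaves TGTs issued by the old DCs usable. Two resets
    # push the pre-recovery key out of the "previous" slot. (In a live domain you
    # would space the two resets by at least the maximum ticket lifetime; during an
    # isolated recovery, invalidating every outstanding ticket is the point.)
    for ($i = 1; $i -le 2; $i++) {
        $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw -Server $me
        $k = Get-ADUser krbtgt -Properties PasswordLastSet, 'msDS-KeyVersionNumber' -Server $me
        Write-Host ("krbtgt reset {0}: PasswordLastSet={1} KVNO={2}" -f `
                    $i, $k.PasswordLastSet, $k.'msDS-KeyVersionNumber')
    }
}

function Reset-DcMachinePasswordTwice {
    param([string]$AdminUser = "$env:USERDOMAIN\Administrator")
    # netdom resetpwd pointed at this very DC (/server:$me). /passwordd:* makes
    # netdom prompt for the admin password so it never lands in a transcript.
    for ($i = 1; $i -le 2; $i++) {
        & netdom.exe resetpwd /server:$me /userd:$AdminUser /passwordd:*
        if ($LASTEXITCODE -ne 0) {
            throw "netdom resetpwd pass $i failed (exit code $LASTEXITCODE)"
        }
        $c = Get-ADComputer $me -Properties PasswordLastSet -Server $me
        Write-Host ("machine account reset {0}: PasswordLastSet={1}" -f $i, $c.PasswordLastSet)
    }
}

# --- main: refuse to proceed unless we are really alone on the wire -----------
$stillUp = Test-DcIsolation
if ($stillUp.Count -gt 0) {
    throw "Not isolated: $($stillUp -join ', ') still answer on LDAP/389. Disconnect before continuing."
}
Reset-KrbtgtTwice
Reset-DcMachinePasswordTwice
```

The isolation check is deliberately a hard stop rather than a warning: the whole reason the guide wants the recovered DC alone is that any live pre-recovery DC that can replicate with it carries newer USNs and would overwrite the restore. The PasswordLastSet and KVNO values printed after each reset are what you record in your recovery log to prove both resets actually happened before the DC is reconnected.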