Active Directory Auditing and 3rd Party Backup Software

Having managed Active Directory and built solutions for the management of AD itself for many years, I’ve been asked by countless customers for my take on Active Directory Recovery solutions – Which is the best? What’s the best way to do it? Do you really need a 3rd party tool to do it right?

AD recovery software can be a very risky proposition.

Generally speaking, I believe it to be a violation of best practices to perform recoveries on Active Directory unless there has been a catastrophic failure. Why? Well, to start, performing restores of Active Directory requires advanced knowledge and practice. However, two types of restores can be performed, one of which is a lot riskier than the other.

Non Authoritative Restore – More Risky

A Non Authoritative Restore requires rebooting DC’s and recovering your AD database from backup. If the backup is corrupt, or you don’t follow procedure correctly, you may take down the entire organization. Once the recovered objects have been selected, a whole dance of replication and synchronizations need to take place. This type of backup is where I have seen people shoot themselves in the foot most often – either recovering too much or too far back in time losing instrumental changes, or not following protocol and flipping their DC into an unsupported restored mode, a.k.a. split brain.

Authoritative Restore – Less Risky

The second and less risky type of restore is an Authoritative Restore from a replication delayed Global Catalog. This type of restore usually benefits larger organizations with many sites. Assuming you can identify a Global Catalog in another site that has yet to receive the undesired change, you can basically shut down that Global Catalogue and mark its desired objects as authoritative. You then can replicate that back out, thus reversing the deletion before it fully propagates. It’s important to note that all of these actions require complete harmony with your staff – in other words, making sure no one else is attempting to use or make changes during these stages. Unfortunately, down time is still inevitable. Services need to be bounced at a minimum, and in other cases DC’s rebooted. This can affect other applications that might have been hard coded to use that specific GC, such as Exchange, or any other apps that might have been auto/hard coded to a particular DC/GC.

As you can see, recovering deleted objects using either method is both a very difficult and dangerous task; one not to be performed by the faint at heart. This is why people relied upon 3rd party software to perform these tasks for them. However, by adopting that approach, you are basically passing the buck to a 3rd party application to make the right choices for you. One wrong click, one memory leak, version glitch, compatibility mismatch, or poorly designed application could wind up destroying your directory.

Many companies have adopted a simple, yet safe AD backup strategy.

Many customers that I’ve spoken to over the years create full backups using native Microsoft tools (I prefer DPM or native AD Backup tools, such as Ntdsutil or NTbackup myself). They are both made and supported by Microsoft to do one thing well; create and restore AD via approved methods. When the tough gets going, I sleep better at night knowing that I have two backups of AD, both made with supported applications. When in defcon mode, the last thing you want to hear from Microsoft is that your 3rd party backup application is not supported, or that it’s the root cause of your issue, and that technically speaking you do not have a valid backup to work from. If you lose AD, you might as well close the doors and start looking for a new job.

These native backups should be performed against one of your less taxed Global Catalog Servers (GC) on a nightly or weekly basis, and is simply kept for extreme measures only – e.g. Virus outbreak, extreme database corruption due to bad hardware, etc. (Note: These types of scenarios are about the only time it would be worthwhile and make sense to take the risk of performing a non-authoritative full restore of AD.)

Closing the Gap on Recovery

If you’re using Active Directory 2008 or higher, Microsoft introduced a native Recycle Bin feature which now closes the gap on recovering deleted objects. By using the Recycle Bin, admins no longer need to leverage risky restore procedures through 3rd party recovery tools, which create down time and room for error.

Active Directory 2012 further improves upon this design, providing an even richer GUI and means for restoring deleted objects.

What about changes made to AD?

Good question! Changes made to AD would be covered by a real-time change and access monitoring solution for AD like StealthINTERCEPT. Obviously I’m a bit biased towards my own organization’s solution, but there are a couple others on the market that could be leveraged as well. If an undesired change was made, solutions like StealthINTERCEPT would have captured the “before” value of the change, and could be leveraged to easily rectify the situation.

Am I the only one who adopts this “no need for AD recovery software” mindset?

Not by a long shot! I work with many customers who are still on AD 2003 and adopt this policy. They find for the random, single object or accidental deletion, it’s much safer to simply recreate the object by hand and re-ACL. This may be a pain to the end user, but in the end, it actually tends to take less time and be a lot safer than performing a restore.

Again, for massive bulk deletions or extreme corruption in AD, it would be best advised to leverage your nightly, clean, native AD backups for an authoritative restore. The cost, risk, and complexities involved with 3rd party recovery solutions just aren’t worth it – in my humble opinion.

I’d love to hear your opinions. Email us at info@stealthbits.com or leave your comment below.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*