Links of Interest: Active Directory Disaster and Recovery

Hello,

In this post I am leaving you links of interest for building, preparing, preventing and executing Disaster and Recovery. We need to be clear that our Active Directory infrastructure is the core that lets many other platforms function; whether for authentication, name resolution, delegation, etc., they draw on our domain's resources. To provide a proper service we need a structured, detailed recovery plan for the failures we may face: from a single deleted object, through OUs with many objects, Domain Controllers, domains and domain policies, up to a disaster of major magnitude that could even affect our entire forest.

This topic is very broad, and unfortunately in very few places is it given the importance it really needs; we remember to have a recovery plan when it may already be too late. It is important to have the plan documented and to run tests in a separate environment, so that if the time comes to apply something in production we know the steps to follow and no time is lost on pointless runs and "tests" that delay resolution of the problem.

Below is a list of several links of interest that will be useful for building your company's Disaster and Recovery documentation. As for the lab environment for these tests, you can build it on virtual infrastructure. It is advisable to create a parallel structure with the same characteristics as production, both in number of objects and in number of machines, since it will help you estimate resolution times. If your company has a large Active Directory structure you may not be able to duplicate everything, in which case a lab built "to scale" is still enough to estimate resolution times for each type of disaster.

Now, here are the links. There are really a lot of them, but you can take the ones that are useful to you, since several are general knowledge and you will not need information from them; still, some may have slipped past you, and you can find them in the following list:

How to move a Windows installation to different hardware
http://support.microsoft.com/kb/249694

How to automate Ntdsutil.exe using a script
http://support.microsoft.com/kb/243267

How to perform an in-place upgrade of Windows Server 2003
http://support.microsoft.com/kb/816579

How to perform an in-place upgrade of Windows 2000
http://support.microsoft.com/kb/292175

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/kb/832017

How to optimize the location of a domain controller or global catalog that resides outside of a client's site
http://support.microsoft.com/kb/306602

NetLogon Service–Related KB Articles
Registration of gc._msdcs.<DnsForestName> Records in DNS Is Required
http://support.microsoft.com/kb/258213/

How to enable or disable DNS updates in Windows 2000 and in Windows Server 2003
http://support.microsoft.com/kb/246804

How to Prevent Domain Controllers from Dynamically Registering DNS Names
http://support.microsoft.com/kb/198767

Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

KDC Service–Related KB Articles
How to force Kerberos to use TCP instead of UDP in Windows
http://support.microsoft.com/kb/244474

User Token Expires When You Log on by Using a Smart Card for a Long Time
http://support.microsoft.com/kb/323931

Authentication May Intermittently Fail
http://support.microsoft.com/kb/818173

How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003
http://support.microsoft.com/kb/839880

You cannot log on or you experience a long delay on a domain controller or on a member computer that is running Windows 2000, Windows XP, or Windows Server 2003
http://support.microsoft.com/kb/883268

Managing Trusts
http://technet2.microsoft.com/windowsserver/en/library/89869a49-3b6c-472a-9612-b11d30d080481033.mspx?mfr=true

Trust Technologies
http://technet2.microsoft.com/windowsserver/en/library/9d688a18-15c7-4d4e-9d34-7a763baa50a11033.mspx?mfr=true

How to build and reset a trust relationship from a command line
http://support.microsoft.com/kb/175025/

Schema Updates Require Write Access to Schema in Active Directory
http://support.microsoft.com/kb/285172

Initial Synchronization Requirements for Windows 2000 Server and Windows Server 2003 Operations Master Role Holders  
http://support.microsoft.com/?id=305476

Summary of "Piling On" Scenarios in Active Directory Domains
http://support.microsoft.com/kb/305027

Using Ntdsutil.exe to transfer or seize FSMO roles to a DC 
http://support.microsoft.com/kb/255504

Clean up server metadata
http://go.microsoft.com/fwlink/?LinkId=70779

How Operations Masters Work 
http://go.microsoft.com/fwlink/?LinkId=70799

Phantoms, tombstones and the infrastructure master 
http://support.microsoft.com/kb/248047

Creating and Deleting Objects in Active Directory Domain Services
http://msdn.microsoft.com/en-us/library/aa772216.aspx

Performing an Authoritative Restore of Active Directory Objects
http://technet2.microsoft.com/windowsserver/en/library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx?mfr=true

Guarding Against Accidental Bulk Deletions in Active Directory 
http://technet2.microsoft.com/windowsserver/en/library/ea72bc34-6136-42e3-aa36-e2246f15d09d1033.mspx?mfr=true

Security Descriptors and Access Control Lists Technical Reference 
http://technet2.microsoft.com/windowsserver/en/library/0b340511-024f-43d0-86d7-17ada2f5b4f41033.mspx

Best Practice Guide for Securing Active Directory Installations
http://technet.microsoft.com/en-us/library/cc773365.aspx

Download: Best Practice Guide for Securing Active Directory Installations.doc
http://www.microsoft.com/downloads/details.aspx?familyid=2eaa45c7-d936-413e-9586-a8bb6ff739d9&displaylang=en&tm

Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations
http://technet.microsoft.com/en-us/windowsserver/2000/bb735369.aspx

Download: Windows Server 2003 Active Directory Operations Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=6a238df8-115c-4e1a-89f1-ee9bc9486c0f&DisplayLang=en

Download: Active Directory Domain Services Operations Guide.doc
http://www.microsoft.com/downloads/details.aspx?familyid=291BDDB7-EDC6-4E6D-9852-A9A14991D67C&displaylang=en

How to restore deleted user accounts and their group memberships in Active Directory
http://support.microsoft.com/kb/840001

Using LDIFDE to import and export directory objects to Active Directory
http://support.microsoft.com/default.aspx?scid=kb;EN-US;237677

AdRestore v1.1
http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx

How to disable the drag-and-drop functionality of the Active Directory Users and Computers tool in Windows Server 2003
http://support.microsoft.com/kb/827687

Metadata Cleanup 
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498

How to remove Orphaned domains from Active Directory
http://support.microsoft.com/kb/230306

DsRemoveDsDomainW error 0x2015 error message when you use NTDSUTIL to try to remove metadata for a domain controller that was removed from your network in Windows Server 2003
http://support.microsoft.com/kb/887424

Domain controllers do not demote gracefully when you use the Active Directory Installation Wizard to force demotion in Windows Server 2003 and in Windows 2000 Server
http://support.microsoft.com/kb/332199

IFM
How to use the Install from Media feature to promote Windows Server 2003-based domain controllers
http://support.microsoft.com/kb/311078

Unattended Installation
[DCInstall] (Unattended Installation)
http://technet2.microsoft.com/WindowsServer/en/library/9639f180-c7fe-41c6-8c3d-92389023f0e71033.mspx

Unattended promotion and demotion of Windows 2000 and Windows Server 2003 domain controllers
http://support.microsoft.com/kb/223757

DSRM 
How to Change the Recovery Console Administrator Password on a Domain Controller
http://support.microsoft.com/kb/239803

How to Reset the Directory Services Restore Mode Administrator Account Password in Windows Server 2003
http://support.microsoft.com/kb/322672

Using Terminal Services for remote administration of Windows 2000 or Windows Server 2003 domain controllers in Directory Service Restore mode
http://support.microsoft.com/kb/256588

Backup and Restore 
A new event error message is logged if you do not back up a Windows Server 2003 Service Pack 1 (SP1)-based domain controller in a given time period
http://support.microsoft.com/kb/914034

How to perform an authoritative restore to a domain controller in Windows 2000
http://support.microsoft.com/kb/241594

Domain controller is not functioning correctly
http://support.microsoft.com/kb/837513

Replication
Using Repadmin.exe to troubleshoot Active Directory replication
http://support.microsoft.com/kb/229896

Initiating Replication Between Active Directory Direct Replication Partners
http://support.microsoft.com/kb/232072

TechNet Support WebCast: Troubleshooting Active Directory replication using the Repadmin tool: A look into the inner workings
http://support.microsoft.com/kb/905739

Monitoring and Troubleshooting Active Directory Replication Using Repadmin
http://technet.microsoft.com/en-us/library/cc811551.aspx

Windows 2000 - Best Practices: Active Directory Forest Recovery
http://www.microsoft.com/downloads/details.aspx?FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE&displaylang=en

Windows 2003 - Planning for Active Directory Forest Recovery
http://www.microsoft.com/DOWNLOADS/details.aspx?familyid=AFE436FA-8E8A-443A-9027-C522DEE35D85&displaylang=en

Windows 2008 - Planning for Active Directory Forest Recovery
http://technet.microsoft.com/en-us/library/cc786327.aspx

Active Directory Directory Services Maintenance Utility (ntdsutil.exe) 
http://go.microsoft.com/fwlink/?LinkId=70810

Webcast: Windows Server 2003 Active Directory Diagnostics, Troubleshooting, and Recovery 
http://go.microsoft.com/fwlink/?LinkId=70804

Virus scanning recommendations for computers that are running Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
http://support.microsoft.com/kb/822158

How to rebuild the SYSVOL tree and its content in a domain
http://support.microsoft.com/kb/315457

Best Practices for SYSVOL Maintenance
http://support.microsoft.com/kb/324175

Introduction to Administering SYSVOL
http://technet2.microsoft.com/windowsserver/en/library/551f0123-26a7-4ce5-be71-173e7aa79bd31033.mspx?mfr=true

Restoring and Rebuilding SYSVOL
http://technet2.microsoft.com/windowsserver/en/library/21280b7f-9f14-4ff9-8c0d-ec0e555522f01033.mspx?mfr=true

SYSVOL Junction inherits NTFS permissions from the drive root
http://support.microsoft.com/?id=319808

How to relocate the SYSVOL tree on a domain controller that is running Windows 2000 Server or Windows Server 2003
http://support.microsoft.com/?id=842162

How to minimize SYSVOL size by removing administrative templates (.adm files)
http://support.microsoft.com/kb/813338

FRS Technical Reference
http://technet2.microsoft.com/WindowsServer/en/library/965a9e1a-8223-4d3e-8e5d-39aeb70ec5d91033.mspx?mfr=true

Active Directory Operations overview
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd11.mspx

Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP
http://support.microsoft.com/?id=822158

FRS Tools and Settings
http://technet2.microsoft.com/windowsserver/en/library/3a94d321-4400-442f-a1a9-9569a0db2a561033.mspx?mfr=true

Recovering missing FRS objects and FRS attributes in Active Directory
http://support.microsoft.com/Default.aspx?id=312862

Troubleshooting journal wrap errors on SYSVOL and DFS replica sets
http://support.microsoft.com/?id=292438

Active Directory Operations Overview: Troubleshooting File Replication Service
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd11.mspx#E2BAC

Folder Name Is Changed to "FolderName_NtFrs_<xxxxxxxx>"
http://support.microsoft.com/?id=328492

Using the BurFlags registry key to reinitialize File Replication Service replica sets
http://support.microsoft.com/kb/290762

Default Group Policy objects become corrupted: disaster recovery
http://technet.microsoft.com/en-us/library/cc739095.aspx

Windows 2000 Default Group Policy Restore Tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=B5B685AE-B7DD-4BB5-AB2A-976D6873129D&displaylang=en

Group Policy: Back Up, Restore, Copy, and Import
http://technet.microsoft.com/en-us/library/cc759276.aspx

Scripting Group Policy tasks using GPMC
http://technet.microsoft.com/en-us/library/cc784365.aspx

GPO Operations - Backup/Restore - Administering Group Policy with GPMC
http://www.microsoft.com/downloads/details.aspx?familyid=D8291B79-922A-439C-88E9-54041A2953DD&displaylang=en

How to configure the Windows Time service against a large time offset
http://support.microsoft.com/kb/884776

Windows Time Service Technical Reference
http://technet.microsoft.com/en-us/library/cc773061.aspx

Managing the Windows Time Service
http://technet.microsoft.com/en-us/library/cc737124.aspx

How to detect and recover from a USN rollback in Windows 2000 Server
http://support.microsoft.com/kb/885875

How to detect and recover from a USN rollback in Windows Server 2003
http://support.microsoft.com/kb/875495

Considerations when hosting Active Directory domain controller in virtual hosting environments
http://support.microsoft.com/kb/888794

Possible Active Directory Inconsistency After You Restore a Domain Controller
http://support.microsoft.com/kb/316829

Information about lingering objects in a Windows 2000 Server-based forest or in a Windows Server 2003-based forest 
http://support.microsoft.com/kb/910205

Lingering objects prevent Active Directory replication from occurring
http://support.microsoft.com/kb/317097

Lingering objects may remain after you bring an out-of-date global catalog server back online 
http://support.microsoft.com/kb/314282

Outdated Active Directory objects generate event ID 1988 in Windows Server 2003
http://support.microsoft.com/kb/870695

The Active Directory database Garbage Collection process
http://support.microsoft.com/kb/198793

Useful shelf life of a system-state backup of Active Directory
http://support.microsoft.com/kb/216993

Enable strict replication consistency
http://technet.microsoft.com/en-us/library/cc784245.aspx

The Repadmin.exe tool does not report existing lingering objects in Windows Server 2003
http://support.microsoft.com/kb/948071

Clean that Active Directory forest of lingering objects (non-Microsoft)
http://blogs.technet.com/glennl/archive/2007/07/26/clean-that-active-directory-forest-of-lingering-objects.aspx

Active Directory Utilities (non-Microsoft)
http://www.codeplex.com/ActiveDirectoryUtils

Best Practice Guide for Securing Active Directory Installations
http://technet.microsoft.com/en-us/library/cc773365.aspx

10 Immutable Laws of Security
http://technet.microsoft.com/en-us/library/cc722487.aspx

Auditing Security Events Best practices
http://technet2.microsoft.com/WindowsServer/en/library/5658fae8-985f-48cc-b1bf-bd47dc2109161033.mspx?mfr=true

Securing Active Directory Administrative Groups and Accounts
http://technet.microsoft.com/en-us/library/cc700835.aspx

Default groups
http://technet.microsoft.com/en-us/library/cc756898.aspx

Download: Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/DownLoads/details.aspx?familyid=631747A3-79E1-48FA-9730-DAE7C0A1D6D3&displaylang=en

Download: Best Practices for Delegating Active Directory Administration Appendices
http://www.microsoft.com/DownLoads/details.aspx?familyid=29DBAE88-A216-45F9-9739-CB1FB22A0642&displaylang=en

Domain Migration Cookbook Chapter 1: Security
http://technet.microsoft.com/en-us/library/bb727125.aspx

Using SID History to Preserve Resource Access
http://technet.microsoft.com/en-us/library/cc779590.aspx

Netdom trust
http://technet.microsoft.com/en-us/library/cc835085.aspx

When to create an external trust
http://technet.microsoft.com/en-us/library/cc755427.aspx

Security Considerations for Trusts
http://technet.microsoft.com/en-us/library/cc755321.aspx

Enhanced Active Directory Disaster recovery features in Windows Server 2008
Ntdsutil
http://technet.microsoft.com/en-us/library/cc753343.aspx

Active Directory Database Mounting Tool Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc753609.aspx

Dsamain
http://technet.microsoft.com/en-us/library/cc772168.aspx

Installing Windows Server Backup
http://technet.microsoft.com/en-us/library/cc771232.aspx

Perform a Full Server Backup of a Domain Controller by Using the GUI (Windows Server Backup)
http://technet.microsoft.com/en-us/library/cc771045.aspx

Perform a Full Server Backup of a Domain Controller by Using the Command Line (Wbadmin)
http://technet.microsoft.com/en-us/library/cc771583.aspx

Scheduling Regular Full Server Backups of a Domain Controller
http://technet.microsoft.com/en-us/library/cc754843.aspx

Scenario Overviews for Backing Up and Recovering AD DS
http://technet.microsoft.com/en-us/library/cc732238.aspx

Other Active Directory Disaster Recovery links
Back up the WINS database
http://technet.microsoft.com/en-us/library/cc727901.aspx

Recovering a WINS Database From Other Backup Sources
http://support.microsoft.com/kb/235609

DHCP Backup/Restore
http://technet.microsoft.com/en-us/library/cc774808.aspx

Regards
