I think there are two approaches here, but correct me if I misunderstood the flow.
 
One concept is to restore the actual object in case of accidental deletion, intentional deletion, corruption, etc.  The other is to track the membership in case one of its members gets whacked.  That about what you're saying?
 
To me, these are two very important, but separate scenarios.  One solution already in place is a tracking mechanism that exports group information on a daily basis.  That's the custom version of what I have now, but it's nowhere near as efficient as a SQL/AD/AM solution would be in a multi-domain environment. It only allows us to put the group membership back, but has nothing to do with the group object itself.  If we lost that, we lost the SID, etc., that would make it useful outside of a restore.  In case of administrative error, we can look back at the reference (keep a week's worth for now) and put it back the way it should be without having to go to tape.
 
If you're going to the trouble of creating this homegrown system, wouldn't it make sense to make it part of the lifecycle management system?  There's certainly a market for that in the States with the current round of laws about data and process.
 
Just a thought, but having a system that audits (for lack of a better term) user/group lifecycles and resource allocation would be an interesting thing to have. Kind of another tier in the management of the system (a meta-directory type solution or other?)
 
Al


From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

ha, I knew that would be your answer ;-))
 
and I can partly understand your strategy => the owner of the group should know what's in it, so if there is a problem with the memberships it's his and not yours.  But this is really only acceptable for a small issue, where you lose a couple of memberships - not when you lose a couple of hundred users incl. their memberships.
 
Sure, losing a DLG membership has the same result in losing resource access as a GG does - however, DLGs in multi-forest environments are simply harder to recover the "native" way (i.e. by authoritatively restoring your accidentally deleted users from one domain), as that restored DC doesn't know of the DLG memberships outside of its own domain, which will then be lost for good (much easier to recover memberships in GGs and UGs as the DC/GC will "know" of the memberships after the recovery). Your DLG memberships won't come back until re-added by your group owners, who will be happy to manage re-adding hundreds of users into various groups via the UI they use... :-(
 
Obviously your impact will be less than for other companies, as you have a really cool group structure. But no matter how careful you are, Murphy is watching you. And things will happen. And you have to be prepared...
 
The AD/AM idea isn't bad, but I'm just implementing the same based on SQL and it's almost done - a nice tool that gives you exactly what you're describing. It will help to recover those lost group memberships and it will allow you to see which group your users or other objects are in within the forest - in any domain. Stay tuned. However, it will still require a normal authoritative restore of the actual objects that were deleted - thus it's not as powerful as some of the online-recovery methods available out there. So I encourage anyone responsible for backup of their AD also to look at these tools.
 
/Guido
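Guido's point above is that a user's membership in Domain Local Groups of *other* domains is not visible to the restored DC and is lost when the user is authoritatively restored. The script below is an added example, not code from this thread or from Guido's SQL tool: it asks every domain in the forest directly which groups list a given user as a direct member, and flags the cross-domain DLG memberships he describes so they can be recorded before anything goes wrong. It assumes the ActiveDirectory PowerShell module (RSAT), which did not exist when this thread was written, and read access to each domain; the function name and output fields are this example's own.

```powershell
# Added example (not from the thread). Lists every group in every domain of the
# forest that holds a user as a direct member, including Domain Local Groups in
# other domains, and flags the cross-domain DLG memberships that an
# authoritative restore of the user does not bring back.
# Assumes the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

function Get-ForestGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $UserDistinguishedName
    )
    # Why not just read the user's memberOf, or search the GC? memberOf is a
    # back-link that a DC can only compute for groups whose member forward-link
    # it stores, and the GC carries member only for Universal Groups. DLG and GG
    # membership in another domain is visible only on that domain's own DCs.

    # Escape the DN for use inside an LDAP filter (RFC 4515); backslash first.
    $escaped = $UserDistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    # Domain part of the user's DN, used to tell same-domain from cross-domain groups.
    $userDomainDn = $UserDistinguishedName.Substring($UserDistinguishedName.IndexOf('DC='))

    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # Ask a DC of this domain directly for groups whose member attribute lists the user.
        Get-ADGroup -Server $domain.PDCEmulator -LDAPFilter "(member=$escaped)" |
            ForEach-Object {
                $crossDomain = $domain.DistinguishedName -ne $userDomainDn
                [pscustomobject]@{
                    Domain            = $domainName
                    Group             = $_.DistinguishedName
                    GroupSid          = $_.SID.Value
                    Scope             = [string]$_.GroupScope
                    CrossDomain       = $crossDomain
                    # The memberships the thread warns about: a DLG in another domain.
                    LostOnUserRestore = ($crossDomain -and $_.GroupScope -eq 'DomainLocal')
                }
            }
    }
}

# Usage: record the memberships while the user still exists (e.g. nightly), so the
# list is there when the account has to be authoritatively restored. Path is hypothetical.
# Get-ForestGroupMembership -UserDistinguishedName 'CN=Jane Doe,OU=Users,DC=corp,DC=example' |
#     Export-Csv -NoTypeInformation -Path 'C:\ADRef\jane.doe.csv'
```

The query has to run while the user object still exists: once the deletion has replicated, the `member` forward-links in the other domains are gone and the filter returns nothing, which is exactly why a scheduled export rather than an after-the-fact search is needed.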


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, 4 March 2004 16:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

Using the DLG's doesn't kill us any more than if we used GG's. Same loss of resource access.
 
As for the accidents, the guys with the big guns don't use the GUI for most anything, they use very targeted scripts that do very specific things. We don't, for instance have any mass delete anything scripts. All one off delete.
 
The groups are supposed to have well known membership to the admins running them, they are supposed to be auditing the groups on a very regular basis as to who should be in them. So loss of a group should simply be recreate the group, reassign to the proper ACE in the proper file structure (we don't do one group secures a zillion different things or at least heavily discourage it), readd the correct people.
 
I do have some ideas floating in the back of my mind about pulling all groups, computers, users off into a single AD/AM instance so we can track things there. Don't sync the deletes other than marking a field in AD/AM when the delete occurred. This is more for being able to do quick checks for things in the directory (everything would be tuple indexed) but could also help if someone smoked a group that they shouldn't have as we would have the last known membership for sure. I would also like to get some form of change log management in there as well but that project is way pie in the sky at the moment. Trying to get K3 deployed at the moment and the final pieces of E2K deployed.
 
 
 
-------------
http://www.joeware.net   (download joeware)
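Two messages in this thread describe the same kind of reference store: Al's daily export of group information that lets him put memberships back without going to tape, and joe's idea above of mirroring groups into a separate instance that never syncs deletes but only marks when one occurred, so the last known membership is always there. The script below is an added example of that pattern, not code from either of them: each run snapshots every group in the forest (SID, scope, direct members), a group that disappears stays in the store with a Deleted timestamp instead of being dropped, and a restore function re-adds members that are missing compared to the reference. It assumes the ActiveDirectory PowerShell module (RSAT, not available in 2004) and uses a JSON file as the store instead of SQL or AD/AM; the function names and the store path are this example's own. As Al and Guido both note, it cannot bring a deleted object (and its SID) back; that still needs an authoritative restore.

```powershell
# Added example (not from the thread). A forest-wide group membership mirror:
# snapshot groups daily, keep vanished groups with a Deleted marker, and re-add
# members missing from a group compared to the last reference.
# Assumes the ActiveDirectory module (RSAT); the JSON store is this example's choice.
Import-Module ActiveDirectory

function Get-ForestGroupSnapshot {
    $now = (Get-Date).ToString('o')
    foreach ($domainName in (Get-ADForest).Domains) {
        $server = (Get-ADDomain -Identity $domainName).PDCEmulator
        Get-ADGroup -Server $server -Filter * -Properties member | ForEach-Object {
            [pscustomobject]@{
                Guid    = $_.ObjectGUID.ToString()  # stable key; DN and SID change on recreate
                Dn      = $_.DistinguishedName
                Sid     = $_.SID.Value              # kept so a recreated group can be spotted
                Scope   = [string]$_.GroupScope
                Domain  = $domainName
                Members = @($_.member)              # direct members, as DNs
                Seen    = $now
                Deleted = $null
            }
        }
    }
}

function Update-GroupMirror {
    param([Parameter(Mandatory)] [string] $Path)
    $mirror = @{}
    if (Test-Path -Path $Path) {
        foreach ($entry in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
            $mirror[$entry.Guid] = $entry
        }
    }
    $live = @{}
    foreach ($group in Get-ForestGroupSnapshot) {
        $live[$group.Guid]   = $group
        $mirror[$group.Guid] = $group          # refreshes Seen and Members, clears Deleted
    }
    # Do not sync deletes: just record when the object went missing, so its
    # last known SID and membership stay in the store.
    $now = (Get-Date).ToString('o')
    foreach ($guid in @($mirror.Keys)) {
        if (-not $live.ContainsKey($guid) -and -not $mirror[$guid].Deleted) {
            $mirror[$guid].Deleted = $now
        }
    }
    ConvertTo-Json -InputObject @($mirror.Values) -Depth 4 | Set-Content -Path $Path
    return $mirror
}

function Restore-GroupMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $GroupDn
    )
    $entry = (Get-Content -Path $Path -Raw | ConvertFrom-Json) |
        Where-Object { $_.Dn -eq $GroupDn } | Select-Object -First 1
    if (-not $entry) { throw "No reference entry for $GroupDn in $Path" }
    $server = (Get-ADDomain -Identity $entry.Domain).PDCEmulator
    try {
        $group = Get-ADGroup -Server $server -Identity $GroupDn -Properties member -ErrorAction Stop
    } catch {
        # The reference holds the last known SID and members, but only an
        # authoritative restore brings the object itself (with that SID) back.
        Write-Warning "$GroupDn is gone (last seen $($entry.Seen), SID $($entry.Sid)); restore the object first."
        return $entry
    }
    $current = @($group.member)
    $missing = @($entry.Members | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        # Write DNs straight into member so cross-domain members are accepted
        # without resolving each one in its home domain first. -WhatIf on this
        # function propagates here, so a dry run shows what would be re-added.
        Set-ADGroup -Server $server -Identity $GroupDn -Add @{ member = $missing }
    }
    return $missing
}

# Usage (scheduled daily, then ad hoc after an accident); paths and DN are hypothetical.
# Update-GroupMirror -Path 'C:\ADRef\groups.json' | Out-Null
# Restore-GroupMembers -Path 'C:\ADRef\groups.json' -GroupDn 'CN=FS-Finance-RW,OU=Groups,DC=corp,DC=example' -WhatIf
```

Keying the store on objectGUID rather than DN is what makes the Deleted marker meaningful: a group that is deleted and recreated by hand gets a new GUID and a new SID, so the old entry stays marked deleted with its old SID, and the ACEs still pointing at that SID can be found and re-applied rather than silently left dangling.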
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 04, 2004 2:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

actually, you need to consider this issue more than others Joe, as you're building all group-memberships on Domain Local Groups (in a multi-domain environment) which will kill you, if you do accidentally delete the wrong objects. Obviously you could still restore all domains - but that's pretty nasty.
 
And accidents don't only happen to lower privileged admins - it could be one of you three...
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, 3 March 2004 16:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

Yes, excellent point. We haven't started worrying about that granularity yet. If something is deleted, we figured the person with the power to delete it intended it. Have a nice day. There are only three people who can really do any huge mass deletes across the board and we all sit within smacking distance of each other so we are careful as we have sensitive ears and don't want to be cuffed. I do think we need some sort of solution for this eventually though. But it is more to reduce nuisance factor for silly OU admins than anything else.
 
Right now mostly still just worrying about the old South East Michigan was swallowed by a volcano that came out of nowhere... How do we make sure we can recover.
 
-------------
http://www.joeware.net   (download joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, March 03, 2004 3:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

will only be good for restoring the DC hardware, but depending on your setup won't be sufficient to fully recover accidentally deleted objects.
 
I've worked with Aelita on this whitepaper to discuss the potential issues:
 
/Guido


From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 3 March 2004 02:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

1. Multiple DCs in disparate locations.
 
2. Virtual DC for each domain that is shut down nightly and the disk file for each is copied to some other location.
 
-------------
http://www.joeware.net   (download joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Tuesday, March 02, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Protecting Active Directory
Importance: High

What is the best way to back up your domain controller so you can restore it in a disaster situation?
