Active Directory is the premier authentication and directory mechanism in the Windows server world. 95% of Fortune 1000 companies use Active Directory. Without Active Directory, managing a company with more than 5 or 10 computers quickly becomes cumbersome.
Active Directory is critical to the overall management of a network. If Active Directory breaks, employees may not be able to log on to their computers, access network resources (shared drives or printers), or even access the internet at all. That’s why it’s important to take a few easy steps to ensure Active Directory redundancy before disaster strikes.
Internet Creations uses Active Directory to streamline the sign-on process for all its computers. Internet Creations has 10 conference rooms, and if a user account had to be set up on each of them every time an employee was hired, it would take a substantial amount of time. Active Directory also gives our users a familiar experience: the same username and password logs them on to every computer in our office.
Internet Creations also integrates Active Directory with Salesforce Identity Connect for Single Sign-On (SSO). Employees are logged in to Salesforce automatically via their Active Directory credentials.
The Active Directory Recycle Bin is a feature that was introduced in Windows Server 2008 R2, and it exists in every iteration of Windows Server since then. The Active Directory Recycle Bin holds deleted Active Directory objects so that they can be restored easily after an undesirable deletion. Frequently, someone decides to “clean up” their Active Directory and get rid of unneeded objects (or so they think). Then, days, weeks, or months later, something breaks because of those deletions. Re-creating identical Active Directory objects likely won’t fix the problem, because a re-created object receives a new unique identifier (GUID) and security identifier, so permissions and group memberships that referenced the original object no longer apply. Furthermore, the “deleter” likely won’t remember exactly what they deleted (and from where) those days, weeks, or months ago.
Enter the Active Directory Recycle Bin. The Active Directory Recycle Bin is a PowerShell-based utility in Windows Server 2008 R2, and a GUI-based utility in later versions of Windows Server. In current versions of Windows Server the GUI is part of the Active Directory Administrative Center.
Once in the Active Directory Recycle Bin, you can simply view and restore any and all deleted Active Directory objects.
To enable the Active Directory Recycle Bin in Windows Server 2008 R2, follow the steps here.
To enable the Active Directory Recycle Bin in Windows Server 2012 and above, follow the steps here.
Be sure to set how long the Active Directory Recycle Bin holds objects before they are finally purged. By default, this period is 60 days. It can be increased, though. I recommend 1 year. Follow the steps here to adjust that timeframe.
A critical caveat of the Active Directory Recycle Bin is that it is not retroactive. It can only restore objects that have been deleted after it has been turned on. If you’ve deleted an object without previously enabling the Active Directory Recycle Bin, these steps won’t help you. You will have to take a more tedious and manual approach to recovering the deleted items.
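The following PowerShell is an added example, not code from the original article: it checks whether the Recycle Bin is enabled before it is needed, turns it on if not, raises the deleted-object lifetime to the recommended one year, lists what is currently recoverable, and restores one deleted account. The forest name contoso.com and the account jdoe are placeholders; the script assumes a forest functional level of Windows Server 2008 R2 or higher and an Enterprise Admin running it on a domain controller.

```powershell
# Added example (not from the original article): enable the AD Recycle Bin,
# extend the deleted-object lifetime to one year, and restore a deleted user.
# Placeholders: forest contoso.com (taken from Get-ADForest), account "jdoe".
Import-Module ActiveDirectory

$forest   = Get-ADForest
$forestDN = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
$configNC = "CN=Configuration,$forestDN"

# 1. Check whether the Recycle Bin is already on. Enabling it is a one-way
#    operation and only covers objects deleted afterwards, so check it today.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $rb `
        -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain `
        -Confirm:$false
    Write-Host "Recycle Bin enabled for $($forest.RootDomain)"
} else {
    Write-Host "Recycle Bin already enabled"
}

# 2. Raise the deleted-object lifetime to 365 days. Both attributes live on
#    the Directory Service object in the configuration partition; keep
#    tombstoneLifetime at least as long as msDS-DeletedObjectLifetime.
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
Set-ADObject -Identity $dsObject -Partition $configNC `
    -Replace @{ 'msDS-DeletedObjectLifetime' = 365; 'tombstoneLifetime' = 365 }

Get-ADObject -Identity $dsObject -Partition $configNC `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime

# 3. List what is in the Recycle Bin (everything flagged isDeleted except the
#    Deleted Objects container itself), most recent deletion first.
Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
    Sort-Object whenChanged -Descending |
    Format-Table Name, ObjectClass, lastKnownParent, whenChanged -AutoSize

# 4. Restore one object. The restored object keeps its original objectGUID
#    and SID, so ACLs and group memberships that referenced it work again.
$deleted = Get-ADObject -Filter 'SamAccountName -eq "jdoe" -and isDeleted -eq $true' `
    -IncludeDeletedObjects -Properties lastKnownParent
if ($deleted) {
    # The original parent OU must exist: restore the OU first if it was
    # deleted too, or pass -TargetPath to put the object somewhere else.
    Restore-ADObject -Identity $deleted
    Write-Host "Restored $($deleted.Name) to $($deleted.lastKnownParent)"
}
```

Step 1 is the part worth running on a schedule: because the feature is not retroactive, a monitoring check that reports EnabledScopes as empty is far cheaper than the manual recovery the article warns about.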
Now that you’re using the Active Directory Recycle Bin, why not secure your Active Directory even further by adding a Secondary Domain Controller (SDC)? A Secondary Domain Controller is a simple way to increase the redundancy of your Active Directory. Read on!
A Secondary Domain Controller is an Active Directory Domain Controller that keeps a copy of the entire Active Directory database. The Secondary Domain Controller can handle most functions of a Primary Domain Controller (PDC) during an outage affecting the Primary Domain Controller. Whether the Primary Domain Controller is being rebooted or its hardware has failed, the cause for concern is much lower if you have a Secondary Domain Controller than if you didn’t have one.
A Secondary Domain Controller can handle DNS queries, logon authentication, Global Catalog lookups, and other functions while the Primary Domain Controller is “down”. If the Primary Domain Controller is unrecoverable, you can make the Secondary Domain Controller the new Primary Domain Controller through a process called FSMO Role Seizure or Operations Masters Seizure (the latter is the newer term).
If you must resort to a seizure, it is important to know that the old Primary Domain Controller can never again be brought back online. If it is brought back online, it will cause synchronization issues with the domain, so wipe it (or delete the Virtual Machine) and remove its leftover metadata from the directory. For this reason, a seizure should be a last resort with no option of going back.
Provisioning a Secondary Domain Controller is simple: install the Windows Server operating system on a new physical server or Virtual Machine, join the server to the existing Active Directory Domain, and then promote the server to a Domain Controller using “dcpromo” or “Add Roles” in Administrative Tools, Server Manager. Then set your DHCP server to issue two DNS servers: one for your Primary Domain Controller (which should already be configured in the DHCP server), and one for the new Secondary Domain Controller.
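The same provisioning steps, written as an added PowerShell example rather than code from the article: it promotes a freshly built, domain-joined Windows Server 2012 or later member server to an additional domain controller (the PowerShell replacement for dcpromo), hands out both DCs as DNS servers via DHCP, and then verifies that the new DC actually replicates. The domain contoso.com, the site name Default-First-Site-Name, the DHCP scope 10.0.0.0 and the addresses 10.0.0.10 (existing DC) and 10.0.0.11 (new DC) are placeholders.

```powershell
# Added example (not from the original article): promote a domain-joined
# member server to an additional DC, update DHCP, and verify replication.
# Placeholders: contoso.com, Default-First-Site-Name, scope 10.0.0.0,
# existing DC = 10.0.0.10, new DC = 10.0.0.11.

# --- On the new server ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Promote as an additional DC with DNS and Global Catalog so it can answer
# name lookups, logons and catalog queries on its own. Credentials and the
# DSRM password are prompted for; never hard-code them in a script.
$cred = Get-Credential -Message 'Domain Admin credentials'
Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -Credential $cred `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns:$true `
    -NoGlobalCatalog:$false `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Force:$true
# The server reboots automatically once promotion finishes.

# --- After the reboot, from either DC ---
Import-Module ActiveDirectory

# Confirm both DCs exist, which one is a Global Catalog, and who holds the
# Operations Master (FSMO) roles today. Write that down: it is what you
# would have to seize if the role holder is ever lost.
Get-ADDomainController -Filter * |
    Format-Table Name, IPv4Address, Site, IsGlobalCatalog, OperationMasterRoles -AutoSize

# Inbound replication status for every DC. A non-zero LastReplicationResult
# or a stale LastReplicationSuccess means the new DC's copy is not current
# and it is not yet a usable fallback.
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName
} | Format-Table Server, Partner, LastReplicationSuccess, LastReplicationResult,
                 ConsecutiveReplicationFailures -AutoSize

# --- On the DHCP server ---
# Option 6 (DNS servers): list both DCs so clients keep resolving names and
# locating a DC when one of them is down.
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -DnsServer 10.0.0.10, 10.0.0.11
Get-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -OptionId 6
```

The replication check is the step most often skipped: a promoted DC that has not completed its first replication cycle will answer logons with stale data, so the verification belongs in the provisioning runbook, not only in troubleshooting.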
Now that you can sleep easy knowing you’re not dead in the water if your Primary Domain Controller fails, let’s talk about the best way to back up and restore your Active Directory Domain Controllers.
Backing up an Active Directory Domain Controller is different from other types of backup. For instance, a simple file backup program like Carbonite, CrashPlan, or Mozy will either not be able to back up and restore Active Directory at all, or it will involve many hurdles to complete.
Internet Creations has found success with Active Directory backups by using the simple built-in backup tools that come with Windows Server 2008 and above.
Firstly, Microsoft explicitly recommends that a Domain Controller serve no other function apart from hosting Active Directory. Ideally, your Domain Controller will not also be the File Server, Database server, or Windows Server Update Services (WSUS) server, for example; besides simplifying backups, that keeps the attack surface of your most sensitive server as small as possible. If your backup only has to worry about Active Directory, then Windows Server Backup is your friend.
Windows Server Backup is built into all Windows Server operating systems since Windows Server 2008. Windows Server Backup makes good use of Volume Shadow Copies (via VSS) to back up data. You may elect to back up to an external hard drive connected to the server or Virtual Machine, or you may elect to back up to a network share. Either option is acceptable (although a backup to a network share keeps only the most recent backup, because each scheduled run overwrites the previous one). For your offsite backup, you may now use a third-party program like Carbonite, CrashPlan, or Mozy to back up the files generated by Windows Server Backup. These files are specialized VHD (Virtual Hard Disk) files that contain the entire volume being backed up. Keep in mind that they also contain the complete Active Directory database, including every account’s password hashes, so the backup drive, the share, and the offsite copy need the same access restrictions and encryption as the Domain Controller itself.
On an Active Directory Domain Controller simply running Active Directory services, a Windows Server Backup job can often be completed in less than an hour. Windows Server Backup can be scheduled to run at a set time (or multiple times) throughout the day. Here’s an article with step-by-step instructions for setting up Windows Server Backup.
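Here is the backup job from the last two paragraphs expressed with the WindowsServerBackup PowerShell module (Windows Server 2008 R2 and later). This is an added example, not the article's linked instructions: it builds a nightly System State plus Bare Metal Recovery policy, commits it, and then shows the check a monitoring script would run the next morning. The target drive E: and the share \\backupnas\dc-backups are placeholders.

```powershell
# Added example (not from the original article): schedule a nightly Windows
# Server Backup of a domain controller and verify that it ran.
# Placeholders: local backup disk E:, network share \\backupnas\dc-backups.
# Install-WindowsFeature Windows-Server-Backup   # once, if not yet installed
Import-Module WindowsServerBackup

$policy = New-WBPolicy

# System State covers the AD database (NTDS.dit), SYSVOL and the registry.
# Bare Metal Recovery adds the critical volumes, so the whole DC can be
# restored into an empty Virtual Machine as the article describes.
Add-WBSystemState       -Policy $policy
Add-WBBareMetalRecovery -Policy $policy

# A dedicated local disk keeps a history of backups; a network share keeps
# only the most recent one because each run overwrites the last.
$target = New-WBBackupTarget -VolumePath 'E:'
# $target = New-WBBackupTarget -NetworkPath '\\backupnas\dc-backups' -Credential (Get-Credential)
Add-WBBackupTarget -Policy $policy -Target $target

# Full VSS backups so the backup history stays consistent; run at 02:00
# daily (Set-WBSchedule takes several times if you want more than one).
Set-WBVssBackupOptions -Policy $policy -VssFullBackup
Set-WBSchedule -Policy $policy -Schedule ([datetime]'02:00')

# Commit the policy; this registers the scheduled task.
Set-WBPolicy -Policy $policy -Force

# --- Verification, e.g. from a monitoring script the next morning ---
$summary = Get-WBSummary
$summary | Select-Object LastBackupTime, LastSuccessfulBackupTime,
                         LastBackupResultHR, NumberOfVersions

# Warn if the last successful backup is older than a day or the last run
# reported an error (non-zero HRESULT). A backup nobody checks is not a
# backup you can count on during an outage.
if ($summary.LastSuccessfulBackupTime -lt (Get-Date).AddHours(-24) -or
    $summary.LastBackupResultHR -ne 0) {
    Write-Warning "DC backup on $env:COMPUTERNAME is stale or failed; investigate before relying on it."
}

# The resulting VHD files hold the whole AD database, password hashes
# included: restrict the target to backup operators and encrypt it
# (BitLocker on the external disk) before any offsite copy is made.
Get-WBBackupSet | Select-Object VersionId, BackupTime, BackupTarget
```

Running the verification block from a central monitoring host rather than on the DC itself avoids giving that host a reason to log on to the Domain Controller, which keeps the "Domain Controllers do nothing else" principle intact.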
When restoring from a Windows Server Backup in an environment where you only have one Domain Controller, you should restore the entire server to a new, empty Virtual Machine. Ensure the “old” (or broken) server you are restoring from is no longer on the network, to avoid IP address and name conflicts. In an environment with both a Primary Domain Controller and a Secondary Domain Controller, if one Domain Controller is still functioning, you might consider simply building a new server, joining it to the domain, and then promoting it to a Domain Controller. Then give it the proper FSMO Roles or Operations Masters from the “dead” Domain Controller. The new Domain Controller will replicate from the existing one, so it will contain a copy of the Active Directory database.
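For the second scenario above (one Domain Controller dead, one surviving), this added PowerShell example, which is not part of the original article, seizes only the roles the dead DC held, refuses to do so if that DC still answers on the network, cleans its metadata and DNS records out of the directory so it can never be mistaken for a live DC again, and verifies the result. DC1 (dead), DC2 (survivor), DHCP scope 10.0.0.0 and address 10.0.0.11 are placeholders; run it as an Enterprise Admin on the surviving DC.

```powershell
# Added example (not from the original article): make the surviving DC the
# Operations Master after the other DC is lost for good, then clean up.
# Placeholders: dead DC "DC1", surviving DC "DC2".
Import-Module ActiveDirectory

$deadDC   = 'DC1'
$survivor = 'DC2'
$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Map the five roles to their current holders and pick out the dead DC's.
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$toSeize = @($holders.Keys | Where-Object { $holders[$_] -like "$deadDC.*" })

# 2. Guard: seizure is one-way. If the old holder still answers, use a
#    transfer (the same cmdlet without -Force) instead of a seizure.
if (Test-Connection -ComputerName "$deadDC.$($domain.DNSRoot)" -Count 2 -Quiet) {
    throw "$deadDC still responds; transfer the roles instead of seizing them."
}

if ($toSeize.Count -gt 0) {
    Write-Host "Seizing on $survivor : $($toSeize -join ', ')"
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 3. Metadata cleanup: remove the dead DC's server object from the
#    configuration partition so it leaves the replication topology.
$serverObj = Get-ADObject -Filter 'objectClass -eq "server" -and Name -eq $deadDC' `
    -SearchBase "CN=Sites,$configNC"
if ($serverObj) {
    & ntdsutil.exe 'metadata cleanup' "remove selected server $($serverObj.DistinguishedName)" quit quit
}

# 4. Remove what metadata cleanup leaves behind: the computer account in
#    OU=Domain Controllers and the A record, so clients stop trying it.
$acct = Get-ADComputer -Filter 'Name -eq $deadDC' -ErrorAction SilentlyContinue
if ($acct) { Remove-ADObject -Identity $acct -Recursive -Confirm:$false }
Remove-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType A -Name $deadDC `
    -Force -ErrorAction SilentlyContinue

# 5. On the DHCP server: stop handing out the dead DC as a DNS server
#    (placeholders: scope 10.0.0.0, surviving DC 10.0.0.11).
# Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -DnsServer 10.0.0.11

# 6. Verify: every role points at the survivor and replication with any
#    remaining DCs is clean.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
repadmin /replsummary
```

Once this has run, the rebuilt or restored replacement from the article's steps is promoted as a brand new DC and replicates from DC2; the old DC1 image or disks must be destroyed rather than powered on, for the reason given in the seizure section.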