Security Watch

Testing, Testing, 1, 2, 3...

Disaster recovery plans should be part of any testing plan.

I do my research and testing within the confines of a test network. Sometimes it's a single Windows forest with a single domain and sometimes it's a multi-domain, multi-forest, multi-OS monster. Mostly it's not meant to exist for more than a few months, so I don't spend a lot of time worrying about keeping it viable in the face of natural disaster or even simple hard drive failure. If something in the test Windows network dies, it's not going to mean its not going to put me out of business. Can you say the same?

Do you have a disaster recovery plan for your Windows network? I'm not talking about simple data or even system backup here. I'm talking about your plan for completely recovering from the loss of your Active Directory infrastructure. Could you withstand the loss of one of your operations masters? How about the first domain controller installed in a domain? How long would it take to rebuild the DC? Would that time span be short enough to prevent you from major revenue loss?

There are two themes here: First, you should have a comprehensive plan for recovering from the loss of any part of, or all of, your AD infrastructure. Second, you should be able to do so without causing your business financial ruin.

First things first. What should you be doing today that might save your hide tomorrow? Here are three important steps: if you aren't doing them, you should be asking yourself why.

  1. Back up every DC, but make doubly sure you back up every operations role master, global catalog server and the first DC in the domain. You can only restore a DC from its own backup. You can create new DCs in the domain to take the place of those that serve no special role, and you can recover operation masters and rebuild a GC, but can you do so fast enough?
  2. Back up frequently. A backup older than the tombstone age set in AD is not a backup. A tombstone represents a deleted item. The tombstone exists so that an item can be replicated throughout AD, making sure that each DC eventually has deleted the item. If your backup is older than the tombstone age, you won't be able to successfully use it to restore a healthy AD back to your pre-disaster state.
  3. Practice recovery of each type of DC loss. If you don't have a test network to attempt this on, get one. It's a small investment that can mean everything.

There's a lot more to disaster recovery—and, more importantly, maintaining business continuity. If you've got some statistics on the time it took you to recover from an AD failure, let me know.

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.


  • Secured-Core PCs Promise To Stop Malware at the Firmware Level

    Microsoft and its hardware partners recently described new "Secured-core" PCs, which add protections against firmware-based attacks.

  • How To Ransomware-Proof Your Backups: 4 Key Best Practices

    Backups are the only guaranteed way to save your data after a ransomware attack. Here's how to make sure your backup strategy has ransomware mitigation built right in.

  • Microsoft Buys Mover To Aid Microsoft 365 Shifts

    Microsoft announced on Monday that it bought Mover to help organizations migrate data and shift to using Microsoft 365 services.

  • Microsoft Explains Windows 7 Extended Security Updates Setup Process

    Microsoft this week described installation instructions for volume licensing users of Windows 7 Service Pack 1 to get Extended Security Updates (ESU) activated on PCs.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.