Clearing the Air on Forest Recovery
There's a bit of confusion on the topic of Active Directory forest recovery, and I'll admit that I was caught up in the confusion as well. The confusion stems, I think, primarily from third-party software vendors who either have, or do not have, forest recovery tools to sell.
Vendors who don't sell forest recovery tools will tell you that they don't do so because you can only do a forest recovery in conjunction with Microsoft Product Support Services. If you attempt a forest recovery on your own, Microsoft may not support any further issues you have with Active Directory in the future.
Vendors who do sell forest recovery tools will tell you that their tools make a forest recovery faster and easier, and that their tools follow Microsoft's recommendations for completing the process safely.
They're both right.
This is a point I myself was confused about. It turns out that Microsoft is perfectly fine with you using third-party forest recovery tools to speed up the recovery process as you perform it with Microsoft's guidance.
You do have to be on the phone with Microsoft, but you can use tools to speed up the tasks they ask you to perform.
So do you need a forest recovery product?
It depends. I'm told that all of the Fortune 500 own one, and that makes sense to me. Giant companies tend to buy a lot of insurance for a variety of things, and owning a forest recovery product is really a form of insurance. A Fortune 500 company that's missing an AD forest could be losing millions of dollars per hour, and a tool that speeds up the process probably makes perfect financial sense.
On the other hand, a very small company with a single domain and just a handful of domain controllers might not find financial sense in a forest recovery tool. Keep in mind that such a tool will neither prevent a forest failure, nor make recovery instantaneous; there's still a Microsoft-guided process to go through. So for very small companies, the time saved might not outweigh whatever financial loss they could expect to incur during the outage.
Other companies are going to just have to look. How much time will an unassisted forest recovery take? How much will a recovery tool speed things up? How much money will you lose either way? If the additional time -- and thus financial impact -- of not having a tool is greater than the cost of such a tool, then you should probably consider buying the tool. Think of it as a specialized form of insurance policy, much like your flood insurance or worker's comp insurance.
All that said, you should absolutely separate forest recovery -- which is the very definition of "disaster recovery" -- from the day-to-day data restoration that your company also needs. Every company should have a product capable of doing single-item and attribute-level recovery for Active Directory, capabilities not natively offered in any version of Windows (the Win2008R2 "Recycle Bin" feature can't do attribute-level restoration). Such a restoration tool may or may not be part of a change auditing solution, depending on whether or not you need such a thing. Restoration tools exist that include the forest recovery capability, but as you're evaluating such tools, try to consider those capabilities independently. You're not likely to need a forest recovery tool very often; that day-to-day object restoration capability, however, will come up frequently.
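To make the distinction concrete, here is an added PowerShell example (not code from the original post) showing the two cases: restoring a whole deleted object, which the AD Recycle Bin handles, and rolling back a single attribute change on a live object, which it does not. It assumes the RSAT ActiveDirectory module, a domain at the Windows Server 2008 R2 forest functional level or later with the Recycle Bin already enabled, and an account with rights to restore objects; the user name "jdoe" and the attribute list are constructed sample values.

```powershell
# Added example; assumes the ActiveDirectory module is installed and the
# AD Recycle Bin is enabled. "jdoe" is a constructed sample account.
Import-Module ActiveDirectory

# --- Case 1: whole-object restore (what the Recycle Bin gives you) -----------
# Deleted objects are hidden unless you ask for them explicitly.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like "jdoe*" } `
    -IncludeDeletedObjects -Properties lastKnownParent

# Restore-ADObject puts the object back with the attributes it had at deletion.
$deleted | Restore-ADObject

# --- Case 2: attribute-level rollback (what the Recycle Bin does NOT give you) -
# A tiny safety net for scripted changes: snapshot the attributes you are about
# to touch, then compare and roll back only what drifted. A real restore or
# change-auditing product does this from backups or change history at scale;
# this only covers attributes you snapshotted yourself.
function Save-AttributeSnapshot {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $Attributes
    )
    $obj = Get-ADUser -Identity $Identity -Properties $Attributes
    $snap = @{}
    foreach ($a in $Attributes) { $snap[$a] = $obj.$a }
    return $snap
}

function Restore-AttributeSnapshot {
    param(
        [Parameter(Mandatory)] [string]    $Identity,
        [Parameter(Mandatory)] [hashtable] $Snapshot
    )
    $current = Get-ADUser -Identity $Identity -Properties @($Snapshot.Keys)
    foreach ($a in $Snapshot.Keys) {
        if ($current.$a -eq $Snapshot[$a]) { continue }   # unchanged, skip
        if ($null -eq $Snapshot[$a]) {
            # Attribute was empty before the change: clear it rather than
            # passing $null to -Replace, which the cmdlet rejects.
            Set-ADUser -Identity $Identity -Clear $a
        } else {
            Set-ADUser -Identity $Identity -Replace @{ $a = $Snapshot[$a] }
        }
        Write-Verbose "Rolled back $a on $Identity"
    }
}

# Usage: snapshot, run the risky bulk change, then roll back on demand.
$attrs = 'description', 'department', 'title'
$before = Save-AttributeSnapshot -Identity 'jdoe' -Attributes $attrs

Set-ADUser -Identity 'jdoe' -Department 'Wrong-Dept'   # the mistake you want undone

Restore-AttributeSnapshot -Identity 'jdoe' -Snapshot $before -Verbose
```

The point of the second half is not that you should script your own restore product, but that once an attribute on a live object has been overwritten, nothing in the Recycle Bin holds the old value; the old value has to have been captured somewhere else beforehand, which is exactly the gap a dedicated object- and attribute-level restoration tool fills.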
Posted by Don Jones on 12/29/2011 at 1:14 PM