Active Directory Forest Recovery
Active Directory forest corruption, the process of recovering from it, and other scenarios that can threaten the forest are discussed below.
A full whitepaper discussing corruption and recovery in more depth can be downloaded from our Resource Library.
What is AD Corruption
A forest corruption is an unknown failure that causes every domain controller in the forest to fail and, in the worst case, to fail to boot into Active Directory mode. Bear in mind that either a whole forest or an individual domain could suffer from this unknown failure. Forest corruption would prevent one or more of the following from operating correctly:
The ability of every domain controller to boot into Active Directory Online mode
User authentication at the console of any domain controller in the forest
Remote user authentication
Local or replicated operations
Normal operation of Active Directory dependent components
Local or remote access to data held in Active Directory
If a forest corruption occurred, it would be replicated throughout the Active Directory forest by a standard replication cycle, which on well-connected parts of the network completes in under fifteen seconds.
Forest corruption is a symptom of a core failure in a distributed directory. Forest corruption is not specific or unique to Active Directory and would apply to any distributed directory system.
What is AD Forest Recovery
Forest recovery is the complete and total recovery of the Active Directory environment within an organisation. That is, the recovery of all domain controllers in the common Active Directory forest by restoring a healthy and valid system state of at least one domain controller in every domain in the forest and either restoring system state or re-promoting all replica domain controllers in each domain.
Forest recovery is not an event that an organisation will run on a frequent basis; indeed, it may never need to be run other than in a test. It is not the same kind of failure as restoring a single failed domain controller.
Microsoft report that the primary cause of needing a forest recovery is failing to create system state backups on a responsible number of domain controllers, covering every partition and remote location throughout the forest, with the frequency necessary to recover from damage to critical objects in the directory, or to the store itself, on all domain controllers in the forest.
Forest recovery should be a CIO/CEO-approved process in which the information and the accounts and passwords necessary to perform a forest recovery are held in the CIO's or CEO's safe. It should not be viewed as a trivial event.
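Since forest recovery depends on holding a valid system state backup for at least one domain controller in every domain, the check below is the one a practitioner would want to run on a schedule. It is an added example, not code from the original article or from Embrionic's Recovery Suite. It assumes the ActiveDirectory module on the machine running it, the WindowsServerBackup module on each domain controller, and WinRM access to every domain controller; the seven-day warning threshold is an assumed policy value. Get-WBSummary only reports that a Windows Server Backup job succeeded, so the backup policy on each DC must separately be confirmed to include system state.

```powershell
# Added example: inventory every DC in the forest and flag domains that lack a
# recent, usable system state backup. Assumes ActiveDirectory + WindowsServerBackup
# modules and WinRM access (see lead-in); unreachable DCs are reported as such.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDSE = Get-ADRootDSE

# A backup older than the tombstone lifetime cannot be used for a supported restore,
# so it is the hard ceiling; warn well before it (assumed policy: 7 days).
$dsConfig = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDSE.configurationNamingContext)" -Properties tombstoneLifetime
$tombstoneDays = if ($dsConfig.tombstoneLifetime) { $dsConfig.tombstoneLifetime } else { 60 }  # 60 days if the attribute is unset
$warnDays = 7

$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $lastBackup = $null
        $status = 'Unreachable'
        try {
            $summary = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                Import-Module WindowsServerBackup -ErrorAction Stop
                Get-WBSummary
            }
            # A DC that has never been backed up reports DateTime.MinValue, not $null.
            if ($summary.LastSuccessfulBackupTime -and $summary.LastSuccessfulBackupTime -gt [datetime]'1900-01-01') {
                $lastBackup = $summary.LastSuccessfulBackupTime
            }
            $ageDays = if ($lastBackup) { ((Get-Date) - $lastBackup).TotalDays } else { $null }
            $status = if (-not $lastBackup)            { 'NeverBackedUp' }
                      elseif ($ageDays -gt $tombstoneDays) { 'OlderThanTombstoneLifetime' }
                      elseif ($ageDays -gt $warnDays)      { 'Stale' }
                      else                                 { 'OK' }
        } catch {
            $status = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Domain     = $domain
            DC         = $dc.HostName
            Site       = $dc.Site                               # shows how backups are spread across locations
            FSMORoles  = ($dc.OperationMasterRoles -join ',')
            LastBackup = $lastBackup
            Status     = $status
        }
    }
}

$report | Sort-Object Domain, DC | Format-Table -AutoSize

# Forest recovery needs a good backup of at least one DC per domain; call out any
# domain where no DC currently meets that bar.
foreach ($domain in $forest.Domains) {
    $good = $report | Where-Object { $_.Domain -eq $domain -and $_.Status -eq 'OK' }
    if (-not $good) {
        Write-Warning "Domain $domain has no domain controller with a successful backup newer than $warnDays days."
    }
}
```

Run it from a management host with forest-wide read access and WinRM rights on the domain controllers. The Site column matters as much as the date: a domain whose only recent backup sits in the same building as every other DC does not meet the "remote locations" requirement described above.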
What is Not Forest Corruption
The following situations do not constitute a forest corruption nor would they warrant a forest recovery:
The accidental, malicious or unexpected changing of application attributes or objects
Example: If an administrator maliciously removed all of the users from within Active Directory.
A replicated accidental, malicious or unexpected change of data where Active Directory has received the data from a master source
Example: If an organisation has meta or master directory feeds and/or replication agreements between other directories and the organisation's Active Directory, and those feeds or sources instigate unwanted changes. In this example, Active Directory is working by design.
The failure of a percentage of domain controllers in the forest, as the impact is not forest wide
Example: If five out of ten domain controllers in an organisation failed, it could be argued that using Embrionic's forest recovery process would re-align those failed domain controllers more quickly than the manual processes in place. This should not be used as an excuse to instigate a forest recovery.
Embrionic Solutions
Embrionic have worked for 2 years alongside Microsoft Consulting Services deploying the largest global Windows 2003 retail infrastructure and have spent much of that time focusing on meeting customer requirements to recover nearly 2500 Windows 2003 domain controller services in 4 hours. From these experiences and our work in other areas we have developed an offering called the Embrionic Recovery Suite, which comprises technology to enable and fast-track recovery procedures from the smallest Active Directory installations to some of the largest. Check out AD Recovery to find out more details.