Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

PowerBroker Recovery for Active Directory Takes the Pain and Uncertainty out of AD Recovery

Posted March 19, 2012    Morgan Holm

I remember back in school working on an essay for days, saving it to my local 5 ¼ inch floppy just to find a disk error when trying to print it the day before it was due. Remembering all that I wrote, and then actually doing the work, gave me an unsettling feeling in my lower stomach. I am sure we have all been there. Well, having more than a decade of experience with Active Directory I can tell you I have come across a fair share of administrators who have come across a similar scenario.

The thought of a blown away OU or massive disruption caused by an automated script “gone bad” is definitely not fun for an administration team and can greatly affect a business’s bottom line. When rewriting my lost essay it was just me making additions and changes to the source, and therefore foreseeable that I could remember most of the additions and edits that I had made. However, in Active Directory there could be dozens of administrators, help desk staff, users, and automated processes making changes to the directory objects. When a malicious or inadvertent change affects the health of the directory, restoring it is not only a daunting administrative task, it is also an expensive and timely exercise that includes:

Backup Identification and Verification: The administrators need to find and verify the last “good” backup from which to start their recovery operations.

Data Loss Discovery and Validation: The administrators need to identify the good changes, and inform the business that these changes made will need to be reapplied. The volume of these changes and potential for data loss could be significant. Take for example a scenario where the directory troubles are discovered at 3:00 PM and the last good backup was the previous evening—say 1:00 AM. In this example there are 14 hours of potential user and system driven changes that may have been applied to the production Active Directory, but not reflected in the backup source. This could include user and group changes dictated by help desk and HR processes. Not only do these changes need to be re-applied, but also any supplementary documentation to support compliance and security initiatives may also need to be updated to reflect these issues and remediation efforts.

Data re-application: Once the source backup and good changes have been identified, they need to be re-applied to the directory. This could be done manually, but it is preferred that these changes can be applied in an automated way to speed recovery and reduce errors. This may involve re-running automated processes, creating and running some scripts. However, when performing the recovery you need to ensure that you are only applying the good changes in a way that does not affect other objects and attributes—again, not a trivial process.

While these steps are somewhat generalized, they outline some of the high-level steps required to recover from a domain and object level directory issues and outages. Finding a good backup is typically not that difficult, assuming that you are performing and verifying Active Directory backups within your environment. But, that is only a small component of the recovery operation. Reducing data loss, verifying the final directory state, and ensuring that all supporting documentation and processes have been updated can take a significant amount of time and resources.

This is why Active Directory recovery solutions have become a staple for many organizations in which their AD environment has become a critical component of their IT and business processes.

PowerBroker eliminates and automates much of the recovery process to reduce errors, eliminate data loss and ensure the business is up and running as quickly as possible.

Backup Identification and Verification
PowerBroker Recovery for Active Directory eliminates the need to find and load various backup files by providing a single-instance online change log, which enables organizations to quickly review and compare directory objects back to previous point-in-time backups from a single interface.

Data Loss Discovery, Validation and Re-application
PowerBroker Recovery for Active Directory also provides online object and attribute level comparisons and rollbacks to target only those specific changes that need to be rolled back. This greatly reduces possible data loss and errors, as well as the labor cost of locating and reapplying specific changes from a point-in-time backup.

Ensuring Zero Data Loss
In addition to point-in-time backups, PowerBroker Recovery for AD is the only solution to provide a continuous change log for Active Directory. This online log protects directory content up to the point of the error or malicious event. If a user, or even an entire OU, is deleted, the change log will enable the user to recover all object and attribute data up to the point of the deletion event, resulting in ZERO data loss with a few clicks of the mouse. The continuous audit log also features an “UNDO” button that enables changes to objects and attributes to be rolled back with a single mouse click.

If you’re organization is serious about Active Directory and concerned about the potential impact of outages, you may want to have a look at our award winning solution

, , , ,

Leave a Reply

Additional articles


A Quick Look at MS14-068

Posted November 20, 2014    BeyondTrust Research Team

Microsoft recently released an out of band patch for Kerberos.  Taking a look at the Microsoft security bulletin, it seems like there is some kind of issue with Kerberos signatures related to tickets. Further information is available in the Microsoft SRD Blogpost So it looks like there is an issue with PAC signatures.  But what…

, , , ,
Password Game Show

Managing Shared Accounts for Privileged Users: 5 Best Practices for Achieving Control and Accountability

Posted November 20, 2014    Scott Lang

How do organizations ensure accountability of shared privileged accounts to meet compliance and security requirements without impacting administrator productivity? Consider these five best practices…

, , , , , ,
Triggering MS14-066

Triggering MS14-066

Posted November 17, 2014    BeyondTrust Research Team

Microsoft addressed CVE-2014-6321 this Patch Tuesday, which has been hyped as the next Heartbleed.  This vulnerability (actually at least 2 vulnerabilities) promises remote code execution in applications that use the SChannel Security Service Provider, such as Microsoft Internet Information Services (IIS). The details have been scarce.  Lets fix that. Looking at the bindiff of schannel.dll, we see a…

, , , , ,