Came across this article today, which, though a little sensationalistic, was not far from the mark regarding your IT department.
Monday, 3 February 2014
Tuesday, 28 January 2014
Thinking about Active Directory Recovery
Microsoft Active Directory is probably the most heavily used and least considered software component in your organisation. It underpins almost every authentication activity:
- Workstation login
- Printer
- Email Access
- Federation to external resources
- File access
- Delegated access to resources
- SharePoint
- Office Communications server/Lync
- SQL server
- IIS websites
When Active Directory fails the fallout will be enormous, and most likely it's not currently in scope for your Business Continuity Plans for major application failure, or, when it is, it is poorly considered.
In my experience with customers, even if it is in scope, Active Directory recovery will be a restore from tape following the Microsoft recovery guide here:
Unfortunately the steps contained in that document are not a recovery process at all, but rather a set of steps that you will need to undertake when the problem occurs.
Recovery is also not a simple "backup and restore system state" process when there are multiple DCs, and worse when there are constraints on expertise and/or the WAN.
Two types of constraint come to mind when a significant Active Directory issue occurs that might require a full recovery of AD.
1. Political/People/Management
a. A 'war room' committee will need to be invoked and plans for the recovery process commenced
b. People need to be mobilised
c. The right skills need to be available to perform the recovery, as it's a complex task
d. The recovery process needs to be current and valid
e. Every 60 minutes management will want an update on progress
2. Technical
a. If running multiple domain controllers, each domain controller needs to be isolated from all others to ensure bad data doesn't replicate
b. Recovery may require multiple backup versions to ensure the recovery doesn't restore a previous 'bad' backup
c. AD health needs to be checked and confirmed to ensure all services are back up and operational
d. The recovery process might have to pause recovery of various servers to ensure the correct restore order occurs
e. Rolling the RID pool forward needs to occur to ensure there isn't an issue with old corrupt data becoming authoritative and overwriting good recovered data
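The technical points above (replication isolation, AD health confirmation and the RID pool) can be verified rather than assumed. The following PowerShell is an added example, not code from the original post or from any product it mentions; it is read-only and assumes the RSAT ActiveDirectory module, dcdiag.exe and repadmin.exe are on the machine, that it runs with domain admin rights against a recovered DC, and that the domain name is whatever Get-ADDomain returns (no real server or domain names are used).

```powershell
# Added example: read-only post-recovery health checks for an Active Directory domain.
# Assumes the RSAT ActiveDirectory module plus dcdiag.exe and repadmin.exe are available.
Import-Module ActiveDirectory

# rIDAvailablePool is a 64-bit value: the upper 32 bits hold the next RID to be
# allocated, the lower 32 bits hold the maximum RID. After an authoritative restore
# the "next RID" must be higher than any RID handed out after the backup was taken.
function ConvertFrom-RidAvailablePool {
    param([Parameter(Mandatory)][long]$Pool)
    $twoPow32 = [long]4294967296
    $next = [long][math]::Floor($Pool / $twoPow32)
    $max  = $Pool % $twoPow32
    [pscustomobject]@{
        NextRid       = $next
        MaxRid        = $max
        RemainingRids = $max - $next
    }
}

# Read the RID pool from the RID Manager object of the given domain DN.
function Get-RidPoolStatus {
    param([Parameter(Mandatory)][string]$DomainDn)
    $ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$DomainDn" -Properties rIDAvailablePool
    ConvertFrom-RidAvailablePool -Pool ([long]$ridMgr.rIDAvailablePool)
}

# Summarise inbound replication partners for one DC using repadmin's CSV output.
# A non-zero "Number of Failures" on any partner means replication is not yet healthy.
function Test-DcReplication {
    param([Parameter(Mandatory)][string]$DomainController)
    $rows   = repadmin /showrepl $DomainController /csv | ConvertFrom-Csv
    $failed = @($rows | Where-Object { $_.'Number of Failures' -ne '0' })
    [pscustomobject]@{
        DC       = $DomainController
        Partners = @($rows).Count
        Failing  = $failed.Count
        Failures = $failed | Select-Object 'Naming Context', 'Source DSA', 'Last Failure Status', 'Last Success Time'
    }
}

# Run the dcdiag tests that matter most right after a restore; /q prints only errors.
function Get-DcDiagErrors {
    param([Parameter(Mandatory)][string]$DomainController)
    dcdiag /s:$DomainController /test:Replications /test:Services /test:Advertising /test:FsmoCheck /q
}

# Pull everything together into one report object for the war-room update.
function Invoke-AdRecoveryHealthCheck {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    [pscustomobject]@{
        Domain       = $dom.DNSRoot
        FsmoRoles    = [pscustomobject]@{
            PDCEmulator          = $dom.PDCEmulator
            RIDMaster            = $dom.RIDMaster
            InfrastructureMaster = $dom.InfrastructureMaster
        }
        RidPool      = Get-RidPoolStatus -DomainDn $dom.DistinguishedName
        Replication  = $dcs | ForEach-Object { Test-DcReplication -DomainController $_.HostName }
        DcDiagErrors = $dcs | ForEach-Object {
            [pscustomobject]@{ DC = $_.HostName; Errors = (Get-DcDiagErrors -DomainController $_.HostName) }
        }
    }
}

# Usage (interactive): capture the report, then drill into each section.
# $report = Invoke-AdRecoveryHealthCheck
# $report.RidPool; $report.Replication | Format-Table DC, Partners, Failing
```

Record `NextRid` before the outage (or from the backup you restored) and compare it with the value after recovery: if accounts or groups were created between the backup and the failure, the pool has to have been advanced past the RIDs they consumed, which is point 2e above. Any DC with `Failing` greater than zero, or any non-empty `Errors` text from dcdiag, should keep that DC out of the "back up and operational" column of the management update.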
My experience with business disasters has been that, as a problem becomes larger, more people are involved and the process of recovering the failed system slows down because of the people involved. Without a good rollback position, people are more reluctant to attempt the recovery, so more time passes and additional people become involved. This becomes a nightmare of epic proportions.
Recently we were invited to prove a recovery of Active Directory against Microsoft Professional Services for a customer of ours, to highlight the difference in TTTR (Total Time To Recover).
Microsoft PSO and their recovery process required 17 hours to restore AD.
Our software approach took 1 hour and 5 minutes, and we proved this 3 times.
In addition to the recovery, our software creates the recovery process and automates it. It also allows the business to test full AD recovery without risk.
Whether your organisation needs to be able to recover quickly is down to the business leaders, but in many cases the business doesn't understand the implications of a full forest outage and just how much of the business may be affected and inoperable.
Wednesday, 22 January 2014
Configuring 'Fusion IO' without a specialised 'Hybrid Hard Drive'
My main PC hard drive recently failed, leaving me data-less and with no PC to run Steam games from. Luckily most of my data was already replicated to a central NAS and other critical data shared between "Google Drive" and "Microsoft SkyDrive", so the loss was restricted to save games .... noooooooo ...... Skyrim and many, many hours of playtime all gone.
Anyway, I have purchased a 2 TB hard drive to replace the failed drive, and I happened to also have a 120 GB SSD which was an OEM replacement for another SSD that failed on me last year.
Reading further about Fusion IO, I pondered whether I could actually use this SSD and the 2 TB hard disk together as a hybrid drive, and it seems as though I can. Intel provide a configuration with the recent 6 and 7 series chipsets for a RAID configuration that supports a hybrid setup. I will update my experiences after I have installed Windows again.
http://www.pcworld.com/article/248828/how_to_setup_intel_smart_response_ssd_caching_technology.html
Update:
It seems that the motherboard I'm using doesn't support the hybrid drive :-(
Tuesday, 14 January 2014
Interesting Vulnerability in Office 365
Stumbled across this interesting link today regarding Microsoft Office 365, http://adallom.com/blog/severe-office-365-token-disclosure-vulnerability-research-and-analysis/
It's expected that all software has inherent flaws, as it's impossible to code for every possibility without many iterations. The scary aspect of this problem, though, is that as organisations move towards cloud-based solutions for storing business-critical and sensitive data, the likelihood of data being stolen increases dramatically.
The 'old world' corporation stored data within its own organisational boundaries; this in itself added a 'castle wall', where a hacker had to get past the corporate firewall before security could be breached. Even exploiting a credential did not necessarily mean a hacker had access to any data.
Vulnerabilities will continue to be found and exploited for many years to come (just look at the patches for the software and OS versions we all use every day), and possibly there is a case for storing sensitive intellectual property within the company's walls.
Gmail Delete All
There is a great article here on how to mark all unread messages as read without opening each and every message.
http://www.zdnet.com/blog/btl/how-to-mark-all-unread-emails-as-read-in-gmail-and-more/80754
Tuesday, 7 January 2014
Intuitive Windows Error message #1
Intuitive Microsoft Windows 7 error message #1
Working on my laptop this morning I discovered an issue with VMware Workstation 9 having uninstalled itself without any prompting from me. What's odd is that my laptop was disconnected from power and in sleep mode when this uninstall occurred, as starting up VMware was the first activity attempted this morning and the application was no longer available.
No problem, because our trusty corporate software share is where I found the installer yesterday, and I can find the installer for the second time, or can I……
Descriptive Microsoft error message….
[Image: Error clearly shows I have an existing drive mapping to Y: and, as it's already in use, I can't 'double click' and access the Y: drive.]
This is of course 100% accurate: I do want to open the Y: drive and run the installer. Hang on a minute? This message tells me I can't open the Y: drive because the device name is in use already?
Existing drive mappings:
[Image: Drive mappings show that Y: is present but disconnected]
Mike's takeaway:
Don't believe everything that you read in an error message. At best it's useful and at worst misleading :-)
Sunday, 17 July 2011
Single Label Active Directory configuration
It's recently come to light that many of the new Microsoft products will not support configuration in a Single Label Domain (SLD) Active Directory. This is a configuration where the Active Directory domain and DNS name is simply 'Customer' rather than 'Customer.Com' or 'Customer.local'. It is a fairly common practice in older Active Directory implementations where the AD design may not have followed best practice.
The following products don't work well, or at all, with an SLD:
· Microsoft Exchange 2010: currently supported, but does not like SLDs http://support.microsoft.com/kb/2269838/en-us
Renaming the SLD to a proper namespace will not work, as many Microsoft server products will not function after a domain name change. Migration solutions like the ones from Quest Software are the only valid way to migrate a non-conformant SLD domain into one that will be supported with modern Microsoft server products: http://support.microsoft.com/kb/300684/en-us
At the current time there is no solution to this issue other than to use a migration solution such as Quest Migration Manager for Active Directory.
With the release of Windows 2008 R2, Microsoft have prevented the creation of single-label directories, which will help in the future: http://technet.microsoft.com/de-de/library/ee681710(WS.10).aspx
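Before planning a migration it helps to confirm, from the domain itself, whether you actually have an SLD. The PowerShell below is an added example, not code from the original post, Microsoft or Quest; it assumes the RSAT ActiveDirectory module is installed, and it reads the two registry values (AllowSingleLabelDnsDomain under Netlogon\Parameters and UpdateTopLevelDomainZones under Dnscache\Parameters) that the KB 300684 article linked above describes for SLD DNS registration, so treat those paths as an assumption to check against that article.

```powershell
# Added example: report whether the current AD domain is a single-label domain (SLD).
# Assumes the RSAT ActiveDirectory module; registry paths follow KB 300684 (assumption, verify).
Import-Module ActiveDirectory

# A proper namespace has at least one dot (customer.com, customer.local);
# an SLD such as "customer" has none. Pure function so it can be checked offline.
function Test-SingleLabelDomainName {
    param([Parameter(Mandatory)][string]$DnsRoot)
    return ($DnsRoot.Trim('.') -notmatch '\.')
}

# Read a registry value without throwing when it is absent (absent is the common case).
function Get-OptionalRegistryValue {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Gather the domain naming facts an AD or migration engineer needs up front.
function Get-SingleLabelDomainReport {
    param([string]$Server)
    $dom = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $dnscache = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    [pscustomobject]@{
        DnsRoot                   = $dom.DNSRoot
        NetBIOSName               = $dom.NetBIOSName
        DomainMode                = $dom.DomainMode
        IsSingleLabel             = Test-SingleLabelDomainName -DnsRoot $dom.DNSRoot
        # Both values are only meaningful on an SLD; $null means "not configured".
        AllowSingleLabelDnsDomain = Get-OptionalRegistryValue -Path $netlogon -Name 'AllowSingleLabelDnsDomain'
        UpdateTopLevelDomainZones = Get-OptionalRegistryValue -Path $dnscache -Name 'UpdateTopLevelDomainZones'
    }
}

# Offline sanity check of the naming rule with constructed names (no AD needed):
# Test-SingleLabelDomainName 'customer'        -> True
# Test-SingleLabelDomainName 'customer.local'  -> False
# Test-SingleLabelDomainName 'customer.com.'   -> False
#
# Live usage on a domain-joined machine:
# Get-SingleLabelDomainReport | Format-List
```

If `IsSingleLabel` comes back `True`, the report's `DomainMode` and the two registry values give the migration team the starting state to record before any Exchange 2010 or later product work begins, since, as the post says, renaming the domain is not a way out.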