It’s easy to make Active Directory (AD) administrators uncomfortable. Just ask them about their disaster recovery plan. When faced with this question, most AD administrators will only tell you about their object recovery plan. Only a few are better prepared and have a recovery plan for their domain controllers as well.
One major reason administrators don’t put a disaster recovery plan at the top of their priority list is how stable AD is as an infrastructure service. However, this stability can provide a false sense of security, which is all the more reason to have a proper disaster recovery plan. This blog lists some best practices to secure your AD environment.
Creating your disaster recovery plan
When formulating a disaster recovery plan, you should keep the following aspects in mind:
- At least one domain controller per domain should be backed up.
- The most recent domain controller backup shouldn’t be older than half of the tombstone lifetime. By default, the tombstone lifetime in AD is 60 days, so you should make at least one full backup of your domain controller every 30 days.
- If an administrator changes the tombstone lifetime, perform a full backup immediately.
- Ensure that you always have a secondary copy of the backup in a different location.
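The backup-age rule above can be checked per domain with the ActiveDirectory PowerShell module. This is an added example, not part of the original post. It assumes your backup product is VSS-aware and therefore updates the `dSASignature` attribute on the domain partition when a backup completes (the same timestamp `repadmin /showbackup` reports).

```powershell
# Added example: flag domains whose newest backup is older than half the tombstone lifetime.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# tombstoneLifetime is stored on the Directory Service object in the configuration partition.
# If the attribute is unset, fall back to the 60-day default.
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime
$tombstoneDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
$maxAgeDays    = [math]::Floor($tombstoneDays / 2)

$report = foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Server $domainName

    # Assumption: a completed backup rewrites dSASignature on the domain partition head,
    # so the attribute's last originating change time is the time of the newest backup.
    $meta = Get-ADReplicationAttributeMetadata -Object $domain.DistinguishedName `
        -Server $domain.PDCEmulator -Properties dSASignature

    $lastBackup = if ($meta) { $meta.LastOriginatingChangeTime } else { $null }
    $ageDays    = if ($lastBackup) { [math]::Floor(((Get-Date) - $lastBackup).TotalDays) } else { $null }

    [pscustomobject]@{
        Domain        = $domain.DNSRoot
        TombstoneDays = $tombstoneDays
        MaxAgeDays    = $maxAgeDays
        LastBackup    = $lastBackup
        AgeDays       = $ageDays
        # A domain with no recorded backup is treated as out of policy.
        WithinPolicy  = ($null -ne $ageDays -and $ageDays -le $maxAgeDays)
    }
}

$report | Format-Table -AutoSize

# Surface the domains that need a full backup now.
$report | Where-Object { -not $_.WithinPolicy } | ForEach-Object {
    Write-Warning "$($_.Domain): newest backup is older than $($_.MaxAgeDays) days or was never recorded."
}
```

The timestamp only shows that a backup was taken; it says nothing about whether a secondary copy exists or whether the backup can be restored.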
Backups aren’t the problem
Most of the time, the problem with recovery isn’t about the backup, but the restoration. A disaster recovery plan isn’t meaningful unless you have tested the system to make sure you can restore your AD from the available backups.
To ensure restoration will be effective, you should periodically check your restoration software in a test environment. Additionally, always make sure the newest available backup is used for recovery. This is especially important since all the information created since the last backup will be lost if the newest backup isn’t used. However, worries about missing information between backups can be overcome if your backup system can take incremental backups between full backups.