I remember back in school working on an essay for days, saving it to my local 5 ¼ inch floppy just to find a disk error when trying to print it the day before it was due. Remembering all that I wrote, and then actually doing the work, gave me an unsettling feeling in my lower stomach. I am sure we have all been there. Well, having more than a decade of experience with Active Directory I can tell you I have come across a fair share of administrators who have come across a similar scenario.
The thought of a blown away OU or massive disruption caused by an automated script “gone bad” is definitely not fun for an administration team and can greatly affect a business’s bottom line. When rewriting my lost essay it was just me making additions and changes to the source, and therefore foreseeable that I could remember most of the additions and edits that I had made. However, in Active Directory there could be dozens of administrators, help desk staff, users, and automated processes making changes to the directory objects. When a malicious or inadvertent change affects the health of the directory, restoring it is not only a daunting administrative task, it is also an expensive and timely exercise that includes:
Backup Identification and Verification: The administrators need to find and verify the last “good” backup from which to start their recovery operations.
Data Loss Discovery and Validation: The administrators need to identify the good changes, and inform the business that these changes made will need to be reapplied. The volume of these changes and potential for data loss could be significant. Take for example a scenario where the directory troubles are discovered at 3:00 PM and the last good backup was the previous evening—say 1:00 AM. In this example there are 14 hours of potential user and system driven changes that may have been applied to the production Active Directory, but not reflected in the backup source. This could include user and group changes dictated by help desk and HR processes. Not only do these changes need to be re-applied, but also any supplementary documentation to support compliance and security initiatives may also need to be updated to reflect these issues and remediation efforts.
Data re-application: Once the source backup and good changes have been identified, they need to be re-applied to the directory. This could be done manually, but it is preferred that these changes can be applied in an automated way to speed recovery and reduce errors. This may involve re-running automated processes, creating and running some scripts. However, when performing the recovery you need to ensure that you are only applying the good changes in a way that does not affect other objects and attributes—again, not a trivial process.
While these steps are somewhat generalized, they outline some of the high-level steps required to recover from a domain and object level directory issues and outages. Finding a good backup is typically not that difficult, assuming that you are performing and verifying Active Directory backups within your environment. But, that is only a small component of the recovery operation. Reducing data loss, verifying the final directory state, and ensuring that all supporting documentation and processes have been updated can take a significant amount of time and resources.
This is why Active Directory recovery solutions have become a staple for many organizations in which their AD environment has become a critical component of their IT and business processes.
PowerBroker eliminates and automates much of the recovery process to reduce errors, eliminate data loss and ensure the business is up and running as quickly as possible.
Backup Identification and Verification PowerBroker Recovery for Active Directory eliminates the need to find and load various backup files by providing a single-instance online change log, which enables organizations to quickly review and compare directory objects back to previous point-in-time backups from a single interface.
Data Loss Discovery, Validation and Re-application PowerBroker Recovery for Active Directory also provides online object and attribute level comparisons and rollbacks to target only those specific changes that need to be rolled back. This greatly reduces possible data loss and errors, as well as the labor cost of locating and reapplying specific changes from a point-in-time backup.
Ensuring Zero Data Loss In addition to point-in-time backups, PowerBroker Recovery for AD is the only solution to provide a continuous change log for Active Directory. This online log protects directory content up to the point of the error or malicious event. If a user, or even an entire OU, is deleted, the change log will enable the user to recover all object and attribute data up to the point of the deletion event, resulting in ZERO data loss with a few clicks of the mouse. The continuous audit log also features an “UNDO” button that enables changes to objects and attributes to be rolled back with a single mouse click.
If you’re organization is serious about Active Directory and concerned about the potential impact of outages, you may want to have a look at our award winning solution https://www.beyondtrust.com/Home/AllProducts/

Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.