This month we are sharing a blog originally written by our technology partner Semperis.
Many organizations rely heavily on Active Directory®, and in a world this dependent on technology it is important to have a plan B for the day that technology lets you down.
Here is a question: if everyone knows AD® uptime is critically important, why do so many experts agree to live with an under-performing AD Disaster Recovery plan? Most modern enterprises live and die by their identity infrastructure, and Active Directory sits at the core of that infrastructure.
Implementing the optimal AD DR solution isn’t easy. Differing expectations and priorities can lead IT staff down the wrong path. To save you the headache caused by domain or forest downtime, we have compiled a list of factors you should consider before deploying your chosen DR solution:
1. Level of expertise needed for AD Disaster Recovery
The biggest disconnect between IT teams’ expectations and the AD Disaster Recovery solution they deploy seems to be the level of expertise needed to achieve full recovery from a disaster. Many teams realize too late that the technologies they have in place were not designed to orchestrate a full recovery, and end up hiring an AD expert to help with the process. This means downtime, stressed employees, a halt in productivity and all-round frustration.
It’s important to have realistic expectations of what your AD DR solution can and cannot do. As the old saying goes, ‘prepare for the worst, hope for the best’. Prepare in advance for a disaster scenario and expect that recovery could take up to several days. Communicate to management the implications of using the tools you have in place: if your in-house expertise isn’t enough to handle the recovery process, tell your executives and make them fully aware of what that means for AD availability.
In an ideal scenario, you will be able to deploy a disaster recovery solution that fully automates domain or forest recovery. In that case, staff expertise matters less, the recovery executes quickly and there is far less room for human error. Not every AD DR solution can do this, but if yours does, recovering should require little of you beyond knowing which past state you want to recover to.
2. Regulatory compliance
Excellent AD security and uptime matter to every company, but not all companies face the same compliance regulations; many factors influence this. It is yet another issue for IT teams around the world, and even more so for regulated industries such as financial services, where the tolerance for downtime or impaired security is close to zero and it falls to the CIO, CISO and their departments to deliver results.
To avoid future frustration, make sure well in advance that the AD Disaster Recovery solution you choose will let your company stay fully compliant with the rules and regulations imposed on it. Being able to deliver on your regulatory “promises” of uptime and identity-system integrity gives you the peace of mind of knowing that your department has done its part in an important regulatory aspect.
3. Business continuity and time to recover
Active Directory is critical infrastructure, and there is no substitute technology you can fall back on. Unlike many systems in the organization, when AD is down the only option is to get AD back up and running. A critical factor in assessing the right AD DR solution is therefore the time it will take you to recover. Time to recover drives the obvious costs: lost revenue, reduced employee productivity and the cost of the recovery process itself. It can also cause harm that is hard to assess in advance, such as damage to company reputation or customer satisfaction.
A speedy recovery is key. An AD outage of 1-2 days carries a high chance of causing irreversible damage and significant business loss. Before committing to a technology, verify that it can get you back on track quickly; in this case, even the difference between two hours and four hours can have a big impact on your business.
4. Active Directory backup
If you are choosing an AD Disaster Recovery solution, verify that it offers an Active Directory backup that satisfies your recovery needs, because those backups are where your recovery process begins in a disaster. In a nutshell, you need the following in place:
- Backups run automatically once you set up your preferences
- Backups are frequent enough to meet your recovery point objective, or are taken when changes are made
- Your system can be set to discard older backups that you cannot or should not use (a backup older than the forest’s tombstone lifetime cannot be restored safely)
- You don’t rely on a loose collection of per-DC system state backups. On their own these will not serve you well if you require a full forest recovery (think about application partitions, domain partitions, AD-integrated DNS, etc.)
- You use AD-aware backup products, and don’t rely on VM snapshots or raw disk images, which are not AD-aware, can cause USN rollback when restored, and are not a supported way to restore a domain controller.
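As an added example (not code from the original post or from Semperis), the following PowerShell inventories every naming context a forest recovery would have to restore, maps each one to the domain controllers that host it, and checks whether a backup exists that is both newer than the forest’s tombstone lifetime and recent enough for your recovery point objective. The backup timestamps, the host names and the 24-hour RPO are constructed assumptions; everything else is read from the live forest with the ActiveDirectory module.

```powershell
# Added example: check that every AD partition is covered by a restorable, recent backup.
# Requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

# Recovery point objective in hours: the oldest backup you are willing to restore from.
# Assumed value for illustration; set it to your own policy.
$RpoHours = 24

# Last successful AD-aware (system state) backup per DC. CONSTRUCTED sample data:
# in practice populate this from your backup product's reports or from
# 'repadmin /showbackup' run on each DC.
$LastBackup = @{
    'DC01.corp.example.com' = (Get-Date).AddHours(-6)
    'DC02.corp.example.com' = (Get-Date).AddDays(-200)   # older than a 180-day tombstone lifetime
}

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext

# Tombstone lifetime: a backup older than this cannot be restored safely, because
# deletions made since then would be lost and lingering objects reintroduced.
# If the attribute is unset the effective value is 60 days (forests created before
# Windows Server 2003 SP1); newer forests default to 180 days.
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$TombstoneDays = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }

$forest = Get-ADForest

# Every partition a forest recovery must cover: each domain NC, schema, configuration
# and every application partition (AD-integrated DNS lives in DomainDnsZones/ForestDnsZones).
$partitions = @()
$partitions += $forest.Domains | ForEach-Object { (Get-ADDomain -Identity $_).DistinguishedName }
$partitions += $rootDse.schemaNamingContext
$partitions += $configNC
$partitions += $forest.ApplicationPartitions

# All DCs in the forest, queried per domain, with the naming contexts each one holds.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$now = Get-Date
$report = foreach ($nc in $partitions) {
    $hostingDcs = @($dcs | Where-Object { $_.Partitions -contains $nc })

    # A backup is restorable only if it is newer than the tombstone lifetime.
    $restorable = @($hostingDcs | Where-Object {
        $b = $LastBackup[$_.HostName]
        $b -and (($now - $b).TotalDays -lt $TombstoneDays)
    })

    # Of those, which are also fresh enough to satisfy the RPO?
    $fresh = @($restorable | Where-Object { ($now - $LastBackup[$_.HostName]).TotalHours -le $RpoHours })

    [pscustomobject]@{
        Partition        = $nc
        HostingDCs       = $hostingDcs.Count
        RestorableBackup = $restorable.Count -gt 0
        MeetsRPO         = $fresh.Count -gt 0
    }
}

$report | Format-Table -AutoSize

# Partitions with no restorable backup are exactly where a forest recovery would stall.
$report | Where-Object { -not $_.RestorableBackup } | ForEach-Object {
    Write-Warning "No backup newer than $TombstoneDays days covers $($_.Partition)"
}
```

Run it from any domain-joined workstation with RSAT installed. A partition that is hosted by only one DC, or whose only backups are older than the tombstone lifetime, is a gap that a scattered set of per-DC system state backups will not reveal until you actually try to rebuild the forest.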
5. Necessary maintenance
Different AD DR solutions require different levels of maintenance. If you choose to pay for a technology to help you recover from a disaster, you want to make sure it will NOT:
- Clog your work schedule with additional tasks you don’t have time for
- Demand that you remember to take periodic actions that could be otherwise automated
- Require manual maintenance of any component
When choosing an AD Disaster Recovery technology, you want the solution to rid you of some of your workload and leave you free to deal with your other priorities.
6. Cost and ROI
Deploying the most effective, easy-to-use AD Disaster Recovery solution does not mean you need to break the bank. Recent surveys put the cost of downtime for critical components such as AD at between $25,000 and $150,000 per hour. Gartner believes these estimates are somewhat optimistic and that the true cost of downtime is far higher, reaching as high as $300,000. The probability of a domain or full-forest disaster is rather low, but it’s easy to see why it’s much cheaper to pay for the fast-recovery “insurance policy” that a solid AD DR solution provides.
Choosing the right solution isn’t a decision to be rushed; many factors need to be taken into account. The right solution will make your life easier if a disaster does occur, and it will more than pay for itself in the long run.
Visit Active Directory Backup & Recovery to find out more about restoring your AD in the event of a breach.
This article first appeared on the Semperis blog, 31 July 2017 and was authored by Meytal Burstein, Director of Marketing at Semperis.