Saturday, April 14, 2018

Active Directory recovery - 3rd party tools - Recovery Manager Plus - 3

In my previous blog post, I attempted to recover certain objects and was successful in 2 of 3 cases (please refer to that blog post for details). However, I was not able to recover the members of a group, probably because I was not selecting the correct backup version. In the following lines, I'll attempt the recovery operation again.

***


In this second attempt, I will use the "HR" group once again but with different members:




And once again, I delete the group:





The group has obviously been deleted:





In Recovery Manager Plus (RMP), I perform a backup (which takes into account recent changes), go to the Active Directory tab, and then look at the the column "Groups" where I can see that 1 group has been deleted and 4 users modified (probably a reference to the change in group membership): 




I'll now do what I did last time and indicate what I think was the error. Still under the Active Directory tab, I select the "Restore" option (to the left of the screen but not shown in the screenshot below) and observe, here as well, the deleted group and the modified users. I select a backup (red dot in screenshot)...




And then click on Restore:




The restore apparently completes but the result is the same as before (and the group is not restored in Active Directory):




Now, I could recycle the group as in my previous blog post but that did not restore the group membership.

So what is the problem?

We have to make sure we select the correct backup (by date and time) and in particular NOT the backup that we initiate manually so the most recent changes are displayed. That backup takes place AFTER the group was deleted and does not allow us to restore it.

We need to select the previous backup in which the group was still "undeleted":



Note: the icon representing the group is black here and not red.


If we peform the restore now, and look at the restore details, we see an attribute name ("Members") with the restored value: 






That is more promising. Better yet, if I go back into Active Directory (Users and Computers), I see that the group is restored with its 4 members:




***

In this blog post, I've made some more progress leaning about the third party Active Directory recovery tool "Recovery Manager Plus". We've now restored users and groups as well as attributes of these objects. In my next blog post, I'll attempt to restore a DNS zone and a Group Policy Object (GPO). While the product does allow other recovery operations (bare metal and virtual machine), I will not explore those options in this serie of blog posts.

Friday, March 30, 2018

Active Directory recovery - 3rd party tools - Recovery Manger Plus - 2

After installing and configuring Recovery Manager Plus (RMP), and restoring a simple user object in my previous blog post, I wanted to evaluate some other recovery scenarios: group membership of a deleted user, members of a deleted group and content of an organizational unit (OU). That's what I'll do in the following paragraphs, with no further ado.

***


Restore group membership of a deleted user?

If I delete a user object, will the groups of which it is a member also be restored in the members property?

John Thompson is a member of the Domain Users and Accounting groups:



I delete John Thompson:




I go to RMP and recycle him:



Note: I have to check "John Thompson" and then click on "Recycle" (not shown in the screenshot).

I confirm the operation:




And John Thompson is no longer in the recycle bin:




On the other hand, he does reappear in Active Directory - with his former group membership:





*

I discovered two things when attempting to recover the account.

First, the deleted object does not appear in the RMP recycle bin immediately, I have to perform a manual backup for RMP to compare what has changed:



If we schedule backups often enough, we may not need to perform a manual backup to see what object was deleted. Otherwise, if we are shocked to discover that an object was accidently deleted AND does not appear in the RMP recyle bin, we should perform a manual backup before concluding the object is lost forever.

Second, we use the recycle option rather than the restore option. If I attempt to restore John Thompson, I procede as follows and encounter a strange message:



Note: although the screenshot does not show each and every step, I check "John Thompson" and then click on the restore button - a green button just under the list of users and that I seem to have managed to omit in my screenshots.




This looks good...


But then I see this (and John Thompson is not restored in Active Directory either):



This puzzles me because I was able to use the restore option in my first blog post for Anne Schubert. On the other hand, in a demonstration on YouTube, Derek Melber does use the recycle option (and does have to perform a manual backup for the object to appear in the recycle bin):

ManageEngine ADSolution - Recovering Deleted Active Directory Objects and All Properties

Note: the video was available at the time I composed this blog post - which may or may not be the case when you read it.



Restore members of a deleted group?

Now I'll delete a group and see if I cannot only restore (or recycle...) the group itself but also the members. I will use the group "HR" which includes the members shown below:  



I delete the group...



And then recycle the group:





The group is restored but the members are not:



This is strange. Is another action required to complete the restore (?). In any case, for the time being, I want to test my last scenario: deletion of an organizational unit (OU) with all its content.



Restore OU and child objects


I have a regional OU called "Nice" with several objects inside (two users and a group):




I attempt to delete the OU...



But the attempt fails:



If we want to delete (or move) a OU, we have to uncheck the protection from accidental deletion first (under the object tab - Advanced View) and then try again - and confirm our intentions:



Note: I could have left this part out but thought it could serve as a reminder to protect key objects in Active Directory against accidental deletion. Some (like organizational units) are by default.


So I delete the OU and there is no longer anything between "My V Security Groups" and "Program Data":



As before, I go to the recycle bin, select the OU "Nice" and click on Recycle (not shown in the screenshot but very evident in the actual interface):










The OU is restored with the objects shown above and even a third user that I had deleted before:




***

So far, the tool has proved to be much more efficient than a native Active Directory authoritative restore which would require rebooting a domain controller (into recovery mode), restoring the entire Active Directory database, and then marking the object (or objects) to be restored as "authoritative".

There does seem to be a distinction between "restore" and "recyle" (the latter was possible, the former was not) and probably "rollback" for that matter.

We may have to perform a manual backup for changes - and deleted objects in particular - to appear in the RMP recycle bin.

The only "miss" was the failure to restore/recycle the members of our HR group. At this point, I do not master the product well enough to determine if that is a shortcoming or if such a restore requires additional steps.

Wednesday, March 21, 2018

Active Directory recovery - 3rd party tools - Recovery Manager Plus - 1

Perhaps the most significant shortcoming of traditional Active Directory backups was the inability to restore individual objects without resorting to an authoritative restore. The Active Directory Recycle Bin (ADRB), first available with Server 2008 R2, changed this but was limited to the command line. This article explains the concepts well (isDeleted, isRecyled, tombstone, etc.) and demonstrates many of the command line options:

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

Those that would have nothing to do with the command line had to wait for Windows 2012 which provided a graphic interface for recyle bin operations. I experimented with that in a previous blog post here:

Windows Server 2012 - Active Directory - Backup and Restore, Part 2: Recycle Bin


In this present blog post (and perhaps others to follow), I want to take a look at a third party Active Directory recovery product. Several vendors offer such products: Dell/Quest, ManageEngine, Netwrix and BeyondTrust to name some of the best known. Some of these auditing products were reviewed by Eric B. Rux is this article from 2011:

Comparative Review: Active Directory Auditing Tools

Another blogger took a closer look at Manage Engine's AD Audit Plus tool here (2015):

Active Directory auditing - 3rd party tools - the example of AD Audit Plus


Of course, technology changes quickly and some comments may no longer be exact. However, it is true that the ManageEngine products have the advantage of a rather simple installation, using their own integrated database (although in some cases, an external database can apparently be used as well). That advantage may not be a decisive factor in the choice of a product but is rather compelling when the objective is to install the product in a small test environment for evaluation - or simply satisfy personal curiosity.

In my case, I'm going to evaluate the ManageEngine product "Recovery Manager Plus". I will first install and configure the product, then delete and attempt to recovery various objects. Indeed, Recovery Manager Plus (that I'll abbreviate as  'RMP" here) is supposed to be able to recover not only users and groups but also Group Policy objects and DNS zones.


 ***

Installation

First of all, I downloaded the trial version of RMP here:


After 30 days, it converts to the  "free version" with all the limitations presented in the "Compare Editions" chart (all this can be found on their website).

I'm going to install the product on a Windows 2016 server (also a trial version). Let's see what happens...


We start by running the downloaded installer:




We simply click "Next" on the welcome page...




 Accept the (evaluation) license agreement:




And select the location where RMP will be installed:



One word of caution! In my experience, the database can become quite large so it is preferable to place it on another volume. Since this is simply a first look at the product, I'll just install it in the default location.

We manage RMP via a web interface and at this point must either accept the default port (8090) or enter another: 




We can register for technical support (optional). I'll skip for now:




If we're ready, we click on "Next" for the installation to begin...




And if all goes well, we should see this:




This is where the first problems start. When RMP opens, I first see the page about content being blocked by Internet Explorer Enhanced Security Configuration. I add the page to the exceptions (and even disable ESC later - not shown in screenshots):







At that point, I'm able to logon, apparently with success, but I then encounter another error and can go no further:




Note: once again, I'm using Windows Server 2016 and IE 11. 


After different attempts to resolve this (even disabling the host firewall), I opt to try another browser: Firefox:




That allows me to access the web interface without a problem (so I know the firewall was not the obstacle - an unlikely scenario anyway on the "localhost").


***


Configuration

We can open RMP as a simple application using an account with sufficient rights to Active Directory but for optimal use (as with other ManageEngine products) we configure it to run as a service. That is not the case as this point: 




In the RMP folder (Start Menu), we can configure the application to run as a service by clicking on "Install RecoveryManager Plus Service":







That configures RMP to run as a service (compare to the previous screenshot of services.msc):



However, the local system account will not have sufficient access to Active Directory so we will normally create a domain service account that does and configure RMP to run in that context:






We'll see the following messages, the second indicating that we need to restart the service for changes to take effect:







***


Basic test restore

Although RMP seems to discover the domain automatically, we have to add the domain user accounts that will manage the application under the Admin tab ("Technicians" section):






We can then logon with our domain credentials rather than as the local RMP default administrator:




Note: at first, I was not able to accomplish that. Apparently (?), you have to run a backup first.


As far as backups go, we can run a "Quick Backup" after initial configuration. Afterwards, we need to configure a schedule, although we can still perform on-demand backups as needed. Under the Dashboard tab, we select "Quick Backup" and can configure some options (you may have to scroll down or over to see all of them):




So besides selecting OUs, we can decide to include all objects or only certain objects in the backup:




There are numerous other elements displayed on the dashboard but my objective is to test the backup and restore capacities of the product rather than present every single feature. I may test other scenarios later, in additional blog posts, but for now I will delete a simple user object and attempt to restore it.

First, I delete the user object "Anne.Schubert":



The object is gone:




With native Active Directory backup, I would have to perform an authoritative restore of the user object. I will not describe the process in detail here but it is a rather complex operation. With RMP, I can go to the "Restore" section under the Active Directory tab and search for the deleted user object:





I select the object (note that there is room for multiple objects - below) and click on the Restore button:




I confirm...




And if all goes well, Anne Schubert should be restored:





As we can verify in Active Directory (Anne Schubert is back where she belongs):




***

So, to conclude this blog post, I was able to install the Recovery Manager Plus application with ease and after a rather simple configuration process, perform a successful (albeit simple) restore operation. I had some problems accessing the web interface with IE 11 but was able to use Firefox without a problem.