Organizations need to ensure they are well protected when it comes to Active Directory disaster recovery. The plain fact is that when Active Directory fails, your entire business goes down with it. Employees can no longer log into workstations; third-party federated applications no longer have a centralized location to authenticate users, so those users are simply turned away; and modifications to critical Groups and Group Policy Objects are no longer possible, leaving access to information over- and under-provisioned. The point is, without Active Directory, business is pretty much at a standstill - it’s crucial to ensure you have the tools in place to restore Active Directory in the most efficient manner.
Don’t get me wrong, Active Directory has plenty of redundancy built directly within - being a distributed application, data is replicated between domain controllers to provide high availability. In the end, you are left with a multi-master architecture where changes and modifications can happen on any participating domain controller and are then replicated throughout the domain. At times, this makes recovery as simple as spinning up a new Windows host and promoting it to a domain controller within the existing domain. That said, no two recovery scenarios are the same, and with domain controllers providing key foundational services such as DNS, DHCP, and Certificate Services, recovery can become very complex. Those of us who have had the experience of seizing Flexible Single Master Operation (FSMO) roles due to an entire site failure, be it the result of corruption or of a ransomware attack, might argue that the process isn’t quite so “simple”. Recovering Active Directory using native methods can be a time-consuming, complex process, and point solutions often depend on a production environment still existing - and remember, all the while you are building new hosts to run DCs, the business is down, your applications are down, and your data is held hostage.
Enter Rubrik Active Directory Protection
Rubrik understands that when protecting Active Directory, simplicity equals efficiency, which is why we are announcing Active Directory support as an official workload within Rubrik Security Cloud (RSC), protecting against entire domain-level failures as well as individual object-level recovery for your Users & Groups.
It will start with the addition of one of your domain controllers (DC) to RSC, upon which Rubrik will automatically discover and inventory all the other DCs participating in the respective domain. Aside from simply inventorying host names, RSC will also discover and label critical FSMO roles within the UI such as Schema Master, Infrastructure Master, Domain Naming Master, and PDC Emulator. Those DCs providing critical domain services such as DNS and DHCP are also identified, and information is bubbled up to the RSC interface. Rubrik understands that during an Active Directory recovery, it’s key to understand exactly where these services are located, allowing organizations to easily prioritize and orchestrate their recovery efforts.
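For recovery planning, the same kind of inventory (FSMO role holders plus the DCs that also host DNS, DHCP or Certificate Services) can be gathered with the ActiveDirectory and ServerManager PowerShell modules. This is an added example, not Rubrik's code or part of the original post; it also lists the RID Master role, and the `Get-DcRecoveryInventory` name and the priority ordering are assumptions of the example.

```powershell
#Requires -Modules ActiveDirectory, ServerManager
# Added example: inventory DCs, FSMO role holders and co-hosted services
# so that recovery order can be planned before an outage.
function Get-DcRecoveryInventory {   # hypothetical helper name
    [CmdletBinding()]
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest

    # Map each FSMO role to the DC (FQDN) that currently holds it.
    $fsmo = [ordered]@{
        'Schema Master'         = $forest.SchemaMaster
        'Domain Naming Master'  = $forest.DomainNamingMaster
        'PDC Emulator'          = $dom.PDCEmulator
        'RID Master'            = $dom.RIDMaster
        'Infrastructure Master' = $dom.InfrastructureMaster
    }

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $roles = @($fsmo.GetEnumerator() |
            Where-Object { $_.Value -eq $dc.HostName } |
            ForEach-Object { $_.Key })

        # DNS, DHCP and Certificate Services are the services the article calls out.
        try {
            $services = @(Get-WindowsFeature -ComputerName $dc.HostName `
                    -Name DNS, DHCP, AD-Certificate -ErrorAction Stop |
                Where-Object Installed | ForEach-Object { $_.Name })
        } catch {
            # An unreachable DC is reported rather than silently skipped.
            $services = @('unknown (host unreachable)')
        }

        [pscustomobject]@{
            HostName      = $dc.HostName
            Site          = $dc.Site
            GlobalCatalog = $dc.IsGlobalCatalog
            FsmoRoles     = $roles -join ', '
            Services      = $services -join ', '
            # Assumed ordering: FSMO holders first, then DCs hosting services.
            Priority      = if ($roles) { 1 } elseif ($services) { 2 } else { 3 }
        }
    }
}

Get-DcRecoveryInventory | Sort-Object Priority, HostName | Format-Table -AutoSize
```

Run it from a domain-joined management host with RSAT installed, and store the output somewhere that does not depend on Active Directory being available.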
Once inventoried, protecting Active Directory with RSC will utilize the same simplistic and unified approach as protecting any other workload within the platform. Simply assign Global SLAs at either the domain or domain controller level and Rubrik will ensure that backups adhere to the constructs set forth within the policy, such as RPO and retention. In addition, critical zero trust features within the Rubrik platform such as immutability, archival, replication, encryption, and retention lock can be applied to your Active Directory backups, ensuring that backup availability and integrity are not compromised. Furthermore, Rubrik adheres to Microsoft recommendations and best practices by leveraging wbadmin to back up Active Directory in an application-consistent manner, while enabling many recovery options.
Speaking of flexible recovery options…
Let’s face it - all the backups in the world won’t help us if we can’t recover them in the way we want to. Rubrik has always placed a major focus on providing fast and efficient recovery options for a variety of restoration scenarios - and Active Directory is no exception. Restoring Active Directory with Rubrik Security Cloud can be broken down into two main categories: Complete Domain/Domain Controller Recovery and Individual Object Level Recovery.
Entire domain/domain controller recovery
This is the worst-case scenario - either your entire domain needs to be restored or an individual domain controller needs to be recovered. Either way, utilizing native tools to accomplish this can be complex and time-consuming, adding to your organization's downtime. Rubrik simplifies this process by automating many of the trivial and tedious tasks behind the scenes to provide recovery supporting the following scenarios.
Recovery to the same host
When you simply need to roll back a somewhat functioning domain controller, Rubrik can restore a point-in-time backup directly back to your production environment. The domain controller is rebooted in recovery mode and data and system state are automatically recovered from the immutable backups on the Rubrik platform.
Recovery to a new host with the same base configuration
There are times when ransomware or some other form of cyber event affects our domain controllers - and often this results in the original DCs being untrusted. In this case, customers can leverage their pre-built templates to create virtual instances containing the same base configuration as their source domain controller. Rubrik can then be utilized in the same fashion as recovery to the same host, restoring both data and system state, allowing organizations to recover existing domain controllers to an entirely new virtual host.
Recovery to an entirely new bare-metal host
Unfortunately, in today’s cyber landscape, there are times when organizations need to restore or rebuild entire production environments on new hardware. Active Directory is often one of the first pieces of infrastructure that needs to be stood up to support this. Utilizing the Windows Recovery Environment (WinRE), Rubrik will support restoring domain controller backups to entirely new bare-metal servers. This is accomplished by exporting a share path to the domain controller via a Live Mount, booting from WinRE, booting into recovery mode, and pointing to the secure SMB share.
Individual Object-Level Recovery
While entire domain/domain controller recovery is useful, and quite frankly a requirement for most organizations, the fact of the matter is that most of the day-to-day administration of Active Directory focuses on individual objects such as Users & Groups. We’ve all been there at some point, whether it's by complete accident or some automation that went wild, with the end result being a user or group of users deleted and removed from our directory services. In the past, this required an entire restore of a domain controller just to pull out a handful of users or groups and place them back into production.
With Rubrik, this is as simple as either searching across all of your backups or drilling into a specific point-in-time and selecting the users or groups you’d like to restore; Rubrik will handle the rest - pulling out the data for the specific objects and placing them back into production. Furthermore, aside from simply restoring the individual object, Rubrik will also recover the relationships that the object had to other entities. For instance, recovering an individual user will also ensure that the user's assigned groups are restored and upheld.
Protecting Active Directory is not just an IT concern, but a critical component businesses need. The impact of an Active Directory failure can be felt throughout the entire organization, resulting in lost productivity, lost revenue, and overall reputational damage. Rubrik Security Cloud is building in support to provide robust, policy-driven Active Directory protection with immutable backups and flexible, efficient restore options, all through a simplistic, unified interface.
Don’t wait until it’s too late. Check out Rubrik Security Cloud today for all your data protection needs across SaaS, Cloud, and data center workloads. Join us at Forward, Rubrik’s annual user conference, to learn how to achieve complete cyber resilience with Rubrik. Register for Forward here.
SAFE HARBOR STATEMENT: Any unreleased services or features referenced in this document are not currently available and may not be made generally available on time or at all, as may be determined in our sole discretion. Any such referenced services or features do not represent promises to deliver, commitments, or obligations of Rubrik, Inc. and may not be incorporated into any contract. Customers should make their purchase decisions based upon services and features that are currently generally available.