Welcome. This is Quest Unscripted.
--A vlog series on trending topics--
--and Quest solutions related to Active Directory--
--Office 365--
--oh, and don't forget Azure AD.
You are here because you have questions.
We're here because we have answers.
I think.
We will address questions we've received from customers--
--experiencing the same challenges as you.
All with the goal of helping you confidently move--
--manage--
--and secure--
--your Microsoft environment.
We call the show Quest Unscripted because--
--except for this intro--
--nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
All right, Brian, we can do BMR, Bare Metal Recovery, we can do clean operating system. Why would you ever want to do bare-metal recovery?
Oh well, that's a great question. So I think the primary reason is that you're not Microsoft-centric, or you're not Active Directory-centric on your domain controllers. So a couple-- there's probably political reasons too.
Let's say, for example, if you're a large corporation, there's a lot more segregation in what's going on, and so maybe the server build teams are separate from the Active Directory teams. So I've got a few clients like that. And they want that ability to recover their domain controllers completely and not rely on the server build team to get them new servers.
Because the one thing you do need for Clean OS, that you don't necessarily need for bare metal, is Windows servers already installed. That's where we start. So that's one reason why you'd do it.
Another is maybe you're running DHCP or you've got DNS zones that are not AD integrated zones running on your DCs, hosted on your DCs. Or you're running something else like a certificate authority or some other Microsoft service or role that's not an Active Directory role or Active Directory related role. Those won't be recovered with Clean OS recovery. We only back up Active Directory components, and we only recover Active Directory.
So I could see a lot of small, medium businesses that are doing multipurpose servers having that view.
Yeah, and that's really where the problem begins is multi-purposing your servers. But if you're clean, a Clean OS is definitely the way to go. And maybe we can talk about the difference in backups, and we can bring that up to light.
Yeah, please.
So let me just go ahead and share a couple of slides.
Yeah, what are the requirements for BMR?
So this slide kind of explains things. So here's my original domain controller, and I've backed that up. And we do just use Windows Server Backup. But we back up every disk, every partition, I should say, that has something to do with Active Directory. So that's boot level, Windows level and of course, the Active Directory parts into, yes, the DIT, the Logs. You can see them listed here.
Brian, I see original DC. Does it have to be the same hardware?
That's a great question. No, it doesn't have to be the original hardware. You can actually include drivers for new hardware when you build out your Windows RE environment. We do that automatically for you. You can just take the drivers and put them in a folder and we bring those in.
But your disk layout needs to be the same. So and I'll just grab a pen here, Bryan, so I can draw a little bit. You'll notice I've got three physical disks here. If I have that, I need the same three physical disks to restore the partitions to. Because I'm going to lay down the entire partition, so this is probably some system reserved without a letter, but this is probably C.
That makes sense.
This is maybe D. Is that a D?
It's something.
This is E and maybe F, right? So these drive letters-- we back up the entire partition. And we need to have the same amount of space or more on the physical disk for your blank host, your target host, which, by the way, doesn't need an OS installed, so that we can lay down those partitions in the same way. And you get the same kind of layout over here at the end.
Now, again, we're backing up the partition. So let's say SYSVOL's only taking up, I don't know, 20% of my drive. That's SYSVOL. But I have other stuff on this drive. Maybe I've got PerfMon data, or maybe I backed up my music collection to there. I'm just kidding.
But whatever it is, I'm backing that up too. And it's going to be in the backup I restore, and it's going to be on the restored machine because there's no way for us to separate it.
Like a tainted malware, could be hiding.
Well, that's a really big point, Bryan, because when you get into your boot volume or your system volume, wherever Windows is, or your program files directory, there's a lot of binaries that get backed up. Do you need those? Well, with Clean OS you don't.
So let's talk about Clean OS. So here I've got the same server. You can see the drive layout's pretty close to the same. When I back things up I'm not backing up partitions. I'm only backing up files.
So I grab the NTDS and the Logs and the SYSVOL volume, the SYSVOL files themselves. And in the Windows directory I grab parts of the registry. Not the whole registry, just things like HKLM. Wow, I just had a screen go blank. That was weird. I'll pause for a minute.
Just things like the HKLM and system partitions, not things like user hives in other parts of the registry that you don't really need. And we take those files and we back them up into their own compressed file, and we get roughly 60% compression. But if there was extra stuff like that SYSVOL partition, we didn't bring that over, that's not in our backup.
And