Hey everyone! Hope you're all doing well. I have a couple of questions regarding maintaining the health of our Windows Active Directory environment and creating a disaster recovery plan. Firstly, what kind of regular checks or tasks do you perform weekly, monthly, or yearly to ensure your Active Directory is in good shape? The only thing I usually do is manually check the replication health between domain controllers and ensure that the Windows backup for the NTDS file is running properly. Secondly, we don't currently have a disaster recovery plan for Active Directory in place. Are there any resources or guidelines that outline what files and information we should back up for AD disaster recovery? I'd love to hear your thoughts!
4 Answers
Make sure you have an AD health checklist ready. If your disaster recovery plan is just 'call Microsoft and pray,' you might want to reconsider, as you're just one small issue away from needing a new job.
We use Azure AD connectors to keep tabs on any issues with domain controllers or AD synchronization. For recovery, we usually just restore from our backups when needed.
You can start with the official guide on Active Directory forest recovery. It has a lot of useful information on the steps you need to take to prepare for a disaster and keep your AD healthy.
For regular maintenance, I recommend running dcdiag and repadmin tools weekly. Monthly, it's a good idea to boot one of your DCs from backup on an isolated VLAN to check if it crashes—if it does, that could spell trouble for your recovery plan.
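A scheduled weekly script that wraps the dcdiag and repadmin checks from this answer, plus the backup-freshness and FSMO checks the question is asking about. This is an added example, not code posted by anyone in the thread; it assumes the RSAT ActiveDirectory module, rights to query every DC, and an assumed report folder `C:\ADHealth`.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and rights to query every DC; $OutDir is an assumed report location.
param([string]$OutDir = 'C:\ADHealth')
Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$log    = Join-Path $OutDir "ad-health-$stamp.txt"
$issues = New-Object System.Collections.Generic.List[string]

function Write-Section($title, $body) {
    "=== $title ===`r`n$($body | Out-String)" | Add-Content -Path $log
}

# 1. Replication: repadmin /showrepl in CSV form, so failures are counted
#    rather than eyeballed. A link is flagged if it has failures or has not
#    succeeded in the last 24 hours (or never: 'Last Success Time' unparsable).
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
$bad = foreach ($l in $links) {
    $last = [datetime]::MinValue
    $parsed = [datetime]::TryParse($l.'Last Success Time', [ref]$last)
    if ([int]$l.'Number of Failures' -gt 0 -or -not $parsed -or
        $last -lt (Get-Date).AddHours(-24)) { $l }
}
Write-Section 'Replication links needing attention' ($bad |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                  'Number of Failures', 'Last Success Time', 'Last Failure Status')
if ($bad) { $issues.Add("$(@($bad).Count) replication link(s) failing or stale") }

# 2. dcdiag on every DC, errors only (/q), for the tests that most often
#    break quietly: advertising, replication, services, SYSVOL and FSMO.
foreach ($dc in Get-ADDomainController -Filter *) {
    $out = dcdiag /s:$($dc.HostName) /test:Advertising /test:Replications `
           /test:Services /test:SysVolCheck /test:FsmoCheck /q 2>&1
    if ($out) { $issues.Add("dcdiag reported problems on $($dc.HostName)") }
    Write-Section "dcdiag $($dc.HostName)" $out
}

# 3. Backup freshness: /showbackup prints the last backup recorded per
#    naming context, which is what to verify before trusting a restore plan.
Write-Section 'Last recorded AD backups (repadmin /showbackup)' (repadmin /showbackup 2>&1)

# 4. FSMO role holders, so a moved or orphaned role is noticed early.
Write-Section 'FSMO roles' @(
    Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
    Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster)

Write-Section 'Summary' $(if ($issues) { $issues } else { 'No issues detected' })
Write-Host "Report written to $log"
if ($issues) { exit 1 }   # non-zero so a scheduled task or monitor can alert
```

Run it from a scheduled task on a management host and alert on the non-zero exit code; the per-run report file gives the history you need when a link has been failing for longer than a tombstone lifetime.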

That's interesting! I wasn't aware that Azure AD connectors also monitor sync issues between DCs. Good to know!