Thomas Leduc

Most IT departments readily admit that a highly available Active Directory matters. Active Directory downtime is rare, but when it does happen it is devastatingly costly: most modern enterprises live and die by their identity infrastructure, and Active Directory sits at the core of it. And still, when asked, more than half of IT team members say they are not entirely happy with the Active Directory Disaster Recovery (AD DR) solution they have in place. Which raises the question: if everyone knows AD uptime is critical, why do so many teams live with an under-performing AD DR plan? It is akin to skydiving without a life insurance policy.

Implementing the optimal AD DR solution isn’t easy. Competing expectations and priorities can lead IT staff down the wrong path. Since nobody wants to wake up to a multi-day headache caused by domain or forest downtime, we compiled a list of factors to consider before deploying your chosen disaster recovery solution. It’s a short list, but it will help you prioritize what matters in an IT world of limited time and budget. So here are the factors you should consider:

1) Level of expertise needed to recover

The biggest disconnect between IT teams’ expectations and the AD DR solution they deploy seems to be the level of expertise needed to achieve full recovery from a disaster. In many cases it is realized (too late) that the tools meant to automate or orchestrate recovery don’t fully automate the process at all and remain fairly complicated. Sometimes it is even necessary to hire an outside AD expert to get through the recovery. The result is longer-than-expected downtime, stressed and drained teams, angry management, unproductive end users, and a good amount of frustration all around.

It’s important to have realistic expectations of what your AD DR solution can and cannot do. Even if you choose to use native tools, prepare well in advance for a disaster scenario and know that recovery may take several days, so that expectations match business reality. It is likewise critical to communicate to management the implications of the tools you have in place. If your in-house expertise isn’t enough to handle the recovery process, tell your executives so they fully understand what that means for AD availability.

In an ideal scenario you deploy a disaster recovery solution that fully automates domain or forest recovery. Staff expertise then matters far less, recovery runs quickly, and there is much less room for human error. Not every AD DR solution can do this. But with one that does, recovering should require nothing of you beyond knowing which past state you want to recover to.

2) Regulatory compliance

AD security and uptime matter to every company, but not every company answers to the same compliance regulations. Depending on your organization’s location and industry, you usually know what you are required to deliver: which results, with what accuracy, with what integrity, and so on. This is a burden for IT departments everywhere, and even more so in regulated industries such as healthcare or financial services, where tolerance for downtime or impaired security is close to zero and it falls to the CIO, CISO, and their departments to deliver.

To avoid future frustration, verify well in advance that the AD DR solution you choose will let your company stay fully compliant with the rules and regulations imposed on it. Being able to deliver on your regulatory “promises” of uptime and identity-system integrity gives you the peace of mind of knowing that your department has done its part in an important regulatory aspect.

3) Business continuity and time to recover

Active Directory is critical infrastructure in most businesses, and there is no substitute technology to fall back on in a disaster. Unlike many systems in the organization, AD downtime cannot be worked around: the only fix is to get AD back up and running. A critical factor in assessing an AD Disaster Recovery solution is therefore the time it will take you to recover. Time to recover drives the obvious costs: lost revenue, reduced employee productivity, and the cost of the recovery process itself. It can also cause damage that is hard to assess in advance: a tarnished company reputation, unhappy customers, angry management, or outraged investors.

If possible, choose the AD DR solution that gets you up and running fastest from any type of disaster. A one-hour outage is not ideal, but it is usually manageable and your company will recover quickly. An AD outage of one to two days, on the other hand, carries a high chance of irreversible damage and results in significant business loss. Before committing to a technology, verify that it can get you back on track quickly; even the difference between two hours and four hours can have a big impact on your business.

4) Active Directory Backup

There are many backup solutions for AD, including the one built into Windows Server, and most companies have already deployed one. Backup solutions that are not specific to Active Directory are not ideal here, because Active Directory restoration poses a few unique challenges. If you are choosing an AD Disaster Recovery solution, verify that it offers an Active Directory backup that satisfies your business recovery needs, because those backups are where your recovery process begins in a disaster. If you want to deep-dive into what this means, we’ve created a 20-minute AD Backup video tutorial for you to view. But in a nutshell, you need to ensure you have the following in place:

  • Backups run automatically once you have set up your preferences
  • Backups are frequent enough, or are taken when changes are made
  • The system can be set to delete older backups that you cannot or should not use (a backup older than the forest’s tombstone lifetime, for example, can no longer be restored safely)
  • You don’t have to rely on a collection of per-DC system state backups. These will not serve you well if you need a full forest recovery (think about application partitions, domain partitions, AD-integrated DNS, and so on)
  • Use AD-aware backup products, and don’t rely on VM or disk snapshots: they are not AD-aware, and rolling a domain controller back to a snapshot is not a Microsoft-supported restore method
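As an added example (not Semperis or Microsoft code) of checking the second and third points above, the following PowerShell audits every domain controller in the forest for the age of its last successful Windows Server Backup and flags backups that are stale or already older than the forest’s tombstone lifetime, which is the hard limit on how old a restorable AD backup can be. It assumes the Windows Server Backup feature and its WindowsServerBackup module are installed on each DC, that PowerShell remoting is enabled, and that the caller has administrative rights on every DC; the 24-hour freshness threshold is an assumed policy value. It checks freshness only; per-DC system state backups being the wrong foundation for a full forest recovery remains the point of the fourth bullet.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit domain controller backup freshness across the forest.
# Assumptions: Windows Server Backup (and its WindowsServerBackup module) is
# installed on every DC, WinRM is enabled, and the caller is an admin on each DC.
param(
    # Assumed policy value: treat a backup older than this as too stale.
    [int]$MaxAgeHours = 24
)

Import-Module ActiveDirectory

# The tombstone lifetime bounds how old a restorable backup may be: a DC restored
# from an older backup would resurrect objects whose tombstones the live forest
# has already garbage-collected, so Microsoft blocks such restores.
$rootDse  = Get-ADRootDSE
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObject = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
# Forests created before Windows Server 2003 SP1 leave the attribute unset; AD then uses 60 days.
$tombstoneDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }

# Enumerate every DC in every domain of the forest, not just the current domain.
$allDcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $allDcs) {
    $summary = $null; $last = $null; $age = $null
    try {
        # Get-WBSummary ships with the Windows Server Backup feature and reports the
        # last successful backup time and how many versions the target still holds.
        $summary = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction Stop
            Get-WBSummary
        }
        $last = $summary.LastSuccessfulBackupTime
        # A DC that was never backed up reports no usable timestamp.
        if ($last -and $last -ne [datetime]::MinValue) {
            $age = (Get-Date) - $last
        } else {
            $last = $null
        }
        $status = if (-not $last)                          { 'NEVER-BACKED-UP' }
                  elseif ($age.TotalDays -ge $tombstoneDays) { 'UNUSABLE (older than tombstone lifetime)' }
                  elseif ($age.TotalHours -gt $MaxAgeHours)  { 'STALE' }
                  else                                       { 'OK' }
    }
    catch {
        $status = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Domain           = $dc.Domain
        Site             = $dc.Site
        LastGoodBackup   = $last
        AgeHours         = if ($age) { [math]::Round($age.TotalHours, 1) } else { $null }
        Versions         = $summary.NumberOfVersions
        Status           = $status
    }
}

$report | Sort-Object Status, Domain | Format-Table -AutoSize

# A forest recovery starts from one good DC per domain, so the check that
# matters most is whether each domain has at least one fresh, usable backup.
$report | Group-Object Domain | ForEach-Object {
    $good = @($_.Group | Where-Object Status -eq 'OK')
    if ($good.Count -eq 0) {
        Write-Warning "Domain $($_.Name) has no domain controller with a fresh, usable backup."
    }
}
```

Run it from a management host as a forest administrator; the table gives you the per-DC picture and the warnings tell you which domains would have nothing to start a recovery from. A backup interval that keeps AgeHours well below the tombstone lifetime is the minimum; the 24-hour threshold is a starting point to tune to your own recovery point objective.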

5) Necessary maintenance

Different AD DR solutions require different levels of maintenance. If you pay for a technology to help you recover from a disaster, make sure it will not:

  • Clog your work schedule with additional tasks you don’t have time for
  • Demand that you remember to take periodic actions that could be otherwise automated
  • Require manual maintenance of any component

You choose an AD DR technology for more than the peace of mind of knowing you can quickly and easily recover from any disaster. You also want it to take some of the workload off you and free you to deal with your other priorities.

6) Cost and ROI

For many organizations, a single hour of AD downtime could cost more than some of the AD DR technologies on the market today. Nevertheless, cost deserves a mention: deploying the most effective, easy-to-use AD DR solution does not mean breaking the bank.

Recent surveys put the cost of downtime for critical components such as AD at between $25,000 and $150,000 per hour. Gartner believes these estimates are optimistic and that the true cost of downtime is far higher, reaching as high as $300,000 per hour. While the probability of a domain or full forest disaster is rather low, it’s easy to see why the fast-recovery “insurance policy” provided by a solid AD DR solution is the much cheaper option.

Choosing the right solution for your company’s Active Directory disaster recovery needs isn’t simple. But once you take all the necessary information into account, it should be easy to show management how deploying such technology can more than pay for itself in the long run. As an added benefit, it could make your life a lot easier when disaster strikes. Semperis provides the leading solution for Active Directory disaster recovery today: Semperis Active Directory Forest Recovery, a fully automated backup and recovery solution priced under the reported cost of one hour of downtime. If, however, you must rely on native tools and manual recovery (the other end of the AD DR spectrum), read the Microsoft step-by-step forest recovery guide and prepare with it in advance. If you see it for the first time only after a disaster occurs, it will be overwhelming and difficult to follow.