Exchange Server DR planning – realizing the importance of backing up the Active Directory
| Published date | Sat, 2006-06-10 20:48 |
| Author | Nicolas Blank |
Introduction
Exchange relies on Active Directory (AD) as its enterprise directory, storing configuration, user and routing data. Therefore, it is imperative that Exchange-specific data be secured at the directory level. This article explores a number of factors to consider when securing your directory from disaster.
Active Directory Partitions & its Data
Most of us have experienced some kind of downtime, mostly from storage outages. The other side of the coin is: what do we do if AD breaks, or there's a large "oops" and mail attributes are lost for one or many users?
In this article we're going to explore the factors and some solutions around backing up and recovering Exchange configuration data quickly.
Exchange-specific data is stored in three AD partitions:
Domain Partition: Hosts users and the mail attributes for those users
Configuration Partition: Hosts Exchange-specific configuration data
Schema Partition: Hosts the definition of mail attributes
All three partitions are normally backed up as part of a Domain Controller backup. However, when we're talking about quick recovery, backing up once a night isn't the only factor to consider. A number of other factors may come into play, including:
Number of domains
Number of sites
Link speed and latency
Frequency of AD updates
User/object Churn
Exchange deployment in a multi domain forest
Other applications hosting their data in AD
MIIS or ADAM
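To see when each of the three partitions listed above was last backed up on a given DC, the following added example (not part of the original article) reads the replication metadata of the dSASignature attribute on each partition head and compares its age with a recovery point objective. It assumes the ActiveDirectory PowerShell module is installed; the function name, the host name and the 24-hour threshold are placeholders.

```powershell
# Added example: report the last recorded backup time of the three AD
# partitions that hold Exchange data, as seen by one domain controller.
# Assumptions: ActiveDirectory module (RSAT) is available; $MaxAgeHours is a
# placeholder for your own recovery point objective.
Import-Module ActiveDirectory

function Get-ExchangePartitionBackupAge {
    param(
        [Parameter(Mandatory)] [string] $Server,   # DC to query
        [int] $MaxAgeHours = 24                    # assumed RPO, adjust to your SLA
    )

    $root = Get-ADRootDSE -Server $Server
    $partitions = [ordered]@{
        'Domain (users and mail attributes)'   = $root.defaultNamingContext
        'Configuration (Exchange config data)' = $root.configurationNamingContext
        'Schema (mail attribute definitions)'  = $root.schemaNamingContext
    }

    foreach ($entry in $partitions.GetEnumerator()) {
        # A system state backup updates dSASignature on the partition head;
        # its replication metadata carries the time of that update
        # (the same value that `repadmin /showbackup` reports).
        $meta = Get-ADReplicationAttributeMetadata -Object $entry.Value `
                    -Server $Server -Properties dSASignature

        $last = if ($meta) { $meta.LastOriginatingChangeTime } else { $null }
        $age  = if ($last) { [math]::Round(((Get-Date) - $last).TotalHours, 1) } else { $null }

        [pscustomobject]@{
            Partition  = $entry.Key
            DN         = $entry.Value
            LastBackup = $last
            AgeHours   = $age
            # A partition with no metadata returned is reported as outside the RPO.
            WithinRpo  = ($null -ne $age) -and ($age -le $MaxAgeHours)
        }
    }
}

# Example call; 'dc01.example.com' is a placeholder host name.
Get-ExchangePartitionBackupAge -Server 'dc01.example.com' -MaxAgeHours 24 |
    Format-Table -AutoSize
```

In a multi-domain forest, run it against a DC in each domain, since the domain partition differs per domain while the configuration and schema partitions are forest-wide.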
Disaster Recovery Planning
Disaster recovery, or the definition thereof, is highly subjective to each organization. Here are a few scenarios that might affect you:
Total outage/total loss
Partial outage/loss (attribute loss is a good one)
Stolen/failed hardware
Loss of physical site/building
Also, in defining an SLA (Service Level Agreement) to the business, what are your guaranteed timescales to recovery?
These factors will help dictate where, how and how often you want to back up, including how many backup methods you employ.
One thing to mention here is that a backup is not a backup unless you can restore it. This means that if you're using tape, test the tape. At least you can see whether what is on the tape makes sense.
Depending on your forest design, consider having at least one lag site, i.e. a separate site containing at least one Domain Controller (DC) that is a few hours up to 24 hours behind the rest of the forest in terms of replication schedule.
Virtualization of one or more DCs, i.e. running those DCs as virtual servers on a supported virtualization platform, can provide benefits when it comes to recovery, including being able to take a DC offline and copy it into a lab for Disaster Recovery (DR) scenario testing.
Third-party AD recovery tools add huge value to this space. A number of these tools allow a backup to take place several times a day per domain, DC or site; the schedule depends on how often your forest updates. A word of caution: recovery tools should augment your AD backup strategy; they shouldn't be your backup strategy.
Lag sites are well documented, as is the virtualization of Domain Controllers, so I won't cover those here. The other factors I mentioned will come into play based on lab experience and on talking to the business and to object and attribute owners (Exchange administrators, Unix schema extensions, group owners, etc.), since you are looking to preserve the objects, the linked relationships (groups, managers, Exchange), and the services AD and Exchange provide: LDAP, GCs, lookups, authentication, mail routing, etc.
Summary
Disaster recovery is a huge subject for most companies. It helps to have a multi-disciplined approach and a follow-on plan for the things affected by a directory outage. Research (Forrester) shows that 35% of all backup tapes do not contain what people expect. An eyebrow-raising statistic! Best practice suggests that while you are testing your DR plan, you perform a number of test restores to ascertain the reliability of your backup set.
Related Links
Exchange Server 2003 Technical Documentation Library
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx
Active Directory Disaster Recovery for Branch Office Environments
http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory
Windows Server 2003 Active Directory Diagnostics, Troubleshooting, and Recovery
http://www.microsoft.com/technet/community/events/windows2003srv/tnt1-80.mspx
Choosing your backup options
http://www.messagingtalk.org/content/171.html

About Nicolas Blank
Nicolas Blank - Operations Director, Credo Technical Services
Nicolas Blank is a Microsoft Infrastructure Architect and Operations Director for Credo Technical Services in South Africa and specializes in Exchange, Active Directory, architecture, systems management, migration and scripting. Nicolas is a Microsoft MVP for Exchange and spends what spare time he has writing, blogging and talking about Exchange and associated technologies. www.credotech.co.za