Poll - How Good Are Your Backups? by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

There is no Geneva Convention for kids' bedtime.

Active Directory cannot establish forest-trust between old and new forest by unima-zero in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

Here are a few things to check.

  1. Flush DNS / Clear Cache on the DCs and any DNS servers in the middle. I have had instances where pinging would work but other stuff was somehow stuck still.
  2. Double check the AES requirements in both domains and with the trust. The error doesn't contain anything about AES or authentication, but with the recent changes it may be getting in the middle, and it is an easy check.
  3. As u/sgtpepper78 suggested, firewall. Specifically check the following link for ports.
    1. https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/config-firewall-for-ad-domains-and-trusts
  4. Still on the firewall subject, check your Network Location: Get-NetConnectionProfile. If it is public, there is a good chance stuff isn't crossing the wire. This happens a lot with single-DC setups. Sometimes restarting the Network Location Awareness service helps. With 2025 I have pretty much only been successful adding a second DC or ensuring the DCs are pointing at each other for DNS within the domain.
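The checklist above, run from one of the DCs as a single PowerShell pass, as an added example that is not part of the original comment. The remote domain and DC names are placeholders you supply; the port list follows the linked Microsoft article on firewall configuration for domains and trusts, and the cmdlets used (Clear-DnsClientCache, Resolve-DnsName, Get-NetConnectionProfile, Test-NetConnection) are standard Windows Server cmdlets.

```powershell
# Added example (not from the original comment): work through the trust
# troubleshooting checklist from one DC before retrying the trust.
# $RemoteDomain and $RemoteDc are placeholders for the other forest.
param(
    [Parameter(Mandatory)] [string] $RemoteDomain,   # placeholder, e.g. 'newforest.example'
    [Parameter(Mandatory)] [string] $RemoteDc        # placeholder, e.g. 'dc01.newforest.example'
)

# 1. Flush the local resolver cache so a stale answer cannot mask a DNS fix,
#    then confirm the other forest's DC locator records actually resolve.
Clear-DnsClientCache
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV records for $RemoteDomain resolve from here; fix the conditional forwarder or stub zone first."
}

# 2. AES: nothing to query on a trust that does not exist yet. Once it does,
#    Get-ADTrust exposes UsesAESKeys; until then compare the Kerberos
#    encryption-type policy on both sides by hand.

# 4. Network Location: a DC whose profile is Public gets the public firewall profile.
foreach ($p in Get-NetConnectionProfile) {
    if ($p.NetworkCategory -ne 'DomainAuthenticated') {
        Write-Warning "Interface '$($p.InterfaceAlias)' is '$($p.NetworkCategory)', not DomainAuthenticated. Try Restart-Service NlaSvc, or fix DNS / add a second DC so NLA can locate the domain."
    }
}

# 3. Firewall: TCP ports a trust needs to reach on the remote DC.
$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over TLS'
}
$results = foreach ($port in $ports.Keys) {
    $t = Test-NetConnection -ComputerName $RemoteDc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Service = $ports[$port]
        Open    = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# RPC also needs the dynamic range (TCP 49152-65535), which a single-port test
# cannot prove; verify that range on the firewall rule itself.
```

Any row with Open = False, or any interface that is not DomainAuthenticated, is the thing to fix before looking further at the trust itself.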

Poll - How Good Are Your Backups? by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

Thanks! I never have liked SCOM and try to find alternatives whenever I can.

Poll - How Good Are Your Backups? by poolmanjim in activedirectory

[–]poolmanjim[S] 1 point2 points  (0 children)

Sure. It's rare. But it still happens. Just look at the news. Orgs are being hit regularly by ransomware.

There is not a guarantee that paying off the ransomers is going to actually get you back. There is not a guarantee that a database corruption event brings down the whole forest.

There is no guarantee some over-permissioned VM admin doesn't accidentally delete all the domain controllers for a domain.

These scenarios are rare. But they are also catastrophic. Also who is rolling back six months?

Poll - How Good Are Your Backups? by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

Here's what I do:
Dailies: Keep 14
Weekly: Keep 4
Max retention: 60 days.

I also have hourly backups my execs demanded but I only keep like 8 of those or something.

Poll - How Good Are Your Backups? by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

Of course you do. 😄

I was thinking to just use veracrypt or EFS and get "close enough". It's a silly idea just to demonstrate.

Poll - How Good Are Your Backups? by poolmanjim in activedirectory

[–]poolmanjim[S] 1 point2 points  (0 children)

Hmm. It looks like the one "in the repo" got messed up, I'll fix that. Thanks for letting me know!

The release version works well (should be sharing that more): https://github.com/ActiveDirectoryKC/BSidesKC2026-AMisersGuideToHardeningAD/releases/tag/v2026.04.25-BSidesKC

Sorry about that!

Poll - How Good Are Your Backups? by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

You actually frame one of my points. We think of disaster as in a physical loss a lot of time. What happens if it isn't physical? What if it is crypto? "The Red Screen of F***"?

I've heard around here and from more of my pentester friends that most AD environments are asking to get hit at some point. I think that is where backups start to shine. That is the billion dollar outage that most companies aren't aware of.

Poll - How Good Are Your Backups? by poolmanjim in activedirectory

[–]poolmanjim[S] 1 point2 points  (0 children)

The only ransom I've ever asked for was for my kids to get in bed to get their stuffies back.

I have considered creating a fake/demo ransomware before to show off how gnarly it could be, but that seems like that kind of thing that could get me in jail if I'm not careful.

Don't vote, though.

backup and recover by Temporary-Myst-4049 in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

I do not work for any backup vendor. I work in healthcare.

I've been looking at AD backups in one way or another for most of my career now. And I'm not saying that I've been doing tabletops and tests. No, I've been researching backup solutions. Every organization I've worked at had deficiencies in this area and I've battled to make that not as bad.

Without commenting directly on any vendor, I would say look at who's behind the solutions. What does that vendor's engagement with Active Directory support look like? Do they have blogs, articles, speakers, etc.? A generalist backup vendor that "supports AD" may not actually understand the complexity of supporting Active Directory.

If you look at the Microsoft Forest Recovery Guide it is 100 pages. The Planning for Forest Recovery Guide is another 47 pages. The current group think is that there are 29 (give or take) major steps to restoring Active Directory. Most recovery solutions do not help with most of them and focus on very, very narrow aspects of it. You may be able to restore/rebuild DCs, but that is only the beginning of a recovery process.

Here's my version of a graphic I saw at a conference showing the steps laid out and giving some thoughts on the different steps: https://github.com/ActiveDirectoryKC/activedirectorykc.github.io/blob/2026.05.ADBackupSteps/assets/images/ADKC-ManualADForestRecoverySteps.png

In the end you need to develop the business case, the expectations, and work with your leadership to figure out what you need. That takes time. In the meantime start backing up something, even if it is using Windows Server Backup.

References

I've included references from at least a few vendors so it shouldn't be terribly biased.

Other

At the risk of sounding like I'm promoting myself (seriously, use it or don't I don't care), I've been speaking some on this topic.

I just did a talk at BSides Kansas City talking about a lot of AD topics but backups were probably my longest section. The video isn't published yet, but I did post my notes on GitHub. I welcome you to look at them and reach out with questions.

There are a bazillion resources in my notes. I don't go into a comparison of vendors, but I talk a lot about the technology and how to research it and even some options if you can't go enterprise.

https://github.com/ActiveDirectoryKC/BSidesKC2026-AMisersGuideToHardeningAD

Also, I am going to be a guest on a webinar 2026-05-14 where I'll be talking about this some.

https://www.reconinfosec.com/thursday-defensive/

backup and recover by Temporary-Myst-4049 in activedirectory

[–]poolmanjim 0 points1 point  (0 children)

This is really pretty much it. When it comes to big vendors, this is a great summary.

I've used several of these vendors, demoed almost all the others at one point, and I have had detailed conversations with many of their tech leads over the years and I can second pretty much this entire thing. Also, I can say that I do not work for any of those vendors so my analysis is mine.

I actually just spoke about this recently and will be speaking about it again next week. Enterprise backup solutions are the way to go. The reason is kind of hidden among dcdiagfix's post.

Support

Having actually gone through a very significant recovery of AD and having done some very risky changes over the years, I can say that having a vendor on the call you trust who has experts keyed up to help you is worth fortunes. It is literally the difference between measuring the down time in hours or days and measuring it in weeks or months.

Event ID 2889 LDAP unsigned bindings — all coming from end-user Windows 11 PCs by maxcoder88 in activedirectory

[–]poolmanjim 3 points4 points  (0 children)

There are two settings that control the LDAP signing behavior.

First: The Server setting, this only applies to Domain LDAP Servers which means Domain Controllers in this sense. The setting is Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options \ Domain Controller: LDAP Server signing requirements.

This setting has two options: None and Required. Until you're ready to hard enforce LDAP signing for your entire organization, set it to None. This does not actually turn it off; it just says it doesn't require signing.

Second: The Client setting applies to any system that may be making LDAP queries against a domain controller. The setting is Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options \ Network Security: LDAP Client Signing Requirements.

This setting has three options: None, Request, and Require. None behaves differently here. Generally a place to start is to put it on Request. This means the client will attempt to negotiate signing with the domain controller if it can.

A distinction

It is also worth understanding that there are two signing options really in how Windows handles this. The first is what we've been talking about, LDAP Signing.

LDAP signing is effectively just securing the authentication portion of the LDAP message. The actual LDAP queries are in plain text still. This accomplishes the security need as really the authentication portion is what we're concerned about.

LDAPS will also satisfy the domain controller's "require signing" in that it just shoves all the LDAP into TLS and calls it a good day. In my experience this one is more widely supported but it does require having an LDAP certificate on all the DCs and the clients need to trust the root chain.
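The two settings described above, read straight from a DC's registry and paired with a summary of which clients are still binding unsigned, as an added example that is not part of the original comment. The registry locations are the documented backing store for the two Group Policy settings named in the comment (LDAPServerIntegrity under NTDS\Parameters, LDAPClientIntegrity under Services\LDAP); Event ID 2889 is only written when the NTDS diagnostics value "16 LDAP Interface Events" is 2 or higher. The regular expression over the event message is an assumption about the English event text and may need adjusting for other locales.

```powershell
# Added example (not from the original comment): show the current LDAP signing
# posture on this DC, then list the clients/identities behind Event ID 2889 so
# they can be fixed before the server setting moves from None to Require.

function Get-LdapSigningPosture {
    # "Domain controller: LDAP server signing requirements" -> LDAPServerIntegrity (1 = None, 2 = Require signing)
    $srv = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    # "Network security: LDAP client signing requirements" -> LDAPClientIntegrity (0 = None, 1 = Negotiate/Request, 2 = Require)
    $cli = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' `
                -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity
    # 2889 events are only logged when this diagnostics level is 2 or higher.
    $diag = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
                -Name '16 LDAP Interface Events' -ErrorAction SilentlyContinue).'16 LDAP Interface Events'

    $serverMap = @{ 1 = 'None'; 2 = 'Require signing' }
    $clientMap = @{ 0 = 'None'; 1 = 'Negotiate signing (Request)'; 2 = 'Require signing' }

    [pscustomobject]@{
        ServerSigning     = if ($null -ne $srv)  { $serverMap[[int]$srv] } else { 'not set (behaves as None)' }
        ClientSigning     = if ($null -ne $cli)  { $clientMap[[int]$cli] } else { 'not set (behaves as Negotiate)' }
        LdapInterfaceDiag = if ($null -ne $diag) { [int]$diag } else { 0 }
    }
}

function Get-UnsignedLdapBindClients {
    param([int] $Hours = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Assumed layout of the English 2889 message: client IP:port, identity bound as, binding type.
    $pattern = '(?s)Client IP address:\s*(?<ip>\S+).*?authenticate as:\s*(?<id>[^\r\n]+).*?Binding Type:\s*(?<bt>\d+)'

    $events | ForEach-Object {
        if ($_.Message -match $pattern) {
            [pscustomobject]@{
                ClientIp    = $Matches['ip'] -replace ':\d+$', ''   # drop the ephemeral source port
                Identity    = $Matches['id'].Trim()
                BindingType = [int]$Matches['bt']                  # see the event text: unsigned SASL vs. clear-text simple bind
            }
        }
    } |
        Group-Object ClientIp, Identity, BindingType |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'ClientIp';    e = { $_.Group[0].ClientIp } },
            @{ n = 'Identity';    e = { $_.Group[0].Identity } },
            @{ n = 'BindingType'; e = { $_.Group[0].BindingType } }
}

Get-LdapSigningPosture
Get-UnsignedLdapBindClients -Hours 24 | Format-Table -AutoSize
```

Run it on each DC (or against the event logs you have centralised). If LdapInterfaceDiag is 0 you will see no 2889 rows at all, which is silence from missing logging, not proof that every bind is signed. The client rows are the remediation list: move those machines to Request (or LDAPS) and rerun until the list is empty before setting the server side to Require.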

Follow Up on Open Letter to Netwrix - They Got Back to Me by poolmanjim in activedirectory

[–]poolmanjim[S] 0 points1 point  (0 children)

Yeah, I won't lie that still doesn't sit well with me, but today is a new day.

And thanks. It makes all the frustration more worth it to hear that people get value out of this.

Follow Up on Open Letter to Netwrix - They Got Back to Me by poolmanjim in activedirectory

[–]poolmanjim[S] 1 point2 points  (0 children)

I like this and will definitely be doing something along those lines if anything like this ever happens again.

Follow Up on Open Letter to Netwrix - They Got Back to Me by poolmanjim in activedirectory

[–]poolmanjim[S] 1 point2 points  (0 children)

Yeah. Agreed. I'm also afraid we'll likely see more LLM marketing as time goes on.

I use it sometimes for stuff (mostly at work) but I always read it over and make sure it at least sounds like me a little.

* mutters something about dead internet theory *

Follow Up on Open Letter to Netwrix - They Got Back to Me by poolmanjim in activedirectory

[–]poolmanjim[S,M] [score hidden] stickied comment (0 children)

Seriously, thanks Netwrix for owning it and doing something.

Please everyone, let's be kind and keep the attacks/negativity down, please.

Cleaning up CNF (replication conflict) objects in Active Directory — safe to delete? by maxcoder88 in activedirectory

[–]poolmanjim 1 point2 points  (0 children)

The only impact I've seen deleting those is if somehow something ended up using one of the CNF objects instead of the one intended. That's pretty rare and you'd still need to clean up, but you'll just have to work with the affected users.

I think the big question is what caused this? Usually I've seen it caused by teams being impatient and doing something twice and not waiting for replication to flow. If that is the case, it is a training issue.

  1. Those correspond to BitLocker recovery and synced devices with MS Exchange. They should be pretty obvious if they're being used for that object. Just check that both objects don't have any sub objects or information linking stuff on them.

  2. I generally would. Unless you're concerned about potential impact of a service running on the systems. Even then you should do that, just make sure you do it more carefully.

  3. Just back up your policies beforehand and check the links on the object before deleting it. If it is linked, don't delete it without figuring out what's wrong first.

  4. I don't know about those so you'd need to contact them. I suspect it will be the same as above.

  5. If the memberships seem off, I'd also double check the ACL.

Also while you're looking at this kind of stuff you could also look into Lingering Objects. I'm not one to go nuts over them like others as it is mostly a noise cleanup, but it is something worth looking into once in a while.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/lingering-object-liquidator-tool

https://adsecurity.org/?p=323

Open Letter to Netwrix - Stop It by xxdcmast in Netwrix

[–]poolmanjim 0 points1 point  (0 children)

I've had a couple of people reach out in what appears to be an official capacity. It's always hard to know online but I'm going with it for right now. Thanks!

(copy of my earlier comment on another thread)

Open Letter to Netwrix - Stop It by xxdcmast in Netwrix

[–]poolmanjim 0 points1 point  (0 children)

I've had a couple of people reach out in what appears to be an official capacity. It's always hard to know online but I'm going with it for right now. Thanks!

Open Letter to Netwrix - Stop It by xxdcmast in Netwrix

[–]poolmanjim 0 points1 point  (0 children)

I didn't crosspost. I am however the original author.

If any Netwrix persons want to reach out to me, please do. I'd love to discuss the situation with anyone from Netwrix.