Semperis 'forest' rangers tackle the question of Active Directory safety

An 'undo' button for AD could be the key to saving administrators a lot of time and pain.
Written by David Shamah, Contributor

Despite all the changes in enterprise computing in recent years -- from the rise of the cloud to bring your own device -- it's a fact that most companies, large and small, still host their core computing services on servers controlled by Windows Active Directory. And it's still the case despite the criticism many IT folk have of AD.

Love it or hate it, AD is a fact of enterprise life, and it's not going anywhere any time soon, according to Michael Dubinsky, CEO of Semperis.

"I once heard a very smart comment from a Microsoft colleague," Dubinsky said. "'Active Directory is like electricity,' this person said. 'No one appreciates it while it's there, but the moment it stops working all hell breaks loose.' I think it's the most accurate statement I've heard about Active Directory disaster recovery. As organisations grow, their computing systems grow, and restoring systems as they had been before a problem ensues becomes very challenging."

In the event of an IT emergency -- a corrupt server or directory, a compromised server, a rogue script running around the system -- an administrator would cut out the bad portions of the system and replace them with backed-up data. Recovering objects (specific resources, user and group accounts) is something backup and recovery systems cover sufficiently, as is server recovery.

Things get more complicated when there's a mass failure -- numerous domain servers, mass deletions from a database, and so on. "If a piece of malware gets into your system and compromises the attributes in AD, you don't have many options," Dubinsky said. "You could try to restore that information from snapshots, but getting the right content from the snapshot to the live database is very labour intensive and time-consuming."

Michael Brezniuk (L) and Michael Dubinsky of Semperis. Image: Semperis

Even more complicated, he said, is when multiple domains or an entire forest is shot. The only recourse, in general is forest recovery -- a complicated, lengthy procedure that will keep administrators up for a long night of work, and most likely supply the affected department with a day or two off from work, since the system won't work.

Semperis offers an alternative method of fully restoration a damaged AD structure, one built on taking regularly-timed backups of an AD setup as it is being used in an organization.

Its IDPro product keeps an eye on the doings in Active Directory, setting off alarms when undesirable or unanticipated events occur. When an alarm goes off, an administrator can decide to undo the action that set it off -- whether major or minor -- by returning AD to the state it was before the incident occurred.

As a result, the entire forest is preserved, along with all attributes, relationships between objects, domain structures, and so on. The backups are kept in a private or the public cloud, and can be recalled at any time, with changes implemented by malware immediately undone (ie revoking permissions a piece of malware may have instituted for itself to get access to data).

Databases that have been compromised can be excised and backups installed, with the data automatically taking on the context and relationships of the original, and any security certificates that were there before the event are recertified, ensuring that an invader cannot access the system.

In addition, IDPro allows administrators to sandbox an active AD system, allowing them to install updates, applications, and extensions in 'isolation mode', testing them before they are released to the working environment.

IDPro can also be used to help get a better handle on systems. "We had one customer who found their system malfunctioning, but no alarm went off, meaning that no outside or unplanned force had tried to change the configuration." By rolling back the system until it worked properly, the customer was able to see exactly what had happened: an administrator had implemented a service that was incompatible with scripts that were running. "It's not something you would think of right away in the event of a problem, but with IDPro, the customer was able to clear up the problem and figure out what went wrong within an hour."

Dubinsky, formerly working on AD in Microsoft, started Semperis about a year ago with partners Michael Brezniuk, Matan Liberman, and Guy Teverovsky.

Although rather new on the market (the company just graduated from the latest class of Microsoft Ventures Accelerator in Israel), and competing with several other products that do similar (but not quite the same) work, like Quest, Semperis already has some large enterprise customers.

An official launch is set for early 2014, in which Semperis will offer a cloud-based "recovery as a service" product, which will be available on a subscription basis.

More on Active Directory

Editorial standards