Disaster Planning and Recovery

   

Businesses are becoming increasingly dependent on directories, to the point where they will simply be unable to function if the directory becomes unavailable. What happens if the data-processing center of your organization falls victim to a fire, a flood, or sabotage? How will you restore critical directory services?

Developing a comprehensive recovery plan is the best way to anticipate and prepare for business continuity in the face of a disaster. Numerous books cover this subject, and there are some disaster recovery vendors (also known as business continuity services), including SunGard Availability Services and IBM Business Continuity and Recovery Services. These vendors and others like them can help you plan and implement disaster recovery procedures.

In this section we provide a brief overview of disasters and disaster recovery planning, and we discuss how planning for directory disasters differs from other types of disaster planning. Then we discuss specific issues that can help you design and implement your directory disaster recovery plan.

Types of Disasters

A disaster is any occurrence that destroys your computing infrastructure or makes it inaccessible for an extended period. Examples include the following:

  • Fires

  • Severe weather, such as hurricanes, tornadoes, and severe storms

  • Earthquakes

  • Extended electrical power outages

  • Hardware or software errors that cannot be fixed within a reasonable time period

  • Floods

  • Burst pipes

  • Explosions

  • Chemical spills

  • Airplane crashes

  • Riots

  • Sabotage

  • Security breaches

  • Terrorist attacks

Developing a Directory Disaster Recovery Plan

When you develop a plan for directory disaster recovery, follow a methodical process similar to this:

Step 1. Perform a risk assessment, ranking risks from most likely to least likely.

Step 2. Understand the business implications of each type of risk.

Step 3. Design and implement the recovery solution.

Step 4. Periodically review and update the plan.

Each of these steps is explained in detail in the following sections.

Step 1: Perform a Risk Assessment, and Rank the Risks from Most Likely to Least Likely

When planning for disaster recovery, the first questions to ask yourself are, What risks does the computing infrastructure face? and How likely is each risk? For example, if your data center is located on a hill, flooding is probably unlikely. On the other hand, if the data center is in the San Francisco Bay area, earthquakes are a risk that must be taken into account.

Ranking your risks allows you to make rational decisions about whether you should attempt to protect against a particular risk. Although it would be nice to provide protection against every conceivable risk, it's probably not economically possible. Understanding which risks are more important to address allows you to allocate your disaster preparedness resources wisely.

For some risks you may decide that preemptive measures are appropriate. For example, if your location is subject to frequent electrical storms and power failures, you may decide to invest in a generator that can provide an alternate power source during extended power failures.

Step 2: Understand the Business Implications of Each Type of Risk

For each type of disaster, think through its implications and how it will affect your organization's business processes. For example, assume that your directory service is destroyed by a fire and that it takes three business days to obtain replacement hardware and restore the directory data from backup tapes. What are the business implications of this three-day delay? What business processes are halted by the unavailability of the directory? Such impeded processes might include

  • Delivery of e-mail. (Inbound mail from the Internet will typically be returned to the sender if your electronic mail servers are continuously unavailable for three or more days.)

  • Any processes that depend on the timely delivery of e-mail.

  • Login to your intranet and extranet applications.

  • Any intranet or extranet applications that use the directory for authentication.

Next you need to understand the implications of directory failure, and what they mean for your bottom line. In other words, if the directory is unavailable, how much money will the business lose as a direct consequence of the failure? Will customers switch to an alternate vendor because you cannot provide the goods or services they require? Are there contractual obligations that you must meet even in the face of a disaster? With this information you can determine the recovery times you need to target.

For example, you might determine that the maximum acceptable directory downtime is 24 hours before the business begins to suffer significant losses. When you know the potential costs of not having a disaster recovery solution, you can begin to weigh them against the costs of a recovery solution.

Step 3: Design and Implement the Recovery Solution

The next step is to design the actual recovery solution and understand its costs. You can design and implement the recovery plan yourself, or you can use the services of a disaster recovery vendor to design and/or implement the plan.

Disaster recovery vendors typically offer both "hot" and "cold" recovery solutions. A hot site is kept up-to-date with your latest data and application software, and it can be put into service quickly. A cold site contains sufficient equipment to meet your computing needs, but it is not kept up-to-date; your computing environment must instead be re-created at the cold site after the disaster recovery plan goes into effect. Disaster recovery vendors also offer mobile recovery solutions, in which a portable data center can be driven to your site in the event of a disaster.

Hot sites and cold sites each have advantages and disadvantages. Whereas a hot site can be put into service relatively quickly because all the data is up-to-date and ready to go, with a cold site data must be transported to the remote site, the needed software must be installed, and the data must be restored. As you might expect, it is much more expensive to maintain a hot site, especially if you contract with a disaster recovery provider. Assuming that not too many customers experience simultaneous disasters, a disaster recovery provider can use a single cold site to support multiple businesses, thereby lowering the cost for the customers. A hot site, on the other hand, must be dedicated to a single customer, which makes it much more expensive.

Consider also what happens if your directory data is damaged, perhaps by a malicious hacker. If the bad data has replicated everywhere, your only recourse may be to restore from the most recent backup. In this case it doesn't matter whether you have a hot site standing by. You need to close the security hole that allowed the hacker access, find and remove any backdoor access methods that may have been installed, and restore your data from the most recent backup. More information on handling security breaches can be found in Chapter 20, Troubleshooting.

Step 4: Periodically Review and Update the Plan

Finally, after the recovery plan is implemented, it must be periodically reviewed and updated as your business requirements change and as new applications are developed and old ones retired. The plan should be reviewed at least annually, and more often if your organization deploys new applications frequently.

The disaster recovery procedures should also be tested and repaired if they are found not to work anymore. Some organizations even go so far as to simulate a disaster to exercise the recovery procedures. Your disaster recovery tests should be in line with your disaster recovery needs; very stringent needs dictate more rigorous testing.

   


Understanding and Deploying LDAP Directory Services
Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
EAN: 2147483647
Year: 2002
Pages: 242
