Failover Disaster Recovery (Ransomware Attack / Hardware Failure) Small 2 Mid-Sized Company’s.

In this simplified guide I’ll show you the basics of a failover disaster recovery scenario.

What we are going to do is:

  • Install VMWare Hypervisor on a Desktop
  • Attach disks for a workgroup server host
  • Copying the directory structure with permissions
  • In case of a needed restore, deploy the OS Images
  • Attach the preconfigured disks to your Failover scenario.
  • Share the shares again.

And go Live again.

 

Let's start:

In order to switch to this failover you first need to identify the root cause of the ransomware attack or determine what was causing the hardware failure or at least confirm the cause and decide on its impact.

If you have isolated the cause you could restore to a live environment with below configuration/setup.

Please read the following scenario and decide if it fits your needs. 

 

 

 

  • Let’s say, install 3 Desktops with VMWare Hypervisor with 32GB RAM (these are old Desktops) and a 512 SSD (130 euro) for OS Disks (bootstore – os disks) and 4TB Disks (165 euro) for your Data (thus depending on your needs).
    • Prepare one machine per VMWare HyperVisor and attach disk with thin provisioning to the max and attach all disk you can spare your free space in combination with RAM available (calculate each server) to this machine.
    • So install the machines, keep them in WORKGROUP and patch them (by means automatic or a patch engine client) and Initialize the disk and partition them.
    • Here comes the interesting part. We’re going to Back-up the Data either from your Backup Storage or your Live servers once a week, in the weekend. This script copies the permissions as well, for a neat mirror action.

 

<copylive.bat>


@Echo Off

netsh interface set interface "Ethernet0" ENABLED

timeout /t 10

robocopy \\BCKSTOR\SRV1\ F:\ /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:F:\Robocopy.log /XD "\\BCKSTOR\SRV1\D$\System Volume Information\

robocopy \\BCKSTOR\SRV2\ G:\ /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:G:\Robocopy.log /XD "\\BCKSTOR\SRV2\D$\System Volume Information\

robocopy \\BCKSTOR\SRV3\ H:\ /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:H:\Robocopy.log /XD "\\BCKSTOR\SRV3\D$\System Volume Information\

robocopy \\BCKSTOR\SRV4\ E:\ /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:E:\Robocopy.log /XD "\\BCKSTOR\SRV4\D$\System Volume Information\

robocopy \\BCKSTOR\SRV5\ i:\ /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:i:\Robocopy.log /XD "\\BCKSTOR\SRV5\D$\System Volume Information\

robocopy \\BCKSTOR\SRV6\ j:\ /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:j:\Robocopy.log /XD "\\BCKSTOR\SRV6\D$\System Volume Information\

netsh interface set interface "Ethernet0" DISABLED

 


<end script: note the extra enter to disable the Ethernet adapter>

 

Schedule this task, during weekday’s for nightly sync or only in weekends where you might be more sure an attack has not taken place, since the possibility of an attack is smaller, ugh, relatively yeah since employees are not at work, yourself included).

  1. Next: Prepare one machine with your Back-up, Back-up host solution, or in some methods, your pxe boot environment, such as and ISO for Windows Boot, to restore Windows Images, or another solution which is able of booting with PXE to restore the images.
  2. Next, make a VM for each host, and define the settings for each host, meaning no DVD drive, because you want your newly attached disk to be D:\
  3. Prepare with the PXE Image / ISO / Back-up of the OS Image
  4. You could, Back-up the Host Images in advance to restore rapidly, just make sure you don’t boot them under normal circumstances or you will face Kerberos ticket issue’s which might cause your current running live server to disassociate from your Domain Controller.
    1. If you just couldn’t bare to resist, shutdown the VM and rejoin your server to the domain, by means of: unjoin domain, reset computer (server) account in AD, join domain and reboot.
  5. When you would actually restore the image in case of a disaster scenario, all you need to do is to Detach the Disk from the WORKGROUP Host machine which is backing up and attach it to the VM you’ve created for Disaster Restore.
  6. After you have booted the VM Host of your choice, say SRV1, all you need to do is Share the Shares once again. Mind you, this can also be scripted, referenced article:
    1. https://www.windows-commandline.com/list-create-delete-network-shares/
  7. After this, you could sync from your backuplocation from last night, if the scheduled task would have run weekends only.

 

  • Little tip: do keep, if you have 2 DC’s, on separate VM hosts. Just in case.
  • Tip 2: If you got backup storage, and it’s in no need of connections outside the backup scheme: Disable the Network Adapter between those times and make sure you have physical access of some sort. Limit the possibilities of an attack.

 

Brought to you by an improviser of cost efficiency

Kind regards,

Martijn Kamminga