doctoravios

That's the tricky thing. No system can ever be 100% perfect. The law of diminishing returns is quickly reached given the exorbitant cost of building in multiple redundancy. One approach is to invest a huge amount as a sunk cost and the other is to invest very little (which is what I suspect BA have done) and hope everything just goes OK.

r00ty

But that's not how it works at all. Unless you're referring to the weird world of AD DNS. Which is another matter. Normal real world DNS doesn't work that way.

I have a domain. me.com. And I have a load of hosts. here.me.com, there.me.com, and I delegate a whole subdomain de.me.com for my German operation. Which has a primary server in Germany instead of the UK.

The main domain has primary DNS in the UK, German subdomain has it in Germany, we both secondary for eachother, and I have an extra secondary running in France and say one in the USA. All secondaries pull the entire domain whenever there are changes. If the main server fails, the secondary servers are able to provide authoritative answers for any query with no problem.

Now, if we're talking internal DNS, the same system works fine. They put their main DNS in head office, and have secondary servers in multiple locations, all on the internal network space.

Same applies for AD. Even the modest small multinational I work for has AD backups spread across the globe. If my local office exploded tomorrow, I could VPN into a server in say the USA and authenticate fine. Albeit, I wouldn't be able to access any local resources.

It's not that I'm saying it can't happen, clearly it has, and we've seen it happen elsewhere. It's just that this kind of redundancy failure isn't acceptable. Any way you look at it.

r00ty

My experience of the corporate world would put this front and centre as the root cause. Not that any company would ever admit that :P

dakaix

Never truer than when talking about enterprise IT!

For a moment I was tempted to suggest that in a modern design you'd plan to expect and contain failure... you architect it into the applications so they can work around the underlying infrastructure issues.

Then I came to my senses and realised this was a legacy airline we're talking about.

SW7London

Most large companies have DR plans, and test regularly. I'd wager internal and external audit teams in all FTSE 250 companies would be very interested in the DR plans and test results of their IT departments!

Datacenter isolation tests are common too, however as Banana4321 states their is a limit. I used to work a UK high street bank and preparations and planning were extensive but even then we've had a few occasions where cash points would fail once we've isolated a datacenter. Good learning experience all round! As it was a controlled isolation, we could recover quickly.

As for todays issue, affecting such a wide variety of systems and talk of internal BA staff not being able to access Outlook/email unless they were already logged in I'd wager a big part of the issue would have been DNS and or Authentication(AD)

Both services would be widely distributed, however if somebody pushed out a configuration change across the entire system(or inadvertently deleted records in those systems!) then it'll be pretty hard and time consuming to recover.

However, BA are saying they had power issues today which - to my humble mind at least! - doesnt make sense given some of the symptoms.

lorcancoyle

Selfishly I'm wondering whether or not I'll have to claim for my LHR-HEL-TLL flights today on AY. Given everything else has been banjaxed I'm not hopeful...

Banana4321

Depends when the power issue happened. It may have happened as they were activating DR. In which case....ouch.

Geordie405

Dealing with a large-scale IT outage is never easy. On the one hand you need to restore services as quickly as possible, but equally you may need to troubleshoot what has caused the issue in the first place. Activating your disaster recovery plan as a first step in this process is never a good idea - the response of last resort should not be the first step!

Unless you have multiple data centres running in an active - active setup there will by necessity be some degree of delay in bringing the backup systems online. This can be caused by multiple factors: recovering data from backups or snapshots, checking the integrity of the data, bringing systems online in the right order (so database servers, application servers, web servers), validating that everything is running correctly, all dependencies are in place, that DNS is updated so that servers and services can talk to one another and so on.

Usually you may be dealing with an outage of one system at any one time but where you have a total outage of all systems at the same time it becomes massively more complicated to bring everything back online. You would be looking at core network systems (so backbone switches, routers, firewalls etc.) followed by network and authentication services (Active Directory and DNS), then you'd look to bring up your storage area networks and storage systems so you can access your data. Once this is up and running you can start to look at application services - so database servers, then application level servers, web servers etc.

You also have to ensure you have sufficient resources available - so staff with the relevant expertise, that you have support contracts in place with your vendors so you can call on 24/7 support from them etc. You are also looking at your disaster recovery plan, recovery point objectives, recovery time objectives in order to prioritise which systems are brought back online first etc.

Clearly a power outage should not bring down your entire infrastructure. You would expect all equipment to be fed from at least two independent sources with UPS / battery backup and generator backup in place. These systems should in themselves be redundant so the failure of a single piece of infrastructure doesn't lead to an outage, and you'd expect to be regularly maintaining and testing this. In a co-location / data centre environment this would be undertaken by the data centre provider.

I have to say that while it's easy to be critical of BA and say that this outage should never have happened I would spare a thought for the IT staff who will have been sorting out this mess and getting systems back online. Having been on the front line in outages for my company I can say it is stressful beyond words and you really do feel the pressure!

Hopefully this little summary will give an indication of what's involved in dealing with a large-scale outage. I don't work for BA so have no idea of their IT infrastructure but my experience comes from data centre management for a global law firm with 30+ offices worldwide.

SW7London

True. I would have thought from an application perspective especially so. Not so much from an infra/dns/ad perspective given the nature of those systems. i.e. you dont fail over AD. Its up, its distributed. And pretty resilient.

From the symptoms I've read today, I cant reconcile a datacenter power issue with people being able to use their email only if they were already logged in. Seems like something is cached enabling access but its all speculation as we've got limited visibility at the moment about what happened!

funkyfreddy

Stuxnet? or variant of perhaps?

Worcester

Aren't airports classed as critical infrastructure by the government? Perhaps they should force this Spanish airline (BA) to have higher standards of IT infrastructure if they have so many airport slots.

Banana4321

I assumed from the symptoms that (and I know little about O365, but it appears we do have a resident expert on FT) MS caches the credentials for a period of time i.e. if you logged-in to O365 then BA's authentication servers in BA data centres are called and if they give the OK then the user can use O365 for a few hours, maybe a day even. However after those authentication servers disappear then no-one can login to O365 for the first time 'today' as their previous credentials would have expired.

doctoravios

Absolutely. To be fair, BA aren't the only ones. There are so many organisations running outdated software on outdated hardware and network infrastructure who've just been lucky not to experience a serious failure while in operation.

The fact is that humans have great difficulty understanding an existential threat and forumulating a plan to deal with the consequences. We tend to look at the odds and if they are favourable just roll the dice and ignore the possibility that improbable events will ever be realised.

funkyfreddy

yep, and perhaps all the kind of things you assume are distributed but may not notice if something goes wrong with the distribution / fail over potential.

Fitch

What happened to your AY flights then ? Were they affected as well ?