Chatee ahora con Soporte
Chat con el soporte

Recovery Manager for AD Disaster Recovery Edition 10.3.1 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Cloud Storage Secure Storage Server Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Restore Active Directory on Clean OS method Bare metal forest recovery Using Management Shell Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Recovery approach 2: Restore one domain controller from backup in each domain

This recovery approach is recommended by Microsoft® in the Planning for Active Directory Forest Recovery paper. To use this approach, you must have a recent and trusted backup for one domain controller in each domain in the forest. These backups must be created at a similar point in time to mitigate the risk of discrepancy after the forest is recovered.

At a high level, recovering a forest using this approach includes the following stages:

  1. Recovery Manager for Active Directory restores one domain controller in each domain from the recent and trusted backup you specify.

  2. Recovery Manager for Active Directory uses Microsoft® tools (Dcpromo.exe or the Uninstall-ADDSDomainController and Install-ADDSDomainController cmdlets) to automatically reinstall Active Directory® on the domain controllers for which no backups are available.

  3. The domain controllers on which Active Directory was reinstalled replicate Active Directory data from the domain controllers restored from reliable backups.

Approach 2 has the following advantages and limitations.

Advantages

  • Recommended by Microsoft. This recovery approach is recommended in the Microsoft’s best practice paper, Planning for Active Directory Forest Recovery.

  • Safer, healthier recovery as compared to Approach 1. The limited number of backups used in Approach 2 (one backup per each domain) allows you to check them all to make sure they do not include any corrupted or unwanted data.

Limitations

  • Forest recovery may require significant time to complete. Approach 2 requires more time to complete than Approach 1.

  • Recovery of entire domain depends on a successful restore of a single domain controller. A successful restore of one domain controller from backup is required before Active Directory can be reinstalled on all other domain controllers in the domain.

  • The original forest infrastructure is not retained. Because Active Directory is reinstalled on most domain controllers in the forest, the forest infrastructure cannot be restored to its exact pre-failure state.

For a step-by-step procedure on how to perform a forest recovery, Overview of steps to recover a forest

 

Deciding which backups to use

To restore domain controllers from RMAD or BMR backups, use the backups that were taken a few days before the occurrence of the failure. In general, you have to trade off between recentness and safeness of restored data. Choosing a more recent backup recovers more useful data, but it might increase the risk of re-introducing dangerous data into the restored forest.

It is strongly recommended that you keep detailed logs about the health state of Active Directory® on a daily basis, so that in case of a forest-wide failure you could identify an approximate time of the failure.

For more information on the methods you can use to select backups for recovery, see Selecting backups for recovery.

 

Running custom scripts while recovering a forest

You can configure Recovery Manager for Active Directory (RMAD) to automatically run your custom scripts on the RMAD computer before, after, or during the recovery operation.

RMAD is supplied with a Microsoft Windows Script (.wsf) file serving as a template where you can insert your custom scripts written in the VBScript or JScript language. The file name is ConsoleSideScripting.wsf, and you can find it in the RMAD installation folder (by default, this is %ProgramFiles%\Quest\Recovery Manager for Active Directory Forest Edition).

The .wsf file has a number of XML elements where you can insert your scripts. Each XML element in the .wsf file provides a description explaining when the script inserted that element will run. Depending on where you inserted your script, it will run:

  • Before the recovery operation starts in the current project.

  • Each time before the restore from backup operation starts on a domain controller in the current project.

  • After the restore from backup operation completes on all domain controllers in the current project.

  • Before the reinstall Active Directory® operation starts in the current project.

  • Each time before the reinstall Active Directory® operation starts on a domain controller in the current project.

  • Each time the reinstall Active Directory® operation completes on a domain controller in the current project.

  • After the recovery operation completes in the current project.

To configure Recovery Manager for Active Directory to automatically run your scripts

  1. Locate the file ConsoleSideScripting.wsf in the RMAD installation folder, and open the file in a text editor.

  2. In the file, read the descriptions provided for the XML elements to identify the ones where you want to insert your script, then insert your script as appropriate.

 

Overview of steps to recover a forest

To recover your Active Directory forest

  1. Open the recovery project you created for your environment. For more information, see Opening a recovery project.

  2. Use the Active Directory logs to determine the forest failure date.

  3. Select appropriate backups for the domain controllers in your project. Make sure you use backups that were created before the point in time when the forest failure occurred. For more information on how to select backups for the recovery, see Selecting backups for recovery.

  4. Verify the settings specified in your recovery project. For more information, see Specifying recovery project settings.

  5. Verify the recovery settings specified for each domain controller in your recovery project:

    • Use the list of domain controllers in the Forest Recovery Console to select the domain controller whose settings you want to verify.

    • Open the General tab, and then verify the specified recovery settings. If necessary, adjust the settings as needed.

    • Repeat these steps for each domain controller in the project.

    For more information about forest recovery approaches, see Forest recovery approaches.

  6. On the toolbar, click Start Recovery to start the recovery operation on your project.

Important

Before starting a forest recovery, the settings verification must be successfully passed. For more information, see Verifying recovery project settings.

After you start the recovery operation on your project, you can reset the password for users in the following privileged groups on the Reset Passwords step of the wizard. The password resetting option is available only for Forest Recovery and Domain Recovery modes. For more information about privileged groups, refer this link.

  • Enterprise Admins

  • Domain Admins

  • Administrators

  • Account Operators

  • Schema Admins

  • Group Policy Creator Owners

  • Backup Operators

  • Server Operators

  • Print operators

Note

The Domain User Name setting specified on the General tab is excluded from password resetting.

The groups above are also listed in order of priority, from highest to lowest, for users belonging to more than one group, or a nested group to obtain the new password.

  • A user belongs to more than one group: The password with the highest priority will be assigned to the user.

  • A user belongs to a group nested in another one, and so on: The password with the highest priority of all groups in the nested structure will be assigned to the user.

Make sure the new passwords meet your domain password policies, otherwise passwords will not be reset successfully.

Resetting password also enables the account setting "User must change password at next logon". This means users must enter and change the new password the next time they log in.

NOTE

The account setting "User must change password at next logon" will not be enabled for the users who have the setting "Password never expires" enabled.

 

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación