Recovery Manager for AD Disaster Recovery Edition 10.3.1 - User Guide

Cloud Storage

Recovery Manager for Active Directory Disaster Recovery Edition provides the ability to set up and use dedicated cloud storage locations for backups. Cloud Storage, in combination with primary (Tier 1) storage options, ensures that your critical backups are always available in case of disaster.

By using Cloud Storage you can store your AD and BMR backups in the cloud, ensuring that your backups are always accessible, and protect your backup files with storage account properties such as immutability policies and redundancy through different types of replication.

IMPORTANT

Use of Cloud Storage requires a Recovery Manager for Active Directory Disaster Recovery Edition license.

Requirements

  • Internet access available on the Recovery Manager for Active Directory console. A standard outbound HTTPS port 443 is used to upload data to Azure® Blob and Amazon S3 buckets.

  • Azure and/or Amazon S3 subscription(s) to create and manage both Azure Storage accounts and containers and/or Amazon S3 Storage accounts and buckets.

  • A method of creating and managing Azure and/or Amazon S3 Storage accounts, containers, buckets, and policies for the storage account (lifecycle, immutability and replication policies).

NOTE

Recovery Manager for Active Directory does not create or provide management features of the storage account.

Best Practices

  • Use immutable storage for your business-critical backups. Immutable storage protects your backups from being overwritten or deleted. For guidance on configuring immutability policies for containers, refer to the Microsoft Azure documentation (Configure immutability policies for containers) and the Amazon S3 documentation (Use Immutable Storage).

  • For high availability of your critical backups, it is highly recommended to use geo-redundancy. For Azure Storage accounts there are two options, Geo-zone-redundant storage (GZRS) and Geo-redundant storage (GRS); see Change how a storage account is replicated. For Amazon S3 buckets there are two options, Cross-Region Replication (CRR) and Same-Region Replication (SRR); see Setting up replication.

  • To help identify immutable storage, a message appears below the selected container. If the container is immutable, the message states: Backups uploaded to an immutable storage container cannot be modified or deleted for a user-specified interval. By configuring immutability policies (in the Azure Portal or the AWS Management Console), you can protect your backups from overwrites and deletes.

  • The recommended minimum TLS version is 1.2.

NOTE

When an immutable S3 bucket is provisioned, it is important to enable default retention for newly placed objects, because immutability is not applied to new objects out of the box. There are two retention modes, which can be selected depending on project requirements:

Governance - Users with specific permissions, for example “s3:BypassGovernanceRetention”, can still delete data.

Compliance - No users can overwrite or delete data.

Once enabled, the setting will then apply to all files uploaded into the bucket.



User Scenario

Backup data for all domain controllers can be accumulated on primary storage, and at the same time you can make a copy of your backups on Cloud Storage. If disaster strikes, you could lose your backups on the primary (Tier 1) storage and even your installation of Recovery Manager for Active Directory, but your Cloud Storage will remain in place.

Adding Microsoft Azure Cloud Storage

To add Azure® Cloud Storage

Access to an Azure Cloud (Blob) Storage container is accomplished using a storage account connection string or a Shared Access Signature (SAS). A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. This can be done with an account level SAS or a container level SAS. With an account level SAS, you can see the list of containers for the given storage account. With a container level SAS, you can see only the selected container in the list of containers.


  1. In the Recovery Manager for Active Directory console, expand the Storage node and click the Cloud Storage node.

  2. Click the Add Storage button at the bottom of the Cloud Storage pane. The Add Cloud Storage dialog box appears.

  3. In the Storage Provider dropdown, select Azure Blob Storage.

  4. Type an identifying name in the Display Name field. This name is used in the Recovery Manager console for the registered Azure cloud storage account and selected container.

  5. To register cloud storage in Recovery Manager for Active Directory using a connection string, specify the storage account connection string in the Connection String or Shared Access Signature URI field. The connection string is protected and is not displayed.

    To retrieve your Azure® storage account connection string:

    • Log in to the Azure® portal.

    • Select your Storage account and navigate to Access keys under the Security + networking section.

    • Click on the Show button and copy the Connection string.

    • In the Recovery Manager for Active Directory console, paste the Connection string in the Connection String or Shared Access Signature URI.

  6. To register cloud storage in Recovery Manager for Active Directory using an account level SAS URI, specify the account level SAS URI in the Connection String or Shared Access Signature URI field. The SAS URI is protected and is not displayed.

    To generate an account level SAS URI for your Azure® storage account:

    • Log in to the Azure® portal.

    • Select your Storage account and navigate to Shared Access Signature under the Security + networking section.

    • Select all Allowed services.

    • Select all Allowed resource types.

    • Under Allowed permissions select Read, Write and List.

    • Optionally, enable Blob versioning permissions (not required for storage upload).

    • Optionally, enable Allowed blob index permissions (not required for storage upload).

    • Ensure the Start and expiry date/time is set to something other than the default 8 hours; otherwise your backups will fail when the Blob service SAS URL expires.

    • Click Generate SAS and connection string.

    • Copy the Blob service SAS URL.

    • In the Recovery Manager for Active Directory console, paste the Blob service SAS URL in the Connection String or Shared Access Signature URI.

  7. To register cloud storage in Recovery Manager for Active Directory using a container level SAS URI, specify the container level SAS URI in the Connection String or Shared Access Signature URI field. The SAS URI is protected and is not displayed.

    To generate a container level SAS URI for your Azure® storage account:

    • Log in to the Azure® portal.

    • Select your Storage Account and select Containers under the Data Storage Section.

    • Select the Container you require the container level SAS URI string for.

    • Navigate to Shared access tokens under Settings.

    • Select Read, Write and List permissions under the Permissions drop-down.

    • Ensure the Start and expiry date/time is set to something other than the default 8 hours; otherwise your backups will fail when the Blob SAS URL expires.

    • Click on the Generate SAS Token and URL button and copy the Blob SAS URL.

    • In the Recovery Manager for Active Directory console, paste the Blob SAS URL in the Connection String or Shared Access Signature URI.

  8. Select the Container. The available containers in the Azure® Cloud Storage are displayed in the drop-down list for the connected storage account. Containers protected with an immutability policy are displayed with (immutable) after the container name.

    Note: To validate the connection to the correct Azure® storage account, compare the available containers in the drop-down field on the Add Cloud Storage dialog with the containers created in the Azure® portal. In the Azure® portal, the Containers are listed under Data storage. RMAD supports containers only. If a storage account has no containers, the dialog box prompts you to create at least one container in the Azure® Portal, or to specify a connection string to another storage account.

  9. Select one or more computer collections by selecting the checkbox by the computer collection name in the section Backups from selected collections will be copied to the cloud storage.

    Once a backup is created, the Active Directory® and BMR backups on primary storage (Tier 1) are copied to the registered and configured cloud storage container (Tier 2).

  10. Click OK.
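As an added example (not part of this guide or of the product), the following Python function checks a SAS URL generated in step 6 or 7 before it is pasted into the console: it distinguishes an account level SAS from a container level SAS, confirms the Read, Write and List permissions, flags anything broader, and warns when the expiry is shorter than an assumed 30-day threshold (the guide only says the default 8 hours is too short). The storage account name, container name and sig values in the sample URLs are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit
REQUIRED = {"r", "w", "l"}  # permissions the steps above select: Read, Write, List

def utc(stamp):
    """Parse an ISO 8601 timestamp as used in the SAS st/se parameters (Z = UTC)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def parse_sas(url):
    """Return the SAS URL's query parameters as a flat dict (first value each)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def check_sas(url, now, min_validity=timedelta(days=30)):
    """List problems that would make this SAS fail or over-privilege uploads; empty = OK.
    min_validity is an assumed threshold (the guide only says 8 hours is too short)."""
    p, problems = parse_sas(url), []
    # Account-level SAS carries ss (services) and srt (resource types);
    # a container-level SAS instead carries sr=c (signed resource = container).
    if "ss" in p and "srt" in p:
        if "b" not in p["ss"]:
            problems.append("account SAS does not include the Blob service (ss lacks 'b')")
        if not {"s", "c", "o"} <= set(p["srt"]):
            problems.append("account SAS must allow all resource types (srt=sco)")
    elif p.get("sr") != "c":
        problems.append("neither an account SAS (ss+srt) nor a container SAS (sr=c)")
    granted = set(p.get("sp", ""))
    if REQUIRED - granted:
        problems.append("missing permissions: " + "".join(sorted(REQUIRED - granted)))
    if granted - REQUIRED:
        problems.append("broader than required: " + "".join(sorted(granted - REQUIRED)))
    if "se" not in p:
        problems.append("no expiry (se) parameter")
    elif utc(p["se"]) <= now:
        problems.append("SAS has already expired")
    elif utc(p["se"]) - now < min_validity:
        problems.append(f"SAS expires in {utc(p['se']) - now}; uploads will fail after that")
    if p.get("spr") != "https":  # no spr means plain HTTP is accepted too
        problems.append("SAS not restricted to HTTPS (spr=https)")
    return problems

# Constructed sample URLs; the sig values are placeholders, not real signatures.
ACCOUNT_SAS = ("https://examplestorage.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco"
               "&sp=rwl&st=2024-01-01T00:00:00Z&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
CONTAINER_SAS = ("https://examplestorage.blob.core.windows.net/rmad-backups?sv=2022-11-02&sr=c"
                 "&sp=rwdl&st=2024-01-01T00:00:00Z&se=2024-01-01T08:00:00Z&sig=PLACEHOLDER")

if __name__ == "__main__":
    for name, url in (("account SAS", ACCOUNT_SAS), ("container SAS", CONTAINER_SAS)):
        print(name, check_sas(url, datetime.now(timezone.utc)) or "OK")
```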

NOTE

If Email is configured, email notifications are sent for both failed and successful upload sessions to Cloud Storage. If the Send notification upon errors or warnings only setting is selected, a notification is sent only if the backup failed.

Adding Amazon Web Services (AWS) Cloud Storage

To add an Amazon Web Services® (AWS®) Cloud Storage

  1. In the Recovery Manager for Active Directory console, expand the Storage node and click the Cloud Storage node.

  2. Click the Add Storage button at the bottom of the Cloud Storage pane. The Add Cloud Storage dialog box appears.

  3. In the Storage Provider dropdown, select Amazon S3 Storage.

  4. Type an identifying name in the Display Name field. This name is used in the Recovery Manager console for the registered AWS® cloud storage account and selected bucket.

    Note: An AWS Identity and Access Management (IAM) user account will be needed in advance to create and finalize the AWS bucket location. See IAM Access Keys for more information.

    To create an IAM account:

    • Create an IAM user; see Creating an IAM user in your AWS account for details.

    • Create or add a policy for the IAM user created above that grants at least LIST and WRITE access to the S3 bucket where the RMAD backups are to be stored. This allows the account to see the intended bucket in the list and to write to that bucket, so that the account has only the minimum permissions necessary to perform the backups.

    • Note the user's access key ID and secret access key.

    Note: To manage an IAM account or to generate a new access key for an existing user account see Managing access keys for IAM users for more information.

  5. In the Access Key ID field, enter the ID for the AWS® Cloud Storage IAM account you are using. See Access Key ID and Secret Access Key for more details.

  6. In the Secret Key field, enter the secret access key for the AWS® Cloud Storage IAM account. See IAM Access Keys for more details.

  7. Select the Region. The available regions will be displayed in the drop down list for the connected storage account.

  8. Select the Container. The available buckets in the AWS® Cloud Storage are displayed in the drop-down list for the connected account. Buckets protected with an immutability policy are displayed with (immutable) after the bucket name.

  9. Select one or more computer collections by selecting the checkbox by the computer collection name in the section Backups from selected collections will be copied to the cloud storage.

    Once a backup is created, the Active Directory® and BMR backups on primary storage (Tier 1) are copied to the registered and configured cloud storage container (Tier 2).

  10. Click OK.
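To make the least-privilege policy from step 4 concrete, here is an added Python example (not from this guide or the product) that builds the minimal policy for a backup bucket and flags Allow statements that reach beyond it, including s3:BypassGovernanceRetention, which the NOTE under Best Practices names as a way to delete data under Governance-mode retention. The action names s3:ListBucket and s3:PutObject as the meaning of "LIST and WRITE", and the bucket name rmad-backups, are assumptions.

```python
import json

# Assumed minimum action set for "LIST and WRITE access" on the backup bucket;
# confirm against the product's own documentation before relying on it.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:PutObject"}

def minimal_backup_policy(bucket):
    """Least-privilege policy for an IAM user that only uploads RMAD backups."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS),
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": sorted(OBJECT_ACTIONS),
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def _as_list(value):  # IAM allows a single string or a list for Action/Resource
    return value if isinstance(value, list) else [value]

def overbroad_grants(policy, bucket):
    """Report Allow statements that go beyond the backup bucket or beyond list/write,
    e.g. wildcards or s3:BypassGovernanceRetention (deletes Governance-locked objects)."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in BUCKET_ACTIONS | OBJECT_ACTIONS:
                findings.append(f"statement {i}: {action} is not needed for backup upload")
        for res in _as_list(st.get("Resource", [])):
            if res not in in_scope:
                findings.append(f"statement {i}: resource {res} is outside the backup bucket")
    return findings

# Constructed example of a policy that is too broad for the backup user.
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:PutObject", "s3:BypassGovernanceRetention"],
     "Resource": ["arn:aws:s3:::rmad-backups", "arn:aws:s3:::rmad-backups/*"]},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}

if __name__ == "__main__":
    print(json.dumps(minimal_backup_policy("rmad-backups"), indent=2))
    print(*overbroad_grants(OVERBROAD, "rmad-backups"), sep="\n")
```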

NOTE

If Email is configured, email notifications are sent for both failed and successful upload sessions to Cloud Storage. If the Send notification upon errors or warnings only setting is selected, a notification is sent only if the backup failed.

Viewing Registered Cloud Storage

To view all registered Cloud Storage in Recovery Manager for Active Directory

  1. In the Recovery Manager for Active Directory console, expand the Storage node.

  2. Select the Cloud Storage node in the console tree.

  3. All registered cloud storage is displayed in the Cloud Storage pane, showing the storage name, the assigned storage container or bucket, all associated computer collections, the storage type, and an indicator of whether upload sessions succeeded or failed.




To export a list of all registered Cloud Storage to a text file

  1. In the Recovery Manager for Active Directory console, expand the Storage node, then right-click the Cloud Storage node.

  2. In the menu that appears, click Export Servers…

  3. In the Export storage servers dialog, select a location to save the file, enter a file name, and click Save.

 
