Chat now with support
Chat mit Support

Recovery Manager for AD Forest Edition 10.2.2 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Using Management Shell Creating virtual test environments Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Using Managed Service Accounts

Recovery Manager for Active Directory (RMAD) supports MSA/gMSA accounts for:

  • Scheduled backups - the account can be specified for scheduled tasks in the Computer Collection properties on the Schedule tab or in Task Scheduler.

  • Scheduled replication tasks (Fault Tolerance)

  • Scheduled verification of a Forest Recovery project

MSA/gMSA account requirements:

  • You can use Managed Service Account (in Windows Server® 2008 or higher) or Group Managed Service Account (in Windows Server® 2012 or higher).

  • Add the $ character at the end of the account name (e.g. domain\computername$) and leave the Password field blank.

  • The MSA/gMSA account must be a member of the local Administrator group on the RMAD machine.

How to create a Group Managed Service Accounts (gMSA)

Although the following instructions will configure gMSA accounts in your Active Directory® Forest, we recommend you first review the Microsoft® article: Getting Started with Group Managed Service Accounts

Note

Even with the -EffectiveImmediately switch shown below, you must wait 10 hours after issuing this command before continuing. This ensures that the key has replicated throughout the domain so that all domain controllers can generate a password for your gMSA account.

  1. If you have never used gMSA accounts before, you must prepare Active Directory® by creating a KDS Root Key with one of the following PowerShell® commands on a domain controller:

    In production, issue the command:

    Add-KdsRootKey -EffectiveImmediately

    In a test lab with minimal domain controllers, it’s safe to issue this command:

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

    Run this command once in each Domain of the Forest.

    NOTE: For more information, see Create the Key Distribution Services KDS Root Key and this Microsoft Blog post.

  2. (Optional) If you plan to use the same gMSA account on more than one host (for example, you have more than one RMAD server), then it may be easier to create a group for the hosts you plan to use it on. We suggest a Domain-Local Security group for this purpose. The following PowerShell® commands will create the group in the default Users container, then add your RMAD server as a member:

    Add-ADGroupMember -Identity <GroupName> -Members <RMADServer$>

    Repeat the command above for each RMAD server you want to use the gMSA account.

    NOTE: If you use a group, then you must either restart the host(s) you added as members or run the command klist purge –li 0x3e7 on each host before performing step 4 below. This is to refresh the computer’s Kerberos ticket so it will include the new group SID in its NT Token.

  3. Create the gMSA account using the following PowerShell command:

    New-ADServiceAccount -Name <gMSAName> -DNSHost <gMSAName.domain> -PrincipalsAllowedToRetrieveManagedPassword <AccountName>

    Where:

    • <gMSAName> is the name of your gMSA account. For example: “gMSABackup”

    • <gMSAName.domain> is the gMSA account followed by the domain. For example: “gMSABackup.contoso.com”

    • <AccountName> is either <RMADServer$>, or the group name you created in step 2 above.

  4. After the gMSA account is created, you must install it on each host it will be used on (for example; on your RMAD server). Do this by running the following PowerShell® command on each host:

    Install-ADServiceAccount -Identity <gMSAName>

  5. (Optional) You can test that the gMSA account can be used by running the following PowerShell® command on each host where you installed the gMSA account:

    Test-ADServiceAccount <gMSAName>

    A result of True shows the gMSA account is ready to be used.

What are the steps to configure a gMSA account for use as the backup agent account using the minimum permissions model?

  1. Create а gMSA account and associate its principal with the computer accounts of the member hosts. If you want to manage the service host permission to use a gMSA account by a security group, you can associate the account principal with a security group. And then assign the RMAD server(s) machine accounts as members of the linked security group.

  2. Create the Active Directory® group RMAD Backup Operators and add the gMSA account to this group directly.

  3. If using pre-installed agents, uninstall and reinstall the agents. This is required to populate the RMAD Backup Operators group SID locally on the DCs.

  4. Configure the collection properties to set the backup agent access account. When entering the gMSA credentials, input the username as "domain\gMSA$", where gMSA is the service account login name followed by the $ sign, and leave the password fields blank.

Take consideration that some items are not possible to configure when using the minimum permissions group, such as "Ensure Forest Recovery Agent is deployed". This setting requires that you have DC Administrator access, and access to the admin$ share. If you want to have this set up, the gMSA account will need to be a member of Domain Admins, instead of RMAD Backup Operators.

For more details, see Getting Started with Group Managed Service Accounts.

 

Active Directory backups vs Windows System State backups

The Active Directory and Windows System State backups are very similar. The key components that Recovery Manager for Active Directory (RMAD) backs up as part of the AD system state are the Registry, the NTDS.dit file, and SYSVOL.

What differences do they have?

  • Windows System State backup is a full backup of the Windows operating system; Active Directory® backup contains only pieces of Active Directory® that allow you to restore the domain controller on a clean operating system.

  • Windows System State backups contain more components - not all of these components are necessary for Active Directory recovery, e.g. IIS Metabase, Cluster Services, etc.

  • Windows System State backup may contain viruses in the components of the operating system.

  • Windows System State backups are larger than Active Directory® backups.

For the list of Windows System State backup components, see Microsoft documentation.

RMAD enables the backup and restoration of the following Active Directory® components on domain controllers:

  • DIT Database

  • SYSVOL

  • Registry, including all registry hives and the file NTUSER.DAT

RMAD Disaster Recovery Edition also supports Bare Metal Recovery (BMR) backups. With BMR backups, you can completely rebuild the server if necessary.

 

Creating BMR and Active Directory backups

Recovery Manager for Active Directory (RMAD) allows you to create backups of system-specific data known as the Active Directory® and BMR backups. Note that RMAD creates Active Directory® backups for Active Directory® domain controllers only.

NOTE

If you are going to store backups on the Recovery Manager Console machine, check that the Administrative Share "DriveLetter$" exists and is accessible on this host. Otherwise, the backup operation will fail. For more information, see Installing Backup Agent automatically.

You can use Computer Collections to create backups for multiple computers. For more information, see Using Computer Collections.

 

Creating Active Directory backup

NOTE

When the backup is triggered and any specified backup path is not available, no backup is created, neither in the remote storage nor in the local storage. The backup creation session will fail.

To create backups of all computers in a Computer Collection
  1. In the console tree, select a Computer Collection, and then click Create Backup on the Action menu.

  2. If prompted, confirm the operation.

You can also use the Backup Wizard to start a backup job:

  1. In the console tree, click the root node, and then click Create Backup on the Action menu.

  2. Follow the instructions in the Backup Wizard.

  3. On the When to Back Up page click Now, and then click Next.

  4. Click Advanced to view backup options. You can modify the options as needed. When finished, click OK to close the Properties dialog box.

  5. Click Finish to start the backup job.

Note

By default, the wizard uses the default settings. You can view and modify the default settings using the Collection Defaults command that appears on the Action menu when you select the Computer Collections node in the console tree.

With the Backup Wizard, backup jobs can be scheduled to run at a specific time. For more information, see Scheduling backup creation subsection of Task scheduler overview.

While a backup job is running, you can examine the progress of the operation and, if needed, stop the backup job. After a backup job is completed, you can view backup creation results:

  1. In the console tree, click Sessions.

  2. In the details pane, click the backup-creation session, and then click Properties on the Action menu.

  3. In the Properties dialog box, click the Progress tab, and examine the displayed information.

  4. By clicking Abort on the Progress tab, you can stop the selected session.

 

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen