Recovery Manager for AD Disaster Recovery Edition 10.3.1 - User Guide


Recovering read-only domain controllers (RODCs)

Recovery Manager for Active Directory supports recovering read-only domain controllers (RODCs) from backups.

The full list of recovery methods that can be applied to the RODCs in your recovery project:

  • Restore SYSVOL

    This method allows you to perform a non-authoritative restore of RODCs.

  • Reinstall Active Directory or Reinstall Active Directory from Media on the RODCs

  • Install Active Directory or Install Active Directory from Media on the RODCs

  • Uninstall Active Directory from the RODCs.

  • Do not recover the RODCs.

To recover a read-only DC, select the Install the domain controller as a read-only option on the General tab for the Install Active Directory (with IFM option) or Reinstall Active Directory (with IFM option) method in Forest Recovery Console. A read-only DC can be installed only by using a backup created from the RODC.
Depending on whether this option is selected, you can choose only backups whose DC Type corresponds to the type of domain controller (ReadOnly, Writable).

Note

The DC Type of backups that were created in version 10.0 or earlier and were registered manually is shown as Unknown. Such backups can only be selected manually, and the user must make sure that the type of domain controller being restored matches the type of domain controller for which the backup was created; otherwise, recovery of the domain controller will fail.

 

Checking forest health

The Forest Recovery Console provides a tool that allows you to check the health of your forest. You can use the tool to run tests to ensure that domain controllers, Active Directory® replication, domain trusts, user authentication, RID Master, and global catalog are working properly in your Active Directory® forest.

The Forest Recovery Console automatically prompts you to check the forest health after the forest recovery has succeeded, so that you can ensure the forest works exactly the way you want. If necessary, you can manually run a health check on your forest at any time before or after the forest recovery operation.

NOTE

Recovery Manager for Active Directory uses the domain controller access credentials to perform the forest health checks. Make sure that the credentials are valid. For more details, see the General tab section.

What does Recovery Manager for Active Directory check?

Domain controllers

  • Verifies that every domain controller in a forest is accessible and running using the LDAP bind request to the directory root (RootDSE) of a domain controller.

  • Checks that Forest Recovery Agents are installed on domain controllers and accessible using the RPC call to get information about agents and domain controller states.

Active Directory replication

  • Forces the replication for one random object on every replication partner for every partition of a domain controller using the replicateSingleObject operation.

Domain trusts

  • Checks that all trust relationships between domains configured in Active Directory forest are fully established.

User authentication; RID Master and GC operation

  • Verifies that a user account is created in the default or specified container on each domain controller. Then, LDAP authentication is performed using this account to check that the Global Catalog server is available for the domain controller.

To run a forest health check

  1. Open your recovery project.

  2. In the Forest Recovery Console, from the main menu, select Tools | Diagnose | Check Forest Health.

  3. In the dialog box that opens, on the Settings tab, select the check boxes next to the items whose health you want to check.

  4. When finished, click the Check Health button.

When the check health operation completes, use the Details tab to view information about the health of the selected items.

If you select the User authentication; RID Master and GC operation option on the Settings tab, you can specify a container for the test user account on the domain controller.

For the list of required permissions, see Recovery Manager .

To specify a container for the test user account

  1. Close the Forest Recovery console.

  2. Open the project (.frproj) file that was created by the Console and edit the '<Domains>' section, as shown in the following example.

You can specify different containers for different domains.

<Domains>
  <Domain DomainName="rmad.local" HealthCheckContainer="OU=test1" />
  <Domain DomainName="second.rmad.local" HealthCheckContainer="OU=test2" />
</Domains>

To specify the same container for different domains, you can use the asterisk wildcard (*), for example:

<Domains>
  <Domain DomainName="*" HealthCheckContainer="OU=test1" />
</Domains>

You should specify the relative container distinguished name for the HealthCheckContainer attribute. For example, if the full DN of the container is OU=test1,DC=rmad,DC=local, specify the DN name as OU=test1.
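
To check an edited '<Domains>' section before reopening the project, a script along the following lines can be used. This is an added example, not part of the product or its documentation: the function name Test-HealthCheckContainer and the sample fragment are constructed, and it assumes the section is passed in as a standalone XML fragment without namespaces.

```powershell
# Constructed sample: only the <Domains> fragment described in this guide.
# The second entry deliberately uses a full DN, which the guide says not to do.
$sample = @'
<Domains>
  <Domain DomainName="rmad.local" HealthCheckContainer="OU=test1" />
  <Domain DomainName="second.rmad.local" HealthCheckContainer="OU=test2,DC=second,DC=rmad,DC=local" />
  <Domain DomainName="*" HealthCheckContainer="OU=test1" />
</Domains>
'@

function Test-HealthCheckContainer {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$DomainsXml)

    # A typographic quote or other malformed markup makes the cast throw,
    # so the problem is reported before the file is handed back to the console.
    try { $doc = [xml]$DomainsXml }
    catch { throw "Domains section is not well-formed XML: $($_.Exception.Message)" }

    foreach ($d in $doc.SelectNodes('//Domain')) {
        $name      = $d.GetAttribute('DomainName')
        $container = $d.GetAttribute('HealthCheckContainer')

        # Relative DN only: no DC= component may appear in the value.
        $isRelative = $container -and ($container -notmatch '(^|,)\s*DC\s*=')

        # For a named domain, derive the full DN the relative value maps to
        # (rmad.local -> DC=rmad,DC=local). A wildcard entry has no single DN.
        $fullDn = $null
        if ($isRelative -and $name -ne '*') {
            $dcPart = ($name.Split('.') | ForEach-Object { "DC=$_" }) -join ','
            $fullDn = "$container,$dcPart"
        }

        [pscustomobject]@{
            DomainName = $name
            Container  = $container
            IsRelative = [bool]$isRelative
            FullDN     = $fullDn
        }
    }
}

Test-HealthCheckContainer -DomainsXml $sample | Format-Table -AutoSize
```

Entries reported with IsRelative set to False need to be shortened to the relative form before the project is opened again; the FullDN column shows which container the test user account will be created in for each named domain.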

 

Collecting diagnostic data for technical support

There may be a situation where technical support requests you to gather and supply diagnostic data from your computer collection. For this purpose, you can use a special tool provided in the Forest Recovery Console called Diagnostic Data Collector.

NOTE

From version 8.7, the diagnostic data can be collected for the Recovery Manager Console as well.

When gathering diagnostic data, the Diagnostic Data Collector collects the following:

  • From Forest Recovery Console machine

    • Collects the data saved in the current Recovery Project (.frproj) file, except for the passwords stored in that file.

    • Collects the Forest Recovery Console log

    • Collects the Recovery Manager for Active Directory event logs

    • .db3 database files

    • Recovery Manager for Active Directory

  • From Domain Controller

    • Collects Backup and Restore agent logs

    • Collects system event logs

    • Windows debug logs

    • Runs Microsoft Netdiag, Dcdiag, Nltest, MsInfo32 and Repadmin tools (in diagnostic mode only), and then collects the output provided by these tools. The tools are started by Collectdcdata.cmd and you can modify the list of collected logs.

To gather diagnostic data for your recovery project by using the Diagnostic Data Collector, you need to complete the following steps:

  • Step 1: Use Diagnostic Data Collector to automatically gather data. In this step, you use the Diagnostic Data Collector to automatically gather diagnostic data from each domain controller in your recovery project and save the data to the folder you specify. You can perform this step regardless of whether or not a recovery operation is currently running on the recovery project. If this step completes successfully for all domain controllers, Step 2 is not needed.

  • Step 2: Gather remaining data manually. You need to perform this step only for those domain controllers from which you could not successfully collect data in Step 1. In Step 2, you copy several files supplied with Recovery Manager for Active Directory to the target domain controller, and then run one of the copied files. As a result, diagnostic data is collected from the domain controller and saved to a new folder created in the location from which you ran the file.

Technical Note

There have been some changes in the way data is collected from domain controllers.

The log collector now first attempts to connect to the forest recovery agent, and if it's available, the log collector uses RPC to send a request to collect data, and then RPC pipes to retrieve the collected files from the domain controller back to the console. If a recovery agent is not available, the log collector uses the original approach of deploying a separate log collector service on a domain controller and using a network share to copy the collected files from the domain controller to the console.

By default, the log collector uses certificate-based SCHANNEL authentication, so no credentials are required to communicate with the forest recovery agent. If for any reason the SCHANNEL authentication between the console and the forest recovery agent is broken (for example, the certificate is missing), it will use NEGOTIATE authentication with the credentials provided in the Collect diagnostic data dialog. If no credentials are specified, the log collector will use the credentials from the General tab (both normal mode credentials and DSRM credentials).


The next sections provide instructions on how to complete each of these steps.

 

Step 1: Use Diagnostic Data Collector to automatically gather data

To automatically gather diagnostic data

  1. In the Forest Recovery Console, open the recovery project for which you want to collect diagnostic data.

  2. Make sure you specify credentials to access each domain controller in the project. To check whether you specified access credentials for a particular domain controller, do the following:

    • Select that domain controller in the list of domain controllers.

    • Open the General tab.

    • Make sure you specify the correct credentials in the Domain Controller Access option.

    The Forest Recovery Console will use the specified credentials to access the domain controller and gather diagnostic data from it.

  3. From the menu bar, select Tools | Diagnose | Collect Diagnostic Data.

  4. Use the Drop folder text box to specify the local or UNC path to the folder where you want to save the diagnostic data to be collected. The collected data is saved to a .zip file, for example, CollectedLogs_10_20_2015 07_23_25.zip.

  5. You can change the credentials for accessing the domain controllers that were specified in step 2.

  6. Select the Delete collected logs from domain controllers option to delete collected RMAD\RMADFE logs from domain controllers.

  7. Click the Collect button and wait for the operation to complete.

If you successfully collected data from all the domain controllers in this step, you can submit the .zip file to Quest® technical support. Otherwise, complete Step 2: Gather remaining data manually.

 
