Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Recovery Manager for AD Disaster Recovery Edition 10.1.1 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Restore Active Directory on Clean OS Bare metal forest recovery Using Management Shell Creating virtual test environments Using Recovery Manager for Active Directory web portal Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory Descriptions of PowerShell commands
Add-RMADBackup Add-RMADCollectionItem Add-RMADFEComputer Add-RMADReplicationConsole Add-RMADStorageServer Backup-RMADCollection Close-RMADFEProject Compare-RMADObject Convert-RMADBackup ConvertTo-RMADRecycledObject Create-RMADStorageManagementAgentSetup Expand-RMADBackup Export-RMADBackup Export-RMADFERecoveryCertificate Export-RMADFEResult Get-RMADBackup Get-RMADBackupAgent Get-RMADBackupInfo Get-RMADBackupObject Get-RMADBackupSecurityStatus Get-RMADCollection Get-RMADCollectionItem Get-RMADDeletedObject Get-RMADFEComputer Get-RMADFEConsole Get-RMADFEDnsCache Get-RMADFEDomain Get-RMADFEEvent Get-RMADFEGlobalOptions Get-RMADFEOperation Get-RMADFEPersistenceConnection Get-RMADFEProject Get-RMADFERecoveryAgent Get-RMADFESchedule Get-RMADGlobalOptions Get-RMADLicenseInfo Get-RMADObject Get-RMADReplicationConsole Get-RMADReplicationSchedule Get-RMADReplicationSession Get-RMADReplicationSessionItem Get-RMADReportObject Get-RMADReportObjectAttributes Get-RMADReportObjectChildren Get-RMADReportSession Get-RMADSession Get-RMADSessionItem Get-RMADSessionItemEvent Get-RMADStorageServers Import-RMADBackup Import-RMADFERecoveryCertificate Install-RMADBackupAgent Install-RMADFERecoveryAgent New-RMADCollection New-RMADFEProject New-RMADFERecoveryMedia New-RMADSchedule Open-RMADFEProject Publish-RMADBackupSecurityStatus Remove-RMADBackup Remove-RMADBackupAgent Remove-RMADCollection Remove-RMADCollectionItem Remove-RMADFEComputer Remove-RMADFERecoveryAgent Remove-RMADFESchedule Remove-RMADReplicationConsole Remove-RMADReplicationSchedule Remove-RMADReplicationSession Remove-RMADStorageServer Remove-RMADUnpackedComponent Rename-RMADCollection Restore-RMADDeletedObject Restore-RMADDomainController Restore-RMADObject Resume-RMADFERecovery Save-RMADFEProject Set-RMADCollection Set-RMADFEComputer Set-RMADFEDnsCache Set-RMADFEDomain Set-RMADFEGlobalOptions Set-RMADFEPersistenceConnection Set-RMADFERecoveryMode Set-RMADFESchedule Set-RMADGlobalOptions Set-RMADReplicationConsole Set-RMADReplicationSchedule Start-RMADFERecovery Start-RMADFEVerification Start-RMADReplication Start-RMADReportViewer Stop-RMADFEWorkflow Update-RMADBackupAgent Update-RMADFEProject Update-RMADLicense

Uninstalling Backup Agent

You can use the Recovery Manager Console to uninstall Backup Agent preinstalled on a computer added to a Computer Collection. You can only perform this operation on discovered instances of the Backup Agent. For more information, see Discovering preinstalled Backup Agent.

To uninstall Backup Agent
  1. In the Recovery Manager Console tree, select the Backup Agent Management node.

  2. In the right pane, right-click the computer from which you want to uninstall Backup Agent.

  3. From the shortcut menu, select Uninstall Backup Agent and wait for the uninstall operation to complete.

After the uninstallation operation completes, Recovery Manager for Active Directory removes the uninstalled Backup Agent entry from the list in the Backup Agent Management node.

 

Removing a Backup Agent entry from the Backup Agent Management node

You can selectively remove Backup Agent entries from the list provided in the Backup Agent Management node. Removing a Backup Agent entry from that list does not affect the corresponding preinstalled agent instance in any way. Rather, it removes the agent’s registration information from the Recovery Manager Console.

You may want remove a Backup Agent entry from the list when, for example, you have uninstalled the corresponding Backup Agent instance from the computer without using the Recovery Manager Console, and the agent entry remained in the Backup Agent Management node.

To remove a Backup Agent entry
  1. In the Recovery Manager Console tree, select the Backup Agent Management node.

  2. In the right pane, right-click the Backup Agent entry you want to remove from the list.

  3. From the shortcut menu, select Remove from List.

 

Using a least-privileged user account to back up data

You can configure Recovery Manager for Active Directory to back up data in an Active Directory domain under a least-privileged user account. A least-privileged user account is an account that has no other permissions except for those required to back up data with Recovery Manager for Active Directory.

Using a least-privileged account to back up Active Directory offers greater protection from unwanted changes to your Active Directory environment, security attacks, or unsolicited access to sensitive documents or settings.

To run backup operations under a least-privileged user account, in the domain you want to back up, create an Active Directory group named RMAD Backup Operators. Add the least-privileged user account you want to that group, and then preinstall the Backup Agent in the domain. As a result, members of the RMAD Backup Operators group are automatically granted the necessary permissions to back up data in the domain with Recovery Manager for Active Directory.

To use a least-privileged user account for backup operations
  1. In the Active Directory domain you want to back up, create a new Active Directory group with the following name: RMAD Backup Operators

  2. To the RMAD Backup Operators group, add the least-privileged user account under which you want to back up the domain.

  3. On the domain controllers you want to back up, preinstall the Backup Agent version supplied with this release of Recovery Manager for Active Directory.

    Make sure you first create the RMAD Backup Operators group, and then install the Backup Agent in the domain. During its installation, the agent locates that group and saves the group SID in the registry. Then the Backup Agent uses this group SID to check that the user account is a member of the RMAD Backup Operators group.

    If the Backup Agent supplied with this release is already preinstalled, you can repair the agent’s installation so that the agent could locate the RMAD Backup Operators group.

  4. Add the domain controllers on which you preinstalled the Backup Agent to a new Computer Collection.

  5. In the Computer Collection properties, on the Agent Settings tab, do the following:

    • Specify to access the Backup Agent with the least-privileged account you have added to the RMAD Backup Operators group.

    • Select the check box to use preinstalled Backup Agent. For more information, see Agent Settings tab subsection in Properties for an existing Computer Collection.

  6. Back up the Computer Collection.

 

Using Managed Service Accounts

Recovery Manager for Active Directory supports MSA/gMSA accounts for:

  • Scheduled backups - the account can be specified for scheduled tasks in the Computer Collection properties on the Schedule tab or in Task Scheduler.

  • Scheduled replication tasks (Fault Tolerance)

  • Scheduled verification of a Forest Recovery project

  • The Recovery Manager Portal can be run under the MSA/gMSA account. During the Recovery Manager Portal installation, specify the MSA/gMSA on the Specify Web Site Settings step of the wizard.

MSA/gMSA account requirements:

  • You can use Managed Service Account (in Windows Server 2008 or higher) or Group Managed Service Account (in Windows Server 2012 or higher).

  • Add the $ character at the end of the account name (e.g. domain\computername$) and leave the Password field blank.

  • The MSA/gMSA account must be a member of the local Administrator group on the Recovery Manager for Active Directory machine.

  • For more details about account requirements and limitations related to Recovery Manager Portal, see the Install or uninstall Recovery Manager Portal section in Permissions required to use Recovery Manager for Active Directory.

How to create a Group Managed Service Accounts (gMSA)

  1. Create a gMSA account in Active Directory using the following command: New-ADServiceAccount -name @<gMSA account name> -DNSHostName @<DNS host name>

  2. Run Install-AdServiceAccount @<gMSA account name> on each host where you are going to use this gMSA account.

What are the steps to configure a gMSA account for use as the backup agent account using the minimum permissions model?

  1. Create а gMSA and associate its principal with the computer accounts of the member hosts. If you want to manage the service host permission to use a gMSA account by a security group, you can associate the account principal with a security group. And then assign the Recovery Manager for Active Directory server(s) machine accounts as members of the linked security group.

  2. Create the Active Directory group RMAD Backup Operators and add the gMSA account to this group directly.

  3. If using pre-installed agents, uninstall and reinstall the agents. This is required to populate the RMAD Backup Operators group SID locally on the DCs.

  4. Configure the collection properties to set the backup agent access account. When entering the gMSA credentials, input the username as "domain\gMSA$", where gMSA is the service account login name followed by the $ sign, and leave the password fields blank.

Take consideration that some items are not possible to configure when using the minimum permissions group, such as "Ensure Forest Recovery Agent is deployed".
This setting requires that you have DC Administrator access, and access to the admin$ share.
If you want to have this set up, the gMSA will need to be a member of Domain Admins, instead of RMAD Backup Operators.

For more details, see https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts.

 

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation