Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Recovery Manager for AD Forest Edition 10.3 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Using Management Shell Creating virtual test environments Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Descriptions of recovery or verification steps

The next table describes the steps you may encounter in the Recovery Plan or on the Progress tab in the Forest Recovery Console while running a restore or verify settings operation. Some steps are applicable only to Recovery Manager for Active Directory Disaster Recovery Edition.

ID Name Description
EnableGC Add global catalog Adds the global catalog to the DC if:
- The global catalog was removed from DC during recovery.
- The recovery project settings specify to rebuild the global catalog.
If no global catalog servers were successfully restored from backup, the global catalog is added to the DC that was assigned the Schema Master role during the recovery.
AdjustAd Adjust to Active Directory changes Tries to perform the following operations to avoid rebuilding of Global Catalog:
- Removes lingering objects from non-recovering domains
- Unhost\Rehost the recovered domain partitions from non-recovering domains if the previous operation has failed

If all previous operations were unsuccesfull, rebuilds Global Catalog.
BootTargetHost Boot target machine using Quest Recovery Environment image Boot target machine using Quest® Recovery Environment image.
BringDisksOnline Bring all disks online Makes all disks on the recovered domain controller online.
UpdateGCPartitionOccupancyLevel Change global catalog partition occupancy level Sets the appropriate global catalog partition occupancy level to advertise the global catalog servers in DNS according to the recovery project settings.
CheckADInstallationPath Check AD installation paths Checks whether the specified "DIT database path", "Log files path" and "SYSVOL path" are available.
CheckBackupIntegrity Check backup integrity Checks the consistency between the backup data and the checksum in the specified backup file.
ValidateSecondStage Check domain controller recovery settings Checks that Active Directory® backup is newer than Windows backup.
CheckFreeSpace Check free space Checks whether there is a sufficient amount of free disk space on the DC to accommodate the backup file and perform the recovery operation.
CheckBackupAccess Check if backup is available Checks that the backup file specified in the DC recovery settings is accessible.
GetEncryptableVolumes Check if BitLocker is enabled Checks whether BitLocker® Drive Encryption is enabled on the domain controller.
Gets the BitLocker® configuration if BitLocker® is enabled.
EnsureComputerIsDc Check if computer is a domain controller Checks if the computer is a domain controller to ensure that restore from backup is possible.
EnsureComputerIsNotDc Check if computer is not a domain controller Checks if a computer is a standalone server to ensure that Active Directory® can be installed.
If a target computer was not explicitly specified in the project settings, then the source domain controller (Source DC) will be used to verify the project against.
If the project is verified against the "Source DC" a warning message will be displayed.
Attempting to perform a restore operation while targeting the "Source DC" will result in an error.
EnsureRodcIsNotRecovering Check if domain controller is read-only Checks whether the DC is read-only (RODC).
EnsureTargetHostBootIsRequired Check if machine is booted from Quest Recovery Environment image Checks if the machine is booted from Quest® Recovery Environment image.
CheckLogicalDiskConfiguration Check logical disks configuration Checks whether the specified "DIT database path", "Log files path" and "SYSVOL path" point to the existing logical disks on the target server.
CheckOSVersion Check operating system version Checks that the target machine has the same Operating System as the backed-up domain controller.
CheckTargetHardware Check that hardware and firmware of the target machine are compatible with the backup Checks that hardware and firmware of the target machine are compatible with the backup.
ValidateTargetAddress Check whether the automatically selected IP address is not in use Checks if the target IP address does not have conflicts with other DCs.
DnsCleanup Clean up DNS records of removed domain controllers Removes DNS resource records of all domain controllers that were not restored from backup.
This includes the domain controllers whose restore from backup has failed.
RemoveUnrecoveredDomains Clean up metadata for domains that were not restored if necessary Cleans up metadata of the domains in which no DCs were successfully restored from backup or for which you specified to not recover any DCs.
RemoveUnrecoveredDc Clean up metadata of removed domain controllers Removes metadata of all domain controllers that were not restored from backup.
This includes the domain controllers whose restore from backup has failed and those for which a recovery method other than "Restore from backup" has been selected.
RestoreDnsRelations Configure DNS server Updates DNS server delegation and forwarding in accordance with the new IP address of a target machine.
When Active Directory-integrated DNS is used, Recovery Manager for Active Directory® restores DNS Servers from a backup and checks if there are any DNS Servers in different DNS zones.
If there are such DNS servers, Recovery Manager for Active Directory® restores delegation and forwarding between domain DNS zones.
All restored DNS Servers from a particular domain will be configured as delegation and forwarding targets.
ScheduleAgentInstallation Configure Forest Recovery Agent on restored machine Deploys and configures Forest Recovery Agent on the recovered domain controller.
PrepareRestore Copy the backup file to domain controller If a backup was configured, then copies the backup file specified in the DC recovery settings to the DC. If there was no backup configured, this step will be skipped.
PrepareRestoreFromBackupIfThereIsOne Copy the backup file to domain controller, if there is one If a backup was configured, then copies the backup file specified in the DC recovery settings to the DC.
If there was no backup configured, this step will be skipped.
CreateVM Create virtual machine Creates a virtual machine.
DeleteInfrastructure Delete target infrastructure. Deletes target infrastructure.
The following Azure resources will be deleted:
- Network security group
- Virtual network
- Virtual network gateway
- Resource group
DeleteVM Delete virtual machine Deletes a virtual machine after verification.
GetBootMode Detect current boot mode Checks whether the computer is in the Normal mode or DSRM recovery mode.
DisableBitlocker Disable BitLocker Disables BitLocker® Drive Encryption if it is enabled on the domain controller.
DisablePasswordFilters Disable custom filters for passwords Disables any third-party custom password filters enabled on the DC.
This step is required to ensure the filters do not block any password reset operations during the recovery.
DisableWindowsModulesInstaller Disable Windows Modules Installer Disables Microsoft Windows Modules Installer on the DC for the duration of the recovery.
This prevents software updates from interrupting the restore process.
DisableWindowsUpdates Disable Windows Update Disables Microsoft Windows Update on the DC for the duration of the recovery.
EjectImageFromTargetHost Eject Quest Recovery Environment image Ejects Quest® Recovery Environment image.
EnableBitlocker Enable BitLocker Enables BitLocker® Drive Encryption if it was disabled on the domain controller earlier in the recovery process.
EnablePasswordFilters Enable custom filters for passwords Enables the third-party custom password filters that were disabled on the DC earlier in the recovery process.
DisableReplication Enable domain controller isolation Uses IPsec policies to restrict all traffic on the DC except:
- Network traffic to/from the Forest Recovery Console
- Incoming RDP traffic
- Incoming and outgoing ICMP traffic
- Incoming and outgoing DNS traffic
- File share access traffic
- Internal TCP traffic

This step does not delete any existing IPsec policies.
EnableGcCheck Enable the use of global catalog for user authentication Enables the use of the global catalog for user login validation.
EnableWindowsModulesInstaller Enable Windows Modules Installer Re-enables Microsoft Windows Modules Installer on the DC.
EnableWindowsUpdates Enable Windows Update Re-enables Microsoft Windows Update on the DC.
EnsureGcIsActivatedAndAvailable Ensure global catalog is available Performs all necessary operations to ensure a global catalog server is available in the forest and functioning properly.
ApplyGroupPolicy Ensure group policies are applied Updates group policies settings applied to the domain controller.
If necessary, restarts domain controller to execute boot time policies.
EnableReplication Ensure that domain controller isolation is disabled Disables any IPsec policies that were enabled during the recovery. Enables the IPsec policies that were in effect before the recovery started.
Sets certain additional parameters that require a DC that restarts and holds operations master roles to have successful AD DS replication with its known replica partners before it advertises itself as DC.
EnableReplicationForRODC Ensure that domain controller isolation is disabled (if DC is read-only) Disables any IPsec policies that were enabled during the recovery.
Enables any IPsec policies that were in effect before the recovery started.
EnsureAgentIsWorking Ensure that Forest Recovery Agent is installed and running Checks the installed version of the Forest Recovery Agent.
If necessary, installs the agent or upgrades it to the version supplied with the Forest Recovery Console you are using.
EnsureRecoveryMediaIsCreated Ensure that Quest Recovery Environment image is available Checks that the Quest® Recovery Environment image is created for the domain controller.
If it is not found, the recovery environment with corresponding settings will be created for the domain controller.
If the Quest® Recovery Environment network settings, third-party drivers, Recovery Agent, or communication keys are outdated, the Quest® Recovery Environment image file will be recreated.
EnsureDCHasSysvolShare Ensure that the SYSVOL share is available Checks that the SYSVOL share is available on the DC.
ExtractBackup Extract the backup file components Extract backup components data on the target server.
GetComputerInfo Get information about computer Collects the following information from the computer:
- IP addresses of all network adapters
- IP addresses of all DNS servers on all network adapters
- DNS names of all the FSMO role holders in the forest
- Installed Forest Recovery Agent version (if any)
- Current Windows Updates service startup mode
- Whether the computer is a DC, a member server or a stand-alone machine
- Whether the computer is a RODC
- Operating system version
- Current boot mode
GetComputerInfoFromBackup Get information about computer from backup Collects the following information from the backup:
- IP addresses of all network adapters
- IP addresses of all DNS servers on all network adapters
- DNS Zone detail
- Operating system version
- Active Directory installation paths
- Current Windows Updates service startup mode
GetReplicationInfo Get replication data from the DC Collects replication data from DC. The collected data will be used later to determine if lingering objects are present.
InstallAd Install Active Directory Domain Services Installs Active Directory® Domain Services (AD DS) on the computer and promotes it as a domain controller using domain and forest name of the original DC.
If necessary, renames computer to the name of the original DC prior to promotion.
Enables Global Catalog if the corresponding option is set in the DC recovery settings.
Restarts the computer after the AD DS installation completes.
InstallAdFromMedia Install Active Directory from media Installs Active Directory® Domain Services (AD DS) on the computer and promotes it as a domain controller using domain and forest name of the original DC, and the provided backup data.
If necessary, renames computer to the name of the original DC prior to promotion.
Enables Global Catalog if the corresponding option is set in the DC recovery settings.
Restarts the computer after the AD DS installation completes.
InvalidateRidPool Invalidate RID pool Invalidates the current RID pool.
This operation prevents the restored domain controller from re-issuing RIDs from the RID pool that was assigned at the time the backup was created.
ResetSYSVOL Mark the SYSVOL to be overridden by the primary SYSVOL Configures replication service to get proper SYSVOL files from authoritatively restored DC.
Disables the use of a global catalog for user login validation. This allows users other than the built-in Administrator to log on during the recovery.
PrepareInfrastructure Prepare target infrastructure. Prepare target infrastructure.
The following Azure resources will be created if required:
- Network security group
- Virtual network
- Virtual network gateway
RaiseRidPool Raise RID pool Raises the value of available RID pools by the value specified in the Forest Recovery Console configuration file (100,000 by default).
CollectRegistryInfo Reading original DC info from backup Reading an original DC logical disks configuration (paths to the DIT database and SYSVOL).
ReinstallAd Reinstall Active Directory Domain Services Demotes domain controller, then installs Active Directory® Domain Services and promotes it as a domain controller again using domain and forest name of the original DC.
Enables Global Catalog if the corresponding option is set in the DC recovery settings.
Restarts the computer after the AD DS installation completes.
ReinstallAdFromMedia Reinstall Active Directory from media Demotes domain controller, then installs Active Directory® Domain Services and promotes it as a domain controller again using domain and forest name of the original DC, and the provided backup data.
Enables Global Catalog if the corresponding option is set in the DC recovery settings.
Restarts the computer after the AD DS installation completes.
DisableGC Remove global catalog Removes the global catalog from DC if all of the following is true:
- The DC is a global catalog server
- You selected an option in the recovery project settings to rebuild the global catalog to ensure no lingering objects are present.
CleanupGcDataIfRequired Remove global catalog if necessary Removes the global catalog from DC if necessary, provided that the DC is a global catalog server.
CleanUp Remove temporary files Deletes the backup file from DC if the file was copied to the DC during the recovery.
InitialReplication Replicate FSMO role owners Replicates Active Directory® configuration:
- Recalculates replication topology with Knowledge Consistency Checker (KCC)
- Replicates FSMO role owners
- Replicates configuration naming context and waits until replication is completed at least for one partner
SetAccountPasswords Reset computer account passwords Resets computer account passwords twice to an automatically-generated value. The passwords are reset for the current DC and all other DCs in the project.
By default, the automatically-generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.
SetDsrmPassword Reset DSRM administrator password Resets the DSRM administrator password to the value specified in the DC recovery settings.
ResetAdminPwd Reset password for users in privileged groups Resets password for domain users in the privileged groups.
SetKrbtgtPassword Reset the Krbtgt password Resets the krbtgt password twice to an automatically-generated value to isolate domain controllers that were not recovered.
By default, the automatically-generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.
SetTrustPasswords Reset trust passwords Resets the trust passwords twice to a generated value.
By default, the automatically-generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.
This operation is performed for all implicit and explicit trusts between this domain and all other trusted domains in the forest. Trust passwords for any external trusts are not reset.
RebootDsrmAfterFullRestore Restart domain controller in DSRM Reboots recovered domain controller into Directory Services Restore Mode and resets the password for the domain administrator account.
RebootToDsrm Restart domain controller in DSRM Restarts the DC in DSRM.
RebootToDsrmIfRequired Restart domain controller in DSRM if necessary If DSRM is not the current mode, this step restarts the domain controller in DSRM and resets the DSRM password.
RebootToNormalModeAfterRestore Restart domain controller in normal mode Restarts the DC in normal mode.
Then, resets the user password to the value specified in the DC recovery settings.
This password reset is required to overwrite the old password restored from backup.
RebootToNormalMode Restart domain controller in normal mode Restarts the DC in normal mode for the changes to take effect.
When performing this step on a DC restored from backup, Recovery Manager for Active Directory® also resets the user password to the value specified in the DC recovery settings.
This password reset overwrites the old password restored from backup.
RebootToNormalModeIfRodc Restart domain controller in normal mode if necessary Checks if the domain controller is read-only (RODC). If so, restarts the RODC for changes to take effect.
Restore Restore data from backup Restores the Active Directory® database (.dit file), SYSVOL, and system registry entries from
the backup specified in the DC recovery settings.
Disables the use of a global catalog for user login validation. This allows users other than
the built-in Administrator to log on during the recovery.
RestoreFromBackupIfThereIsOne Restore data from backup, if there is one If a backup was configured, restore SYSVOL from the backup.
If a backup was not configured, configures the replication service to get SYSVOL files from authoritatively restored DC.
FullServerRestore Restore disks from a BMR Backup Performs bare-metal recovery of the machine from BMR Backup.
RestoreGCPartitionOccupancyLevel Restore initial global catalog partition occupancy level Sets the global catalog partition occupancy level to the value that existed before the recovery started.
RestoreWindowsServices Restore start types of Windows services Restore start types of Windows services that were changed during recovery.
RunMalwareRemediation Run advanced actions Runs advanced actions.
ValidateReinstall Run pre-recovery checks Checks the following:
- That the DSRM password specified in the DC recovery settings meets the password complexity criteria.
- Whether a preferred DNS server is specified for the DC in the recovery settings. If this is true, then the DNS server validity is checked.
ValidateRestore Run pre-recovery checks Checks the following:
- The DSRM password specified in the DC recovery settings meets the password complexity criteria.
- The backup file specified in the DC recovery settings is accessible (mandatory requirement for domain or forest recovery).
- There is a sufficient amount of free disk space on the DC to accommodate the backup file (mandatory requirement for domain or forest recovery).
- A preferred DNS server is specified for the DC in the recovery settings. If this is true, then this step checks the validity of the DNS server.
- Whether Kerberos Distribution Center (KDC) and Base Filtering Engine (BFE) services are enabled.
ValidateFullServerRestore Run pre-recovery checks Checks the following:
- Whether the BMR backup specified in the DC recovery settings is accessible.
- If the recovery from the Active Directory® backup option is selected, checks whether the Active Directory® backup is accessible.
SaveWindowsServices Save start types of Windows services Saves start types of Windows services that can be changed during recovery.
PerformMalwareScan Scan the backup with the antivirus software Scans the backup for malware threats.
The antivirus software that is installed on the Forest Recovery Console machine and specified in the antimalware configuration is checking the remote backup.
Depending on the size and speed of the network, this process can take from several minutes to more than an hour.
All volumes in the backup will be scanned.
SetFsmoRolesMasters Seize FSMO roles Seizes FSMO roles for the DCs automatically selected for each role.
SetPrefferedDns Select preferred DNS server Selects a properly functioning DNS server for all network adapters on the DC.
This step uses the following order of priority to select a DNS server:

1. Preferred DNS server specified in the DC recovery settings.
2. Primary and alternate DNS servers that were selected for the DC before the recovery.
3. DNS servers selected for other DCs in the same domain.
4. All other DNS servers in the forest.

AD-integrated DNS servers hosted on DCs that were not successfully restored from backup are excluded from the list of possible DNS servers.
SetReplicationServiceMode Set initial SYSVOL replication mode if applicable Forces authoritative SYSVOL restore if the Forest Recovery Console machine was explicitly or automatically selected as an authoritative SYSVOL source.
SetSysvolRoot Sets the new path to the SYSVOL share if it has been changed Updates the AD database if the path to the SYSVOL share has been changed.
DemoteAd Uninstall Active Directory Domain Services Demotes the DC to a member server joined to the workgroup named WORKGROUP.
Resets the local Administrator password to the value specified in the “Set DSRM password” option in the DC recovery settings.
UpdateProject Update Forest Recovery project with the collected data Updates Forest Recovery project with the collected data.
CheckGcAvailability Wait for a global catalog server to become available Waits for at least one global catalog server to become available in the forest.
This step may take a significant time to complete.
EnsureTargetHostIsBooted Wait until the target machine becomes accessible Waits until the target machine is booted from Quest® Recovery Environment image.
If a source domain controller is accessible during the project verification, it will be contacted instead.
CleanDisks Wipe all disks on the target machine Wipes all data on remote machine disks before restoring backup.

 

Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition)

This section provides information about the communication ports required to work with Recovery Manager for Active Directory.

Resources/Images/8_RMADFE_DG_Working scheme-01.png

 

Resources/Images/8_RMADFE_DG_Working scheme-02.png

 

Resources/Images/8_RMADFE_DG_Working scheme-03.png

 

Backup Wizard

The Backup Wizard helps you create backups of domain controllers' Active Directory® components, including Active Directory® and Group Policy data. With this wizard you can select domain controllers whose Active Directory® is to be backed up, specify where to store backups, run backup immediately or schedule it for later, view and modify backup options.

The wizard has the following steps:

 

What to Back Up

Use this page to select computers whose Active Directory® components you want the wizard to back up. You can back up selected computers or computers that reside in a specific container.

  • Selected objects. The Selected objects list includes the names and descriptions of computers and containers the wizard will process. You can modify the list using the Add and Remove buttons.

  • Add. When you click Add, the wizard presents you with these commands:

    • Domain Controller. Selects and adds domain controllers by name.

    • Container. Selects and adds a container. The wizard will back up all computers that are in that container.

    • AD LDS (ADAM) Host. Selects and adds AD LDS (ADAM) hosts by name.

    • Import Computers. Use a text file, one computer name per line, to add computers to the list.

  • Remove. Removes the selected entries from the Selected objects list.

To add a Domain Controller by name
  1. Click Add and then click Domain Controller.

  2. In the Select Computers dialog box, supply the name of the Domain Controller you want to add to the list.

With the Select Computers dialog box, you can select multiple computers. The Select Computers dialog box only allows you to add computers by computer account name. If you want to add computers by IP address, DNS name, or NetBIOS name, use an import file.

To add a container
  1. Click Add and then click Add Container.

  2. In the Domain box, select or type the DNS name of a domain. If you typed the DNS name, click Connect to refresh the tree in the Containers box.

  3. In the Containers box, select the container that contains any Domain Controllers to add.

If you select computers or containers before starting the Backup Wizard, the Selected objects list includes the objects you have selected.

To add AD LDS (ADAM) Host
  1. Click Add and then click AD LDS (ADAM) Host.

  2. In the Select Computers dialog box, supply the name or browse to the computer containing the AD LDS (ADAM) instance to add.

To add Domain Controllers using an import file
  1. Create a text file that contains the Domain Controller names, one name per line.

  2. Click Add and then click Import Computers.

  3. Use the Open dialog box to locate and open the text file.

 

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation