Recovery Manager for AD Forest Edition 10.0.1 - Deployment Guide

Introduction

This document provides information about deploying Quest® Recovery Manager for Active Directory Forest Edition. It also includes some best practice recommendations for using Recovery Manager for Active Directory to back up and restore Active Directory data.

Recovery Manager for Active Directory Forest Edition is a comprehensive, next-generation solution that helps you back up and restore Active Directory data. Recovery Manager for Active Directory dramatically reduces the time required to restore Active Directory and Group Policy data to minutes on average. This improves the availability of corporate networks and reduces network downtime.

For information about how to install the application components, refer to the Quick Start Guide supplied with this release of Recovery Manager for Active Directory Forest Edition.

Permissions required to use Recovery Manager for Active Directory

The table below lists the minimum user account permissions required to perform some common tasks with Recovery Manager for Active Directory.

Table 1: Minimum permissions

Task Minimum permissions
Install Recovery Manager for Active Directory

The account must be a member of the local Administrators group on the computer where you want to install Recovery Manager for Active Directory. If during the installation you specify an existing SQL Server instance, the account with which Recovery Manager for Active Directory connects to that instance must have the following permissions on the instance:

  • Create Database
  • Create Table
  • Create Procedure
  • Create Function
Open and use the Recovery Manager Console

The account must be a member of the local Administrators group on the computer where the Recovery Manager Console is installed. The account must also have the following permissions on the SQL Server instance used by Recovery Manager for Active Directory:

  • Insert
  • Delete
  • Update
  • Select
  • Execute
Preinstall Backup Agent manually The account you use to access the target computer must be a member of the local Administrators group on that computer
Upgrade Backup Agent
Discover preinstalled Backup Agent instances

The account used to access the target domain controllers must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory that is located on the Recovery Manager for Active Directory computer.
  • Be a member of the Backup Operators group on each target domain controller.
Uninstall Backup Agent
Update information displayed about Backup Agent in the Recovery Manager Console
Automatically install Backup Agent and back up Active Directory data

To automatically install Backup Agent, the account must have:

  • Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory located on the Recovery Manager for Active Directory computer.
  • Local Administrator permissions on the target domain controller.

To back up data, the account must be a member of the Backup Operators group on the target domain controller.

Back up Active Directory using preinstalled Backup Agent

The account used to access the target domain controllers must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory that is located on the Recovery Manager for Active Directory computer.
  • Be a member of the Backup Operators group on each domain controller to be backed up.
Perform a complete offline restore of Active Directory by using the Repair Wizard

If you restore data to a domain controller where User Account Control (UAC) is not installed or disabled:

  • The account you use to access the domain controller must be a member of the Domain Admins group.

If you restore data to a domain controller where User Account Control (UAC) is enabled:

  • The account you use to access the domain controller must be the built-in Administrator on that computer.

In both these cases, the account you use to access the domain controller must have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory located on the Recovery Manager for Active Directory computer.

Perform a selective online restore of Active Directory objects

Agentless restore

The account used to access the target domain controllers must have:

  • Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory that is located on the Recovery Manager for Active Directory computer.
  • Reanimate Tombstones extended right in the domain where objects are to be restored.
  • Write permission on each object attribute to be updated during the restore.
  • Create All Child Objects permission on the destination container.
  • List Contents permission on the Deleted Objects container in the domain where objects are to be restored.

For more details, see the Agentless method section in User Guide.

Agent-based restore

  • The account used to access target domain controllers must have domain administrator rights.

For more details, see the Agent-based method section in User Guide.

Restore a Group Policy object

The account used to access the target domain controller must:

  • Be a member of the Group Policy Creator Owners group.
  • Have Full Control privilege on the Group Policy object.
  • Be a member of the Backup Operators group.
  • Have sufficient permissions to read/write Active Directory objects linked to the Group Policy object.
Automatically install Backup Agent and back up an AD LDS (ADAM) instance

The account used to access the computer hosting the instance must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory that is located on the Recovery Manager for Active Directory computer.
  • Be a member of the local Administrators group on the computer hosting the AD LDS (ADAM) instance
Back up an AD LDS (ADAM) instance using preinstalled Backup Agent

The account used to access the computer hosting the instance must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory located on the Recovery Manager for Active Directory computer.
  • Be a member of the local Administrators group on the computer hosting the AD LDS (ADAM) instance.
Restore an AD LDS (ADAM) instance

The account used to access the computer hosting the instance must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory located on the Recovery Manager for Active Directory computer.
  • Be a member of the local Administrators group on the computer hosting the AD LDS (ADAM) instance.

Permissions required to use Forest Recovery Console

The table below lists the minimum user account permissions required to perform some common tasks with Forest Recovery Console.

Table 2: Minimum permissions

Task Minimum permissions
Start and use the Forest Recovery Console

Have Read access to the Recovery Manager for Active Directory backup registration database.

Access domain controllers in the recovery project

Have either domain administrator rights or all of the following permissions:

  • Reanimate Tombstone control access right (or be a member of a group that has this access right).

By default, the Reanimate Tombstone control access right is only granted to domain administrators. Domain administrators can delegate the permission necessary to restore deleted objects to other users and groups by granting the user or group the Reanimate Tombstone control access right. A security risk can be introduced by delegating this permission to a user, because it allows the user to restore an account that may have a level of access greater than that of the user. By restoring such an account, the user in effect gains control of that account. This is because the LDAP API does not provide the capability to restore the backed up password, and so the user can set the initial password on the account.

  • Write access to each mandatory attribute that needs to be updated.
  • Write access to the Relative Distinguished Name (RDN) and other attributes that need to be updated.
  • Child-creation rights on the destination container for the object class that is to be restored.
  • Write access to universal and domain local groups in all domains in the forest.
Install or uninstall Forest Recovery Agent Be a member of the local Administrators group on the target domain controller.

Сheck forest health if the User authentication; RID Master and GC operation option is selected on the Settings tab in the Check Forest Health dialog.

Have either domain administrator rights or all of the following permissions on the container for the test user account:

  • Create/Delete user objects
    Applies to: This object and all descendant objects
  • Full Control
    Applies to: Descendant User objects

For information about using the Forest Recovery Console, see Forest Recovery Console section of User Guide.

Permissions required to use Recovery Manager Portal

The table below lists the minimum user account permissions required to perform some common tasks with Recovery Manager Portal.

Table 3: Minimum permissions

Task Minimum permissions
Install or uninstall Recovery Manager Portal Be a local administrator on the target computer.
Access Recovery Manager Remote API Access service

To access a Recovery Manager for Active Directory instance, the Recovery Manager Portal requires the Recovery Manager Remote API Access service to be installed and running on the Recovery Manager for Active Directory computer. This service enables the following Recovery Manager for Active Directory features: integration with Recovery Manager Portal, RMAD console fault tolerance and support for hybrid environment.

For information about minimum permission requirements for the service, refer Step 1: Install Recovery Manager Remote API Access Service in User Guide.

Start and use the Recovery Manager Portal

From version 8.7, Recovery Manager Portal can be run under Managed Service Account (in Windows Server 2008 or higher) or Group Managed Service Account (in Windows Server 2012 or higher). If you specify the MSA or gMSA account, add the '$' character at the end of the account name (e.g. domain\computername$) and leave the Password field blank (on the Specify Web Site Settings step of the wizard).

  • The Managed Service Account (in Windows Server 2008 or higher) or Group Managed Service Account (in Windows Server 2012 or higher) must be a member of the local Administrator group on the Recovery Manager for Active Directory machine.
  • In case of MSA or gMSA account, Recovery Manager Portal supports only Windows authentication to access the SQL Server databases.
To perform restore or undelete operation

User must be a member of the "Recovery Manager Portal - Recovery Operators" security group on the computer where the Recovery Manager Portal is installed.

If you want to use the agentless recovery method, select the Configure a list of delegates that can perform the restore and undelete operations option on the Portal Settings tab. For more information about delegation, see the Delegating restore or undelete permissions section in User Guide.

To perform the undelete operation

User must be a member of the "Recovery Manager Portal - Undelete Operators" local security group on the computer where the Recovery Manager Portal is installed.

If you want to use the agentless recovery method in Recovery Manager Portal, select the Configure a list of delegates that can perform the restore and undelete operations option on the Portal Settings tab. For more information about delegation, see the Delegating restore or undelete permissions section in User Guide.

To modify the Recovery Manager Portal configuration and delegate restore permissions to other Recovery Manager Portal users User must be a member of the "Recovery Manager Portal - Configuration Admins" local security group on the computer where the Recovery Manager Portal is installed.
To view the health summary and backup creation history for the Recovery Manager for Active Directory instances User must be a member of the "Recovery Manager Portal - Monitoring Operators" local security group on the computer where the Recovery Manager Portal is installed.
Outils libre-service
Base de connaissances
Notifications et alertes
Support produits
Téléchargements de logiciels
Documentation technique
Forums utilisateurs
Didacticiels vidéo
Nous contacter
Obtenir une assistance en matière de licence
Support Technique
Afficher tout
Documents connexes