
Disaster Recovery for Identity Current - for Active Directory User Guide

Creating and Editing a Recovery Plan

To create a Recovery Plan

  1. On the Recovery page, select Add Recovery Plan.
  2. Enter a unique name for the Recovery Plan, or use the default name.
  3. To enable simulation mode, turn on the Enable Simulation Mode toggle. For more information, see Simulation mode below.
  4. Under Backup Selection, use the dropdown list to select the maximum age of backups allowed in the Recovery Plan. This automatically selects the most recent backup for each domain controller that is not older than the specified number of days. If there is no domain controller backup that meets the criteria, a backup must be manually selected for that domain controller; otherwise, the restore will fail. The default value is 14 days.
  5. The table in the Domains section lists all domains within the forest. For each domain, you need to specify a recovery method.

      TIP: Before assigning a recovery method, check the DC Backup Coverage value for each domain. This indicates the number of DCs that have backups matching the selected backup criteria out of the total number of DCs in the domain. If needed, adjust your backup selection or create additional backups.

      1. Select the domain name in the table.
      2. In the Domain Configuration flyout, under Domain Recovery, choose from one of the following recovery methods:
        • Recover Domain – Enables the restoration of the entire forest or specific domains within the forest by recovering one or more domain controllers from a backup. This is the default recovery method assigned to all domains when a new Recovery Plan is created. At least one domain in the Recovery Plan needs to be set to be recovered, and at least one domain controller in the domain must be restored from a backup (using the Restore to Clean OS recovery method).

          NOTE: If the recovery method for the domain is set to Recover Domain, the Restore to Clean OS recovery method is set by default for all domain controllers in the domain.

        • Ignore Healthy Domain – Excludes the healthy domain from recovery while keeping it intact in the forest. This option performs configuration changes on domain controllers within the domain to ensure connectivity to the recovered domains.

          NOTE: If the recovery method for the domain is set to Ignore Healthy Domain, the Adjust to Active Directory Changes recovery method is set for all domain controllers and cannot be modified.

        • Delete Domain – Removes the domain by cleaning up its metadata from all restored and healthy domains in the forest. This option cannot be used on the forest root domain.

        NOTE: The Ignore Healthy Domain and Delete Domain options are not supported at the same time; you cannot include both options in a Recovery Plan.

      3. Specify the server access credentials and DNS configuration (if applicable to the selected recovery method). For more information, see Editing Domain Configurations.
      4. Select the Set button.

  6. Select Save. After saving the Recovery Plan, you will be navigated to the Recovery Plan details page.
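
The backup selection and recovery method rules from the steps above can be checked against a planned configuration before it is entered in the console. The following is an added example, not code from the product or its vendor: the data layout, the domain and DC names, the dates, and the function names are all assumptions made for this sketch.

```python
from datetime import datetime, timedelta

# Constructed sample data: names, dates and field layout are assumptions for this sketch.
NOW = datetime(2024, 6, 15, 12, 0)
FOREST_ROOT = "corp.example"
BACKUPS = {  # DC FQDN -> backup creation times
    "dc1.corp.example": [datetime(2024, 6, 14, 2, 0), datetime(2024, 5, 1, 2, 0)],
    "dc2.corp.example": [datetime(2024, 5, 20, 2, 0)],  # older than 14 days
    "dc1.emea.corp.example": [datetime(2024, 6, 10, 2, 0)],
    "dc1.lab.corp.example": [],
}
PLAN = {  # domain -> domain recovery method and per-DC recovery methods
    "corp.example": {"method": "Recover Domain", "dcs": {
        "dc1.corp.example": "Restore to Clean OS",
        "dc2.corp.example": "Install Active Directory"}},
    "emea.corp.example": {"method": "Recover Domain", "dcs": {
        "dc1.emea.corp.example": "Restore to Clean OS"}},
    "lab.corp.example": {"method": "Delete Domain", "dcs": {
        "dc1.lab.corp.example": "Remove DC"}},
}


def select_backups(backups, max_age_days=14, now=NOW):
    """Most recent backup per DC that is not older than max_age_days, else None."""
    cutoff = now - timedelta(days=max_age_days)
    return {dc: max((t for t in times if t >= cutoff), default=None)
            for dc, times in backups.items()}


def coverage(plan, selected):
    """DC Backup Coverage per domain: (DCs with a matching backup, total DCs)."""
    return {dom: (sum(selected.get(dc) is not None for dc in cfg["dcs"]),
                  len(cfg["dcs"]))
            for dom, cfg in plan.items()}


def validate_plan(plan, selected, forest_root=FOREST_ROOT):
    """Return violations of the documented plan rules as a list of strings."""
    errors = []
    methods = {cfg["method"] for cfg in plan.values()}
    if "Recover Domain" not in methods:
        errors.append("no domain is set to Recover Domain")
    if {"Ignore Healthy Domain", "Delete Domain"} <= methods:
        errors.append("Ignore Healthy Domain and Delete Domain cannot be combined")
    for dom, cfg in plan.items():
        if cfg["method"] == "Delete Domain" and dom == forest_root:
            errors.append(f"{dom}: Delete Domain is not allowed on the forest root")
        if cfg["method"] != "Recover Domain":
            continue
        # A recovered domain needs at least one DC restored from a backup.
        clean_os = [dc for dc, m in cfg["dcs"].items() if m == "Restore to Clean OS"]
        if not clean_os:
            errors.append(f"{dom}: no DC uses Restore to Clean OS")
        for dc in clean_os:
            if selected.get(dc) is None:
                errors.append(f"{dc}: no backup within the age limit")
    return errors


if __name__ == "__main__":
    chosen = select_backups(BACKUPS)
    print(coverage(PLAN, chosen))
    print(validate_plan(PLAN, chosen) or "plan is consistent with the documented rules")
```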

To edit a Recovery Plan

On the Recovery Plan details page, select Configure | Recovery Plan. On the Configure Recovery Plan page, you can edit the Recovery Plan configurations as described above.

IMPORTANT: If the Active Directory forest topology is changed on-premises (in other words, new domain controllers have been added or removed, domain controller roles are updated, etc.), the forest needs to be manually re-discovered in the product and a new Recovery Plan needs to be created based on the updated topology.

 

Simulation mode

Disaster Recovery for Identity for Active Directory allows users to run Recovery Plans and verification/recovery operations using simulation mode. This mode runs through simulated verification or recovery operations using topology information from the connected Active Directory forest and its backups. This mode successfully completes verification/recovery operations without utilizing target machines, giving users the opportunity to test the workflow of Recovery Plans and identify issues without risk to their data or forest.

To enable simulation mode for a specific Recovery Plan

  1. When creating or configuring a Recovery Plan, under General Information, turn on the Enable Simulation Mode toggle.
  2. Save the Recovery Plan.

To indicate that a Recovery Plan is in simulation mode, a badge or icon is displayed in the following locations:

  • In the taskbar on the Recovery Plan details page
  • In the taskbar on the domain controller Operations page
  • On the Recovery Plan tile
  • On tasks on the Tasks page
  • On events on the Events page

Recovery Plan Details

After adding a Recovery Plan, you are navigated to the Recovery Plan details page. Here you can view details of the domain controllers within the domains selected in the Recovery Plan.

NOTE: The list of domain controllers is taken from the topology discovered by Disaster Recovery for Identity for Active Directory. If you see missing or additional domain controllers, or an incorrect domain controller type, run a discovery on the Topology page and re-create a Recovery Plan.

 

The table on the Recovery Plan details page displays the following information:

  • Domain – The FQDN of the domain selected for recovery.
  • Domain Recovery Method – The recovery method selected for the domain. To change the recovery method, see Editing Domain Configurations.
  • Domain Controller – The FQDN of the domain controller.
  • Status – The status of the domain controller.
  • Current Operation – The operation currently running.
  • DC Recovery Method – The recovery method selected for the domain controller. To change the recovery method, see Editing Domain Controller Configurations.
  • Selected Backup – The date and time that the selected backup was created.

NOTE: No Backup Available is displayed if there is no backup that meets the backup criteria.

  • Type – The domain controller can be of the following type:
    • GC - Global Catalog
    • RODC - Read-only domain controller
    • FSMO - Flexible single-master operator

Above the action bar, you can see a summary of the verification or recovery task that is currently being performed for the Recovery Plan, including:

  • The FQDN of the forest associated with the Disaster Recovery for Identity for Active Directory forest, and the overall latest status of the Recovery Plan. For more information, see the Status section below.
  • The overall time for the completed action.
  • The number of domain controllers that have the following statuses: 
    • Completed
    • Completed with Warnings
    • Canceled
    • Pending
      • Not Started
      • In Progress
      • Paused
      • Canceling
      • In Progress with Warnings
    • Failed

You can perform the following actions on the Recovery Plan details page:

NOTE: Individual domain controllers cannot be canceled from this page.

Caution: Canceling a recovery operation may result in a corrupt forest.

 

Status

The status of the Recovery Plan is displayed underneath the forest FQDN in the overall Recovery Plan summary as well as in the Status column for each domain controller. The Status column displays one of the following:

  • Any configuration errors that exist in the Recovery Plan.
  • The status of the ongoing or completed operation.

If a configuration error is displayed, open Domain Controller Operations to view the full message.

By clicking the status of the ongoing or completed operation, you can view the Domain Controller Operations for that domain controller. The status can include the following:

  • Verify
    • Verification Starting – The verification operation is in the process of starting.
    • Verification in Progress – The verification operation is in progress.
    • Verification Completed – The verification operation has been completed.
    • Verification Completed with Warnings – The verification operation has been completed, but one or more operations have warnings. See Domain Controller Operations for more.
    • Verification Failed – The verification operation has failed.
    • Verification Canceling – The verification operation is in the process of being canceled.
    • Verification Canceled – The verification process has been canceled.
    • Verification Paused – The verification operation has been paused.
  • Recovery
    • Recovery Starting – The recovery operation is in the process of starting.
    • Recovery in Progress – The recovery operation is in progress.
    • Recovery Completed – The recovery operation has been completed.
    • Recovery Completed with Warnings – The recovery operation has been completed, but one or more operations have warnings. See Domain Controller Operations for more.
    • Recovery Failed – The recovery operation has failed.
    • Recovery Canceling – The recovery operation is in the process of being canceled.
    • Recovery Canceled – The recovery process has been canceled.
    • Recovery Paused – The recovery operation has been paused.
    • Waiting For Other DCs – The operation is waiting for other domain controllers to finish their operations.

Editing Domain Configurations

To access domain configurations for a Recovery Plan, either:

  1. When creating or configuring a Recovery Plan, select the domain FQDN in the Domains table.
  2. On the Recovery Plan details page:
    • Select the domain FQDN in the Domain column, or
    • Select the row for the relevant domain, then select Configure | Domain.

The Domain Configuration flyout is displayed.

To edit domain configurations

You can change the recovery method for the domain to one of the following. In some cases, the recovery method you select for the domain affects the recovery method that is available for the domain controller. Click the link below for the recovery method you want to select or configure and follow the steps in that section.

NOTE: The Ignore Healthy Domain and Delete Domain options are not supported at the same time; you cannot include both options in a Recovery Plan.

NOTE: Before selecting a recovery method, it is highly recommended that you read Recovery Methods in the Recovery Considerations and Best Practices section.

Recover Domain

This method enables the restoration of the entire forest or specific domains within the forest by recovering one or more domain controllers from a backup. This is the default recovery method assigned to all domains when a new Recovery Plan is created. At least one domain in the Recovery Plan needs to be set to be recovered, and at least one domain controller in the domain must be restored from a backup (using the Restore to Clean OS recovery method).

NOTE: If the recovery method for the domain is set to Recover Domain, the Restore to Clean OS recovery method is set by default for all domain controllers in the domain.

If the Recover Domain method is selected, perform the following steps:

  1. Specify or change the server access credentials. To learn more about each credential type, see Server Access Credentials in the Recovery Considerations and Best Practices section. When credentials are specified at the domain level, they are applied to all domain controllers within that domain. If needed, you can change the credentials for individual domain controllers in the domain controller configuration.
    • Domain Username – An Active Directory Domain Admin account that existed when the backup was created.
    • Domain User Password – The password for the domain.
    • Local Username – The username for the local account that has Local Administrator rights on the target.
    • Local User Password – The password for the local account.
    • DSRM Administrator – The username for the DSRM administrator.
    • DSRM Administrator Password – The password that the DSRM password will be set to when the target machine is promoted to the domain controller.
    • Confirm DSRM Administrator Password – Confirm the DSRM administrator password.

NOTE: For the Recover Domain method, you need to specify all credentials here or in the domain controller configuration.

  2. You can change the DNS server configuration. It is highly recommended that you read DNS Configuration in the Recovery Considerations and Best Practices section.
    • Select DNS server automatically – Automatically selects and assigns a DNS server for each domain controller in the domain. This option is selected by default.
    • Use preferred DNS server(s) – Specify the DNS servers manually by entering one or more IP addresses, each separated by a semicolon.

Ignore Healthy Domain

This method excludes the healthy domain from recovery while keeping it intact in the forest. This option performs configuration changes on domain controllers within the domain to ensure connectivity to the recovered domains.

NOTE: If the recovery method for the domain is set to Ignore Healthy Domain, the Adjust to Active Directory Changes recovery method is set for all domain controllers and cannot be modified.

If the Ignore Healthy Domain method is selected, you can change the domain credentials. When credentials are specified at the domain level, they are applied to all domain controllers within that domain. If needed, you can change the credentials for individual domain controllers in the domain controller configuration.

  • Domain Username – An Active Directory Domain Admin account that existed when the backup was created.
  • Domain User Password – The password for the domain.

NOTE: For the Ignore Healthy Domain method, you need to specify domain credentials here or in the domain controller configuration.

Delete Domain

This method removes the domain from the forest by cleaning up its metadata from all restored and existing domains. This option cannot be used on the forest root domain.

NOTE: If the recovery method for the domain is set to Delete Domain, the Remove DC recovery method is set for all domain controllers and cannot be modified.

 

Editing Domain Controller Configurations

To access the domain controller configurations for a Recovery Plan, on the Recovery Plan details page, either:

  1. Select the domain controller FQDN in the Domain Controller column, or
  2. Select the row for the domain controller in the relevant domain, then select Configure | Domain Controllers.

The DC Configuration page is displayed.

To edit domain controller configurations

NOTE: Updating any domain controller configuration clears the Status column and removes access to the list of operations from the most recent verification or recovery run.

You can change the recovery method of the domain controller to one of the following options. In some cases, the recovery method for the domain controller is set by default depending on the recovery method selected for the domain. Click the link below for the recovery method you want to select or configure and follow the steps in that section.

NOTE: Before selecting a recovery method, it is highly recommended that you read Recovery Methods in the Recovery Considerations and Best Practices section.

Restore to Clean OS

This recovery method restores the domain controller from a backup onto a freshly installed Windows machine.

NOTE: If the recovery method for the domain is set to Recover Domain, the Restore to Clean OS recovery method is set by default for the domain controller.

If the Restore to Clean OS recovery method is selected, perform the following steps:

  1. The Target Server field is empty by default. You must specify a valid Target Server IP for a successful recovery with the Restore to Clean OS method.
  2. Under Backup Selection, specify whether you want backups to be automatically selected or manually selected.
    • Automatic – By default, a backup is selected automatically according to the backup selection criteria configured for the Recovery Plan.

NOTE: If a backup that meets the backup selection criteria does not exist, you can proceed to save the domain controller configuration. However, verification and recovery will not start if a backup is not available for the domain controller. Once a valid backup is available, it will be automatically selected.

    • Manual – To manually select a backup for the domain controller, click Select Backup. In the Select Backup flyout, select a backup to be used for recovery. You can use the Filters button to filter the list of domain controllers by Backup Plans, the schedule type, or the date created.

NOTE: If no backups are available for the domain controller, you cannot use the Manual option.

  3. Specify or change the server access credentials. By default, if server access credentials are specified in the domain configuration, domain-level credentials are used for all domain controllers within the domain and are marked with a badge labeled Inherited credentials. If the domain controller requires different credentials to those specified in the domain settings, you can specify one or more credentials for that domain controller to replace the inherited credentials. For descriptions of each credential type, see Editing Domain Configurations.

NOTE: For the Restore to Clean OS recovery method, you need to specify all credentials here or in the domain configuration.

Install Active Directory

This recovery method installs Active Directory Domain Services on the computer and promotes it to a domain controller. After the recovery, the domain controller replicates Active Directory data from domain controllers restored from backups.

To reduce replication traffic, you can use the Enable Install from Media (IFM) option. The IFM option pre-populates Active Directory and Sysvol on the target domain controller with data from a backup for another domain controller in the same domain. This option is selected by default if there are backups available for the domain.

If the Install Active Directory recovery method is selected, perform the following steps:

  1. The Target Server field is empty by default. You must specify a valid Target Server IP for a successful recovery with the Install Active Directory method.
  2. Under Backup Selection, use the Enable Install From Media checkbox to turn the option on or off.
  3. If the Enable Install From Media option is selected, specify whether you want backups to be automatically selected or manually selected.
    • Automatic – Selected by default if IFM is enabled. This option automatically selects the most recent backup for a domain controller in the same domain that meets the backup selection criteria configured for the Recovery Plan.

NOTE: If a backup that meets the backup selection criteria does not exist, you can proceed to save the domain controller configuration. However, verification and recovery will not start if a backup is not available for the domain controller. Once a valid backup is available, it will be automatically selected.

    • Manual – To manually select a backup, click Select Backup. In the Select Backup flyout, select a backup for the domain to use for recovery. You can use the Filters button to filter the list of domain controllers by Backup Plans, domain controllers, the schedule type, or the date created.

NOTE: If no backups are available for the domain controller, you cannot use the Manual option.

  4. Under Domain Controller Options, select one or more server roles for the domain controller:
    • Configure as a global catalog server – Use this option if you need to configure the global catalog on the domain controller during Active Directory Domain Services® installation. This option will be selected by default if the original domain controller was a global catalog. Microsoft recommends that all domain controllers provide DNS and global catalog services for high availability in distributed environments.
    • Install DNS server on the domain controller – Use this option to install the DNS server during the Install Windows features step. This option is enabled by default.
  5. Specify or change the server access credentials. By default, if server access credentials are specified in the domain configuration, domain-level credentials are used for all domain controllers within the domain and are marked with a badge labeled Inherited credentials. If the domain controller requires different credentials to those specified in the domain settings, you can specify one or more credentials for that domain controller to replace the inherited credentials. For descriptions of each credential type, see Editing Domain Configurations.

NOTE: For the Install Active Directory recovery method, you need to specify all credentials here or in the domain configuration.

Remove DC

This recovery method isolates the domain controller from other domain controllers and removes it from the domain. Use this method if the domain controller is inaccessible or you do not want to recover the domain controller due to failures.

NOTE: If the recovery method for the domain is set to Delete Domain, the Remove DC recovery method is set for the domain controller and cannot be modified.

Adjust to Active Directory Changes

This recovery method adjusts the DNS and IP configuration of the existing domain controller to ensure connectivity to the recovered domains.

NOTE: If the recovery method for the domain is set to Ignore Healthy Domain, the Adjust to Active Directory Changes recovery method is set for the domain controller and cannot be modified.

If the Adjust to Active Directory Changes recovery method is set, you need to specify valid domain credentials. By default, if domain credentials are specified in the domain configuration, domain-level credentials are used for all domain controllers within the domain and are marked with a badge labeled Inherited credentials. If the domain controller requires different credentials to those specified in the domain settings, you can specify one or more credentials for that domain controller to replace the inherited credentials.
