
Disaster Recovery for Identity Current - for Active Directory User Guide

Recovery Considerations and Best Practices

Recovery Strategies Overview

 

When planning for Active Directory® forest recovery, ensure that you maintain a detailed topology map of your forest. The map should include all necessary information about each domain controller, such as its name, FSMO roles, DNS configurations, backup status, and the trust relationships between domains.
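One way to collect most of the topology map described above is with the ActiveDirectory PowerShell module. This is an added example, not part of the product or the original guide; it assumes an account that can read every domain and WinRM access to the domain controllers, and the `BackupStatus` column is a placeholder to fill in by hand.

```powershell
# Added example: builds a per-DC topology map with the ActiveDirectory (RSAT) module.
# Assumptions: run by an account that can read every domain; WinRM reaches the DCs.
Import-Module ActiveDirectory

$forest = Get-ADForest
$map = foreach ($domainName in $forest.Domains) {
    # Trusts are kept per domain so they can be re-validated after a recovery.
    $trusts = (Get-ADTrust -Filter * -Server $domainName |
        ForEach-Object { "$($_.Name) [$($_.Direction)]" }) -join '; '

    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        # Read the DC's own DNS client settings remotely; flag DCs that do not answer.
        $cim = $null
        $dns = try {
            $cim = New-CimSession -ComputerName $dc.HostName -ErrorAction Stop
            (Get-DnsClientServerAddress -CimSession $cim -AddressFamily IPv4 -ErrorAction Stop).ServerAddresses |
                Select-Object -Unique
        } catch { 'UNREACHABLE' } finally { if ($cim) { Remove-CimSession -CimSession $cim } }

        [pscustomobject]@{
            Domain        = $domainName
            Name          = $dc.Name
            HostName      = $dc.HostName
            Site          = $dc.Site
            IPv4Address   = $dc.IPv4Address
            OS            = "$($dc.OperatingSystem) ($($dc.OperatingSystemVersion))"
            GlobalCatalog = $dc.IsGlobalCatalog
            ReadOnly      = $dc.IsReadOnly
            FsmoRoles     = $dc.OperationMasterRoles -join ', '
            DnsServers    = $dns -join ', '
            DomainTrusts  = $trusts
            # Placeholder: record backup status from your backup tooling by hand.
            BackupStatus  = '<fill in>'
        }
    }
}

# Keep the export somewhere that survives a forest outage (not only on a DC or in SYSVOL).
$map | Export-Csv -Path .\forest-topology-map.csv -NoTypeInformation
$map | Format-Table Domain, Name, Site, FsmoRoles, DnsServers -AutoSize
```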

Disaster Recovery for Identity for Active Directory allows you to restore selected domains or an entire forest to its prior state at the time of the last trusted backup. When creating a Recovery Plan, use the information from the topology map to verify that all essential components are set to be recovered and are configured properly.

In general, full forest recovery is necessary when none of the domain controllers in the forest can function normally or when corrupted domain controllers can spread dangerous data to other domain controllers.

Before you choose one of the recovery strategies described in this section, it is strongly recommended that you read Microsoft’s Active Directory Forest Recovery Guide. When choosing a recovery strategy, note that every recovery is unique, and the strategy might need adjustments to suit your needs.

IMPORTANT: It is highly recommended that:

  • You periodically test your chosen strategy to ensure that you are familiar with the process, and that the strategy can be run during a disaster.
  • You have Recovery Plans created in Disaster Recovery for Identity for Active Directory using the most up-to-date Active Directory forest topology before a disaster occurs. For more information, see Topology Discovery and Creating and Editing a Recovery Plan.

Forest Recovery Overview

At a high level, the recovery of the entire forest or any of its parts using Disaster Recovery for Identity for Active Directory involves the following steps:

  1. Ensure that the hybrid agent used for the Disaster Recovery for Identity for Active Directory forest has access to the environment where the restore will be performed.
  2. Using a new or existing Recovery Plan, set up domain and domain controller configurations according to the Active Directory forest topology map and the combination of the recovery methods available in the product. For more information, see Recovery Methods and Creating and Editing a Recovery Plan.

    NOTES:

    • Ensure you have specified an appropriate DNS server selection method for each domain. For more information, see DNS Configuration.
    • Ensure you are using backups that were created before the forest failure occurred.
  3. Start the recovery using the Recovery Plan, which performs the following actions:
    1. Restores domain controllers within each domain from backups using the Restore to Clean OS recovery method, utilizing the most reliable backups.

      NOTE: The greater the number of domain controllers restored from backups, the more rapid the recovery process will be. For more information on how many domain controllers to restore, see Forest Recovery Strategies.

    2. Installs Active Directory on the domain controllers that do not have backups using the Install Active Directory recovery method or manually.

      NOTE: To reduce replication traffic, you can use the Enable Install from Media option.

    3. Updates DNS settings in any ignored domains that were not recovered or deletes information about any domains or domain controllers that were not recovered.
  4. Wait for the domain controllers with installed Active Directory to replicate Active Directory data from domain controllers restored from reliable backups.

After recovery, the Active Directory forest will lose any data that was created or modified after the date of the backup used for recovery. As a result, required changes will need to be performed manually. This includes:

  • Objects (such as users and computers) that were added or removed
  • Updates to existing objects
  • Changes to either the configuration partition or the schema partition in Active Directory (such as schema changes)

Additionally, any software applications that were running on the domain controllers will need to be reinstalled after recovery.

Forest Recovery Strategies
Recovery strategy 1: Restore all critical domain controllers from backups

This strategy is recommended by Quest.

Advantages

  • Rapid recovery of the most critical infrastructure, allowing you to return to business as usual faster.
  • Enhanced stability of the recovery process compared to restoring only one domain controller per domain. The use of multiple backups ensures that the entire forest can be recovered, even if the restoration of some domain controllers is unsuccessful.
  • The more domain controllers restored from backup, the more closely the recovered forest resembles its pre-failure state.

Limitations

  • The risk of reintroducing corrupted or unwanted data: because multiple backups are used, there is no guarantee that corrupted or unwanted data from the backups will not be introduced into the recovered forest.

Recovery strategy 2: Restore one domain controller per domain from backups

Advantages

  • Recommended by Microsoft - this recovery approach is aligned with Microsoft's best practices as outlined in the Planning for Active Directory Forest Recovery Guide.
  • The limited number of backups allows for thorough inspection to ensure they are free of corruption or unwanted data.

Limitations

  • Successful recovery of an entire domain relies on the successful restoration of a single domain controller. Active Directory can only be reinstalled on other domain controllers within the domain after the initial domain controller is successfully restored from backup.
  • The full forest recovery process may be time-consuming.
  • The original forest infrastructure is not preserved - as Active Directory is reinstalled on most domain controllers within the forest, the recovered forest will not be an exact replica of its pre-failure state.

Recovery strategy 3: Restore at least 2 domain controllers per domain from backups

Advantages

  • Enhanced stability of the recovery process compared to restoring only one domain controller per domain. The use of multiple backups ensures that the entire forest can be recovered, even if the restoration of some domain controllers is unsuccessful.

Limitations

  • The forest recovery process may be time-consuming.
  • The original forest infrastructure is not preserved - as Active Directory is reinstalled on most domain controllers within the forest, the recovered forest will not be an exact replica of its pre-failure state.

Recovery Methods

This section describes the recovery methods for domains and domain controllers that you can use to restore the forest or specific domains in Disaster Recovery for Identity for Active Directory. Depending on your recovery strategy, a different combination of recovery methods may be needed to perform recovery.

The following recovery methods are available for domains:

Recover Domain

The Recover Domain recovery method enables the restoration of the entire forest or specific domains within the forest. This is the default recovery method assigned to all domains when a new Recovery Plan is created. At least one domain in the Recovery Plan must be recovered, and at least one domain controller in the domain must be restored from a backup (using the Restore to Clean OS recovery method).

NOTE: If the recovery method for the domain is set to Recover Domain, the Restore to Clean OS recovery method is set by default for all domain controllers in the domain.

NOTE: For information on setting a correct DNS configuration for domains, see DNS Configuration.

Ignore Healthy Domain

Use the Ignore Healthy Domain recovery method to exclude the domain from recovery while keeping it intact in the forest. This option performs configuration changes on domain controllers within the domain to ensure connectivity to the recovered domains.

NOTE: If the recovery method for the domain is set to Ignore Healthy Domain, the Adjust to Active Directory Changes recovery method is set for all domain controllers and cannot be modified.

Delete Domain

The Delete Domain recovery method removes the domain from the forest by cleaning up its metadata from all restored and existing domains. This option cannot be used on the forest root domain.

NOTE: If the recovery method for the domain is set to Delete Domain, the Remove DC recovery method is set for all domain controllers and cannot be modified.

The following recovery methods are available for domain controllers:

Restore to Clean OS

The Restore to Clean OS method recovers a domain controller from a backup onto a freshly installed Windows machine. At least one domain controller must be restored with this method in order to recover a domain. This method can be used with servers hosted on-premises or virtual machines hosted by a cloud service provider of your choice.

NOTE: If the recovery method for the domain is set to Recover Domain, the Restore to Clean OS recovery method is set by default for all domain controllers in the domain.

The target server should comply with the following requirements:

  • The operating system version of the target machine must match the version of the failed domain controller.
  • The target machine must have sufficient free disk space to accommodate Active Directory and SYSVOL data.
  • The account specified to access the target machine must possess local Administrator privileges on that machine.

IMPORTANT: It is crucial that the Windows operating system version matches the deployed version. The verify operation will issue a warning if a mismatch is detected between the target and backup Windows versions. The specific versions will be reported in the status information. If the Major and Minor versions do not match, indicating that at least one of the operating system versions is prior to 2016, an error message will be displayed.
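The target requirements above can be checked locally on the target machine before the recovery starts. This is an added example, not the product's verify operation: it reads the rule as "different Major.Minor is an error, same Major.Minor with a different build is a warning", and `$BackupOsVersion`, `$RequiredBytes` and `$Drive` are assumed inputs taken from your own topology records.

```powershell
# Added example: local pre-flight check on a Restore to Clean OS target.
# Assumptions: $BackupOsVersion and $RequiredBytes come from your topology map
# (OS version of the failed DC, size of its Active Directory database plus SYSVOL).
param(
    [Parameter(Mandatory)] [version] $BackupOsVersion,   # e.g. 10.0.17763
    [Parameter(Mandatory)] [long]    $RequiredBytes,
    [string] $Drive = 'C:'                               # assumed restore volume
)

function Compare-OsVersion {
    param([version] $Backup, [version] $Target)
    # Different Major.Minor: treated as an error, following the rule described above.
    if ($Backup.Major -ne $Target.Major -or $Backup.Minor -ne $Target.Minor) { return 'Error' }
    # Same Major.Minor but a different build (two 10.0 releases, for example): warning.
    if ($Backup.Build -ne $Target.Build) { return 'Warning' }
    'OK'
}

$targetOs = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
$disk     = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$Drive'"
# True only when the current session runs with local Administrator rights.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

[pscustomobject]@{
    OsVersionCheck = Compare-OsVersion -Backup $BackupOsVersion -Target $targetOs
    TargetOs       = $targetOs
    BackupOs       = $BackupOsVersion
    FreeSpaceOk    = $disk.FreeSpace -ge $RequiredBytes
    FreeGB         = [math]::Round($disk.FreeSpace / 1GB, 1)
    LocalAdmin     = $isAdmin
}
```

Run it in a session started with the account that will be specified for the target machine, so the `LocalAdmin` result reflects that account.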

The Restore to Clean OS recovery method involves installing the DNS Server role on a domain controller.

  • If a domain used AD-integrated DNS infrastructure and is configured in the Recovery Plan to select the DNS server automatically, then during recovery, all domain controllers within the domain will synchronize DNS partitions and continue to function as DNS servers.
  • If a domain used external DNS and is configured in the Recovery Plan to use preferred DNS servers, then after recovery, all domain controllers will operate as non-functional DNS servers, which can be uninstalled manually.

For more information on DNS server settings, see DNS Configuration.

Install Active Directory

The Install Active Directory recovery method installs Active Directory Domain Services (AD DS) on the computer and promotes it as a domain controller using the domain and forest name of the original domain controller. After the recovery, the domain controller replicates Active Directory data from domain controllers restored from backups. To reduce replication traffic, you can use the Enable Install from Media option.

The target server should comply with the following requirements:

  • Operating system version should be equal to the original DC operating system.
  • Operating system should follow organization security best practices (e.g. have latest updates, security software) since this operating system will be used to run Active Directory Domain Services after the restore.
  • The physical disks should have enough free space to host the Active Directory® data after recovery.

The Install Active Directory recovery method includes the option to install the DNS server on the domain controller, which is enabled by default. For more information on DNS server settings, see DNS Configuration.

Remove DC

The Remove DC recovery method isolates the domain controller from other domain controllers and completely removes it from the domain; no actions are performed on the domain controller itself. This method should be used if the domain controller is inaccessible or you do not want to recover the domain controller due to failures. Disaster Recovery for Identity for Active Directory removes all metadata of domain controllers that are set for removal.

NOTE: If the recovery method for the domain is set to Delete Domain, the Remove DC recovery method is set by default for all domain controllers.

Adjust to Active Directory Changes

The Adjust to Active Directory Changes recovery method adjusts the DNS and IP configuration of the existing domain controller to ensure connectivity to the recovered domains. For example, in domains with AD-integrated DNS infrastructure, this recovery method automatically updates the DNS configuration of domains that were not restored if the IP address of the primary DNS server in the restored domain has changed, or if the IP addresses of non-restored domain controllers are removed from the DNS configuration.

NOTE: If the recovery method for the domain is set to Ignore Healthy Domain, the Adjust to Active Directory Changes recovery method is set for all domain controllers in the domain and cannot be modified.

Hybrid Agents and Domain Controller Agents

Disaster Recovery for Identity for Active Directory uses two types of agents: hybrid agents and domain controller (DC) agents. This section explains their roles, installation requirements, and best practices to ensure secure communication and reliable backup and recovery operations in your Active Directory environment.

Hybrid agents

A hybrid agent is used to securely communicate with any installed on-premises DC agents. To facilitate communication with your environment, a hybrid agent must be manually installed on-premises.

Ensure that the hybrid agent has a stable internet connection during the recovery operation and uses a DNS server that is not affected by the forest failure.

Where should the hybrid agent be installed?

The hybrid agent needs to be installed on a server that can access the Active Directory forest on which backup and restore operations are to be performed. You can install the agent on either a standalone or domain-joined server; however, the use of a standalone server is recommended to avoid disruptions caused by potential forest malfunctioning.

When setting up a hybrid agent server, ensure it can access Disaster Recovery for Identity for Active Directory even in the case of a disaster. For example, if the server uses an AD-integrated DNS server on a domain controller, and that domain controller becomes unavailable, the hybrid agent will lose access to the product, and backup or recovery will not be possible. Therefore, it is important to ensure that an alternate DNS server is specified to mitigate this risk.
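The DNS dependency described above can be tested on the hybrid agent server ahead of time. This is an added example, not part of the product: `$DomainControllerIPs` is assumed to come from your topology map, and `$ServiceHostName` is the product endpoint your tenant uses, which this page does not give and must be supplied.

```powershell
# Added example: checks that this server's DNS does not depend on the forest it must recover.
# Assumptions: $DomainControllerIPs comes from your topology map; $ServiceHostName is the
# product endpoint for your tenant (not given on this page, so it must be supplied).
param(
    [Parameter(Mandatory)] [string[]] $DomainControllerIPs,
    [Parameter(Mandatory)] [string]   $ServiceHostName
)

# Every IPv4 resolver configured on any adapter of the hybrid agent server.
$resolvers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses |
    Sort-Object -Unique

$results = foreach ($ip in $resolvers) {
    $onDc = $DomainControllerIPs -contains $ip
    # Ask this resolver directly, so a working first resolver cannot mask a dead fallback.
    $resolves = try {
        $null = Resolve-DnsName -Name $ServiceHostName -Server $ip -DnsOnly -ErrorAction Stop
        $true
    } catch { $false }
    [pscustomobject]@{ Resolver = $ip; HostedOnDC = $onDc; ResolvesService = $resolves }
}
$results | Format-Table -AutoSize

# Pass only if at least one resolver is outside the forest and can resolve the service name.
$independent = @($results | Where-Object { -not $_.HostedOnDC -and $_.ResolvesService })
if ($independent.Count -eq 0) {
    Write-Warning 'No working DNS resolver outside the forest: a forest outage would cut off the hybrid agent.'
    exit 1
}
Write-Output "OK: $($independent.Count) resolver(s) independent of the forest."
```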

To download the hybrid agent installer, go to Tenants | Hybrid Agents, select the Add agent button, and follow the instructions to install the agent. The account used for installing a hybrid agent must be a member of the local Administrators group. Only a single hybrid agent per forest is currently supported.

What if the hybrid agent is not available to the new environment?

When restoring a forest into a new environment, the existing hybrid agent might not be available because it was destroyed during the disaster or lacks access to the environment. In this case, you need to deploy a new hybrid agent in the environment. Before starting the recovery, update the forest to use the new hybrid agent. To do so, on the Forests tab, select Edit on the relevant tile, navigate to Connection Settings, and select the new hybrid agent.

Troubleshooting hybrid agent connectivity issues

The hybrid agent may become unavailable and prevent recovery from starting or proceeding if the machine hosting the hybrid agent loses internet connectivity due to a DNS server failure caused by a forest failure or outage. In this case, assign an operational DNS server to the hybrid agent machine.

Domain Controller Agents

A DC agent performs actions such as backup or restore on a single domain controller within your Active Directory forest.

Where should the DC agent be installed?

The DC Agent should be installed on each domain controller on which you may need to perform certain operations such as restoring from a backup during recovery.

Before you can install the DC agent on domain controllers, you must first add a forest and run topology discovery. You can install the DC agent from the Topology tab by either:

  1. Selecting the checkboxes for the relevant domain controllers and then selecting DC Agent | Install Agent, or
  2. Downloading the DC agent installer by selecting DC Agent | Download Agent and manually installing the agent on the desired machine.

The account used for installing a DC agent must be a member of the local Administrators group.

For more information about the permissions required for the hybrid agent and DC agent, see Required permissions in the Security section.
