Location of Customer Data
All data, application logs and computations are performed on server(s) provided by the customer.
Backups created with Recovery Manager for Active Directory can be stored in multiple locations. Primary storage of backups allows backup files to be saved on a distributed network or on selected computers with physically restricted access. Recovery Manager considers these locations as primary storage, referred to as Tier 1 storage.
Primary Storage (Tier 1)
Recovery Manager for Active Directory provides options for primary storage in both local and remote locations. Local storage refers to storage on the Recovery Manager console computer, while remote storage refers to storage on the backed-up domain controller or other remote servers on network shares. These locations are considered remote because they are not on the Recovery Manager console computer.
For both local and remote storage locations, a primary backup path can be provided, along with an alternate backup path.
Primary storage is used for saving the original backup files to a safe location. For primary storage, the backup agent creates the backup file, compresses the data, and then saves the file to the configured storage locations. In the diagram below, refer to lines numbered 1 to view the process that is followed to save the backup file to primary storage locations. The RPC protocol is used to save backup files to the console computer. For saving to remote storage locations, the SMB protocol is used.
Figure 2: Primary Storage for Backups
The figure above illustrates how Recovery Manager for Active Directory creates and saves backup files to primary storage locations.
| NOTE |
Some components in figure, may not apply to your edition of Recovery Manager for Active Directory. Refer to User Guide for your edition. |
Privacy and Protection of Customer Data
Recovery Manager for Active Directory provides protection for customer sensitive data both in transit and at rest.
Recovery Manager for Active Directory uses encryption algorithms to do the following:
- Encryption of backup files
- Encryption of Forest Recovery project files
- Encryption of data (passwords, scripts) in the Recovery Manager configuration database (rmad.db3)
- Encryption of credentials for AD and AD LDS (ADAM) instances
- Encryption of reporting database credentials
- Encryption of password in email settings
- Encryption of password for persistence database
- Encryption of passwords for configuration backups
Also, Recovery Manager uses signing algorithms for communication with the following components:
- Hybrid Connect Service – data signing is done in communications via WCF transport security.
- Agents – data signing is done in communications via RPC transport security, including RPC over Schannel mode.
Network Communications
The architectural diagram of the product with all the components is shown in Figure 1. Figures 5, 6 and 7 provide information about the communication ports required to work with Recovery Manager for Active Directory.
This section provides information about the communication ports required to work with Recovery Manager for Active Directory.
Figure 5: Ports used by Recovery Manager for Active Directory Console to work with Active Directory
Figure 6: Ports used by Recovery Manager for Active Directory Console to work with AD LDS (ADAM)
Figure 7: Ports used by Forest Recovery Console
Authentication of Users and Services
Recovery Manager for Active Directory relies upon Windows Authentication and Active Directory group membership to authenticate users.
In scenarios where Windows Authentication may be unavailable due to Active Directory failures, Recovery Manager uses certificate-based SCHANNEL authentication to establish secure connection between Forest Recovery Console and the Forest Recovery Agent.