
Recovery Manager for AD 10.3.1 - User Guide


Renaming Computer Collections

Recovery Manager for Active Directory assigns a default name to a newly created Computer Collection. You can rename a Computer Collection to assign it a more descriptive name.

To rename a Computer Collection
  1. Right-click the Computer Collection and then click Rename.

  2. Type a new name for the Computer Collection and then press ENTER.

When renaming a Computer Collection for which a backup creation task is scheduled, you may be prompted to supply the user name and password of the account under which you want to run the scheduled backup creation operation. This is because Task Scheduler may need to re-create the backup creation task when a Computer Collection is renamed. When creating a scheduled task, Task Scheduler requires that you supply the user name and password of the user account under which the task will run. For more information, see Setting user account for scheduled tasks.

 

Modifying Computer Collection properties

To modify properties for a Computer Collection
  • In the console tree, right-click the Computer Collection, and then click Properties.

The Properties dialog box opens, allowing you to specify what to back up, where to store backups, and what kind of logging to use. In addition, the Properties dialog box allows you to manage the backup creation schedule for the Collection and specify the user account under which the scheduled backup creation operation will run.

All settings specified in the Properties dialog box for a Computer Collection only relate to that Computer Collection. Different Computer Collections may have different properties.

For more information about Computer Collection properties, see Properties for an existing Computer Collection.

 

Deleting Computer Collections

To delete a Computer Collection
  • In the console tree, right-click the Computer Collection you want to delete, and then click Delete.

This only deletes the Computer Collection you selected along with the computer and container shortcuts it includes and the backup creation tasks scheduled for that Computer Collection. The containers, domain controllers, and AD LDS (ADAM) hosts whose shortcuts were added to the Computer Collection are not deleted. Deleting a Computer Collection does not delete the backups that were created for that Collection.

 

Specifying an access account for Backup Agent and backup file storage

For each Computer Collection (applicable to all domain controllers within a collection), you can specify a user account that will be used to access the following:

  • Backup Agent that is manually or automatically installed on domain controllers in the Computer Collection. The account is used for the following operations:

    • creating backups

    • discovering Backup Agent instances or updating Backup Agent information

    • installing, upgrading, or uninstalling Backup Agent instances

  • Locations on target domain controllers or UNC shares where backup files created for the Computer Collection are to be saved. For more information on how to specify these locations, see Remote Storage tab section in Properties for an existing Computer Collection.

These credentials are also used to connect to Active Directory® in the following cases:

  • Showing or refreshing the content of collections that contain containers

  • Operating on collections that contain container items

  • This account is used for backup unpacking only if no account is configured on the Remote Storage tab

For example: modifying an exclusion list for a container; installing the Backup Agent from a collection menu, collecting diagnostic data, etc.

To specify an access account
  1. In the Recovery Manager Console tree, select the Computer Collection for which you want to specify an access account.

  2. From the main menu, select Action | Properties.

  3. On the Agent Settings tab, select the Use the following account to access Backup Agent check box.

  4. Click Select Account, and specify the user name and password of the account with which you want to access Backup Agent, backup storages, and global catalog servers.

  5. When finished, click OK.

Note

Recovery Manager for Active Directory has deprecated support for specifying a group managed service account (gMSA) as the account that connects to the backup agent for manually triggered backups. Managed service accounts will continue to be supported for scheduled backup tasks. In line with Microsoft® guidance, it is recommended not to use a gMSA for interactively initiated network connections, such as Recovery Manager for Active Directory manually triggered backups. To enforce this recommendation and to address the vulnerability CVE-2023-21524 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21524), Microsoft has limited the use of managed service accounts through a Windows Update. Removing support for a gMSA to connect to the backup agent ensures that an attacker does not exploit the RMAD backup agent to perform actions or access resources over the network. To get the benefits and security provided by a gMSA, we highly recommend using a gMSA for the scheduled backup task. See Setting user account for scheduled tasks.

You can also specify a separate account that will be used to access the backup storage on the Remote Storage tab.

If no access account is specified on the Agent tab and no scheduled tasks exist for the Computer Collection, Recovery Manager for Active Directory (RMAD) will use the account under which the Recovery Manager Console is currently running.

If no access account is specified and a backup creation task is scheduled for the Computer Collection, RMAD will use the account under which the scheduled task is run. You can view and change this account on the Schedule tab in the Properties dialog box for a Computer Collection. For more information, see Schedule tab subsection in Properties for an existing Computer Collection.

Note

The scheduled task account is not used to access the Remote Storage from the agent side. The agent uses a local system account on a domain controller for this operation.

For additional information about the account requirements, see Permissions required for the Backup operation.

 
