Overview
About Recovery Manager for Active Directory Disaster Recovery Edition
Features and benefits
Getting started
Comprehensive Active Directory recovery options
AD LDS (ADAM) recovery
Granular, selective restore
Group Policy recovery
Restore on Clean OS
Antimalware checks for backups
Centralized remote administration
Secondary Storage for backups
Audit of objects and operations
Integration with Change Auditor for Active Directory
Management Shell
Scheduling and automation
Scalability and performance
Simplified restoration of an Active Directory forest
Bare metal forest recovery
Granular, domain-level recovery
Integration with On Demand Recovery
Automation of manual operations
Creation of virtual test environments
Remote quarantine
Fault tolerance
Simultaneous system recovery
Support for Windows tools for restoring domain controllers
Recovery pauses
Recovery plan
Running custom scripts
Technical overview
Permissions required to use Recovery Manager for Active Directory
Recovery Manager Console
Getting and using help
Configuring Windows Firewall
Using Computer Collections
Backing up data
Creating Computer Collections
Renaming Computer Collections
Modifying Computer Collection properties
Deleting Computer Collections
Specifying an access account for Backup Agent and backup storage
Adding domain controllers to a Computer Collection
Adding containers to a Computer Collection
Adding AD LDS (ADAM) hosts and instances
Removing items from a Computer Collection
Cloud Storage
Adding Azure Cloud Storage
Viewing Cloud Storage
Editing Cloud Storage
Removing Cloud Storage
Cloud Storage Backup
Secure Storage servers
Hardening a Secure Storage server
Accessing a Secure Storage server
Adding a Secure Storage server
Upgrading a Secure Storage server
Secure Storage server with Multiple Consoles
Configuring Allowed Volumes for a Secure Storage server
Viewing Secure Storage backups
Secure Storage server backups
Configuring backup retention policy for Secure Storage server
Managing Recovery Manager for Active Directory configuration
Preparing for working with Active Directory or AD LDS (ADAM) backups
Settings
Default properties for Computer Collections
Properties for an existing Computer Collection
Licensing
Backup tab
Local Storage tab
Remote Storage tab
Secondary Storage tab
Agent Settings tab
Schedule tab
Alerts tab
Performance tab
Advanced tab
Unpacked Backups tab
Container and site properties
Properties for a domain or organizational unit
Properties for an Active Directory site
Properties for an AD LDS (ADAM) site
Sessions node properties
Forest properties
Domain properties
Domain controller properties
AD LDS (ADAM) partition properties
AD LDS (ADAM) instance properties
Showing or hiding AD LDS (ADAM) partitions
Showing or hiding domains
Showing or hiding sites
Permissions required for the Backup operation
Managing Backup Agent
Restoring data
Installing Backup Agent automatically
Preinstalling Backup Agent manually
Discovering preinstalled Backup Agent
Updating Backup Agent information
Upgrading Backup Agent
Uninstalling Backup Agent
Removing a Backup Agent entry from the Backup Agent Management node
Using a least-privileged user account to back up data
Using Managed Service Accounts
Active Directory backups vs Windows System State backups
Creating BMR and Active Directory backups
Using the Backup Wizard
Retrying backup creation
Enabling backup encryption
Backing up AD LDS (ADAM)
Method 1: Back up AD LDS (ADAM) from the Recovery Manager Console
Method 2: Schedule backup creation for AD LDS (ADAM)
Backing up cross-domain group membership
Backing up distributed file system (DFS) data
Backup scheduling
Setting performance options
Setting advanced backup options
Using Forest Recovery Agent
Unpacking backups
Configuring default settings to unpack backups
Configuring Computer Collection-specific settings to unpack backups
Unpacking a backup manually
Deleting data unpacked from a backup
Using e-mail notification
Viewing backup creation results
Getting started with Active Directory recovery
Full Replication
Consolidating backup registration data
Monitoring Recovery Manager for Active Directory
Active Directory recovery options
Implications of the online restore
Using agentless or agent-based method
Managing deleted or recycled objects
Restoring backed up Active Directory components
Integration with Change Auditor for Active Directory
Using granular online restore
Restoring AD LDS (ADAM)
Method 1: Restore an AD LDS (ADAM) instance from a backup created with Recovery Manager for Active Directory
Method 2: Restore an AD LDS (ADAM) database from a backup created with third-party software
Selectively restoring Active Directory object attributes
Restoring objects in an application directory partition
Restoring object quotas
Restoring cross-domain group membership
Performing a restore without having administrator privileges
Reports about objects and operations
Reports about Active Directory objects
Reports about AD LDS (ADAM) objects
Reports about Group Policy objects
Data about who modified Active Directory objects
Using complete offline restore
Offline restore implications
Restoring SYSVOL authoritatively
Performing a granular restore of SYSVOL
Recovering Group Policy
Restoring data from third-party backups
Using the Extract Wizard
Creating a Windows Server 2008 R2-based domain controller from a backup
Creating a Windows Server 2012-based or higher domain controller from a backup
Restoring passwords and SID history
Supported versions of Microsoft Operations Manager
Importing Management Pack
Rules provided in Microsoft System Center Operations Manager
Health dashboards
Recovering an Active Directory forest
Forest recovery overview
Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition)
Permissions required to use Forest Recovery Console
Forest Recovery Console
Restore Active Directory on Clean OS
Bare metal forest recovery
Toolbar
Project summary
List of domain controllers
Domain controller recovery settings and progress
Configuring advanced settings
Managing a recovery project
Creating a recovery project
Opening a recovery project
Saving a recovery project
Updating a recovery project
Specifying recovery project settings
Verifying recovery project settings
Scanning backups for viruses
Scheduling project verification
Specifying recovery settings for a DC
Selecting backups for recovery
Using recovery alerts
Using recovery pauses
Copying a backup file to a new location
Recovery methods
Restore Active Directory from backup method
Install Active Directory method
Reinstall Active Directory method
Uninstall Active Directory method
Restore SYSVOL
Restore Active Directory on Clean OS method
Bare Metal Active Directory Recovery method
Do not recover method
Do nothing method
Adjust to Active Directory changes method
Phased recovery
Managing Forest Recovery Agent
Installing or upgrading Forest Recovery Agent
Viewing installed Forest Recovery Agent version
Uninstalling Forest Recovery Agent
Rebooting domain controllers manually
Resetting DSRM Administrator Password
Purging Kerberos Tickets
Managing the Global Catalog servers
Managing FSMO roles
Manage DNS Client Settings
Configuring Windows Firewall
Developing a custom forest recovery plan
Backing up domain controllers
Assigning a preferred DNS server during recovery
Handling DNS servers during recovery
Forest recovery approaches
Recovery approach 1: Restore as many domain controllers from backups as possible
Recovery approach 2: Restore one domain controller from backup in each domain
Deciding which backups to use
Running custom scripts while recovering a forest
Overview of steps to recover a forest
Viewing forest recovery progress
Viewing recovery plan
Viewing a report about forest recovery or verify settings operation
Handling failed domain controllers
Adding a domain controller to a running recovery operation
Selectively recovering domains in a forest
Step 1: Select domains to recover
Step 2: Specify recovery settings for domain controllers
Step 3: Start recovery
Recovering SYSVOL
Deleting domains during recovery
Resuming an interrupted forest recovery
Recovering read-only domain controllers (RODCs)
Checking forest health
Collecting diagnostic data for technical support
Bare metal recovery requirements and limitations
Preparing backups
Restoring from standard Active Directory backup
NIC teaming support
Disaster recovery workflow
Boot from the ISO image automatically
Using Management Shell
Creating virtual test environments
Dell Remote Access Controller (iDRAC)
HP ProLiant iLO Management Engine (iLO)
VMware ESXi
Microsoft Hyper-V
Custom host controllers
Creating a virtual test environment using Disaster Recovery Edition
About Active Directory Virtual Lab
Permissions
Communication ports
Support for VMware DRS Clusters
Deployment
User interface
Using Recovery Manager for Active Directory web portal
Toolbar
List of source computers
Virtual machine creation settings and events
Virtual lab project default settings
How to create a virtual test environment
About Recovery Manager Portal
Installing Recovery Manager Portal
Connecting to Recovery Manager Portal
Administering Recovery Manager Portal
Appendices
Configuring portal for working with Recovery Manager for Active Directory
Viewing health summary for Recovery Manager for Active Directory instances
Viewing backup creation history
Recovering data using Recovery Manager Portal
Step 1: Install Recovery Manager Remote API Access Service
Step 2: Configure Recovery Manager for Active Directory
Step 3: Add Recovery Manager for Active Directory instances
Step 4: Configure recovery settings for Active Directory domains
Modifying recovery settings for domains
Assigning roles to portal users
Delegating restore or undelete permissions
Configuring e-mail notification
How Recovery Manager Portal recovers data
How to use packed and/or encrypted backups for restore operations
How to enable diagnostic logging
To skip replication after restore in portal
To configure firewall after the restore operation
Integration with On Demand Recovery
Frequently asked questions
Why do I need to restore deleted users or groups, rather than re-create them?
How can I restore a user or group in Active Directory?
How does online restore work?
When an object is undeleted, what is restored from the tombstone and what is restored from the backup?
What's the difference between an online restore and an authoritative restore?
What's the difference between the agentless restore method and the agent-based restore method?
Can I undelete a mailbox-enabled user?
In the Group Policy Restore Wizard, a GPO link is shown as deleted, but the link actually exists in Active Directory. What's wrong?
What is a primary restore of the SYSVOL?
How do I change the Backup Agent port number?
How does Recovery Manager for Active Directory select a DC for an authoritative (primary) restore of SYSVOL during forest recovery?
How does Recovery Manager for Active Directory isolate domain controllers during forest recovery?
How does Recovery Manager for Active Directory select a DC to add the global catalog during forest recovery?
Best practices for using Computer Collections
Technical characteristics
Best practices for creating backups
Develop a backup and restore plan
Determine which domain controllers to back up and how often
Methods for deploying Backup Agent
Retain recent backups
Where to store backups
Best practices for creating backups for forest recovery
How many instances of the Recovery Manager Console to deploy?
How many domain controllers to back up?
How many domain controllers to back up at once?
What data to back up?
Using data compression
Using unpacked backups
Best practices for recovering a forest
How many Instances of the Forest Recovery Console to deploy?
Where to Install the Forest Recovery Console?
Backing up the Recovery Manager for Active Directory configuration
Descriptions of recovery or verification steps
Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition)
Backup Wizard
What to Back Up
Where to Store Backups
When to Back Up
Computer Collection Name (optional)
Completing the Backup Wizard
Online Restore Wizard
Wizard Operation Mode
Domain Selection
Backup Selection
Backup for Comparison (optional)
Unpacked Backups Folder Selection
Backup Data Preparation
Domain Access Options
Objects to Be Processed
Operation Selection
Processing Options
Additional Options
Operation Start
Operation Progress
Operation Option
Objects to Be Restored
Where to Restore Deleted Objects
Operation Results
Completing the Online Restore Wizard
Online Restore Wizard for AD LDS (ADAM)
Wizard Operation Mode
AD LDS (ADAM) Instance Selection
Backup Selection
Backup for Comparison
Unpacked Backups Folder Selection
Backup Data Preparation
AD LDS (ADAM) Access Options
Objects to Be Processed
Processing Options
Reporting Options
Operation Start
Operation Progress
Operation Option
Objects to Be Restored
Operation Results
Completing the Online Restore Wizard for AD LDS (ADAM)
Group Policy Restore Wizard
Domain Selection
Backup Selection
Unpacked Backups Folder Selection
Backup Data Preparation
Select Domain Controller
Group Policy Object Selection
GPO Restore Options
Link Restore Options
Restore Process Start
Completing the Group Policy Restore Wizard
Repair Wizard
Computer and Backup Selection
Target Computer
Computer Restart
Primary Restore of SYSVOL
Restore Process Start
Restore Progress
Authoritative Restore Selections
Computer Restart in Normal Mode
Completing the Repair Wizard
Extract Wizard
Events generated by Recovery Manager for Active Directory
Editing Cloud Storage
To edit the properties of a registered Cloud Storage.
- In the Recovery Manager for Active Directory console, expand the Storage node.
- Select the Cloud Storage node in the console tree.
- In the Cloud Storage pane, right-click the cloud storage that you want to edit, and select Properties.
- In the Properites dialog box edit the Display Name, Azure Storage Account Connection String and Container fields.
- Select the checkbox for one or more computer collections in the Backups from selected collections will be copied to the cloud storage list. All available computer collections will be displayed. Backups from selected computer collections will be copied to the Cloud Storage.
| note |
If a computer collection has be configured with no access credentials to read the backup file a warning icon will be displayed. To enter access credentials refer to Computer Collection Properties Secondary Storage tab. If the computer collection has both local and remote primary storage configured, the local storage will be used to copy to Cloud Storage and access credentials for local storage are required. |
- Click OK
Removing Cloud Storage
To remove a Cloud Storage from Recovery Manager for Active Directory console
- In the Recovery Manager for Active Directory console, expand the Storage node.
- Select the Cloud Storage node in the console tree.
- In the Cloud Storage pane, select the registered Cloud storage account to be removed, right-click and select Remove.
- Select Yes to the confirmation message.
| note |
Removing Cloud Storage from Recovery Manager for Active Directory unregisters the cloud storage account from Recovery Manager. No backup files are removed. |
Cloud Storage Backup
After a backup creation session completes for a computer collection and the backup is saved to configured primary storage locations (Tier 1), an upload session will be started to copy the backup to all cloud storage locations. Recovery Manager for Active Directory supports multiple Cloud Storage locations per computer collection.
The backup upload session is created and managed with the Quest Recovery Manager Cloud Storage service on the Recovery Manager console machine. Each backup upload session is displayed in the Backup Upload Sessions pane. For each session, you can view the backup file path, upload location, creation timestamp, finished timestamp, and the status of the upload.
| note |
The Backup Upload Sessions pane has a display limit of 100 items and a time limit of the last 30 days. There may be upload sessions outside these limits. |
To view a backup upload sessions for a cloud storage account
- In the Recovery Manager for Active Directory console, expand the Storage node.
- Select the Cloud Storage node in the console tree.
- Select the registered cloud storage in the Cloud Storage pane. The backup upload sessions for the selected cloud storage will be displayed in the bottom pane Backup Upload Session. The backup path, upload to path, created timestamp, finished timestamp and current status will be displayed.
- To filter the upload sessions for the cloud storage, you can select the toggle buttons at the top right corner of the pane.
- Select Total (7 days) to view all upload sessions in the last 7 days.
- Select Queued to view all upload sessions that are waiting in the queue to be processed.
- Select In Progress to view upload sessions that are in progress and backup files are being uploaded.
- Select Completed to view successfull and completed upload sessions.
- Select Failed to view failed upload sessions. Any failed upload sessions can be retried.
To cancel a backup upload session
- In the Recovery Manager for Active Directory console, expand the Storage node.
- Select the Cloud Storage node in the console tree.
- Select the registered cloud storage in the Cloud Storage pane.
- In the Backup Upload Session pane, select the session with the status of In Progress or Queued, right click and select Cancel.
- Select Yes on the confirmation dialog.
To retry a backup upload session
- In the Recovery Manager for Active Directory console, expand the Storage node.
- Select the Cloud Storage node in the console tree.
- Select the registered cloud storage in the Cloud Storage pane.
- In the Backup Upload Session pane, select the failed session, right click and select Retry.
To remove a backup upload session
- In the Recovery Manager for Active Directory console, expand the Storage node.
- Select the Cloud Storage node in the console tree.
- Select the registered cloud storage in the Cloud Storage pane.
- In the Backup Upload Session pane, select the session, right click and select Remove.
- Select Yes on the confirmation dialog.
| note |
Only the backup upload session is removed from the Recovery Manager database. The backup file on the cloud storage is not removed. |
Secure Storage servers
Recovery Manager for Active Directory provides the ability to set up a dedicated secure backup storage server. If you use a Secure Storage server in your environment it helps prevent unauthorized modification or malware attacks on backup data, supporting your key data security and compliance initiatives. For more information on how a Secure Storage server is secured, see Hardening Secure Storage servers below.
| IMPORTANT |
Use of Secure Storage Server requires a Recovery Manager for Active Directory Disaster Recovery Edition license. |
Requirements
- Operating system: Microsoft Windows 2016 or higher
- A stand-alone server to be used as your Secure Storage server. This server should be a workgroup server and not joined to an Active Directory domain.
- An account that will be used to deploy the Storage Agent on the Secure Storage server. This account must also be a local Administrator on the Secure Storage server.
- Physical access to the Secure Storage server. Once the server is hardened access with regular methods will be disabled.
- Sufficient storage space on the Secure Storage server for all backup files. For one backup file, the space required is at least the size of the backed-up Active
Directory database file (Ntds.dit) and the SYSVOL folder plus 40MB for the transaction log files. The space check performed also includes an extra 1 GB to ensure enough space is available.
Best Practices
-
We highly recommend using a new, dedicated, clean physical server as your Secure Storage server to help ensure access methods are kept to a minimum.
-
Secure additional methods of accessing the Secure Storage server such as console or serial access.
-
Recommend the Secure Storage have additional volumes available in addition to the system drive. It is not advised to store backups on the system drive.
| note |
Virtual machines are more susceptible to ransomware attacks and if a virtual machine is used for your Secure Storage server, a bad actor could gain access to backups on the server or delete the entire Secure Storage server. |
User Scenario
Backup data for all domain controllers can be accumulated on primary storage, and at the same time, you can make a copy of your backup data on a Secure Storage server. The Secure Storage agent will pull the backup securely to the Secure Storage server while the firewall on the Secure Storage server remains in place. If disaster strikes, you could lose your backups on primary storage and even your installation of Recovery Manager for Active Directory but your Secure Storage server will remain in place.
