You can use the Forest Recovery Console to create a virtual machine in Microsoft Azure Active Directory®. You can then use the Restore Active Directory® to Clean OS recovery method to restore Active Directory® on the virtual machine.
Create Active Directory backups
Create a recovery project
To create a virtual machine in Microsoft Azure®
In the Forest Recovery Console, create a new project or select an existing recovery project.
Select the Domain Controller to be created as a virtual machine in Azure®.
From the Recovery Method drop-down list, select Restore Active Directory on Clean OS.
In the Server access credentials section, type the user name and password that you want to be created as a local account on the new virtual machine in Azure®. These credentials are used during the Forest Recovery process.
NOTE: You cannot use 'Administrator' in the Local user name field as this name is reserved in Azure®.
In the Backup Access Credentials section, type the user name and password to access the selected backup file. The backup file must be accessible from the Forest Recovery Console and from the newly created DCs in Azure®. For example, if your backup is located on a file share in Azure®, supply credentials with access to the file share.
NOTE: The backup file must be accessible from both the Forest Recovery Console server and the newly created DCs in the Azure® virtual network. For example, the backup may be located on an Azure® file share, or access from the Azure® virtual network to backup files located on premises may be provided by setting up a Site-to-Site VPN connection.
On the Infrastructure tab, from the Infrastructure drop-down list, select Microsoft Azure.
Click Edit to configure the infrastructure template and virtual machine settings.
In the Recovery Project Settings window, on the Infrastructure tab, click Login to sign in to the Azure® tenant. Provide a user account that is assigned an Azure role with create and write permissions for the required resource group and all other virtual machine resources. The Azure® built-in role of Owner or User Access Administrator on the subscription is recommended.
NOTE: To create a virtual machine in Azure, the Az PowerShell module is required. If the module fails to install automatically, click the link provided to download and install the module manually. After installation, click Refresh to update the information on the Infrastructure tab.
After successful login, the fields on the Infrastructure tab are populated with information retrieved from the tenant, including the available subscriptions, resource groups, networks, and security groups. If a resource already exists in the selected Azure® subscription, RMAD will not create a duplicate. Reusing existing resources is recommended because it improves the performance of the restore operation.
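As an added example that is not part of the product, the following Az PowerShell pre-flight check confirms that the Az module is installed, signs in, and lists the role assignments the account holds on the chosen resource group (or at subscription scope if the group does not exist yet), so that permission problems surface before Verify Settings. The subscription id and resource group name are placeholders.

```powershell
param(
    [string]$SubscriptionId = '<subscription-id>',   # placeholder
    [string]$ResourceGroup  = '<resource-group>'     # placeholder: the group chosen on the Infrastructure tab
)

# 1. The Az PowerShell module is required; RMAD tries to install it, this only verifies that it is present.
$missing = 'Az.Accounts', 'Az.Resources' | Where-Object { -not (Get-Module -ListAvailable -Name $_) }
if ($missing) {
    Write-Warning "Missing module(s): $($missing -join ', '). Install with: Install-Module -Name Az -Scope CurrentUser"
    return
}

# 2. Sign in and select the subscription that the infrastructure template will use.
Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$account = (Get-AzContext).Account.Id

# 3. If the resource group does not exist yet, RMAD has to create it, which needs rights at subscription scope.
$rg = Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue
if ($rg) {
    $assignments = Get-AzRoleAssignment -SignInName $account -ResourceGroupName $ResourceGroup -ExpandPrincipalGroups
} else {
    Write-Host "Resource group '$ResourceGroup' does not exist yet; checking subscription-scope roles instead."
    $assignments = Get-AzRoleAssignment -SignInName $account -Scope "/subscriptions/$SubscriptionId" -ExpandPrincipalGroups
}

# 4. Report what the account holds, including assignments inherited from the subscription or management group.
$assignments | Select-Object RoleDefinitionName, Scope | Sort-Object RoleDefinitionName, Scope -Unique | Format-Table -AutoSize

# 5. Warn when none of the roles the documentation recommends is present.
$recommended = 'Owner', 'User Access Administrator'
if (-not ($assignments.RoleDefinitionName | Where-Object { $_ -in $recommended })) {
    Write-Warning "'$account' holds none of: $($recommended -join ', '). Login may succeed but resource creation can fail."
}
```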
From the Subscription drop-down list, select the subscription to be used by the infrastructure template.
In the Infrastructure Settings section, configure the following settings:
Location: Select the location where the virtual machine will be created.
Resource group: Select an existing resource group for the virtual machine or click Create new to create a new resource group.
Security group: Select the Network security group or click Create new to create a new Network security group within the selected Resource group.
Network: Select the virtual network where the virtual machine will reside or click Create new to add a new virtual network.
IP range: Specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign.
Subnetwork: Select an existing subnetwork or click Create new to create a new one.
Subnetwork IP range: Specify a subnetwork address range in CIDR notation (for example, 192.168.1.0/24). The range must be contained by the address space of the virtual network.
To manually assign a static IP address to the virtual machine to be created in Microsoft Azure, select the Manually assign a static IP address in the subnet's address range check box. After the template settings are configured and the Azure® template is applied to domain controllers, click the Infrastructure tab for the domain controller and, under Target Virtual Machine, type a valid IP address within the subnetwork IP range for the virtual machine in Azure®. When the virtual machine (Domain Controller) is created in Azure®, this IP address is statically assigned to it.
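The following function, added here and not part of RMAD or the Azure SDK, checks a planned IP range, subnetwork IP range and optional static IP against the rules above (the subnetwork must lie within the virtual network address space, and the static IP must lie within the subnetwork) before they are typed into the Infrastructure tab; it also flags the first four and the last address of a subnet, which Azure reserves for its own use. The sample addresses are constructed.

```powershell
function ConvertTo-IpNumber ([string]$Ip) {
    # IPv4 dotted quad to a 64-bit integer so ranges can be compared arithmetically.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

function Get-CidrBounds ([string]$Cidr) {
    # First and last address (as numbers) of a CIDR block such as 10.20.1.0/24.
    $net, $prefix = $Cidr -split '/'
    if (-not $prefix -or [int]$prefix -lt 0 -or [int]$prefix -gt 32) { throw "Invalid CIDR: $Cidr" }
    $mask  = (0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF
    $first = (ConvertTo-IpNumber $net) -band $mask
    $last  = $first -bor ((-bnot $mask) -band 0xFFFFFFFF)
    [pscustomobject]@{ First = $first; Last = $last }
}

function Test-AzureSubnetPlan {
    param(
        [Parameter(Mandatory)][string]$VNetAddressSpace,  # the "IP range" setting
        [Parameter(Mandatory)][string]$SubnetCidr,        # the "Subnetwork IP range" setting
        [string]$StaticIp                                 # optional static IP for the Target Virtual Machine
    )
    $vnet = Get-CidrBounds $VNetAddressSpace
    $sub  = Get-CidrBounds $SubnetCidr
    $problems = @()

    # The subnetwork range must be contained by the virtual network's address space.
    if ($sub.First -lt $vnet.First -or $sub.Last -gt $vnet.Last) {
        $problems += "Subnetwork $SubnetCidr is not contained by the IP range $VNetAddressSpace"
    }
    if ($StaticIp) {
        $ip = ConvertTo-IpNumber $StaticIp
        if ($ip -lt $sub.First -or $ip -gt $sub.Last) {
            $problems += "Static IP $StaticIp is outside the subnetwork $SubnetCidr"
        } elseif ($ip -le ($sub.First + 3) -or $ip -eq $sub.Last) {
            # Azure keeps the first four and the last address of each subnet for itself; a VM cannot use them.
            $problems += "Static IP $StaticIp is one of the addresses Azure reserves in $SubnetCidr"
        }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: virtual network 10.20.0.0/16, DC subnetwork 10.20.1.0/24, static DC address 10.20.1.10
Test-AzureSubnetPlan -VNetAddressSpace '10.20.0.0/16' -SubnetCidr '10.20.1.0/24' -StaticIp '10.20.1.10'
```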
The Forest Recovery Console should have access to the virtual network where the Azure® virtual machine will be created. If no Point-to-Site or Site-to-Site VPN connection to the Azure® virtual network exists, select the Connect VMs using Virtual Network Gateway (VPN Connection) check box to connect to Azure® using an existing Virtual Network Gateway, or to create a new Virtual Network Gateway. When this check box is selected, a VPN connection to Azure® is configured automatically on the Forest Recovery Console machine for communication. Next, complete the following steps:
From the Network drop-down list, select an existing Virtual network gateway or click Create new to create a new Virtual network gateway.
The Address Pool field lists the client address pool from which VPN clients that connect to the virtual network through this point-to-site connection receive their IP address.
IMPORTANT: The Virtual Network Gateway (VPN connection) will take approximately 30 minutes to be created. If Connect VMs using Virtual Network Gateway (VPN Connection) and Delete Infrastructure after verification are both selected, the Virtual Network Gateway will be deleted as part of the infrastructure. Since the Virtual Network Gateway will need to be created again during the restore operation, the length of time required for the recovery will be increased by 30 minutes.
To remove all resources created by the Verify Settings process, select the Delete infrastructure after verification check box. After the Verify Settings process is complete, all resources within the Resource group are removed except the Resource group itself. This is useful for testing purposes or to manage cost. During recovery, the required Azure® resources are created again. If the Delete infrastructure after verification check box is not selected, resources created by the Verify Settings process remain and are used for future verifications and recoveries.
NOTE: If unused resources are not deleted, this may incur additional cost for your tenant.
In the Virtual machine Settings section, configure the following settings:
Virtual machine name: Type a name for the virtual machine or use the {DnsName} template.
Overwrite the VM if exists: Select this check box if you want the new VM to overwrite an existing one with the same name.
Delete VM after verification: Select this check box to delete the virtual machine after the Verify Settings process is complete. This is useful for testing purposes, or to manage cost when the machine is expected to be unused. The check box is automatically selected when the Delete infrastructure after verification check box is selected. If a recovery process is started, the machine is recreated.
Virtual machine size: Select the instance type for the virtual machine size that you want based on the number of CPUs and amount of memory. A full list of all available instance types is provided for selection.
Auto select virtual machine size: Select this check box to have the virtual machine size automatically selected based on the original domain controller configuration. When automatically selecting the virtual machine size, Recovery Manager for Active Directory uses the Microsoft Azure® Virtual Machine D-series for general purpose computing. The number of cores is then read from the backup and the closest match found. For cost efficiency the smallest available memory size is selected.
Storage type: Select the storage type. This affects performance.
Disk size: Select Use Original Sizes for the disk size to be determined by the size of the Active Directory data (DIT, LOGS, SYSVOL) in the backup. Select Set Size to customize the size of the disk for the virtual machine.
NOTE: The disk will have a minimum size (128 GB for an operating system disk and 8 GB for a data disk). If the selected disk size is not large enough for the restored data, the system will use the required size and this setting will be ignored.
Click Apply then click OK.
NOTE: If the signed-in user does not have sufficient permissions to create or write the resource group and resources, an error message is displayed. If the user was recently granted permissions for the resource group, refresh the credentials in the Recovery Project Settings window.
A service principal containing the settings you configured is created for the connection to Azure®.
NOTE: After you have configured the default infrastructure template named "Microsoft Azure", you can clone the default template. That is, you can create a new template based on the Azure® template and apply it to other DCs in the Forest Recovery project.
To start recovery of Active Directory to Microsoft Azure® virtual machines
Click Verify Settings to start the project verification. During verification, resources will be created in Microsoft Azure® based on the infrastructure template assigned to the Domain controller(s) in the project.
After Verify Settings has successfully completed, click Start Recovery.
During recovery, the Active Directory backups of the domain controllers defined in the recovery project will be restored to newly created virtual machines in Microsoft Azure®.
Active Directory® failure, which includes corrupted, completely lost, or unbootable domain controllers, is something that scares any administrator. There can be a lot of reasons for the loss of valuable data. It can be caused by any error, a virus, or a natural disaster. With our disaster recovery plan, you get an insurance policy for your business information.
This section contains recommendations for recovering an Active Directory® forest if forest-wide failure renders all domain controllers (DCs) in the forest incapable of functioning normally.
NOTE: Domain controllers that are running on virtual machines in Amazon Web Services™ (AWS™) or Microsoft Azure® cannot be restored with the Bare Metal Active Directory® Recovery method because there is no way to boot such DCs from an ISO image.
If you do not want to encrypt BMR backups, we recommend that you enable the Server Message Block (SMB) Encryption feature (SMB version 3.0 and higher) on the network share to secure the network connection. For more details on how to turn on SMB Encryption, see SMB security enhancements. Note that the backed up domain controllers must support SMB Encryption as well.
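An added example, not from the product documentation, assuming the SMB repository is a Windows file server named backup_srv01 with a share named RMADBackups (both placeholders): the first commands run on the file server to require SMB Encryption on the share and list the dialect of connected clients; the last command runs on a backed-up DC to confirm that its connection negotiated SMB 3.x with encryption.

```powershell
# --- On the file server that hosts the BMR backup share ---
$ShareName = 'RMADBackups'   # placeholder share name

# Require encryption for this share only. Clients that cannot negotiate SMB 3.0 or later are refused.
Set-SmbShare -Name $ShareName -EncryptData $true -Force

# Optional, stricter: refuse unencrypted access to every share on this server.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# Verify the share setting took effect.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData

# Sessions still connected after the change show which clients negotiated an SMB 3.x dialect;
# a DC that only speaks SMB 2.x will not be able to write its backups here any more.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

# --- On a backed-up domain controller ---
# Confirm the connection to the repository is SMB 3.x and actually encrypted on the wire.
Get-SmbConnection -ServerName 'backup_srv01' |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```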
The best practice is to store backups in a repository located in the same Active Directory® site, because of the faster network connection.
For Windows Server® 2008 R2, BMR backups that are stored on the Forest Recovery Console host are not supported.
The account that is used to access the BMR backups location must have Read and Write permissions for that location.
If the process of creating a Windows Server® 2008 R2 BMR backup completes with an error similar to "The sector size of the physical disk on which the virtual disk resides is not supported", make sure that the disk sector size on the target machine (NAS device or similar) is equal to 512 bytes. For instance, the NetApp® ONTAP® operating system uses the following command: vserver cifs options modify -file-system-sector-size 512
Active Directory® does not allow the use of a backup with an age that exceeds the Active Directory® tombstone lifetime (default is 180 days). However, if there is an RMAD BMR backup that is older than 180 days and a more recent Active Directory® backup, you can successfully perform the restore operation.
The number of physical disks on the target computer must be equal to or exceed the number of critical disks on the source machine at the time the backup was created. A critical disk contains critical volumes (volumes that contain the operating system's state).
The order of system partitions must be the same on the target disk as on the source one.
The physical disks on the target computer must be of the same size as the critical disks or larger.
If a source machine with legacy BIOS firmware has physical disks of different sizes, it is critical to have the same physical disk order on the target machine. For example, if a source has two disks, disk 0 (90 GB) and disk 1 (40 GB), the target should have the same 90-40 order.
The firmware on the target computer must be compatible with the configuration of the source disks.
If the physical disks on the source computer have the GPT partition style, the target computer must have UEFI firmware and must be booted in the UEFI mode.
If the physical disks on the source computer have the MBR partition style, then the target machine should be booted in the BIOS-compatibility mode (or just legacy BIOS mode).
Source partition style | BIOS (Target firmware) | UEFI (Target firmware) |
---|---|---|
GPT | Incompatible | Compatible |
MBR | Compatible | Compatible (legacy BIOS-compatibility mode) |
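As an added example (not RMAD's own tooling), this PowerShell function applies the rules above to a target machine: run it on the target while it has a Windows OS booted (for example when qualifying spare hardware), feeding it the critical disks recorded from the source DC. The $SourceDisks list is a constructed placeholder.

```powershell
# Constructed placeholder: the critical disks of the source DC as recorded before the BMR backup was taken
# (on the source you could capture them with: Get-Disk | Select-Object Number, Size, PartitionStyle).
$SourceDisks = @(
    [pscustomobject]@{ Number = 0; Size = 90GB; PartitionStyle = 'GPT' },
    [pscustomobject]@{ Number = 1; Size = 40GB; PartitionStyle = 'GPT' }
)

function Test-BmrTargetCompatibility {
    param([Parameter(Mandatory)][object[]]$Source)
    $issues   = @()
    $target   = @(Get-Disk | Sort-Object Number)
    $firmware = $env:firmware_type      # 'UEFI' or 'Legacy', set by Windows according to how the target booted

    # Rule 1: the target needs at least as many physical disks as the source had critical disks.
    if ($target.Count -lt $Source.Count) {
        $issues += "Target has $($target.Count) disk(s); source had $($Source.Count) critical disk(s)"
    }

    # Rules 2 and 3: same disk order, and each target disk at least as large as the source disk in that position.
    $pairs = [math]::Min($target.Count, $Source.Count)
    for ($i = 0; $i -lt $pairs; $i++) {
        $srcGB = [math]::Round($Source[$i].Size / 1GB)
        $tgtGB = [math]::Round($target[$i].Size / 1GB)
        if ($target[$i].Size -lt $Source[$i].Size) {
            $issues += "Target disk $($target[$i].Number) is $tgtGB GB but source disk $($Source[$i].Number) was $srcGB GB (keep the same order; same size or larger)"
        }
    }

    # Rule 4: partition style versus target firmware, following the compatibility table.
    $styles = @($Source.PartitionStyle | Select-Object -Unique)
    if ($styles -contains 'GPT' -and $firmware -ne 'UEFI') {
        $issues += "Source disks are GPT but the target booted as $firmware; GPT requires UEFI firmware booted in UEFI mode"
    }
    if ($styles -contains 'MBR' -and $firmware -eq 'UEFI') {
        $issues += "Source disks are MBR but the target booted in UEFI mode; boot it in legacy BIOS-compatibility mode"
    }

    if ($issues) { $issues } else { 'Target is compatible with the source disk layout' }
}

Test-BmrTargetCompatibility -Source $SourceDisks
```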
It is recommended that you encrypt your Bare Metal Recovery backup by selecting the Encrypt and protect backups with password option (by default, this option is disabled) on the Backup tab in the collection properties. For details, see Creating BMR and Active Directory backups. In this case, not only the backup data stored on the remote share is encrypted, but the data transferred over the network during the backup operation is encrypted as well.
If Active Directory® backup encryption is enabled, the RMAD BMR backup will be encrypted by BitLocker. Recovery Manager for Active Directory uses a virtual hard disk encrypted by BitLocker as a container for the backup (256-bit AES encryption).
An encryption key for the backup is derived from the backup password and is not tied to a TPM chip (if any). This means that the encrypted RMAD BMR backup can be used on another machine, with a different TPM chip or none at all. Only the backup password is required.
The BitLocker Drive Encryption feature must be installed on all backed up domain controllers and on the Forest Recovery Console machine to support encrypted BMR backups. Note that installing the BitLocker feature does not encrypt DC drives automatically. After the feature is installed, the machine must be rebooted.
NOTE: After disaster recovery, volumes on the restored machine will not be BitLocker-protected. You must enable BitLocker protection again, if required.
To enable backup encryption, see Enabling backup encryption.
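An added example, not part of RMAD: install the BitLocker feature where it is missing on every DC in the forest and on the Forest Recovery Console host, and report which machines still need the reboot. $FrcHost is a placeholder, and the script assumes the ActiveDirectory module and PowerShell remoting to all targets are available.

```powershell
$FrcHost = 'frc01.corp.example'      # placeholder: the Forest Recovery Console machine

# Every DC in every domain of the forest, plus the console host.
$targets = @(foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain | Select-Object -ExpandProperty HostName
})
$targets += $FrcHost

$report = Invoke-Command -ComputerName $targets -ScriptBlock {
    $feature = Get-WindowsFeature -Name BitLocker
    if ($feature.Installed) {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Installed = $true; RestartNeeded = 'No' }
    } else {
        # Installs the feature only: no drive is encrypted by this, and the machine still has to be rebooted
        # before encrypted BMR backups can be created on or restored from it.
        $result = Install-WindowsFeature -Name BitLocker -IncludeManagementTools
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Installed = $result.Success; RestartNeeded = $result.RestartNeeded }
    }
}

# RestartNeeded is 'Yes' on machines that must be rebooted in a maintenance window.
$report | Format-Table Computer, Installed, RestartNeeded -AutoSize
```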
To restore the Active Directory data in case of failure, you must periodically create a BMR backup for at least one domain controller in each domain in your environment, along with the Active Directory® data backup.
What should you do?
Decide on a Backup Location: For BMR backups, the best practice in an enterprise environment is to deploy a dedicated backup server performing the role of an SMB repository with high disk I/O throughput to cope with the amount of backup data. You need to specify custom access credentials for the share so that the backup data can be accessed even when Active Directory® is unavailable.
Create Backups: The backup schedule is defined by the customer based on the available resources and the desired level of protection.
Bare Metal Recovery (BMR) Backup: It is recommended to prepare a BMR backup for a forest recovery because it can be restored to different hardware instances. The best practice is to create BMR backups only once a week to minimize the required storage space. By default, only system-critical volumes are included in a BMR backup. If you need to include additional volumes, see Creating BMR and Active Directory® backups.
Active Directory Backup: A standard Active Directory backup includes Active Directory-specific data, for example the Active Directory database and the registry. It is recommended to create an Active Directory® backup daily. In case of critical failures (such as DC hardware failure or malware) it will be possible to fully restore the domain with the combination of the most recent BMR backups and the latest Active Directory® backups.
For details on how to create backups, see Creating BMR and Active Directory backups.
Recovery Manager for Active Directory (RMAD) has the option to convert a Windows Server Backup to an RMAD BMR backup. Note that a Windows Server Backup cannot be converted to an encrypted backup.
To convert a Windows Server Backup and then register the resulting backup, use the following command:
PS C:\> Convert-RMADBackup \\backup_srv01\wsb\WindowsImageBackup \\backup_srv01\backups\dc1.vhdx | Add-RMADBackup
For Windows Server Backups, you have to specify the full path to the WindowsImageBackup folder.
For more details about RMAD PowerShell® Help, see the Management Shell Guide supplied with this release of the product.