Recovery Manager for AD 10.2.2 - User Guide


Adding containers to a Computer Collection

You can add containers such as Active Directory® domains, sites, or organizational units to a Computer Collection. When a Computer Collection includes a container, it implicitly includes all domain controllers that are in that container. You can select containers in the details pane after browsing the console tree and selecting a node that holds the containers you want to add.

Domains are located under the Active Directory/Forest <Name> node; organizational units are located under domain nodes. You can add Active Directory® forests to the Active Directory node by using the Connect to Forest command on the node’s Action menu.

To add a container to a selected Computer Collection
  1. Right-click the Computer Collection, point to Add, and then click Container.

  2. In the Domain box, select the domain that includes the container or type the DNS name of the domain. If you typed the domain name, click Connect to redraw the tree in the Containers box.

  3. Browse the directory tree in the Containers box to locate and select the container.

  4. In the dialog box, click OK.

Note

For a Computer Collection that includes a container, backups are created for all domain controllers in the container, including newly created DCs that are not explicitly listed in the Computer Collection.

Alternatively, you can add containers to a Computer Collection using the following procedure:
  1. Browse the Recovery Manager Console tree to select the node that holds the containers you want to add.

  2. In the details pane, select the containers you want to add. To select multiple containers, hold down CTRL, and click the containers.

  3. On the Action menu, click Add to Collection.

  4. In the dialog box that opens, select an existing Computer Collection or click New Collection to create and select a new Computer Collection.

  5. In the dialog box, click OK.

Note

You can also drag the containers selected in the details pane to the target Computer Collection in the console tree, or use the Copy and Paste commands.

To view and modify an exclusion list for a container

This option lets you specify an explicit list of the domain controllers that will not be included in the backup.

  1. In the Recovery Manager Console tree, select the Computer Collection that holds the container.

  2. In the details pane, right-click the container and select Properties.

  3. In the Properties dialog box, click Modify.

  4. In the Available domain controllers list, select the domain controllers you want to exclude, and then click Add.

  5. Click OK.

 

Adding AD LDS (ADAM) hosts and instances to a Computer Collection

You can add AD LDS (ADAM) hosts and instances to a Computer Collection. AD LDS (ADAM) instances available for a selected AD LDS (ADAM) configuration set are located under the Active Directory/AD LDS (ADAM) Configuration Set/All Instances node. To add an AD LDS (ADAM) configuration set to a Computer Collection, you need to connect to AD LDS (ADAM).

To connect to AD LDS (ADAM)
  1. In the Recovery Manager Console tree, select the Active Directory node.

  2. From the main menu, select Action | Connect to AD LDS (ADAM).

  3. In the dialog box that opens, do the following:

    • In the AD LDS (ADAM) host box, type the full DNS name of the host to which you want to connect.

    • In the Port number box, type the port number used by AD LDS (ADAM).

    • In the User name and Password boxes, type the user name and password with which you want to access the AD LDS (ADAM) host. Note that to display these boxes, you may need to click the Options button.

  4. When finished, click OK.

To add AD LDS (ADAM) hosts to a particular Computer Collection
  1. Right-click the Computer Collection, point to Add, and then click AD LDS (ADAM) Host.

  2. In the Select Computers dialog box, enter the names of the AD LDS (ADAM) hosts you want to add or select the hosts from the list and click Add. The Select Computers dialog box allows you to specify multiple AD LDS (ADAM) host names.

Recovery Manager for Active Directory backs up all AD LDS (ADAM) instances hosted on the computer you have added to a Computer Collection.

To add AD LDS (ADAM) instances to a Computer Collection
  1. In the Recovery Manager Console tree, expand the appropriate Active Directory/AD LDS (ADAM) Configuration Set node, and then click All Instances.

  2. In the details pane, select the instances you want to add. To select multiple instances, hold down CTRL, and click the instances.

  3. On the Action menu, click Add to Collection.

  4. In the dialog box that opens, select an existing Computer Collection or click New Collection to create and select a new Computer Collection.

  5. In the dialog box, click OK.

Note

Alternatively, you can drag the selected AD LDS (ADAM) instances to the target Computer Collection in the console tree or use the Copy and Paste commands.

You can also select a Computer Collection, and then add AD LDS (ADAM) hosts to the selected Collection.

 

Removing items from a Computer Collection

To remove items from a Computer Collection
  1. In the Recovery Manager Console tree, select the Computer Collection from which you want to remove items.

  2. In the details pane, select the items you want to remove. Use CTRL and SHIFT to select multiple items.

  3. Right-click the selection, and then click Delete.

 

Hybrid Recovery with On Demand Recovery

Recovery Manager for Active Directory integration with On Demand Recovery enables the restoration and undelete of on-premises objects that are synchronized with Azure Active Directory.

About the Hybrid Connector

The Hybrid Connector Windows service establishes a secure connection to the On Demand Recovery online service, enabling simultaneous restoration of both on-premises and online objects.



Figure: Simplified architectural Hybrid services block diagram

What can be restored using hybrid recovery

  • On-premises groups

  • Office 365® licenses (assignedLicenses property for cloud users) and cloud group membership

  • Deleted on-premises users and groups

  • Service principals' appRoleAssignments to on-premises users

  • appRoleAssignments to non-Office 365® groups (used for SSO and App Roles)

  • Directory roles: Global administrator, Exchange administrator, Compliance administrator

  • Other cloud-only properties: such as Block sign in, Authentication contact information, Minors and Consent

  • Multifactor authentication (MFA) settings if a customer uses cloud MFA

  • Azure® application custom attributes (schema extension attributes)

  • Conditional access policies

  • Inactive mailboxes of permanently deleted users; the Federated Domain scenario is also supported.

Important Considerations

To restore on-premises objects, On Demand Recovery uses attribute values from the RMAD backup that is closest in time to, but older than, the cloud backup unpacked in the On Demand Recovery user interface. If the closest on-premises backup is 24 hours older than the cloud backup, a warning message is displayed.

By default, the search for the closest-in-time on-premises backup is performed among the backups that were unpacked in RMAD. If you select the Use unpack and encrypted backups for restore operations option in the Hybrid Recovery settings of RMAD, the on-premises backup is unpacked automatically during the restore operation.

On Demand Recovery shows only on-premises attributes synchronized with the cloud and cloud-only attributes for the selected object when you click Browse in the Restore Objects dialog. On-premises only attributes are not included in this list. To restore on-premises only attributes, you must select the Restore all attributes option in the Restore Objects dialog.

After the hybrid restore operation, On Demand Recovery forces Azure AD Connect synchronization to push on-premises changes to the cloud and waits until the synchronization completes. Restore events can be used to track the steps of Azure AD Connect synchronization, such as export and import.

To restore the 'member' or 'memberOf' attributes of an object, restore the group from the Unpacked Objects view. Restoring group memberships from the Differences report is not supported in hybrid environments.

Hybrid restore from the Differences report uses attribute values from the on-premises backup. These values may be different from the corresponding values shown in the Differences report.

On Demand Recovery supports one hybrid connection per On Demand organization. If you need to manage multiple hybrid tenants, create a separate On Demand organization for each Hybrid Azure AD tenant.

On Demand Recovery restores Back Link attributes: 'memberOf' (the back link for the 'member' attribute) and 'directReports' (the back link for the 'manager' attribute). These attributes can be selected along with all other attributes when you click Browse in the Restore Objects dialog.

A separate Microsoft Azure Relay service is used for each hybrid connection (one per On Demand organization): On Demand Recovery creates a WCF Relay per On Demand organization. No changes to on-premises firewall settings are required.

On Demand Recovery users can restore objects from all on-premises domains and forests that are synchronized with the Azure AD tenant. In Recovery Manager, you must also add domain controllers for every domain that will be restored and specify the account under which the restore operation will be performed.

Required Permissions

Depending on which kind of restore operation (agent-based or agentless) you are going to perform in a hybrid configuration, the account under which you want the selected Recovery Manager for Active Directory instance to recover data in the domain must meet the corresponding requirements. For details about account permissions for agent-based and agentless restore, see Permissions required to use Recovery Manager for Active Directory.

To push an Azure® synchronization, the specified account must be a member of the ADSyncOperators group on the Azure® Active Directory® synchronization server. This account must also be able to run remote PowerShell commands against the server.
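Both requirements above can be checked from the RMAD console host before the Hybrid Recovery settings are saved. The following PowerShell script is an added example, not Quest's code; it assumes WinRM is enabled on the Azure AD Connect server (Windows Server 2016 or later, for Get-LocalGroupMember) and uses $AadConnectHost and $Credential as placeholder parameters for the server name and the account entered under Azure AD Connector Settings.

```powershell
# Added example (not part of the Quest documentation): verify that the account
# used for Azure AD Connector Settings can run remote PowerShell against the
# sync server and is a member of its local ADSyncOperators group.
# $AadConnectHost and $Credential are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)][string]$AadConnectHost,
    [Parameter(Mandatory)][pscredential]$Credential
)

# Requirement 2: remote PowerShell must work against the sync server.
# Invoke-Command throws if WinRM is unreachable or the credential is refused,
# so the membership check below is only reached when remoting succeeds.
try {
    $members = Invoke-Command -ComputerName $AadConnectHost -Credential $Credential -ScriptBlock {
        # ADSyncOperators is a local group created by the Azure AD Connect installer.
        Get-LocalGroupMember -Group 'ADSyncOperators' | Select-Object -ExpandProperty Name
    }
} catch {
    Write-Error "Remote PowerShell to $AadConnectHost failed: $($_.Exception.Message)"
    return
}

# Requirement 1: the account itself must be in ADSyncOperators.
# Get-LocalGroupMember reports domain accounts as DOMAIN\user, so supply the
# credential in that form. Membership inherited through a nested domain group
# is not detected by this direct comparison; inspect $members by hand in that case.
$account = $Credential.UserName
if ($members -contains $account) {
    Write-Output "OK: $account is in ADSyncOperators on $AadConnectHost and remote PowerShell works."
} else {
    Write-Warning "$account is not listed directly in ADSyncOperators on $AadConnectHost. Current members:`n$($members -join "`n")"
}
```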

How to disable hybrid integration on the Web Portal

If hybrid integration is configured on the Web Portal, it must be disabled before configuring hybrid integration from the Recovery Manager for AD (RMAD) console. Otherwise, the online restore operation may fail.

Follow the steps below to fully disable hybrid integration on the Web Portal.

  1. Log on to the Web Portal.

  2. Select the “Configuration” tab at the top.

  3. Expand the “Portal Settings” expander.

  4. Click the “Configure On Demand” button.

  5. Clear the “Enable integration” checkbox.

  6. Click “OK” to save and close the dialog.

  7. Open the Windows “Services” application.

  8. Find the Windows service “Quest Recovery Manager Portal” in the list.

  9. Right-click the service and select “Stop”.

  10. Once the service has been stopped, it can be re-enabled later if desired.

Web Portal and Recovery Manager for Active Directory (RMAD) version compatibility

To continue using the Web Portal with newer versions of the RMAD console, some configuration changes must be made.

To make the necessary configuration changes, follow the steps below.

  1. Navigate to the installation directory of the Web Portal (the default installation location is C:\Program Files (x86)\Quest\Recovery Manager Portal).

  2. Open the file EnterprisePortalSettings.xml.

  3. Inside the GeneralSettings element, find the property VersionValidationMode. If this property is not present, create it.

  4. Change the value of VersionValidationMode to None.

Below is a sample of what the configuration should look like once the changes have been made.

  <GeneralSettings>
      <add key="VersionValidationMode" value="None" />
      Other configuration values…
  </GeneralSettings>

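Steps 1 to 4 can also be applied with a script. The following PowerShell is an added example, not part of the Quest documentation; it assumes the default installation path above, that EnterprisePortalSettings.xml has no XML namespace (as in the sample), and that it is run from an elevated prompt because the file lives under Program Files.

```powershell
# Added example (not part of the Quest documentation): set VersionValidationMode
# to None in EnterprisePortalSettings.xml, creating the <add> entry if absent.
# Assumes the default install path from step 1; adjust $PortalDir otherwise.
$PortalDir = 'C:\Program Files (x86)\Quest\Recovery Manager Portal'
$SettingsFile = Join-Path $PortalDir 'EnterprisePortalSettings.xml'

# Keep a timestamped copy so the original validation setting can be restored.
$backup = "$SettingsFile.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $SettingsFile -Destination $backup

[xml]$xml = Get-Content -LiteralPath $SettingsFile -Raw

# Element names are taken from the sample above; the XPath assumes no namespace.
$general = $xml.SelectSingleNode('//GeneralSettings')
if (-not $general) { throw "GeneralSettings element not found in $SettingsFile" }

$entry = $general.SelectSingleNode("add[@key='VersionValidationMode']")
if (-not $entry) {
    # Step 3: the property is absent, so create it.
    $entry = $xml.CreateElement('add')
    $entry.SetAttribute('key', 'VersionValidationMode')
    [void]$general.AppendChild($entry)
}
$entry.SetAttribute('value', 'None')   # Step 4

$xml.Save($SettingsFile)
Write-Output "VersionValidationMode set to None in $SettingsFile (backup: $backup)"
```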
Configure Hybrid Recovery
  1. From within the RMAD Console, select the Hybrid Recovery node from the tree on the left.

  2. Select the Enable integration with On Demand Recovery checkbox to enable a secure connection to the online On Demand Recovery service.

  3. Enter the On Demand Recovery Settings using the following procedure:

    • Navigate to the On Demand Recovery online dashboard and select the Recovery menu option from the left-hand side (highlighted in yellow in the image below)

    • Click OPEN under the Recovery Standard panel

    • Click CONFIGURE CONNECTION under the Hybrid Connection panel. This will bring up the hybrid connection dialog.

    • Click the Download hybrid credentials button on the dialog to download the required connection credentials. This file will be used to configure the On Demand Recovery Settings in the Recovery Manager for Active Directory console.

    • From the Hybrid Recovery node in the Recovery Manager for Active Directory console, click the ellipsis (…) button inside the Url text box. This opens the Windows file dialog. Navigate to the location where the hybrid credentials file was saved (in the previous step) and select Open. This automatically populates all the required fields under the On Demand Recovery Settings.

  4. Enter the Azure AD Connect host and its associated credentials under Azure AD Connector Settings. The values to enter depend on where Azure AD Connect is installed.

    NOTE: If Azure AD Connect is currently installed on the same server as the Recovery Manager for Active Directory console, then these fields can be left blank.

    • Azure AD Connector Host: Enter the host name or IP address of the system where Azure AD Connect is installed.

    • Username: Enter the domain username for this server. This account must have the permissions listed under the Required Permissions section.

    • Password: Enter the domain password for this server.

  5. Enter the domain username, password, and primary computer for each domain listed under Discovered Domains. The designated primary computer will be used for hybrid recovery operations.


    The domains listed under Discovered Domains are pulled from backups, so at least one backup per domain is required to fully populate this list.

    After performing a backup, it may be necessary to refresh this list manually by clicking the refresh button.

  6. Once all configuration has been entered, click the Save settings button located at the bottom of the screen.

 
