What exactly are the various credentials that are required for each DC in the Forest Edition console?
Recovery Manager Forest Edition requests 3 sets of credentials:
See attached screenshot.
1. Local administrator credentials
This is a domain account that has administrative rights on the domain controller. These credentials are used by the Recovery Manager Forest Edition console to connect to the DC.
Enter only the account name, AdminAccount, in this field. The console does not accept the "SOMETHING\AdminAccount" syntax, only "AdminAccount". Regardless, "AdminAccount" will be a domain account from the same domain that the DC resides in.
Although it seems inconvenient that you cannot specify an account from another domain (e.g. an Enterprise Admin account from a parent domain), there is an important reason for requiring credentials from the local domain. During development and testing of Recovery Manager Forest Edition, engineering found that this is the most robust approach. The product requires an account that is likely to be authenticated in very stressful situations - where a machine is restored from backup, all passwords are reset, replication doesn't work, etc. Testing showed that local administrators (e.g. Domain Admins) work best.
Enterprise Admins and administrator accounts from parent domains were not as reliable. The problem is that during the recovery operation on the child DCs, no domain controllers from the parent domain will be online to authenticate the account (keep in mind that Recovery Manager Forest Edition restores all DCs in parallel). The DC therefore needs to be able to authenticate the account by itself, using its own AD replica, with no help from other DCs.
2. DSRM administrator credentials
To restore a DC from backup, the DC must first be rebooted into DSRM (Directory Services Restore Mode). Every DC has its own DSRM password, which is independent of Active Directory. Because the passwords can vary from DC to DC, and administrators may not readily have access to them, Recovery Manager Forest Edition resets the DSRM password on the DC to the value you set in the Forest Edition Console. Therefore, the password you specify in the Console does not have to match the current DSRM password on the DC.
3. Backup access credentials
If the backup is stored locally on the DC then it is not necessary to specify these credentials. However, backup access credentials are necessary if the backup is stored on a network share. This domain\user must be able to access and copy the backup from the network location where the backup is stored to the DC.
***This solution only applies to the Forest Edition of Recovery Manager for AD***