지금 지원 담당자와 채팅
지원 담당자와 채팅

Recovery Manager for AD Disaster Recovery Edition 10.2.2 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Cloud Storage Secure Storage Server Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Restore Active Directory on Clean OS method Bare metal forest recovery Using Management Shell Creating virtual test environments Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Where to Install the Forest Recovery Console?

The best practice is to install the Forest Recovery Console on a standalone computer. This allows you to avoid situations where a corruption in Active Directory® prevents you from using the Forest Recovery Console.

 

Backing up the Recovery Manager for Active Directory configuration

It is recommended to regularly back up the Recovery Manager for Active Directory (RMAD) configuration, so that you could quickly reinstall the product and restore its configuration to the last backed up state in case RMAD becomes inoperable due to a failure. All the RMAD configuration data is held in the following location on the RMAD computer: %AllUsersProfile%\Quest\Recovery Manager for Active Directory. The Recovery Manager Console saves its configuration data in the following files:

  • Rmad.db3. Contains the Recovery Manager Console configuration data, such as computer collections and backup creation sessions.

  • Backups.mdb. Contains the backup registration database that stores information about created Active Directory® and AD LDS (ADAM) backups.

As a rule, the overall size of these .mdb files does not exceed 10 MB.

The Forest Recovery Console saves all its configuration data in the Forest Recovery Project (.frproj) file.

 

Descriptions of recovery or verification steps

The next table describes the steps you may encounter in the Recovery Plan or on the Progress tab in the Forest Recovery Console while running a restore or verify settings operation. Some steps are applicable only to Recovery Manager for Active Directory Disaster Recovery Edition.

ID Name Description
EnableGC Add global catalog Adds the global catalog to the DC if:
- The global catalog was removed from DC during recovery.
- The recovery project settings specify to rebuild the global catalog.
If no global catalog servers were successfully restored from backup, the global catalog is added to the DC that was assigned the Schema Master role during the recovery.
AdjustAd Adjust to Active Directory changes Tries to perform the following operations to avoid rebuilding of Global Catalog:
- Removes lingering objects from non-recovering domains
- Unhost\Rehost the recovered domain partitions from non-recovering domains if the previous operation has failed

If all previous operations were unsuccesfull, rebuilds Global Catalog.
BootTargetHost Boot target machine using Quest Recovery Environment image Boot target machine using Quest® Recovery Environment image.
BringDisksOnline Bring all disks online Makes all disks on the recovered domain controller online.
UpdateGCPartitionOccupancyLevel Change global catalog partition occupancy level Sets the appropriate global catalog partition occupancy level to advertise the global catalog servers in DNS according to the recovery project settings.
CheckADInstallationPath Check AD installation paths Checks whether the specified "DIT database path", "Log files path" and "SYSVOL path" are available.
ValidateSecondStage Check domain controller recovery settings Checks that Active Directory® backup is newer than Windows backup.
CheckFreeSpace Check free space Checks whether there is a sufficient amount of free disk space on the DC to accommodate the backup file and perform the recovery operation.
CheckBackupAccess Check if backup is available Checks that the backup file specified in the DC recovery settings is accessible.
GetEncryptableVolumes Check if BitLocker is enabled Checks whether BitLocker® Drive Encryption is enabled on the domain controller.
Gets the BitLocker® configuration if BitLocker® is enabled.
EnsureComputerIsDc Check if computer is a domain controller Checks if the computer is a domain controller to ensure that restore from backup is possible.
EnsureComputerIsNotDc Check if computer is not a domain controller Checks if a computer is a standalone server to ensure that Active Directory® can be installed.
If a target computer was not explicitly specified in the project settings, then the source domain controller (Source DC) will be used to verify the project against.
If the project is verified against the "Source DC" a warning message will be displayed.
Attempting to perform a restore operation while targeting the "Source DC" will result in an error.
EnsureRodcIsNotRecovering Check if domain controller is read-only Checks whether the DC is read-only (RODC).
EnsureTargetHostBootIsRequired Check if machine is booted from Quest Recovery Environment image Checks if the machine is booted from Quest® Recovery Environment image.
CheckLogicalDiskConfiguration Check logical disks configuration Checks whether the specified "DIT database path", "Log files path" and "SYSVOL path" point to the existing logical disks on the target server.
CheckOSVersion Check operating system version Checks that the target machine has the same Operating System as the backed-up domain controller.
CheckTargetHardware Check that hardware and firmware of the target machine are compatible with the backup Checks that hardware and firmware of the target machine are compatible with the backup.
ValidateTargetAddress Check whether the automatically selected IP address is not in use Checks if the target IP address does not have conflicts with other DCs.
DnsCleanup Clean up DNS records of removed domain controllers Removes DNS resource records of all domain controllers that were not restored from backup.
This includes the domain controllers whose restore from backup has failed.
RemoveUnrecoveredDomains Clean up metadata for domains that were not restored if necessary Cleans up metadata of the domains in which no DCs were successfully restored from backup or for which you specified to not recover any DCs.
RemoveUnrecoveredDc Clean up metadata of removed domain controllers Removes metadata of all domain controllers that were not restored from backup.
This includes the domain controllers whose restore from backup has failed and those for which a recovery method other than "Restore from backup" has been selected.
RestoreDnsRelations Configure DNS server Updates DNS server delegation and forwarding in accordance with the new IP address of a target machine.
When Active Directory-integrated DNS is used, Recovery Manager for Active Directory® restores DNS Servers from a backup and checks if there are any DNS Servers in different DNS zones.
If there are such DNS servers, Recovery Manager for Active Directory® restores delegation and forwarding between domain DNS zones.
All restored DNS Servers from a particular domain will be configured as delegation and forwarding targets.
ScheduleAgentInstallation Configure Forest Recovery Agent on restored machine Deploys and configures Forest Recovery Agent on the recovered domain controller.
PrepareRestore Copy the backup file to domain controller If a backup was configured, then copies the backup file specified in the DC recovery settings to the DC. If there was no backup configured, this step will be skipped.
PrepareRestoreFromBackupIfThereIsOne Copy the backup file to domain controller, if there is one If a backup was configured, then copies the backup file specified in the DC recovery settings to the DC.
If there was no backup configured, this step will be skipped.
CreateVM Create virtual machine Creates a virtual machine.
DeleteInfrastructure Delete target infrastructure. Deletes target infrastructure.
The following Azure resources will be deleted:
- Network security group
- Virtual network
- Virtual network gateway
- Resource group
DeleteVM Delete virtual machine Deletes a virtual machine after verification.
GetBootMode Detect current boot mode Checks whether the computer is in the Normal mode or DSRM recovery mode.
DisableBitlocker Disable BitLocker Disables BitLocker® Drive Encryption if it is enabled on the domain controller.
DisablePasswordFilters Disable custom filters for passwords Disables any third-party custom password filters enabled on the DC.
This step is required to ensure the filters do not block any password reset operations during the recovery.
DisableWindowsModulesInstaller Disable Windows Modules Installer Disables Microsoft Windows Modules Installer on the DC for the duration of the recovery.
This prevents software updates from interrupting the restore process.
DisableWindowsUpdates Disable Windows Update Disables Microsoft Windows Update on the DC for the duration of the recovery.
EjectImageFromTargetHost Eject Quest Recovery Environment image Ejects Quest® Recovery Environment image.
EnableBitlocker Enable BitLocker Enables BitLocker® Drive Encryption if it was disabled on the domain controller earlier in the recovery process.
EnablePasswordFilters Enable custom filters for passwords Enables the third-party custom password filters that were disabled on the DC earlier in the recovery process.
DisableReplication Enable domain controller isolation Uses IPsec policies to restrict all traffic on the DC except:
- Network traffic to/from the Forest Recovery Console
- Incoming RDP traffic
- Incoming and outgoing ICMP traffic
- Incoming and outgoing DNS traffic
- File share access traffic
- Internal TCP traffic

This step does not delete any existing IPsec policies.
EnableGcCheck Enable the use of global catalog for user authentication Enables the use of the global catalog for user login validation.
EnableWindowsModulesInstaller Enable Windows Modules Installer Re-enables Microsoft Windows Modules Installer on the DC.
EnableWindowsUpdates Enable Windows Update Re-enables Microsoft Windows Update on the DC.
EnsureGcIsActivatedAndAvailable Ensure global catalog is available Performs all necessary operations to ensure a global catalog server is available in the forest and functioning properly.
ApplyGroupPolicy Ensure group policies are applied Updates group policies settings applied to the domain controller.
Restarts domain controller to execute boot time policies.
EnableReplication Ensure that domain controller isolation is disabled Disables any IPsec policies that were enabled during the recovery. Enables the IPsec policies that were in effect before the recovery started.
Sets certain additional parameters that require a DC that restarts and holds operations master roles to have successful AD DS replication with its known replica partners before it advertises itself as DC.
EnableReplicationForRODC Ensure that domain controller isolation is disabled (if DC is read-only) Disables any IPsec policies that were enabled during the recovery.
Enables any IPsec policies that were in effect before the recovery started.
EnsureAgentIsWorking Ensure that Forest Recovery Agent is installed and running Checks the installed version of the Forest Recovery Agent.
If necessary, installs the agent or upgrades it to the version supplied with the Forest Recovery Console you are using.
EnsureRecoveryMediaIsCreated Ensure that Quest Recovery Environment image is available Checks that the Quest® Recovery Environment image is created for the domain controller.
If it is not found, the recovery environment with corresponding settings will be created for the domain controller.
If the Quest® Recovery Environment network settings, third-party drivers, Recovery Agent, or communication keys are outdated, the Quest® Recovery Environment image file will be recreated.
EnsureDCHasSysvolShare Ensure that the SYSVOL share is available Checks that the SYSVOL share is available on the DC.
ExtractBackup Extract the backup file components Extract backup components data on the target server.
GetComputerInfo Get information about computer Collects the following information from the computer:
- IP addresses of all network adapters
- IP addresses of all DNS servers on all network adapters
- DNS names of all the FSMO role holders in the forest
- Installed Forest Recovery Agent version (if any)
- Current Windows Updates service startup mode
- Whether the computer is a DC, a member server or a stand-alone machine
- Whether the computer is a RODC
- Operating system version
- Current boot mode
GetComputerInfoFromBackup Get information about computer from backup Collects the following information from the backup:
- IP addresses of all network adapters
- IP addresses of all DNS servers on all network adapters
- Operating system version
- Active Directory installation paths
- Current Windows Updates service startup mode
GetReplicationInfo Get replication data from the DC Collects replication data from DC. The collected data will be used later to determine if lingering objects are present.
InstallAd Install Active Directory Domain Services Installs Active Directory® Domain Services (AD DS) on the computer and promotes it as a domain controller using domain and forest name of the original DC.
If necessary, renames computer to the name of the original DC prior to promotion.
Enables Global Catalog if the corresponding option is set in the DC recovery settings.
Restarts the computer after the AD DS installation completes.
InstallAdFromMedia Install Active Directory from media Installs Active Directory® Domain Services (AD DS) on the computer and promotes it as a domain controller using domain and forest name of the original DC, and the provided backup data.
If necessary, renames computer to the name of the original DC prior to promotion.
Enables Global Catalog if the corresponding option is set in the DC recovery settings.
Restarts the computer after the AD DS installation completes.
InvalidateRidPool Invalidate RID pool Invalidates the current RID pool.
This operation prevents the restored domain controller from re-issuing RIDs from the RID pool that was assigned at the time the backup was created.
ResetSYSVOL Mark the SYSVOL to be overridden by the primary SYSVOL Configures replication service to get proper SYSVOL files from authoritatively restored DC.
Disables the use of a global catalog for user login validation. This allows users other than the built-in Administrator to log on during the recovery.
PrepareInfrastructure Prepare target infrastructure. Prepare target infrastructure.
The following Azure resources will be created if required:
- Network security group
- Virtual network
- Virtual network gateway
RaiseRidPool Raise RID pool Raises the value of available RID pools by the value specified in the Forest Recovery Console configuration file (100,000 by default).
CollectRegistryInfo Reading original DC info from backup Reading an original DC logical disks configuration (paths to the DIT database and SYSVOL).
ReinstallAd Reinstall Active Directory Domain Services Demotes domain controller, then installs Active Directory® Domain Services and promotes it as a domain controller again using domain and forest name of the original DC.
Enables Global Catalog if the corresponding option is set in the DC recovery settings.
Restarts the computer after the AD DS installation completes.
ReinstallAdFromMedia Reinstall Active Directory from media Demotes domain controller, then installs Active Directory® Domain Services and promotes it as a domain controller again using domain and forest name of the original DC, and the provided backup data.
Enables Global Catalog if the corresponding option is set in the DC recovery settings.
Restarts the computer after the AD DS installation completes.
DisableGC Remove global catalog Removes the global catalog from DC if all of the following is true:
- The DC is a global catalog server
- You selected an option in the recovery project settings to rebuild the global catalog to ensure no lingering objects are present.
CleanupGcDataIfRequired Remove global catalog if necessary Removes the global catalog from DC if necessary, provided that the DC is a global catalog server.
CleanUp Remove temporary files Deletes the backup file from DC if the file was copied to the DC during the recovery.
InitialReplication Replicate FSMO role owners Replicates Active Directory® configuration:
- Recalculates replication topology with Knowledge Consistency Checker (KCC)
- Replicates FSMO role owners
- Replicates configuration naming context and waits until replication is completed at least for one partner
SetAccountPasswords Reset computer account passwords Resets computer account passwords twice to an automatically-generated value. The passwords are reset for the current DC and all other DCs in the project.
By default, the automatically-generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.
SetDsrmPassword Reset DSRM administrator password Resets the DSRM administrator password to the value specified in the DC recovery settings.
ResetAdminPwd Reset password for users in privileged groups Resets password for domain users in the privileged groups.
SetKrbtgtPassword Reset the Krbtgt password Resets the krbtgt password twice to an automatically-generated value to isolate domain controllers that were not recovered.
By default, the automatically-generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.
SetTrustPasswords Reset trust passwords Resets the trust passwords twice to a generated value.
By default, the automatically-generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.
This operation is performed for all implicit and explicit trusts between this domain and all other trusted domains in the forest. Trust passwords for any external trusts are not reset.
RebootToDsrm Restart domain controller in DSRM Restarts the DC in DSRM.
RebootDsrmAfterFullRestore Restart domain controller in DSRM Reboots recovered domain controller into Directory Services Restore Mode and resets the password for the domain administrator account.
RebootToDsrmIfRequired Restart domain controller in DSRM if necessary If DSRM is not the current mode, this step restarts the domain controller in DSRM and resets the DSRM password.
RebootToNormalMode Restart domain controller in normal mode Restarts the DC in normal mode for the changes to take effect.
When performing this step on a DC restored from backup, Recovery Manager for Active Directory® also resets the user password to the value specified in the DC recovery settings.
This password reset overwrites the old password restored from backup.
RebootToNormalModeAfterRestore Restart domain controller in normal mode Restarts the DC in normal mode.
Then, resets the user password to the value specified in the DC recovery settings.
This password reset is required to overwrite the old password restored from backup.
RebootToNormalModeIfRodc Restart domain controller in normal mode if necessary Checks if the domain controller is read-only (RODC). If so, restarts the RODC for changes to take effect.
Restore Restore data from backup Restores the Active Directory® database (.dit file), SYSVOL, and system registry entries from
the backup specified in the DC recovery settings.
Disables the use of a global catalog for user login validation. This allows users other than
the built-in Administrator to log on during the recovery.
RestoreFromBackupIfThereIsOne Restore data from backup, if there is one If a backup was configured, restore SYSVOL from the backup.
If a backup was not configured, configures the replication service to get SYSVOL files from authoritatively restored DC.
FullServerRestore Restore disks from a BMR Backup Performs bare-metal recovery of the machine from BMR Backup.
RestoreGCPartitionOccupancyLevel Restore initial global catalog partition occupancy level Sets the global catalog partition occupancy level to the value that existed before the recovery started.
RestoreWindowsServices Restore start types of Windows services Restore start types of Windows services that were changed during recovery.
ValidateFullServerRestore Run pre-recovery checks Checks the following:
- Whether the BMR backup specified in the DC recovery settings is accessible.
- If the recovery from the Active Directory® backup option is selected, checks whether the Active Directory® backup is accessible.
ValidateReinstall Run pre-recovery checks Checks the following:
- That the DSRM password specified in the DC recovery settings meets the password complexity criteria.
- Whether a preferred DNS server is specified for the DC in the recovery settings. If this is true, then the DNS server validity is checked.
ValidateRestore Run pre-recovery checks Checks the following:
- The DSRM password specified in the DC recovery settings meets the password complexity criteria.
- The backup file specified in the DC recovery settings is accessible (mandatory requirement for domain or forest recovery).
- There is a sufficient amount of free disk space on the DC to accommodate the backup file (mandatory requirement for domain or forest recovery).
- A preferred DNS server is specified for the DC in the recovery settings. If this is true, then this step checks the validity of the DNS server.
- Whether Kerberos Distribution Center (KDC) and Base Filtering Engine (BFE) services are enabled.
SaveWindowsServices Save start types of Windows services Saves start types of Windows services that can be changed during recovery.
PerformMalwareScan Scan the backup with the antivirus software Scans the backup for malware threats.
The antivirus software that is installed on the Forest Recovery Console machine and specified in the antimalware configuration is checking the remote backup.
Depending on the size and speed of the network, this process can take from several minutes to more than an hour.
All volumes in the backup will be scanned.
SetFsmoRolesMasters Seize FSMO roles Seizes FSMO roles for the DCs automatically selected for each role.
SetPrefferedDns Select preferred DNS server Selects a properly functioning DNS server for all network adapters on the DC.
This step uses the following order of priority to select a DNS server:

1. Preferred DNS server specified in the DC recovery settings.
2. Primary and alternate DNS servers that were selected for the DC before the recovery.
3. DNS servers selected for other DCs in the same domain.
4. All other DNS servers in the forest.

AD-integrated DNS servers hosted on DCs that were not successfully restored from backup are excluded from the list of possible DNS servers.
SetReplicationServiceMode Set initial SYSVOL replication mode if applicable Forces authoritative SYSVOL restore if the Forest Recovery Console machine was explicitly or automatically selected as an authoritative SYSVOL source.
SetSysvolRoot Sets the new path to the SYSVOL share if it has been changed Updates the AD database if the path to the SYSVOL share has been changed.
DemoteAd Uninstall Active Directory Domain Services Demotes the DC to a member server joined to the workgroup named WORKGROUP.
Resets the local Administrator password to the value specified in the “Set DSRM password” option in the DC recovery settings.
UpdateProject Update Forest Recovery project with the collected data Updates Forest Recovery project with the collected data.
CheckGcAvailability Wait for a global catalog server to become available Waits for at least one global catalog server to become available in the forest.
This step may take a significant time to complete.
EnsureTargetHostIsBooted Wait until the target machine becomes accessible Waits until the target machine is booted from Quest® Recovery Environment image.
If a source domain controller is accessible during the project verification, it will be contacted instead.
CleanDisks Wipe all disks on the target machine Wipes all data on remote machine disks before restoring backup.

 

Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition)

This section provides information about the communication ports required to work with Recovery Manager for Active Directory.

Resources/Images/8_RMADFE_DG_Working scheme-01.png

 

Resources/Images/8_RMADFE_DG_Working scheme-02.png

 

Resources/Images/8_RMADFE_DG_Working scheme-03.png

 

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택