Recovery Manager for Active Directory performs the following functions:
Regular backup of domain controllers’ components across a network, including the Active Directory database, SYSVOL and Registry, and maintenance of one or more secure repositories containing the backed-up Active Directory data.
Creation of BMR backups for the forest bare metal restore.
Secondary storage for critical backups with Secure Storage server and Cloud Storage.
Wizard-driven, remotely administered restoration of Active Directory object data and Group Policy information from a point-in-time backup.
Active Directory, AD LDS (ADAM), and Group Policy comparison reporting, troubleshooting, and investigation.
Recovery Manager for Active Directory (RMAD) provides the facility to create backups of the Active Directory® components on domain controllers, including the Active Directory® database and Windows Server® Bare Metal Recovery (BMR) backups.
Both types of backups can be created for any Active Directory® domain controller available on the network. Backup creation is a task that can be performed on a regular basis without interrupting the operation of the domain controller.
RMAD lets you organize domain controllers into collections, and establish a backup scheduling frequency and “allowed hours” during which the backup process may run. Based on the frequency of updates to the directory data store, you can configure a backup schedule for each collection.
Depending on the requirements of your enterprise, you can configure a retention policy to specify how many backups are retained: for example, all saved backups or a number of the most recent backups. Different policy settings can be specified for different domain controller collections.
For Active Directory® backups, it is not necessary to maintain a single, centralized repository: several repositories, perhaps based on the site topology, can make your deployment more WAN-friendly. To minimize bandwidth consumption, RMAD employs agents that compress the data to be backed up, before sending it across the network.
For Windows Server® Bare Metal Recovery (BMR) backups, you have to set up the dedicated backup server performing the role of an SMB repository. The backups are created on domain controllers and saved to the SMB share. Windows Server® BMR backups are stored in VHD (Microsoft Windows Server® 2008 R2) format or VHDX (for higher Windows versions).
RMAD allows backups to be encrypted and protected with a password, to prevent unauthorized access. This password is used to generate a passphrase with which the backup is encrypted.
For Active Directory® backup encryption, the product uses Microsoft’s implementation of the AES-256 algorithm from RSA, Inc. (Microsoft Enhanced RSA and AES Cryptographic Provider), with the maximum cipher strength. The use of the Microsoft Enhanced RSA and AES Cryptographic Provider ensures that backups are encrypted with 256–bit cipher strength
For Bare Metal Recovery backup encryption, RMAD uses a virtual hard disk encrypted with BitLocker® Drive Encryption as a container for the backup (256-bit AES encryption). The BitLocker® Drive Encryption feature should be installed on all backed up domain controllers and on the Forest Recovery Console machine to support encrypted BMR backups. But note that the BitLocker® feature does not encrypt DC drives automatically.
Since Windows Server® BMR backups are stored in VHD or VHDX format, note that a password cannot be used directly to unlock the backup container *.vhd(x) file.
You can have RMAD keep unpacked Active Directory® or AD LDS (ADAM) backups in any appropriate location on your network.
Unpacked backups can be reused for subsequent starts of the Online Restore Wizard or Group Policy Restore Wizard. The use of unpacked backups accelerates the backup data preparation step of those wizards, because the unpacking process may be a lengthy operation.
RMAD makes it possible to use Active Directory® or AD LDS (ADAM) backups created with third-party backup tools. Before using this feature, unpack the backup to an alternate location with the corresponding third-party backup tool, and then register the database file (ntds.dit or adamntds.dit) using the Online Restore Wizard or Online Restore Wizard for AD LDS (ADAM), respectively.
When backing up Global Catalog servers, you have the option to force RMAD to collect group membership information from all domains within the Active Directory® forest. This option ensures that group membership spanning multiple domains is fully backed up.
It is recommended that you restore objects from Global Catalog backups that were created with this option. Otherwise, restored objects may not retrieve their membership in some local groups, because even Global Catalog servers do not store full information about group memberships. For example, information about membership in domain local groups is only stored in the home domains of those groups.
In an Active Directory® environment, each domain controller maintains its own Active Directory® database. Therefore, a backup of the Active Directory® database is domain controller-specific. To completely back up Active Directory®, you must back up the directory database on every domain controller.
To restore deleted or corrupted objects, it is recommended to back up at least two domain controllers for each domain for redundancy. If you intend to restore cross-domain group membership information, then it is also necessary to back up a global catalog server.
Another reason for backing up the directory database on every domain controller is loose consistency. Replication of changes made to Active Directory® does not occur immediately. The replication process first accumulates all changes, and then provides them to the participating domain controllers. As a result, the directory database on any domain controller is normally in a state of loose consistency. The directory object data on individual domain controllers differs to some extent, given that replication updates are either in transit between domain controllers, or waiting to be initiated.
The age of the backup must also be considered. Active Directory® prevents the restoration of data older than the "tombstone lifetime" - a setting specified in Active Directory®. Because of this, an Active Directory® backup should be created at least once within the tombstone lifetime. However, it is strongly recommended that backups of the directory database be created more often than this.
Backups created with Recovery Manager for Active Directory can be stored in multiple locations. Primary storage of backups allows for backup files to be saved on a distributed network, or on selected computers with physically restricted access. Recovery Manager considers these locations as primary storage and is referred to as Tier 1 storage.
Recovery Manager for Active Directory Disaster Recovery Edition offers secondary storage locations known as Tier 2 storage.Secondary storage options in Recovery Manager include Secure Storage server and Cloud Storage. Tier 2 storage provides secure locations for business critical backups to ensure you are ready when disaster strikes.
Recovery Manager for Active Directory provides options for primary storage in local and remote locations. Local storage is refers to storage on the Recovery Manager console computer, where remote storage is storage on the backed up domain controller or other remote servers on network shares. These locations are remote due to not being on the Recovery Manager console computer. See the Local Storage tab and Remote Storage tab. For both local and remote storage locations, a primary backup path can be provided and an alternate backup path.
Primary storage is for the original backup files to be saved to the a safe location. For primary storage, the backup agent creates the backup file, compresses the data and then the file is saved to the configured storage locations. In the diagram below see line number 1 to view the process that is taken to save the backup file to primary storage locations. The RPC protocol is used to save backups files to the console computer. For saving to remote storage locations SMB protocols are used.
The figure illustrates how Recovery Manager for Active Directory creates and saves backup files to primary storage locations.
Recovery Manager for Active Directory Disaster Recovery Edition provides secondary storage for critical backups. For Active Directory® and Windows Server® BMR backups, you can copy backups to a secondary storage location. There are two options available for secondary storage in Recovery Manager for Active Directory Disaster Recovery Edition. You can set up a dedicated Secure Storage server, use Cloud Storage or use both options to ensure that your backups are always available even if disaster strikes and your primary storage backups are lost.
After a backup is created and saved to primary storage locations, the backup will be additionally copied to configured Tier 2 locations. For more information on using a Secure Storage server refer to Secure Storage server. For more information on setting up Cloud storage refer to Cloud Storage.
A Secure Storage server is a dedicated secure backup storage server, hardened by Recovery Manager for Active Directory and isolated according to IPSec rules. For detailed information on how the server is hardened refer to Secure Storage Server Hardening.
After primary storage is complete, copies of the backup files are then copied to secondary storage. The Secure Storage agent installed on the Secure Storage server, pulls the backup from the primary storage location and a copy is stored securely on the server. Refer to the illustration below and line labeled 2.
The figure above illustrates how Recovery Manager for Active Directory copies backup files to secondary storage with a Secure Storage server.
Using Cloud storage you can configure and use storage for your business-critical backups. Cloud storage provides multiple options including immutability to protect your backups from being overwritten or deleted.
After primary storage is complete, copies of the backup files are then copied to Cloud Storage locations. For Cloud storage, the backup file is copied to the Recovery Manager console (line number 2) and then the Recovery Manager Cloud Upload service uploads a copy of the backup to the cloud storage location indicated by line numbered 3.
The figure above illustrates how Recovery Manager for Active Directory copies backup files to secondary storage with Cloud Storage.
NOTE |
For Recovery Manager for Active Directory 10.1 or higher: Make sure that you use the Backup Agent version supplied with this release of Recovery Manager for Active Directory. |
Recovery Manager for Active Directory employs a Backup Agent to back up remote domain controllers and AD LDS (ADAM) hosts. This is because some backup APIs provided by the operating system cannot be used to access a target domain controller or AD LDS (ADAM) host from the Recovery Manager Console. Therefore, Backup Agent must be installed on a remote domain controller or AD LDS (ADAM) host in order to gain access to its specific objects. RMAD can automatically install Backup Agent before starting a backup, and remove it upon the completion of backup operation. Alternatively, you can preinstall Backup Agent manually. For more information on the advantages of using preinstalled Backup Agent, see Using preinstalled Backup Agent below.
The Recovery Manager for Active Directory (RMAD) employs a Backup Agent when creating backups. The Backup Agent is installed on domain controllers DC1 and DC2 and compresses the data and transfers the compressed data to storage location.
Since Backup Agent compresses the data before sending it over the network, the network load is decreased significantly. The average compression ratio is 7:1. The use of Backup Agent also provides increased scalability and performance by allowing the creation of backups on multiple domain controllers in parallel.
RMAD allows to run Backup Agent in the security context of a specific user account. Since RMAD needs administrative access to the domain controller in order to run Backup Agent, the account under which RMAD is running must belong to the Administrators group on that domain controller or AD LDS (ADAM) host, providing administrative access to the entire domain. If RMAD cannot be started under such an account, separate credentials (user logon name and password) should be specified, so that Backup Agent is run under an account that has sufficient privileges.
RMAD allows you to back up Computer Collections using Backup Agent manually preinstalled on each target domain controller. This method enables you to
Perform a backup operation without having domain administrator privileges. It is sufficient if RMAD runs under a backup operator's credentials.
Reduce network traffic when backing up the Computer Collection.
Back up domain controllers in domains that have no trust relationships established with the domain in which RMAD is running, solving the so-called “no trust” problem.
© ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center