
Recovery Manager for AD Disaster Recovery Edition 10.2 - User Guide


How many Instances of the Forest Recovery Console to deploy?

The Forest Recovery Console must have access to the Recovery Manager for Active Directory backup registration database containing information about all backups of the domain controllers in the forest. To meet this requirement, you must deploy the Forest Recovery Console on the same computer that hosts the Recovery Manager Console used to create backups of the domain controllers.

You can easily meet this requirement in simple and relatively small environments where you have a single instance of the Recovery Manager Console deployed. However, in complex and large environments the requirement to have a single instance of the Recovery Manager Console (and thus maintain a single forest-wide backup registration catalog) might not be feasible.

For more information on how to consolidate backups created by different instances of Recovery Manager for Active Directory deployed in your environment, see Consolidating backups from different backup registration databases.


Where to Install the Forest Recovery Console?

The best practice is to install the Forest Recovery Console on a standalone computer. This allows you to avoid situations where a corruption in Active Directory prevents you from using the Forest Recovery Console.


Backing up the Recovery Manager for Active Directory configuration

It is recommended to back up the Recovery Manager for Active Directory configuration regularly, so that you can quickly reinstall the product and restore its configuration to the last backed up state if Recovery Manager for Active Directory becomes inoperable due to a failure. All the Recovery Manager for Active Directory configuration data is held in the following location on the Recovery Manager for Active Directory computer:

%AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory

The Recovery Manager Console saves its configuration data in the following files:

  • Rmad.db3. Contains the Recovery Manager Console configuration data, such as computer collections and backup creation sessions.

  • Backups.mdb. Contains the backup registration database that stores information about created Active Directory and ADAM backups.

As a rule, the overall size of these database files does not exceed 10 MB.

The Forest Recovery Console saves all its configuration data in the Forest Recovery Project (.frproj) file.
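As an added example (not from the Quest documentation), the following PowerShell script copies the configuration files named above to a timestamped folder and writes a SHA-256 manifest so the copy can be verified before a reinstall. The destination share and the location of the .frproj files are assumed parameters, since the guide does not state where project files are saved.

```powershell
# Added example, not part of the Quest documentation: back up the Recovery Manager for
# Active Directory configuration files to a timestamped folder with a SHA-256 manifest.
# Assumed (not stated in the guide): $Destination is a share the RMAD computer can write
# to, and Forest Recovery Project (.frproj) files are kept under $FrprojPath.
param(
    [string]$Destination = '\\backupsrv\rmad-config',    # assumed destination share
    [string]$FrprojPath  = "$env:USERPROFILE\Documents"  # assumed .frproj location
)

# Configuration directory and file names as given in the guide.
$ConfigDir = Join-Path $env:AllUsersProfile 'Application Data\Quest\Recovery Manager for Active Directory'
$DbFiles   = 'Rmad.db3', 'Backups.mdb'

$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$Target = Join-Path $Destination "rmad-config-$Stamp"
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Collect the console databases and any project files that exist.
$Files = @()
foreach ($Name in $DbFiles) {
    $Path = Join-Path $ConfigDir $Name
    if (Test-Path -LiteralPath $Path) { $Files += Get-Item -LiteralPath $Path }
    else { Write-Warning "Expected configuration file not found: $Path" }
}
$Files += @(Get-ChildItem -Path $FrprojPath -Filter '*.frproj' -File -ErrorAction SilentlyContinue)
if ($Files.Count -eq 0) { throw 'No configuration files found; nothing to back up.' }

# Copy each file, then hash source and copy so a truncated or altered copy is caught.
$Manifest = foreach ($File in $Files) {
    $Dest       = Join-Path $Target $File.Name
    $SourceHash = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    Copy-Item -LiteralPath $File.FullName -Destination $Dest
    $CopyHash   = (Get-FileHash -LiteralPath $Dest -Algorithm SHA256).Hash
    if ($CopyHash -ne $SourceHash) { throw "Hash mismatch after copying $($File.Name)" }
    [pscustomobject]@{ Name = $File.Name; Source = $File.FullName; Bytes = $File.Length; SHA256 = $CopyHash }
}
$Manifest | Export-Csv -LiteralPath (Join-Path $Target 'manifest.csv') -NoTypeInformation

# The guide says the database files normally stay under 10 MB; flag anything larger.
$DbBytes = ($Manifest | Where-Object { $_.Name -in $DbFiles } | Measure-Object Bytes -Sum).Sum
if ($DbBytes -gt 10MB) {
    Write-Warning "Database files total $([math]::Round($DbBytes / 1MB, 1)) MB, above the usual 10 MB"
}
Write-Output "Backed up $($Manifest.Count) file(s) to $Target"
```

Run it with the Recovery Manager Console and Forest Recovery Console closed so the database and project files are not being written while they are copied; restoring is the reverse copy into the same location after reinstalling the product.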


Descriptions of recovery or verification steps

The following table describes the steps you may encounter in the Recovery Plan or on the Progress tab in the Forest Recovery Console while running a restore or verify settings operation. Some steps are applicable only to Recovery Manager for Active Directory Disaster Recovery Edition. Each step name is followed by its description.

Add global catalog
    Adds the global catalog to the DC if:
    - The global catalog was removed from the DC during recovery.
    - The recovery project settings specify to rebuild the global catalog.
    If no global catalog servers were successfully restored from backup, the global catalog is added to the DC that was assigned the Schema Master role during the recovery.

Adjust to Active Directory changes
    Tries to perform the following operations to avoid rebuilding the Global Catalog:
    - Removes lingering objects from non-recovering domains
    - Unhosts and rehosts the recovered domain partitions from non-recovering domains if the previous operation has failed
    If all previous operations were unsuccessful, rebuilds the Global Catalog.

Boot target machine using Quest Recovery Environment image
    Boots the target machine using the Quest Recovery Environment image.

Bring all disks online
    Makes all disks on the recovered domain controller online.

Change global catalog partition occupancy level
    Sets the appropriate global catalog partition occupancy level to advertise the global catalog servers in DNS according to the recovery project settings.

Check AD installation paths
    Checks whether the specified "DIT database path", "Log files path" and "SYSVOL path" are available.

Check domain controller recovery settings
    Checks that the Active Directory backup is newer than the Windows backup.

Check free space
    Checks whether there is a sufficient amount of free disk space on the DC to accommodate the backup file and perform the recovery operation.

Check if backup is available
    Checks that the backup file specified in the DC recovery settings is accessible.

Check if BitLocker is enabled
    Checks whether BitLocker Drive Encryption is enabled on the domain controller. Gets the BitLocker configuration if BitLocker is enabled.

Check if computer is a domain controller
    Checks if the computer is a domain controller to ensure that restore from backup is possible.

Check if computer is not a domain controller
    Checks if the computer is a standalone server to ensure that Active Directory can be installed.

Check if domain controller is read-only
    Checks whether the DC is read-only (RODC).

Check if machine is booted from Quest Recovery Environment image
    Checks if the machine is booted from the Quest Recovery Environment image.

Check logical disks configuration
    Checks whether the specified "DIT database path", "Log files path" and "SYSVOL path" point to existing logical disks on the target server.

Check operating system version
    Checks that the target machine has the same operating system as the backed-up domain controller.

Check that hardware and firmware of the target machine are compatible with the backup
    Checks that the hardware and firmware of the target machine are compatible with the backup.

Check whether the automatically selected IP address is not in use
    Checks that the target IP address does not conflict with other DCs.

Clean up DNS records of removed domain controllers
    Removes DNS resource records of all domain controllers that were not restored from backup. This includes the domain controllers whose restore from backup has failed.

Clean up metadata for domains that were not restored if necessary
    Cleans up metadata of the domains in which no DCs were successfully restored from backup or for which you specified not to recover any DCs.

Clean up metadata of removed domain controllers
    Removes metadata of all domain controllers that were not restored from backup. This includes the domain controllers whose restore from backup has failed and those for which a recovery method other than "Restore from backup" has been selected.

Configure DNS server
    Updates DNS server delegation and forwarding in accordance with the new IP address of the target machine.
    When Active Directory-integrated DNS is used, Recovery Manager for Active Directory restores DNS servers from a backup and checks whether there are any DNS servers in different DNS zones. If there are such DNS servers, Recovery Manager for Active Directory restores delegation and forwarding between domain DNS zones. All restored DNS servers from a particular domain are configured as delegation and forwarding targets.

Configure Forest Recovery Agent on restored machine
    Deploys and configures Forest Recovery Agent on the recovered domain controller.

Copy the backup file to domain controller
    If a backup was configured, copies the backup file specified in the DC recovery settings to the DC. If no backup was configured, this step is skipped.

Copy the backup file to domain controller, if there is one
    If a backup was configured, copies the backup file specified in the DC recovery settings to the DC. If no backup was configured, this step is skipped.

Create virtual machine
    Creates a virtual machine.

Delete target infrastructure
    Deletes the target infrastructure. The following Azure resources will be deleted:
    - Network security group
    - Virtual network
    - Virtual network gateway
    - Resource group

Delete virtual machine
    Deletes a virtual machine after verification.

Detect current boot mode
    Checks whether the computer is in Normal mode or DSRM recovery mode.

Disable BitLocker
    Disables BitLocker Drive Encryption if it is enabled on the domain controller.

Disable custom filters for passwords
    Disables any third-party custom password filters enabled on the DC. This step is required to ensure the filters do not block any password reset operations during the recovery.

Disable Windows Modules Installer
    Disables Microsoft Windows Modules Installer on the DC for the duration of the recovery. This prevents software updates from interrupting the restore process.

Disable Windows Update
    Disables Microsoft Windows Update on the DC for the duration of the recovery.

Eject Quest Recovery Environment image
    Ejects the Quest Recovery Environment image.

Enable BitLocker
    Enables BitLocker Drive Encryption if it was disabled on the domain controller earlier in the recovery process.

Enable custom filters for passwords
    Enables the third-party custom password filters that were disabled on the DC earlier in the recovery process.

Enable domain controller isolation
    Uses IPsec policies to restrict all traffic on the DC except:
    - Network traffic to/from the Forest Recovery Console
    - Incoming RDP traffic
    - Incoming and outgoing ICMP traffic
    - Incoming and outgoing DNS traffic
    - File share access traffic
    - Internal TCP traffic
    This step does not delete any existing IPsec policies.

Enable the use of global catalog for user authentication
    Enables the use of the global catalog for user login validation.

Enable Windows Modules Installer
    Re-enables Microsoft Windows Modules Installer on the DC.

Enable Windows Update
    Re-enables Microsoft Windows Update on the DC.

Ensure global catalog is available
    Performs all necessary operations to ensure a global catalog server is available in the forest and functioning properly.

Ensure that domain controller isolation is disabled
    Disables any IPsec policies that were enabled during the recovery. Enables the IPsec policies that were in effect before the recovery started.
    Also sets parameters that require a restarting DC holding operations master roles to complete AD DS replication with its known replica partners before it advertises itself as a DC.

Ensure that domain controller isolation is disabled (if DC is read-only)
    Disables any IPsec policies that were enabled during the recovery. Enables any IPsec policies that were in effect before the recovery started.

Ensure that Forest Recovery Agent is installed and running
    Checks the installed version of the Forest Recovery Agent. If necessary, installs the agent or upgrades it to the version supplied with the Forest Recovery Console you are using.

Ensure that Quest Recovery Environment image is available
    Checks that the Quest Recovery Environment image has been created for the domain controller. If it is not found, a recovery environment with the corresponding settings is created for the domain controller. If the Quest Recovery Environment network settings, third-party drivers, Recovery Agent, or communication keys are outdated, the Quest Recovery Environment image file is recreated.

Ensure that the SYSVOL share is available
    Checks that the SYSVOL share is available on the DC.

Extract the backup file components
    Extracts backup component data on the target server.

Get information about computer
    Collects the following information from the computer:
    - IP addresses of all network adapters
    - IP addresses of all DNS servers on all network adapters
    - DNS names of all the FSMO role holders in the forest
    - Installed Forest Recovery Agent version (if any)
    - Current Windows Update service startup mode
    - Whether the computer is a DC, a member server or a stand-alone machine
    - Whether the computer is an RODC
    - Operating system version
    - Current boot mode

Get information about computer from backup
    Collects the following information from the bare metal backup:
    - IP addresses of all network adapters
    - IP addresses of all DNS servers on all network adapters
    - Current Windows Update service startup mode

Get replication data from the DC
    Collects replication data from the DC. The collected data is used later to determine whether lingering objects are present.

Install Active Directory Domain Services
    Installs Active Directory Domain Services (AD DS) on the computer and promotes it to a domain controller using the domain and forest name of the original DC. If necessary, renames the computer to the name of the original DC prior to promotion. Enables Global Catalog if the corresponding option is set in the DC recovery settings. Restarts the computer after the AD DS installation completes.

Install Active Directory from media
    Installs Active Directory Domain Services (AD DS) on the computer and promotes it to a domain controller using the domain and forest name of the original DC and the provided backup data. If necessary, renames the computer to the name of the original DC prior to promotion. Enables Global Catalog if the corresponding option is set in the DC recovery settings. Restarts the computer after the AD DS installation completes.

Invalidate RID pool
    Invalidates the current RID pool. This operation prevents the restored domain controller from re-issuing RIDs from the RID pool that was assigned at the time the backup was created.

Mark the SYSVOL to be overridden by the primary SYSVOL
    Configures the replication service to get proper SYSVOL files from the authoritatively restored DC.
    Disables the use of a global catalog for user login validation. This allows users other than the built-in Administrator to log on during the recovery.

Prepare target infrastructure
    Prepares the target infrastructure. The following Azure resources will be created if required:
    - Network security group
    - Virtual network
    - Virtual network gateway

Raise RID pool
    Raises the value of available RID pools by the value specified in the Forest Recovery Console configuration file (100,000 by default).

Reading original DC info from backup
    Reads the original DC logical disk configuration (paths to the DIT database and SYSVOL).

Reinstall Active Directory Domain Services
    Demotes the domain controller, then installs Active Directory Domain Services and promotes it to a domain controller again using the domain and forest name of the original DC. Enables Global Catalog if the corresponding option is set in the DC recovery settings. Restarts the computer after the AD DS installation completes.

Reinstall Active Directory from media
    Demotes the domain controller, then installs Active Directory Domain Services and promotes it to a domain controller again using the domain and forest name of the original DC and the provided backup data. Enables Global Catalog if the corresponding option is set in the DC recovery settings. Restarts the computer after the AD DS installation completes.

Remove global catalog
    Removes the global catalog from the DC if all of the following is true:
    - The DC is a global catalog server
    - You selected an option in the recovery project settings to rebuild the global catalog to ensure no lingering objects are present.

Remove global catalog if necessary
    Removes the global catalog from the DC if necessary, provided that the DC is a global catalog server.

Remove temporary files
    Deletes the backup file from the DC if the file was copied to the DC during the recovery.

Replicate FSMO role owners
    Replicates Active Directory configuration:
    - Recalculates replication topology with the Knowledge Consistency Checker (KCC)
    - Replicates FSMO role owners
    - Replicates the configuration naming context and waits until replication is completed with at least one partner

Reset computer account passwords
    Resets computer account passwords twice to an automatically generated value. The passwords are reset for the current DC and all other DCs in the project. By default, the automatically generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.

Reset DSRM administrator password
    Resets the DSRM administrator password to the value specified in the DC recovery settings.

Reset password for users in privileged groups
    Resets the password for domain users in the privileged groups.

Reset the Krbtgt password
    Resets the krbtgt password twice to an automatically generated value to isolate domain controllers that were not recovered. By default, the automatically generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.

Reset trust passwords
    Resets the trust passwords twice to a generated value. By default, the automatically generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character. This operation is performed for all implicit and explicit trusts between this domain and all other trusted domains in the forest. Trust passwords for any external trusts are not reset.

Restart domain controller in DSRM
    Reboots the recovered domain controller into Directory Services Restore Mode and resets the password for the domain administrator account.

Restart domain controller in DSRM
    Restarts the DC in DSRM.

Restart domain controller in DSRM if necessary
    If DSRM is not the current mode, this step restarts the domain controller in DSRM and resets the DSRM password.

Restart domain controller in normal mode
    Restarts the DC in normal mode. Then resets the user password to the value specified in the DC recovery settings. This password reset is required to overwrite the old password restored from backup.

Restart domain controller in normal mode
    Restarts the DC in normal mode for the changes to take effect. When performing this step on a DC restored from backup, Recovery Manager for Active Directory also resets the user password to the value specified in the DC recovery settings. This password reset overwrites the old password restored from backup.

Restart domain controller in normal mode if necessary
    Checks if the domain controller is read-only (RODC). If so, restarts the RODC for the changes to take effect.

Restore data from backup
    Restores the Active Directory database (.dit file), SYSVOL, and system registry entries from the backup specified in the DC recovery settings. Disables the use of a global catalog for user login validation. This allows users other than the built-in Administrator to log on during the recovery.

Restore data from backup, if there is one
    If a backup was configured, restores SYSVOL from the backup. If a backup was not configured, configures the replication service to get SYSVOL files from the authoritatively restored DC.

Restore disks from a BMR Backup
    Performs bare-metal recovery of the machine from the BMR backup.

Restore initial global catalog partition occupancy level
    Sets the global catalog partition occupancy level to the value that existed before the recovery started.

Restore start types of Windows services
    Restores the start types of Windows services that were changed during recovery.

Run pre-recovery checks
    Checks the following:
    - Whether the BMR backup specified in the DC recovery settings is accessible.
    - If the recovery from the Active Directory backup option is selected, whether the Active Directory backup is accessible.

Run pre-recovery checks
    Checks the following:
    - That the DSRM password specified in the DC recovery settings meets the password complexity criteria.
    - Whether a preferred DNS server is specified for the DC in the recovery settings. If so, the DNS server validity is checked.

Run pre-recovery checks
    Checks the following:
    - The DSRM password specified in the DC recovery settings meets the password complexity criteria.
    - The backup file specified in the DC recovery settings is accessible (mandatory requirement for domain or forest recovery).
    - There is a sufficient amount of free disk space on the DC to accommodate the backup file (mandatory requirement for domain or forest recovery).
    - A preferred DNS server is specified for the DC in the recovery settings. If so, this step checks the validity of the DNS server.
    - Whether the Kerberos Key Distribution Center (KDC) and Base Filtering Engine (BFE) services are enabled.

Save start types of Windows services
    Saves the start types of Windows services that can be changed during recovery.

Scan the backup with the antivirus software
    Scans the backup for malware threats. The antivirus software that is installed on the Forest Recovery Console machine and specified in the antimalware configuration checks the remote backup. Depending on the size of the backup and the speed of the network, this process can take from several minutes to more than an hour. All volumes in the backup are scanned.

Seize FSMO roles
    Seizes FSMO roles for the DCs automatically selected for each role.

Select preferred DNS server
    Selects a properly functioning DNS server for all network adapters on the DC. This step uses the following order of priority to select a DNS server:
    1. Preferred DNS server specified in the DC recovery settings.
    2. Primary and alternate DNS servers that were selected for the DC before the recovery.
    3. DNS servers selected for other DCs in the same domain.
    4. All other DNS servers in the forest.
    AD-integrated DNS servers hosted on DCs that were not successfully restored from backup are excluded from the list of possible DNS servers.

Set initial SYSVOL replication mode if applicable
    Forces an authoritative SYSVOL restore if the Forest Recovery Console machine was explicitly or automatically selected as the authoritative SYSVOL source.

Sets the new path to the SYSVOL share if it has been changed
    Updates the AD database if the path to the SYSVOL share has been changed.

Uninstall Active Directory Domain Services
    Demotes the DC to a member server joined to the workgroup named WORKGROUP. Resets the local Administrator password to the value specified in the "Set DSRM password" option in the DC recovery settings.

Update Forest Recovery project with the collected data
    Updates the Forest Recovery project with the collected data.

Wait for a global catalog server to become available
    Waits for at least one global catalog server to become available in the forest. This step may take a significant time to complete.

Wait until the target machine becomes accessible
    Waits until the target machine is booted from the Quest Recovery Environment image. If a source domain controller is accessible during the project verification, it is contacted instead.

Wipe all disks on the target machine
    Wipes all data on the remote machine's disks before restoring the backup.
