지금 지원 담당자와 채팅
지원 담당자와 채팅

Recovery Manager for AD Disaster Recovery Edition 10.3.2 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Cloud Storage Secure Storage Server Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Restore Active Directory on Installed Active Directory method Restore Active Directory on Clean OS method Bare metal forest recovery Using Management Shell Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Cloud Storage Upload Sessions

After a backup creation session completes for a computer collection and the backup is saved to configured primary storage locations (Tier 1), an upload session will be started to copy the backup to all cloud storage locations. Recovery Manager for Active Directory supports multiple Cloud Storage locations per computer collection.

The backup upload session is created and managed with the Quest Recovery Manager Cloud Storage service on the Recovery Manager console machine. Each backup upload session is displayed in the Backup Upload Sessions pane. For each session, you can view the backup file path, upload location, creation timestamp, finished timestamp, and the status of the upload.

note

The Backup Upload Sessions pane has a display limit of 100 items and a time limit of the last 30 days. There may be upload sessions outside these limits.

To view a backup upload sessions for a cloud storage account

  1. In the Recovery Manager for Active Directory console, expand the Storage node.

  2. Select the Cloud Storage node in the console tree.

  3. Select the registered cloud storage in the Cloud Storage pane. The backup upload sessions for the selected cloud storage will be displayed in the bottom pane Backup Upload Session. The backup path, upload to path, created timestamp, finished timestamp and current status will be displayed.

  4. To filter the upload sessions for the cloud storage, you can select the toggle buttons at the top right corner of the pane.

    • Select Total (7 days) to view all upload sessions in the last 7 days.

    • Select Queued to view all upload sessions that are waiting in the queue to be processed.

    • Select In Progress to view upload sessions that are in progress and backup files are being uploaded.

    • Select Completed to view successful and completed upload sessions.

    • Select Failed to view failed upload sessions. Any failed upload sessions can be retried.

tip

When you select Cloud Storage under Storage you will see that the different Cloud Storages are displayed and the Backup Upload Sessions for all of the Cloud Storages are displayed. When you select a specific Cloud Storage, the Backup Upload Sessions for that storage are displayed. Hold the Ctrl key down and select the Cloud Storage again, all Backup Upload Sessions are displayed (Hold Ctrl and select to toggle). You can also return the Backup Upload Sessions for all Cloud Storages by clicking anywhere in the white space of the Cloud Storage.

To cancel a backup upload session

  1. In the Recovery Manager for Active Directory console, expand the Storage node.

  2. Select the Cloud Storage node in the console tree.

  3. Select the registered cloud storage in the Cloud Storage pane.

  4. In the Backup Upload Session pane, select the session with the status of In Progress or Queued, right click and select Cancel.

  5. Select Yes on the confirmation dialog.

To retry a backup upload session

  1. In the Recovery Manager for Active Directory console, expand the Storage node.

  2. Select the Cloud Storage node in the console tree.

  3. Select the registered cloud storage in the Cloud Storage pane.

  4. In the Backup Upload Session pane, select the failed session, right click and select Retry.

To remove a backup upload session

  1. In the Recovery Manager for Active Directory console, expand the Storage node.

  2. Select the Cloud Storage node in the console tree.

  3. Select the registered cloud storage in the Cloud Storage pane.

  4. In the Backup Upload Session pane, select the session, right click and select Remove.

  5. Select Yes on the confirmation dialog.

note

Only the backup upload session is removed from the Recovery Manager database. The backup file on the cloud storage is not removed.

 

Secure Storage Server

Recovery Manager for Active Directory (RMAD) provides the ability to set up a dedicated secure backup storage server which is not joined to any domain. If you use a Secure Storage server (a standalone server) in your environment, it helps prevent unauthorized modification or malware attacks on backup data, supporting your key data security and compliance initiatives. For more information on how a Secure Storage server is secured, see Hardening a Secure Storage server below.

IMPORTANT

Use of Secure Storage Server requires a Recovery Manager for Active Directory Disaster Recovery Edition license.

Requirements

  • Operating system: Microsoft Windows® 2016 or higher

  • A stand-alone server to be used as your Secure Storage server. This server should be a workgroup server and MUST NOT BE JOINED to any Active Directory domain.

  • An account that will be used to deploy the Storage Agent on the Secure Storage server (a standalone server). This account must also be a local Administrator on the Secure Storage server.

  • Physical access (keyboard) to the Secure Storage server. Once the server is hardened, access with regular methods will be disabled (RDP).

  • Sufficient storage space on the Secure Storage server for all backup files. For one backup file, the space required is at least the size of the backed-up Active Directory database file (Ntds.dit) and the SYSVOL folder plus 40 MB for the transaction log files. The space check performed also includes an extra 1 GB to ensure enough space is available.

Warning

It is highly recommend any remote console access (aka “IPMI” access, like HP-iLO, or Dell IDrac) is disabled on the Secure Storage server as these services have known vulnerabilities which can allow access to the server.


Important

Secure Storage will not function properly with BitLocker enabled drives. Backups to these drives is not recommended. On server reboot, BitLocker drives can lock and require administrator unlocking.

If locked, the status is: “The drive is locked by BitLocker Drive Encryption. You must unlock this drive from Control Panel.” Operations resume post-unlock.

Enable backup encryption in Computer Collection properties as a best practice.





Best Practices

  • We highly recommend using a new, dedicated, clean physical server as your Secure Storage server (a standalone server) to help ensure access methods are kept to a minimum.

  • Secure additional methods of accessing the Secure Storage server such as console or serial access.

  • Recommend the Secure Storage (a standalone server) have additional volumes available in addition to the system drive. It is not advised to store backups on the system drive.

note

Virtual machines are more susceptible to ransomware attacks. It is highly recommended that a virtual machine not be used for your Secure Storage server, as a bad actor could gain access to backups on the server or delete the entire Secure Storage server.

User Scenario

Backup data for all domain controllers can be accumulated on primary storage, and at the same time, you can make a copy of your backup data on a Secure Storage server. The Secure Storage agent will receive the backup securely either from Console or Backup Agent and write it to local storage while the firewall on the Secure Storage server remains in place. If disaster strikes, you could lose your backups on primary storage and even your installation of RMAD but your Secure Storage server will remain in place.

Figure: Secure Storage Protocols

 

Adding a Secure Storage server

To add a Secure Storage server (a standalone server), it is recommended to install the agent manually. This method saves the agent installation package to the local machine. You must transfer the package manually to the Secure Storage server. This reduces the likelihood of any malware infecting your Secure Storage server by being exposed to your network before the server is secured. Your Secure Storage server (a standalone server) is only secured after the Storage Agent has been installed and the Secure Storage server is hardened.

To add a Secure Storage server (a standalone server) using manual method (Recommended)

  1. In the Recovery Manager for Active Directory (RMAD) console, expand the Storage node and click the Secure Storage node.

  2. In the Secure Storage Servers pane, click Add Server.

  3. Type the DNS name or IP address of the server you want to use as your Secure Storage server.

  4. In the Agent port field, type port number or use default port of 48001.

    NOTE: Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, the server must be removed and added again.

  5. From the Agent installation method drop-down list, select Manual (recommended).

  6. Type the path or browse to path to Save agent setup package to.

  7. Click OK. The agent setup package is saved to your local machine.

  8. Copy the package, SecureStorageAgent.zip, to the server being configured as your Secure Storage server. This requires console (physical) access to the Secure Storage server.

  9. Extract the installation package on the Secure Storage server and double-click the SecureStorageAgent.msi file to install the agent.

  10. A warning will be displayed and requires confirmation to proceed. IMPORTANT PLEASE READ: This server is about to be hardened and all network connections to this server will be lost including Remote Desktop. Ensure you have physical access to this server and have an available method to access such as console access or serial access. Select YES to acknowledge you understand and are prepared for the Secure Storage server to be installed and hardened. Recovery Manager for Active Directory cannot undo this operation without physical access to the server.

    NOTE: For quiet installation both the /qn switch and FORCE=true can be specified when launching the msi file from the command line.

  11. The Storage Agent is installed and the server is hardened automatically. For more information on hardening, see Hardening a Secure Storage server below.

To add a Secure Storage server (a standalone server) using automatic method

  1. In the RMAD console, click the Secure Storage node.

  2. In the Secure Storage Servers pane, click Add Server.

  3. Type the DNS name or IP address of the server you want to use as your Secure Storage server.

  4. In the Agent port field, type port number or use default port of 48001.

    NOTE: Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, the server must be removed and added again.

  5. From the Agent installation method drop-down list, select Automatic.

  6. Specify a user account that will be used to automatically deploy the agent on the target Secure Storage server. Select Use current account to use the currently logged in user account or select Use this account. Type the user name and password for the user account to be used to deploy the agent.

  7. Click OK.

To manually export the setup package

If you have misplaced the agent setup package or need to update the configuration for a Secure Storage server, you can manually export the package again.

  1. In the RMAD console, click the Secure Storage node.

  2. In the Secure Storage Servers pane, right-click the Secure Storage server that you want to manually export the setup package for.

  3. Click Export setup.

NOTE

The setup package is exported to your local machine. You must then copy the setup package to the server that you want to use as your Secure Storage server and run the installation.

To delete a Secure Storage server from RMAD console

  1. In the RMAD console, expand the Secure Storage node.

  2. Right-click the Secure Storage server and select Delete.

NOTE

The Secure Storage server is not automatically unhardened when deleted from the RMAD console. To unharden use available PowerShell cmdlets on the Secure Storage server. For further details see the Management Shell Guide supplied with this release of the product.

To export a list of all registered Secure Storage servers to a text file

  1. In the Recovery Manager for Active Directory console, select the Storage node, then Secure Storage and right click.

  2. In menu shown click on Export Servers…

  3. In the Export storage servers dialog, select a location to save the file, enter a file name, and click Save .

Add an existing Secure Storage server on a clean RMAD installation after full disaster

If the RMAD server is lost, after installing the RMAD console on a new server, you can register the backups that are stored on the Secure Storage server (a standalone server) on your new RMAD server.

NOTE

Due to server hardening, the Automatic agent installation method is not supported when adding an existing Secure Storage server to a clean RMAD installation.

To add a Secure Storage server on a clean installation of RMAD console

  1. In the new RMAD console, click the Secure Storage node.

  2. In the Secure Storage Servers pane, click Add server.

  3. Type the DNS name or IP address of the server you want to use as your Secure Storage server.

  4. In the Agent port field, type port number or use default port of 48001.

    NOTE: Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, the server must be removed and added again.

  5. From the Agent installation method drop-down list, select Manual (recommended).

  6. Type the path or browse to path to Save agent setup package to.

  7. Click OK. The agent setup package for the new RMAD console is saved to your local machine.

  8. Copy the package, SecureStorageAgent.zip, to the existing Secure Storage server. This requires console (physical) access to the Secure Storage server.

  9. Extract the package on the Secure Storage server and double-click the SecureStorageAgent.msi file to reinstall the agent and register the Secure Storage server with new Recovery Manager for Active Directory console.

  10. In the RMAD console, you will now see the Secure Storage server (a standalone server) and can now retrieve your backups from the existing Secure Storage server for recovery purposes.

NOTE

The existing Secure Storage server has continued to be hardened throughout this process.

Default Storage Agent ports

The Storage Agent is used to manage backups on the Secure Storage server (a standalone server). By default, the Storage Agent port is 48001. If you want to use a different default port, you can configure it in the Secure Storage server Properties window or overwrite when adding each Secure Storage server.

To change the default Storage Agent port

  1. In the RMAD console, right-click the Secure Storage node and select Properties.

  2. In the Storage Agent port field, type a port number.

  3. Click OK.

NOTE

Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, the server must be removed and added again.

Storage Server Properties

To view Secure Storage server properties

  1. In the RMAD console, click the Secure Storage node, in the Secure Storage Servers pane, select a Secure Storage Server, right-click and select Properties.

  2. Properties of the Secure Storage server will be displayed. Properties include the Host name, Agent version, Agent port, and Server Status. All properties are read only and cannot be edited.

  3. Additionally, all configured volumes are displayed in priority order. Each volume is shown with the amount of space taken by Existing Backups and the amount of Free Space available on the volume.

NOTE

A warning icon will be displayed if a volume is running out of available free space.

 

Hardening a Secure Storage server

After the Secure Storage server (a standalone server) has been added and the Storage Agent has been installed on it, the server is hardened automatically. The following list outlines what happens to a Secure Storage server when it is hardened:

  • All SMB server roles are disabled (SMBv1 - SMBv3).

  • All inbound and outbound TCP, ICMP and UDP protocols are blocked by IPSec policies, except for the high-level Secure Storage Agent ports (see below).

  • ICMP traffic is blocked (i.e. the server cannot be pinged).

  • Remote desktop (RDP) traffic is blocked.

  • Only one TCP inbound agent port is left open on the server for communication with Recovery Manager for Active Directory, the Storage Agent port (by default, this is 48001).

  • To allow the backups to be uploaded to remote locations (the "Copy to…" menu item in the Backups on the Secure Storage Servers pane), outbound TCP port 445 for SMB, outbound UDP 53 port for DNS, outbound UDP 5355 port for LLMNR, and outbound UDP 137 port for NetBIOS are opened.

  • Agent traffic is encrypted by the public/private key pair.

  • Logons to the server are only allowed via console (physical) access.

When a Secure Storage server is hardened, the lock icon next to the name of the Secure Storage server in the Secure Storage Servers window will be closed and it will have a Security Status of Secured.

IMPORTANT

You cannot install the Secure Storage server agent on a domain joined server, a domain controller or a member server. A server that is hardened will not be able to perform authentication or allow replication to occur. A Secure Storage server should be a stand-alone server in a workgroup.

Secure Storage server reporting secured


Secure Storage server reporting unsecured


To get the hardening status of a Secure Storage server

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run the PowerShell® console. The module will be automatically imported.

  3. To get the hardening status, run the cmdlet Get-RMADStorageServerHardeningStatus. For further details see the Management Shell Guide supplied with this release of the product.



To unharden a Secure Storage server

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run the PowerShell® console. The module will be automatically installed.

  3. To unharden a Secure Storage server, run the cmdlet Unprotect-RMADStorageServer. For further details see the Management Shell Guide supplied with this release of the product.

To harden a Secure Storage server manually

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run the PowerShell® console. The module will be automatically installed.

  3. To harden a Secure Storage server manually, run the cmdlet Protect-RMADStorageServer. For further details see the Management Shell Guide supplied with this release of the product.

 

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택