지금 지원 담당자와 채팅
지원 담당자와 채팅

Recovery Manager for AD Disaster Recovery Edition 10.3.2 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Cloud Storage Secure Storage Server Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Restore Active Directory on Installed Active Directory method Restore Active Directory on Clean OS method Bare metal forest recovery Using Management Shell Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Viewing backups on Secure Storage server

After a Secure Storage server (a standalone server) has been added, backups can be copied to the Secure Storage server. To enable and configure backups on the Secure Storage server you must enable backups for each Computer Collection separately. For more information on configuring backups on a Secure Storage server refer to Secure Storage server backups.

To view backups on Secure Storage server

  1. In the Recovery Manager for Active Directory console, expand the Secure Storage node. Each Secure Storage server will be displayed

  1. Select a Secure Storage server to view available backups on the server. The backups are identified as Active Directory and Bare Metal and Console Configuration backups. The Console Configuration backups are configured in the Forest Recovery Console.

  1. Active Directory and Bare Metal backups are displayed with information about the backup on the server including name of the domain controller, the domain, the date of the backup, the size of the backup, the OS version of the system backed up, status of any integrity check done on the backup, and the path of the location of the backup.

  1. Console Configuration backups are displayed with information about the Forest Recovery console backup including name of the console server and the date of the backup.



NOTE: Integrity checks are recorded as a Windows Eventlog event on the console during the integrity check. The events can be found in Applications and Services Log | Recovery Manager for Active Directory. If Email is configured, then email notifications are sent for integrity checks that are performed either after creating a backup (controlled by the Run an integrity check after creating a backup setting); or after creating a scheduled backup for the previous N sessions (controlled by the Check the integrity of previously created backups after a scheduled backup setting). The integrity check results are combined with the backup creation results and sent as a single message. If the Send notification upon errors or warnings only setting is selected, then an notification will only be sent if the integrity check report contains the results Backup file is corrupted or Integrity check failed. If all integrity checks are successful, no email notification will be sent.

 

Secure Storage server backups

Secure Storage is enabled and configured for each Computer Collection separately. When a backup is run for a Computer Collection with Secure Storage enabled, a copy of the backup is saved to the Secure Storage server.

If only Local Storage is configured, then the backup will be sent to Secure Storage server by the console. If Remote Storage is configured, the Backup Agent, running on the Domain Controller, will copy the backup to Secure Storage server. RMAD will send the Remote Storage copy of the backup if both primary storages are configured.

In either case, the backup is copied to Secure Storage server via the secure agent-communications channel on the High-level port you specified when you added the Secure Storage server. User Credentials are not needed to write to the Secure Storage server; they are only needed to read if you used a UNC share on the Remote Storage tab.

NOTE

If you use the remote storage option and specify the remote UNC path, be aware that the backup data will need to be transferred back to domain controller in order to be sent to the Secure Storage server. To eliminate excessive traffic, set local path on domain controller either in Primary backup path or Additional backup path fields. The backup copy will be created locally and sent directly to Secure Storage server from domain controller.

Bare Metal backups, as they are very large, cause excessive network usage on the Domain Controller when sent to the Secure Storage server as the backup agent performs this action.

Prerequisites
You must have completed the following steps before you can copy backups to your Secure Storage server (a standalone server).

  1. Secure Storage servers must be created and hardened.

  2. Computer Collections must be created.

  3. The backup type, either Standard (Active Directory®) or Full (Bare Metal Recovery), must be set for the Computer Collection.

NOTE

Both Active Directory® and Bare Metal Recovery backups can be copied to a Secure Storage server (a standalone server).

To enable a Secure Storage server for a Computer Collection

  1. In the Recovery Manager for Active Directory console, expand the Computer Collections node.

  2. Right-click the Computer Collection and select Properties.

  3. On the Secondary Storage tab, select the Enable a Secure Storage server check box. Select the drop down box below Enable a Secure Storage server to choose the storage server to copy backup to. After the backup is saved to the Primary Storage location(s), a copy will be sent to the Secure Storage server.

IMPORTANT

RMADDRE will always try to use Remote Storage as the source when copying backups to the Secure Storage server.

If the Select Account… button is grayed out, then you do not need to specify an account. This happens if:
- you are only using Local Storage to a local path (e.g. D:\…).
- you are using Remote Storage to a local path.
- you are using both Local and Remote Storage, and Remote Storage is to a local path.

If you are only using Remote Storage to a UNC share, then you must specify an account.

If you are only using Local Storage to a UNC path, then you cannot configure Secure Storage.

  1. Click Apply then click OK.



To create backups and copy them to the Secure Storage server

  1. In the Recovery Manager for Active Directory console, expand the Computer Collections node.

  2. Right-click the Computer Collection and select Create Backup.

  3. After the backup file is created and saved to primary storage locations, the backup will be pushed to the configured Secure Storage server.

TIP

You can schedule backup creation on the Schedule tab on the Computer Collections Properties window.

To perform an integrity check

When a backup is created, a checksum is calculated for the backup file and saved in the backup file when the backup is registered. An integrity check recalculates the checksum and compares it to the checksum stored in the backup file.

  1. In the Recovery Manager for Active Directory console, click on Secure Storage and expand the server node(s).

  2. Click the Secure Storage server that contains the backup you want to perform the integrity check on.

  3. In the Backups on the Secure Storage Server pane, click the backup to check, right click and select Check Integrity.

  4. The following statuses can be displayed after running the integrity check:

    Status Description
    Passed The newly calculated checksum value matches the previously calculated checksum stored in the backup file.
    Unknown The integrity check was not performed.
    Running The integrity check is in progress.
    Failed The backup is not accessible (wrong credentials) or may have been moved from the path.
    No Checksum The previously calculated checksum could not be read. This could be due to the backup being created by a previous version of the product. The backup also may have been damaged in such a way that the checksum was also affected.
    Corrupted The newly calculated checksum value does not match the previously calculated checksum stored in the backup file.

NOTE: Integrity checks are recorded as a Windows Eventlog event on the console during the integrity check. The events can be found in Applications and Services Log | Recovery Manager for Active Directory. If Email is configured, then email notifications are sent for integrity checks that are performed either after creating a backup (controlled by the Run an integrity check after creating a backup setting); or after creating a scheduled backup for the previous N sessions (controlled by the Check the integrity of previously created backups after a scheduled backup setting). The integrity check results are combined with the backup creation results and sent as a single message. If the Send notification upon errors or warnings only setting is selected, then an notification will only be sent if the integrity check report contains the results Backup file is corrupted or Integrity check failed. If all integrity checks are successful, no email notification will be sent.

Copying backups from the Secure Storage server

You can copy backups stored on the Secure Storage server (a standalone server) to another location.

  1. In the Recovery Manager for Active Directory console, click on Secure Storage and expand the server node(s).

  2. Select the Secure Storage server that you want to copy backups from.

  3. In the Backups on the Secure Storage Server pane, right-click the backup you want to copy and select Copy to. To select multiple backups, hold down CTRL, and click the backups.

  1. In the Network path to copy the backup to field, type a network share where you want to copy the backup files.

  2. In the User name and Password fields, type credentials that has write permissions for the network share.

  3. Click OK.

The backups are copied to the provided network share and can now be registered for use within a recovery project. In the share, a new folder is created having the name of the parent folder the backups are stored in on the Secure Storage. Inside these folders, are the backups from the Secure Storage and have the same name as the backups on Secure Storage.

For example, if the backups on your Secure Storage server are stored at:

\\172.16.0.4\D$\Recovery Manager Backups\ProgramData\Quest\
Recovery Manager for Active Directory\Backups\January\

then the folder, January will be created on the share and the backups will be in that folder.

NOTE

If NTLM is disabled in your environment, the method Copy Backup is not available.

 

Configuring backup retention policy for Secure Storage server

If you create backups on a daily basis as recommended, you should configure a backup retention policy to maintain the backups created. It is recommended to maintain at least 2 weeks (14 days) of backups including backups on your Secure Storage server (a standalone server). This approach will provide you with a sufficient number of backups to recover from an Active Directory® failure that remained undetected for some time.

note

The default number of days to retain backups is 0 days. Ensure you configure the backup retention policy after adding a new Secure Storage server.

To configure backup retention policy directly on the Secure Storage server

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run Windows PowerShell. The module will automatically be imported.

  3. To configure backup retention policy, run the cmdlet Set-RMADStorageServerRetentionPolicy. For further details on Set-RMADStorageServerRetentionPolicy see the Management Shell Guide supplied with this release of the product.

To get the current backup retention policy on the Secure Storage server

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run the PowerShell console. The module will automatically be imported.

  3. To configure backup retention policy, run the cmdlet Get-RMADStorageServerRetentionPolicy. For further details on Get-RMADStorageServerRetentionPolicy see the Management Shell Guide supplied with this release of the product.

 

Configuring exceptions for Secure Storage server maintenance

After the Secure Storage server (a standalone server) has been hardened some of the following such as, all incoming TCP ports are blocked by IPSec policies, ICMP traffic is blocked and only one TCP agent port is left open (48001) for communication with Recovery Manager for Active Directory, there may be a need to add an exception to these items to perform maintenance For example, opening a port to allow for Microsoft system updates.

Warning

Keeping exceptions in place for an extended period of time is not recommended. Secure Storage server exceptions should be removed as soon as possible after the need for the exception has finished.

If an exception has been applied to a Secure Storage server the Security Status will read Secured with exceptions as seen below.

To configure an exception on the Secure Storage server for ICMP or ping

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run Windows PowerShell. The module will automatically be imported.

  3. To configure an exception for ICMP so that you can ping the Secure Storage server, run the cmdlet Add-RMADStorageServerException -Name "ping" -SourceAddress Any -DestinationAddress Me -Protocol Icmp. For further details on Add-RMADStorageServerException see the Management Shell Guide supplied with this release of the product.

To get the exceptions on the Secure Storage server

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run the PowerShell console. The module will automatically be imported.

  3. To list the exceptions for a Secure Storage server, run the cmdlet Get-RMADStorageServerException. For further details on Get-RMADStorageServerException see the Management Shell Guide supplied with this release of the product.

To remove the exceptions on the Secure Storage server

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run the PowerShell console. The module will automatically be imported.

  3. To remove an exception for ICMP, run the cmdlet Remove-RMADStorageServerException -Name "ping". For further details on Remove-RMADStorageServerException" see the Management Shell Guide supplied with this release of the product.

 

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택