*Please Note* If you have a Recovery Manager for AD version prior to 9.0, any folder/registry paths referenced may contain the non-Quest branded path instead of 'Quest'.
Install Recovery Manager for Active Directory:
The account must be a member of the local Administrators group on the computer where you want to install Recovery Manager for Active Directory. If during the installation you specify an existing SQL Server instance, the account with which Recovery Manager for Active Directory connects to that instance must have the following permissions on the instance:
- Create Database
- Create Table
- Create Procedure
- Create Function
Open and use the Recovery Manager Console:
The account must be a member of the local Administrators group on the computer where the Recovery Manager Console is installed. The account must also have the following permissions on the SQL Server instance used by Recovery Manager for Active Directory:
- Insert
- Delete
- Update
- Select
- Execute
Preinstall Backup Agent manually or Upgrade Backup Agent manually:
The account you use to access the target computer must be a member of the Builtin Administrators group in AD (to provide local Administrator access to the target DC). If the server is hosting AD LDS, the account must be a member of the Local Administrators group.
Discover preinstalled Backup Agent instances, Uninstall Backup Agent from the console or Update information displayed about the Backup Agent in the Recovery Manager Console:
The account used to access the target domain controllers must:
- Be a member of the Builtin Administrators group in AD (to provide local Administrator access to the target DC)
The account logged on to the Recovery Manager Server must have:
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
Backing up Active Directory using the Automatically install Backup Agent during backup operation:
To automatically install Backup Agent during a manual backup, the logged on account must have (unless there is an account specified on the Agent Settings tab; if there is, see the *Note* below):
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- Administrator permissions on the target domain controller.
To automatically install Backup Agent during a scheduled backup, the scheduled account must have (unless there is an account specified on the Agent Settings tab; if there is, see the *Note* below):
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- Administrator permissions on the target domain controller.
*Note* If an account is specified on the "Agent Settings" tab of the properties of the collection then this account will need administrator access on the target domain controller and the account initiating the backup (scheduled account for scheduled backup or logged on account for manual backups) will need access to the Application Data location above.
Back up Active Directory using preinstalled Backup Agent:
During a manual backup, the logged on account must have (unless there is an account specified on the Agent Settings tab; if there is, see the *Note* below):
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- Be a member of the Backup Operators group on the domain
During a scheduled backup, the scheduled account must have (unless there is an account specified on the Agent Settings tab; if there is, see the *Note* below):
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- Be a member of the Backup Operators group on the domain
*Note* If an account is specified on the "Agent Settings" tab of the properties of the collection then this account will need to be a member of the Backup Operators group in the domain and the account initiating the backup (scheduled account for scheduled backup or logged on account for manual backups) will need access to the Application Data location above.
Perform a complete offline restore of Active Directory by using the Repair Wizard:
If you restore data to a domain controller where User Account Control (UAC) is not installed or is disabled:
- The account you use to access the domain controller must be a member of the Domain Admins group.
If you restore data to a domain controller where User Account Control (UAC) is enabled:
- The account you use to access the domain controller must be the built-in Administrator on that computer.
In both these cases, the account you use to access the domain controller must have the Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
Perform a selective online restore of Active Directory objects using the Online Restore Wizard using the Agentless method:
The account used to access the target domain controllers must have (logged on account unless a different account is specified during the wizard):
- Reanimate Tombstones extended right in the domain where objects are to be restored.
- Write permission on each object attribute to be updated during the restore.
- Create All Child Objects permission on the destination container.
- Write access to Universal and Domain Local groups in other domains (only for restoring cross-domain group memberships).
- db_owner rights to the RMAD database if selecting to create the comparison reports.
- List Contents permission on the Deleted Objects container in the domain where objects are to be restored.
The account logged on to the Recovery Manager Server must have:
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- For more information on how to grant List Contents permission to a non-administrator account, see Microsoft Knowledge Base article 892806 “How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server” at http://support.microsoft.com.
Perform a selective online restore of Active Directory objects using the Online Restore Wizard using the Agent-Based method:
The account used to access the target domain controllers must have (logged on account unless a different account is specified during the wizard):
- Member of the Builtin Administrators group in AD (to provide local Administrator access to the target DC)
- Member of the Backup Operators or Domain Admins group in AD
- Write access to Universal and Domain Local groups in other domains (only for restoring cross-domain group memberships).
- db_owner rights to the RMAD database if selecting to create the comparison reports.
The account logged on to the Recovery Manager Server must have:
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
Restore a Group Policy object:
The account used to access the target domain controller must:
- Have all the rights required to perform a selective online restore of Active Directory objects using the Online Restore Wizard.
- Be a member of the Group Policy Creator Owners group.
- Have Full Control privilege on the Group Policy object.
- Be a member of the Backup Operators group.
- Have sufficient permissions to read/write Active Directory objects linked to the Group Policy object.
View Recovery Manager for Active Directory configuration:
The account must have Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
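The Write permission on the RMAD data folder is required by most of the tasks listed here, so it is worth checking before a backup or restore fails on it. The following PowerShell is an added example, not part of the original article or of Quest's tooling; the function name Test-FolderWriteAccess is hypothetical, and the two folder paths are the ones given above.

```powershell
# Added example (not Quest code): read-only pre-flight check; it changes no ACLs.
function Test-FolderWriteAccess {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SIDs to evaluate. Default: the current token's user SID plus its group SIDs.
        [string[]] $Sid
    )
    if (-not $Sid) {
        $id  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $Sid = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    $write   = [int][System.Security.AccessControl.FileSystemRights]::Write
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $allowed = 0
    $denied  = 0
    foreach ($rule in $rules) {
        if ($Sid -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to child objects, not to the folder itself.
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Deny') {
            $denied = $denied -bor [int]$rule.FileSystemRights
        } else {
            $allowed = $allowed -bor [int]$rule.FileSystemRights
        }
    }
    # Conservative: any matching Deny on a Write bit counts as no access.
    [pscustomobject]@{
        Path     = $Path
        HasWrite = (($allowed -band $write) -eq $write) -and (($denied -band $write) -eq 0)
    }
}

# Folder locations exactly as listed in this article.
$base = "$env:AllUsersProfile\Application Data"
$candidates = @(
    "$base\Quest Software\Recovery Manager for Active Directory",  # versions prior to 8.6
    "$base\Quest\Recovery Manager for Active Directory"            # version 9.0 and later
)
$candidates |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-FolderWriteAccess -Path $_ }
```

Run it in a session of the account that will open the console or run the scheduled backup, or pass that account's user and group SIDs with -Sid.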
Automatically install Backup Agent and back up an AD LDS (ADAM) instance:
To automatically install Backup Agent during a manual backup, the logged on account must have (unless there is an account specified on the Agent Settings tab; if there is, see the *Note* below):
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- Be a member of the Local Administrators group on the server hosting AD LDS
To automatically install Backup Agent during a scheduled backup, the scheduled account must have (unless there is an account specified on the Agent Settings tab; if there is, see the *Note* below):
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- Be a member of the Local Administrators group on the server hosting AD LDS
*Note* If an account is specified on the "Agent Settings" tab of the properties of the collection then this account will need to be a member of the Local Administrators group on the server hosting AD LDS and the account initiating the backup (scheduled account for scheduled backup or logged on account for manual backups) will need access to the Application Data location above.
Back up an AD LDS (ADAM) instance using preinstalled Backup Agent:
To automatically install Backup Agent during a manual backup, the logged on account must have (unless there is an account specified on the Agent Settings tab; if there is, see the *Note* below):
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- Be a member of the Local Administrators group on the server hosting AD LDS
To automatically install Backup Agent during a scheduled backup, the scheduled account must have (unless there is an account specified on the Agent Settings tab; if there is, see the *Note* below):
- Write permission on the following folder on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- Be a member of the Local Administrators group on the server hosting AD LDS
*Note* If an account is specified on the "Agent Settings" tab of the properties of the collection then this account will need to be a member of the Backup Operators group in the domain and the account initiating the backup (scheduled account for scheduled backup or logged on account for manual backups) will need access to the Application Data location above.
Restore an AD LDS (ADAM) instance:
The account used to access the computer hosting the instance must:
- Have the Write permission on the following folder located on the RMAD server:
- Versions prior to 8.6: %AllUsersProfile%\Application Data\Quest Software\Recovery Manager for Active Directory
- Version 9.0 and later: %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
- Be a member of the local Administrators group on the computer hosting the AD LDS (ADAM) instance.
Use the Active Directory Virtual Lab (ADVL):
Please see KB Article:
https://support.quest.com/recovery-manager-for-ad-forest-edition/kb/148247
Open and use the Forest Recovery Console:
- Read access to the Recovery Manager for Active Directory Backup registration database:
- Versions prior to 8.6: C:\ProgramData\Quest Software\Recovery Manager for Active Directory\Backups.mdb
- Version 9.0 and later: C:\ProgramData\Quest\Recovery Manager for Active Directory\Backups.mdb
Access Domain Controllers in the Forest Recovery project and perform a Domain or Forest restore:
- Domain Administrator rights in each domain
Install/Uninstall the Forest Recovery Agent on the Domain Controllers:
- Member of the Builtin Administrators group in AD (to provide local Administrator access to the target DCs)