Compatibility with Recovery Manager for Active Directory (RMAD) FE/DRE
When using Disaster Recovery for Identity for Active Directory and Recovery Manager for Active Directory Forest Edition (RMAD FE) or Recovery Manager for Active Directory Disaster Recovery Edition (RMAD DRE) in the same Active Directory environment:
- RMAD FE/DRE 10.3.2 Hotfix 1 is required.
- It is recommended to install the Disaster Recovery for Identity for Active Directory hybrid agent on the same machine as the RMAD Forest Recovery Console.
Forest Recovery Agent vs Domain Controller Agent
Disaster Recovery for Identity for Active Directory uses the RMAD FE/DRE Forest Recovery Agent as a domain controller agent. Disaster Recovery for Identity for Active Directory can connect and use an existing Forest Recovery Agent deployed in the environment when a hybrid agent is installed on the machine hosting the Forest Recovery Console.
Communication Keys Synchronization
It is possible to install the Disaster Recovery for Identity for Active Directory hybrid agent and the Forest Recovery Console on different machines or add RMAD DRE/FE into an environment that already has Disaster Recovery for Identity for Active Directory. In this case, manual key synchronization may be required to allow both products to use the same Forest Recovery Agent.
- If the Disaster Recovery for Identity for Active Directory hybrid agent and Forest Recovery Console are installed on different machines:
  - If RMAD FE/DRE was installed first, it is recommended that you copy the RMAD keys after installing the hybrid agent:
    - In the Forest Recovery Console, open the Tools | Fault Tolerance | Export communication keys... dialog. Select the file to which you want to export the keys and enter a secret password of your choice. After exporting, copy the file to the hybrid agent machine.
    - On the hybrid agent machine, open an elevated ("Run as Administrator") command prompt and run the following command (assuming that the keys were copied to the C:\Temp\exported_keys.pfx file):
      C:\ProgramData\Quest\OnDemandAgent\Service\OdradPlugin\<version>\CreateCommunicationKeys.exe -i:C:\Temp\exported_keys.pfx -p:<secret password>
      This command imports the keys from the exported_keys.pfx file and stores them in the ConsoleCommunicationKeys.rmad and AgentCommunicationKeys.rmad files in the C:\ProgramData\Quest\OnDemandAgent\Service\OdradPlugin\<version>\ folder.
    - Finally, copy the ConsoleCommunicationKeys.rmad and AgentCommunicationKeys.rmad files from the C:\ProgramData\Quest\OnDemandAgent\Service\OdradPlugin\<version>\ folder to the C:\ProgramData\Quest\OnDemandAgent\Service\OdradPlugin\Data\ folder.
  - If the Disaster Recovery for Identity for Active Directory hybrid agent was installed first, it is recommended that you copy the hybrid agent keys to RMAD:
    - On the hybrid agent machine, open an elevated ("Run as Administrator") command prompt and run the following command (the exported_keys.pfx file name and path may be different; use a secret password of your choice):
      C:\ProgramData\Quest\OnDemandAgent\Service\OdradPlugin\<version>\CreateCommunicationKeys.exe -e:C:\Temp\exported_keys.pfx -a -p:<secret password>
      This command exports the keys to the file exported_keys.pfx. After the export, copy the file to any folder on the RMAD machine. Then, in the Forest Recovery Console, open the Tools | Fault Tolerance | Import communication keys... dialog. Select the copied file and enter the password.
- If the Disaster Recovery for Identity for Active Directory hybrid agent and Forest Recovery Console are on the same machine and the hybrid agent was installed first, reinstall the agents either from Disaster Recovery for Identity for Active Directory or from the Forest Recovery Console.
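The import-and-copy steps for the case where RMAD FE/DRE was installed first, collected into one script to run on the hybrid agent machine. This is an added example, not a script shipped by Quest; it assumes that the <version> folder is the only subfolder of OdradPlugin other than Data (the highest-sorted one is used if there are several) and that a nonzero exit code from CreateCommunicationKeys.exe means the import failed.

```powershell
# Added example (not part of the Quest product): automates the "RMAD FE/DRE
# installed first" path above on the hybrid agent machine: import the exported
# .pfx, then copy the generated key files into the Data folder.
# Assumptions: the <version> folder is the only non-"Data" subfolder of
# OdradPlugin (the highest-sorted one is used if there are several); a nonzero
# exit code from CreateCommunicationKeys.exe means the import failed.
param(
    [string]$PfxPath    = 'C:\Temp\exported_keys.pfx',
    [string]$PluginRoot = 'C:\ProgramData\Quest\OnDemandAgent\Service\OdradPlugin'
)
$ErrorActionPreference = 'Stop'

# The steps above require an elevated prompt; fail early if this is not one.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated ("Run as Administrator") PowerShell session.'
}
if (-not (Test-Path -LiteralPath $PfxPath)) { throw "Exported key file not found: $PfxPath" }

# Locate the <version> folder holding CreateCommunicationKeys.exe.
$versionDir = Get-ChildItem -LiteralPath $PluginRoot -Directory |
    Where-Object { $_.Name -ne 'Data' } | Sort-Object Name -Descending | Select-Object -First 1
if (-not $versionDir) { throw "No versioned plugin folder found under $PluginRoot" }
$tool = Join-Path $versionDir.FullName 'CreateCommunicationKeys.exe'
if (-not (Test-Path -LiteralPath $tool)) { throw "Tool not found: $tool" }

# Prompt for the export password rather than embedding it in the script. The tool
# takes it as a command-line argument, so it is visible in local process listings
# while the import runs.
$secure = Read-Host -Prompt 'Password used when exporting the keys' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

& $tool "-i:$PfxPath" "-p:$password"
Remove-Variable password
if ($LASTEXITCODE -ne 0) { throw "CreateCommunicationKeys.exe exited with code $LASTEXITCODE" }

# Copy both key files to the Data folder and verify each copy matches its source.
$dataDir = Join-Path $PluginRoot 'Data'
New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
foreach ($name in 'ConsoleCommunicationKeys.rmad', 'AgentCommunicationKeys.rmad') {
    $src = Join-Path $versionDir.FullName $name
    if (-not (Test-Path -LiteralPath $src)) { throw "Import did not produce $src" }
    $dst = Join-Path $dataDir $name
    Copy-Item -LiteralPath $src -Destination $dst -Force
    if ((Get-FileHash $src).Hash -ne (Get-FileHash $dst).Hash) { throw "Copy of $name does not match source" }
    Write-Output "Copied $name to $dataDir"
}
```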
Server Access Credentials
The following are definitions for each credential when configuring domains or domain controllers:
Domain User
This account must be a domain administrator in the domain that is being restored. After the domain is restored, the password for this account is reset to the specified value, regardless of the value restored from the backup. Supported format is domain\username or username. If only the username is specified, then the local domain name is automatically added.
Local User
Specifies the account that will be used to access the target computer to install the agent before the target computer is promoted to a domain controller. This account must be a local administrator on the target computer. Supported format is machine\username or username. If only the username is specified, then the target machine name is automatically added.
DSRM Administrator
Specifies the account used to promote the target computer to a domain controller in the Restore to Clean OS recovery method. After the domain is restored, the password for the DSRM Administrator account is reset to the specified value, regardless of the value restored from the backup.
DNS Configuration
When using the Recover Domain recovery method, you need to specify the DNS configuration for domain controllers within that domain. This section helps you select the correct option for your environment.
In the domain configuration, you can choose one of the following options for DNS server selection:
- Select DNS server automatically – Automatically selects and assigns a DNS server for each domain controller in the domain. This option is selected by default.
- Use preferred DNS server(s) – Assigns DNS servers from a user-specified list of one or more IP addresses, each separated by a semicolon (;).
Select DNS server automatically
The Select DNS server automatically option is recommended in the following cases:
- Your DNS is Active Directory-integrated (AD-integrated DNS service).
- Your DNS is not Active Directory-integrated (external DNS service), and the original DNS servers are available to the restored domain controllers.
For Active Directory-integrated DNS, ensure that at least one DNS server for each DNS zone is restored from backup. The best practice is to restore as many DNS servers as possible from backup.
When the original DNS servers are available, automatic DNS selection uses an ordered list of the original DNS servers as follows. First, it includes IP addresses configured in the DNS client settings of the domain controller. Next, it includes the preferred DNS addresses of other domain controllers within the same domain and their DNS client settings. This approach is then used for domain controllers in the parent domain hierarchy, followed by those in child and direct child domains. During recovery, Disaster Recovery for Identity for Active Directory automatically selects a functioning DNS server from the resulting list and assigns that DNS server to the domain controller.
Use preferred DNS servers
The Use preferred DNS server(s) option is recommended when using a new external DNS server during recovery. When this option is specified, ensure the DNS servers:
- Are properly configured to work with the domain controllers being recovered;
- Support dynamic updates;
- Have DNS zones configured for each domain within the forest you intend to recover.
During recovery, Disaster Recovery for Identity for Active Directory checks whether the specified DNS server is accessible. If the DNS server is unavailable or not functioning properly, one or more of the original DNS servers will be selected.
Security
Required permissions
This section describes specific permission requirements needed for agents and credentials in Disaster Recovery for Identity for Active Directory. For permissions needed to operate the product, go to the Roles and Permissions in On Demand page.
Restore to Clean OS
- Hybrid agent: A service account used to run the hybrid agent service must be a local administrator account on the computer where the hybrid agent is installed. The domain FQDN\username should at least have forest-wide read permissions.
- Domain controller agent: The service account used to run the domain controller agent is always the Local System account. An account used to install the domain controller agent remotely must be a member of the local Administrators group.
- Domain User: When configuring a domain or domain controller, this account must be a domain administrator in the domain that is being restored.
- Local User: When configuring a domain or domain controller, this account must be a local administrator on the target computer.
Install Active Directory
- Hybrid agent: A service account used to run the hybrid agent service must be a local administrator account on the computer where the hybrid agent is installed. The domain FQDN\username should at least have forest-wide read permissions.
- Domain controller agent: The service account used to run the domain controller agent is always the Local System account. An account used to install the domain controller agent remotely must be a member of the local Administrators group.
- Domain User: When configuring a domain or domain controller, this account must be a domain administrator in the domain that is being restored.
- Local User: When configuring a domain or domain controller, this account must be a local administrator on the target computer.
Endpoint requirements
Hybrid agent requirements
- Port 389, outbound, to domain controllers: LDAP port to domain controllers to discover the forest topology.
- Port 445, outbound, to domain controllers: SMB port to domain controllers to install domain controller agents.
- Port 443, outbound, to the endpoints for your region: agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more).
  - AU: odjrs-auprod-au-iothub.azure-devices.net, https://odjrsauprodaugrssto.blob.core.windows.net, https://odrjsauprodausto.blob.core.windows.net
  - CA: odjrs-caprod-ca-iothub.azure-devices.net, https://odjrscaprodcagrssto.blob.core.windows.net, https://odrjscaprodcasto.blob.core.windows.net
  - EU: odjrs-euprod-eu-iothub.azure-devices.net, https://odjrseuprodeugrssto.blob.core.windows.net, https://odjrseuprodeusto.blob.core.windows.net
  - UK: odjrs-ukprod-uk-iothub.azure-devices.net, https://odjrsukprodukgrssto.blob.core.windows.net, https://odjrsukproduksto.blob.core.windows.net
  - US: odjrs-usprod-us-iothub.azure-devices.net, https://odjrsusprodusgrssto.blob.core.windows.net, https://odjrsusprodussto.blob.core.windows.net
- Port 80, outbound, to the endpoint for your region: agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more).
  - AU: odjrsauprodauiotinst-odjrsauprodauiotacct.b.nlu.dl.adu.microsoft.com
  - CA: odjrscaprodcaiotinst-odjrscaprodcaiotacct.b.nlu.dl.adu.microsoft.com
  - EU: odjrseuprodeuiotinst--odjrseuprodeuiotacct.b.nlu.dl.adu.microsoft.com
  - UK: odjrsukprodukiotinst--odjrsukprodukiotacct.b.nlu.dl.adu.microsoft.com
  - US: odjrsusprodusiotinst--odjrsusprodusiotacct.b.nlu.dl.adu.microsoft.com
Domain Controller Agent requirements
- Port 445, inbound: SMB port to allow automatic agent installation.
- Port 135, inbound: RPC Endpoint Mapper port used by the RPC runtime.
- Ports 49152-65535, inbound: RPC dynamic port range to accept RPC connections from the hybrid agent.
- Port 443 or the proxy server port, outbound, to the Azure Blob Storage account for your region: download and upload backups.
  - AU: https://odradprodausa.blob.core.windows.net
  - CA: https://odradprodcasa.blob.core.windows.net
  - EU: https://odradprodeusa.blob.core.windows.net
  - UK: https://odradproduksa.blob.core.windows.net
  - US: https://odradprodussa.blob.core.windows.net
Windows Firewall
A firewall in your environment may block network traffic on ports used by Disaster Recovery for Identity for Active Directory, potentially hindering backup and restore operations. Before using the product, ensure your firewall does not restrict traffic on the necessary ports.
The built-in Windows Firewall on the domain controllers to be backed up can be configured either automatically or manually. For firewall rules for the hybrid agent, see the On-premises agent requirements section in the On Demand Global Settings User Guide.
Automatic
This is enabled by default and will not configure any outbound firewall rules. Depending on your environment, you may need to configure outbound rules manually (allow outbound 443 or proxy port).
Manual
This is used if the automatic method fails for any reason, or if the automatic method has been disabled. Depending on your environment, you may also need to configure outbound rules manually (allow outbound 443 or proxy port).
The following list describes the settings for each firewall rule. Any setting not described in this list can be left as the default value:
Rule 1
- Rule Type: Custom
- Program Path: System
- Service settings: Apply to all programs and services
- Protocol: TCP
- Local ports: 445
- Remote ports: Any
- Local IP addresses: Any
- Remote IP addresses: Any
- Action: Allow the connection
- Rule profile: Domain, Private, and Public
- Allowed users: Any
- Allowed computers: Any
PowerShell for the Rule 1 settings: New-NetFirewallRule -DisplayName "Rule 1" -Group DRIAD -Enabled True -Profile Any -Direction Inbound -LocalPort 445 -Protocol TCP -Program System
Rule 2
- Rule Type: Custom
- Program Path: %SystemRoot%\System32\Svchost.exe
- Service settings: Remote Procedure Call (RpcSs)
- Protocol: TCP
- Local ports: RPC Endpoint Mapper
- Remote ports: Any
- Local IP addresses: Any
- Remote IP addresses: Any
- Action: Allow the connection
- Rule profile: Domain, Private, and Public
- Allowed users: Any
- Allowed computers: Any
PowerShell for the Rule 2 settings: New-NetFirewallRule -DisplayName "Rule 2" -Group DRIAD -Enabled True -Profile Any -Direction Inbound -LocalPort RPCEPMap -Protocol TCP -Program "%SystemRoot%\System32\Svchost.exe" -Service RpcSs
Rule 3
- Rule Type: Custom
- Program Path: C:\Program Files\Quest\Recovery Manager for Active Directory Forest Edition\FRRestoreService64.exe
- Service settings: Apply to all programs and services
- Protocol: TCP
- Local ports: RPC dynamic port range
- Remote ports: Any
- Local IP addresses: Any
- Remote IP addresses: Any
- Action: Allow the connection
- Rule profile: Domain, Private, and Public
- Allowed users: Any
- Allowed computers: Any
PowerShell for the Rule 3 settings: New-NetFirewallRule -DisplayName "Rule 3" -Group DRIAD -Enabled True -Profile Any -Direction Inbound -LocalPort RPC -Protocol TCP -Program "C:\Program Files\Quest\Recovery Manager for Active Directory Forest Edition\FRRestoreService64.exe"
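A verification script to run on a domain controller after the three rules have been created. It is an added example, not part of the product: it checks that each DRIAD rule exists, is enabled, inbound, and allows TCP on the expected local port, and that outbound TCP 443 to the regional Azure Blob Storage host from the Domain Controller Agent requirements table succeeds. It assumes the rules were created with the display names and -Group DRIAD used above and that the domain controller reaches Azure directly rather than through a proxy.

```powershell
# Added example (not from Quest): run on a domain controller to verify the three
# DRIAD inbound rules above and outbound 443 to the regional backup storage host.
# Assumptions: rules carry the display names and -Group DRIAD from the commands
# above; the DC reaches Azure directly (no proxy in the path).
param([ValidateSet('AU', 'CA', 'EU', 'UK', 'US')][string]$Region = 'US')

# Hosts from the Domain Controller Agent requirements table.
$blobHosts = @{
    AU = 'odradprodausa.blob.core.windows.net'; CA = 'odradprodcasa.blob.core.windows.net'
    EU = 'odradprodeusa.blob.core.windows.net'; UK = 'odradproduksa.blob.core.windows.net'
    US = 'odradprodussa.blob.core.windows.net'
}
# Expected local port of each rule, matching the -LocalPort values above.
$expectedPort = @{ 'Rule 1' = '445'; 'Rule 2' = 'RPCEPMap'; 'Rule 3' = 'RPC' }
$problems = @()

foreach ($name in $expectedPort.Keys) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Where-Object { $_.Group -eq 'DRIAD' } | Select-Object -First 1
    if (-not $rule) { $problems += "$name (group DRIAD) is missing"; continue }
    if ($rule.Enabled   -ne 'True')    { $problems += "$name is disabled" }
    if ($rule.Direction -ne 'Inbound') { $problems += "$name is not an inbound rule" }
    if ($rule.Action    -ne 'Allow')   { $problems += "$name does not allow the connection" }
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -ne 'TCP') { $problems += "$name protocol is $($filter.Protocol), expected TCP" }
    if ("$($filter.LocalPort)" -ne $expectedPort[$name]) {
        $problems += "$name local port is $($filter.LocalPort), expected $($expectedPort[$name])"
    }
}

# Outbound path to Azure Blob Storage for this region (443 or proxy port above).
$target = $blobHosts[$Region]
$tnc = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) { $problems += "Outbound TCP 443 to $target failed" }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "All DRIAD rules are present and outbound 443 to $target is reachable."
```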