A primary restore is intended to recover the initial member of the SYSVOL replica set, only when the entire replica set has been lost. A primary restore should therefore not be used if there are two or more operational domain controllers in the domain. If there are other members in the replica set with which the restored SYSVOL can synchronize, a primary restore should not be performed, as it disrupts the replication of SYSVOL data.
For more information about primary restore, see the Microsoft article “Authoritative, Primary, and Normal Restores” at https://technet.microsoft.com.
RMAD uses a TCP port to communicate with Backup Agent installed on the target domain controllers to be backed up. To change the Backup Agent port number, perform the following procedures.
On each target domain controller to be backed up, perform the following steps:
Start Registry Editor (Regedit.exe), and then locate the registry key:
HKLM\SYSTEM\CurrentControlSet\Services\ErdAgent
In the details pane, double-click the ImagePath value, and in the Value data text box, specify the port number in the following way:
%SystemRoot%\RecoveryManagerAD\ErdAgent.exe -I -P:3899
In this example, Backup Agent will use port 3899. When finished, click OK.
Close Registry Editor.
Restart the Backup Agent service.
Start the Recovery Manager for Active Directory Console (snap-in), and then perform the following steps:
In the console tree, select the node RMAD, and then on the Action menu, click Settings.
On the Ports tab, select the Connect to Backup Agent using a specific TCP port. check box, and then specify the port number in the Port text box.
Click OK to close the Recovery Manager for Active Directory Properties dialog box.
Important |
If you are using a firewall, the specified TCP port must be opened. You must specify the same port number for all target domain controllers to be backed up. |
When recovering an Active Directory forest, Recovery Manager for Active Directory automatically selects a DC in each domain to perform an authoritative (primary) restore of the SYSVOL folder. To select such a DC, Recovery Manager for Active Directory uses a number of predefined criteria listed in this section. These criteria are listed in the order they are applied by Recovery Manager for Active Directory. If no DC meets the first criteria in the list, Recovery Manager for Active Directory tries to apply the next criteria. Recovery Manager for Active Directory keeps going through the list of criteria, from top to bottom, until it finds a suitable DC.
Criteria used to determine if a DC is suitable for an authoritative (primary) restore of the SYSVOL (in the order of priority):
DC has the PDC Emulator role.
DC has the Domain Naming Master role or Schema Master role in the forest.
DC has the RID Master role in the domain.
DC is a DNS server in the domain.
DC resides in the largest Active Directory site (as compared to other DCs in the domain).
The overall success of a domain or forest recovery operation very much depends on the domain controllers being restored from backups. Not only it is important to ensure these domain controllers are restored from recent and trusted backups, it is also necessary to temporarily isolate these domain controllers to guarantee that no dangerous or unwanted data will be replicated to them from their replication partners and to block requests to Active Directory from client workstations during the recovery. Recovery Manager for Active Directory isolates domain controllers by creating a service dependency and using custom Internet Protocol security (IPSec) rules.
Before isolating the domain controllers being restored from backups, Recovery Manager for Active Directory backs up the IPSec settings existing in your environment to revert to these settings later.
Then, at the recovery step named Enable domain controller isolation, Recovery Manager for Active Directory does the following:
Establishes a dependency between the IPsec Policy Agent (PolicyAgent) service and the Active Directory Domain Services (NTDS) service. As a result, the Active Directory Domain Services service cannot start until the IPsec Policy Agent service starts.
Activates a number of custom IPSec rules defined in the IsolateDC.bat file.
The IsolateDC.bat file is located in the Recovery Manager for Active Directory installation folder (by default, this is %ProgramFiles%\Quest\Recovery Manager for Active Directory). The IPSec rules defined in the IsolateDC.bat file block all IP traffic between the domain controllers and their replication partners, except for the IP traffic generated by the following tools/services:
Remote Desktop Connection client
Ping command
File sharing services
Domain Naming System
These IPSec rules also apply to the IP traffic from the domain controllers to the Forest Recovery Console computer. Traffic from the Forest Recovery Console computer to the domain controllers is not affected by these IPSec rules.
Note |
You can edit the IsolateDC.bat file to define the IPSec rules that become active during recovery. However, we cannot guarantee that problems that may occur if you incorrectly edit the IsolateDC.bat file can be solved. Edit the IsolateDC.bat file at your own risk. |
At the recovery step named Ensure that domain controller isolation is disabled, Recovery Manager for Active Directory removes the dependency between the Active Directory Domain Services service and the NTDS service and uses the UnisolateDC.bat file to revert to the pre-recovery IPSec settings.
The UnisolateDC.bat file is located in the Recovery Manager for Active Directory installation folder (by default, this is %ProgramFiles%\Quest\Recovery Manager for Active Directory).
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center