You can configure Recovery Manager for Active Directory (RMAD) to automatically run custom scripts on the RMAD computer before, after, or during the recovery operation.
This version of RMAD is supplied with the Microsoft Windows Script File (.wsf) file that serves as a template where you can insert your custom scripts written in the VBScript or JScript language.
The .wsf file has a number of XML elements where you can insert your scripts. Depending on the XML element where you insert it, your script will run
Before the recovery operation starts in the current project.
Each time before the restore from backup operation starts for a domain controller in the current project.
After the restore from backup operation completes for all domain controllers in the current project.
Before the reinstall Active Directory operation starts in the current project.
Each time before the reinstall Active Directory operation starts for a domain controller in the current project.
Each time the reinstall Active Directory operation completes for a domain controller in the current project.
After the recovery operation completes in the current project.
Recovery Manager for Active Directory performs the following functions:
Regular backup of domain controllers’ components across a network, including the Active Directory database, SYSVOL and Registry, and maintenance of one or more secure repositories containing the backed-up Active Directory data.
Creation of BMR backups for the forest bare metal restore.
Secondary storage for critical backups with Secure Storage server and Cloud Storage.
Wizard-driven, remotely administered restoration of Active Directory object data and Group Policy information from a point-in-time backup.
Active Directory, AD LDS (ADAM), and Group Policy comparison reporting, troubleshooting, and investigation.
Recovery Manager for Active Directory (RMAD) provides the facility to create backups of the Active Directory® components on domain controllers, including the Active Directory® database and Windows Server® Bare Metal Recovery (BMR) backups.
Both types of backups can be created for any Active Directory® domain controller available on the network. Backup creation is a task that can be performed on a regular basis without interrupting the operation of the domain controller.
RMAD lets you organize domain controllers into collections, and establish a backup scheduling frequency and “allowed hours” during which the backup process may run. Based on the frequency of updates to the directory data store, you can configure a backup schedule for each collection.
Depending on the requirements of your enterprise, you can configure a retention policy to specify how many backups are retained: for example, all saved backups or a number of the most recent backups. Different policy settings can be specified for different domain controller collections.
For Active Directory® backups, it is not necessary to maintain a single, centralized repository: several repositories, perhaps based on the site topology, can make your deployment more WAN-friendly. To minimize bandwidth consumption, RMAD employs agents that compress the data to be backed up, before sending it across the network.
For Windows Server® Bare Metal Recovery (BMR) backups, you have to set up the dedicated backup server performing the role of an SMB repository. The backups are created on domain controllers and saved to the SMB share. Windows Server® BMR backups are stored in VHD (Microsoft Windows Server® 2008 R2) format or VHDX (for higher Windows versions).
RMAD allows backups to be encrypted and protected with a password, to prevent unauthorized access. This password is used to generate a passphrase with which the backup is encrypted.
For Active Directory® backup encryption, the product uses Microsoft’s implementation of the AES-256 algorithm from RSA, Inc. (Microsoft Enhanced RSA and AES Cryptographic Provider), with the maximum cipher strength. The use of the Microsoft Enhanced RSA and AES Cryptographic Provider ensures that backups are encrypted with 256–bit cipher strength
For Bare Metal Recovery backup encryption, RMAD uses a virtual hard disk encrypted with BitLocker® Drive Encryption as a container for the backup (256-bit AES encryption). The BitLocker® Drive Encryption feature should be installed on all backed up domain controllers and on the Forest Recovery Console machine to support encrypted BMR backups. But note that the BitLocker® feature does not encrypt DC drives automatically.
Since Windows Server® BMR backups are stored in VHD or VHDX format, note that a password cannot be used directly to unlock the backup container *.vhd(x) file.
You can have RMAD keep unpacked Active Directory® or AD LDS (ADAM) backups in any appropriate location on your network.
Unpacked backups can be reused for subsequent starts of the Online Restore Wizard or Group Policy Restore Wizard. The use of unpacked backups accelerates the backup data preparation step of those wizards, because the unpacking process may be a lengthy operation.
RMAD makes it possible to use Active Directory® or AD LDS (ADAM) backups created with third-party backup tools. Before using this feature, unpack the backup to an alternate location with the corresponding third-party backup tool, and then register the database file (ntds.dit or adamntds.dit) using the Online Restore Wizard or Online Restore Wizard for AD LDS (ADAM), respectively.
When backing up Global Catalog servers, you have the option to force RMAD to collect group membership information from all domains within the Active Directory® forest. This option ensures that group membership spanning multiple domains is fully backed up.
It is recommended that you restore objects from Global Catalog backups that were created with this option. Otherwise, restored objects may not retrieve their membership in some local groups, because even Global Catalog servers do not store full information about group memberships. For example, information about membership in domain local groups is only stored in the home domains of those groups.
In an Active Directory® environment, each domain controller maintains its own Active Directory® database. Therefore, a backup of the Active Directory® database is domain controller-specific. To completely back up Active Directory®, you must back up the directory database on every domain controller.
To restore deleted or corrupted objects, it is recommended to back up at least two domain controllers for each domain for redundancy. If you intend to restore cross-domain group membership information, then it is also necessary to back up a global catalog server.
Another reason for backing up the directory database on every domain controller is loose consistency. Replication of changes made to Active Directory® does not occur immediately. The replication process first accumulates all changes, and then provides them to the participating domain controllers. As a result, the directory database on any domain controller is normally in a state of loose consistency. The directory object data on individual domain controllers differs to some extent, given that replication updates are either in transit between domain controllers, or waiting to be initiated.
The age of the backup must also be considered. Active Directory® prevents the restoration of data older than the "tombstone lifetime" - a setting specified in Active Directory®. Because of this, an Active Directory® backup should be created at least once within the tombstone lifetime. However, it is strongly recommended that backups of the directory database be created more often than this.
Backups created with Recovery Manager for Active Directory can be stored in multiple locations. Primary storage of backups allows for backup files to be saved on a distributed network, or on selected computers with physically restricted access. Recovery Manager considers these locations as primary storage and is referred to as Tier 1 storage.
Recovery Manager for Active Directory Disaster Recovery Edition offers secondary storage locations known as Tier 2 storage.Secondary storage options in Recovery Manager include Secure Storage server and Cloud Storage. Tier 2 storage provides secure locations for business critical backups to ensure you are ready when disaster strikes.
Recovery Manager for Active Directory provides options for primary storage in local and remote locations. Local storage is refers to storage on the Recovery Manager console computer, where remote storage is storage on the backed up domain controller or other remote servers on network shares. These locations are remote due to not being on the Recovery Manager console computer. See the Local Storage tab and Remote Storage tab. For both local and remote storage locations, a primary backup path can be provided and an alternate backup path.
Primary storage is for the original backup files to be saved to the a safe location. For primary storage, the backup agent creates the backup file, compresses the data and then the file is saved to the configured storage locations. In the diagram below see line number 1 to view the process that is taken to save the backup file to primary storage locations. The RPC protocol is used to save backups files to the console computer. For saving to remote storage locations SMB protocols are used.
The figure illustrates how Recovery Manager for Active Directory creates and saves backup files to primary storage locations.
Recovery Manager for Active Directory Disaster Recovery Edition provides secondary storage for critical backups. For Active Directory® and Windows Server® BMR backups, you can copy backups to a secondary storage location. There are two options available for secondary storage in Recovery Manager for Active Directory Disaster Recovery Edition. You can set up a dedicated Secure Storage server, use Cloud Storage or use both options to ensure that your backups are always available even if disaster strikes and your primary storage backups are lost.
After a backup is created and saved to primary storage locations, the backup will be additionally copied to configured Tier 2 locations. For more information on using a Secure Storage server refer to Secure Storage server. For more information on setting up Cloud storage refer to Cloud Storage.
A Secure Storage server is a dedicated secure backup storage server, hardened by Recovery Manager for Active Directory and isolated according to IPSec rules. For detailed information on how the server is hardened refer to Secure Storage Server Hardening.
After primary storage is complete, copies of the backup files are then copied to secondary storage. The Secure Storage agent installed on the Secure Storage server, pulls the backup from the primary storage location and a copy is stored securely on the server. Refer to the illustration below and line labeled 2.
The figure above illustrates how Recovery Manager for Active Directory copies backup files to secondary storage with a Secure Storage server.
Using Cloud storage you can configure and use storage for your business-critical backups. Cloud storage provides multiple options including immutability to protect your backups from being overwritten or deleted.
After primary storage is complete, copies of the backup files are then copied to Cloud Storage locations. For Cloud storage, the backup file is copied to the Recovery Manager console (line number 2) and then the Recovery Manager Cloud Upload service uploads a copy of the backup to the cloud storage location indicated by line numbered 3.
The figure above illustrates how Recovery Manager for Active Directory copies backup files to secondary storage with Cloud Storage.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center