You can use the Recovery Manager Console to uninstall Backup Agent preinstalled on a computer added to a Computer Collection. You can only perform this operation on discovered instances of the Backup Agent. For more information, see Discovering preinstalled Backup Agent.
In the Recovery Manager Console tree, select the Backup Agent Management node.
In the right pane, right-click the computer from which you want to uninstall Backup Agent.
From the shortcut menu, select Uninstall Backup Agent and wait for the uninstall operation to complete.
After the uninstallation operation completes, RMAD removes the uninstalled Backup Agent entry from the list in the Backup Agent Management node.
You can selectively remove Backup Agent entries from the list provided in the Backup Agent Management node. Removing a Backup Agent entry from that list does not affect the corresponding preinstalled agent instance in any way. Rather, it removes the agent’s registration information from the Recovery Manager Console.
You may want remove a Backup Agent entry from the list when, for example, you have uninstalled the corresponding Backup Agent instance from the computer without using the Recovery Manager Console, and the agent entry remained in the Backup Agent Management node.
In the Recovery Manager Console tree, select the Backup Agent Management node.
In the right pane, right-click the Backup Agent entry you want to remove from the list.
From the shortcut menu, select Remove from List.
You can configure Recovery Manager for Active Directory (RMAD) to back up data in an Active Directory® domain under a least-privileged user account. A least-privileged user account is an account that has no other permissions except for those required to back up data with RMAD.
Using a least-privileged account to back up Active Directory® offers greater protection from unwanted changes to your Active Directory® environment, security attacks, or unsolicited access to sensitive documents or settings.
To run backup operations under a least-privileged user account, in the domain you want to back up, create an Active Directory® group named RMAD Backup Operators. Add the least-privileged user account you want to that group, and then preinstall the Backup Agent in the domain. As a result, members of the RMAD Backup Operators group are automatically granted the necessary permissions to back up data in the domain with RMAD.
In the Active Directory® domain you want to back up, create a new Active Directory® group with the following name: RMAD Backup Operators
To the RMAD Backup Operators group, add the least-privileged user account under which you want to back up the domain.
On the domain controllers you want to back up, preinstall the Backup Agent version supplied with this release of RMAD.
Make sure you first create the RMAD Backup Operators group, and then install the Backup Agent in the domain. During its installation, the agent locates that group and saves the group SID in the registry. Then the Backup Agent uses this group SID to check that the user account is a member of the RMAD Backup Operators group.
If the Backup Agent supplied with this release is already preinstalled, you can repair the agent’s installation so that the agent could locate the RMAD Backup Operators group.
Add the domain controllers on which you preinstalled the Backup Agent to a new Computer Collection.
In the Computer Collection properties, on the Agent Settings tab, do the following:
Specify to access the Backup Agent with the least-privileged account you have added to the RMAD Backup Operators group.
Select the check box to use preinstalled Backup Agent. For more information, see Agent Settings tab subsection in Properties for an existing Computer Collection.
Back up the Computer Collection.
Recovery Manager for Active Directory (RMAD) supports MSA/gMSA accounts for:
Scheduled backups - the account can be specified for scheduled tasks in the Computer Collection properties on the Schedule tab or in Task Scheduler.
Scheduled replication tasks (Fault Tolerance)
For PowerShell® scripts launched from the domain controller side before and/or after creating a backup. (Scripts run from the Recovery Manager for Active Directory console are not supported)
Note |
Recovery Manager for Active Directory has deprecated support for a group managed service account (gMSA) to be specified as the account to connect to the backup agent for manually triggered backups. Managed service accounts will continue to be supported for scheduled backup tasks. In accordance with Microsoft®, it is recommended to not use a group managed service account (gMSA) for interactively initiated network connections such as Recovery Manager for Active Directory manually triggered backups. To enforce this recommendation and to address the vulnerability CVE-2023-21524 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21524), Microsoft has limited the usages of managed service accounts with a Windows Update. By removing support for a gMSA to connect to the backup agent, this ensures an attacker does not exploit the RMAD backup agent to perform actions or access resources over the network. To utilize the benefits and security provided by a group managed service account (gMSA), we highly recommend that a gMSA account is used for the scheduled backup task. See Setting user account for scheduled tasks |
MSA/gMSA account requirements:
You can use Managed Service Account (in Windows Server® 2008 or higher) or Group Managed Service Account (in Windows Server® 2012 or higher).
Add the $
character at the end of the account name (e.g. domain\computername$) and leave the Password field blank.
The MSA/gMSA account must be a member of the local Administrator group on the RMAD machine.
How to create a Group Managed Service Accounts (gMSA)
Although the following instructions will configure gMSA accounts in your Active Directory® Forest, we recommend you first review the Microsoft® article: Getting Started with Group Managed Service Accounts
Note |
Even with the |
If you have never used gMSA accounts before, you must prepare Active Directory® by creating a KDS Root Key with one of the following PowerShell® commands on a domain controller:
In production, issue the command:
Add-KdsRootKey -EffectiveImmediately
In a test lab with minimal domain controllers, it’s safe to issue this command:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Run this command once in each Domain of the Forest.
NOTE: For more information, see Create the Key Distribution Services KDS Root Key and this Microsoft Blog post.
(Optional) If you plan to use the same gMSA account on more than one host (for example, you have more than one RMAD server), then it may be easier to create a group for the hosts you plan to use it on. We suggest a Domain-Local Security group for this purpose. The following PowerShell® commands will create the group in the default Users container, then add your RMAD server as a member:
Add-ADGroupMember -Identity <GroupName> -Members <RMADServer$>
Repeat the command above for each RMAD server you want to use the gMSA account.
NOTE: If you use a group, then you must either restart the host(s) you added as members or run the command klist purge –li 0x3e7
on each host before performing step 4 below. This is to refresh the computer’s Kerberos ticket so it will include the new group SID in its NT Token.
Create the gMSA account using the following PowerShell command:
New-ADServiceAccount -Name <gMSAName> -DNSHost <gMSAName.domain> -PrincipalsAllowedToRetrieveManagedPassword <AccountName>
Where:
<gMSAName>
is the name of your gMSA account. For example: “gMSABackup”
<gMSAName.domain>
is the gMSA account followed by the domain. For example: “gMSABackup.contoso.com”
<AccountName>
is either <RMADServer$>
, or the group name you created in step 2 above.
NOTE: If using remote storage for backups, the account for each domain controller being backed up, needs to be added to the "PrincipalsAllowedToRetrieveManagedPassword" property for the gMSA account. Use the following command:
SetADServiceAccount -Identity <gMSAName>
-PrincipalsAllowedToRetreiveManagedPassword <AccountName>
.
After the gMSA account is created, you must install it on each host it will be used on (for example; on your RMAD server). Do this by running the following PowerShell® command on each host:
Install-ADServiceAccount -Identity <gMSAName>
(Optional) You can test that the gMSA account can be used by running the following PowerShell® command on each host where you installed the gMSA account:
Test-ADServiceAccount <gMSAName>
A result of True shows the gMSA account is ready to be used.
For more details, see Getting Started with Group Managed Service Accounts.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center