Chat now with support
Chat with Support

Recovery Manager for AD Disaster Recovery Edition 10.3.1 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Cloud Storage Secure Storage Server Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Restore Active Directory on Clean OS method Bare metal forest recovery Using Management Shell Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Step 3: Use the Install-ADDSDomainController cmdlet to install from media

Use the Install-ADDSDomainController cmdlet supplied with Windows PowerShell® to create a new domain controller from the backup you extracted in Step 1: Create and extract a backup. To specify the path to the extracted backup, use the -InstallationMediaPath parameter of the cmdlet.

To view detailed information about the Install-ADDSDomainController cmdlet, in the Windows PowerShell® window, type the following:

Get-Help Install-ADDSDomainController -detailed

 

Restoring passwords and SID history

When undeleting an object by using the agentless method, the Online Restore Wizard employs LDAP functions along with the Restore Deleted Objects feature provided by the Windows operating system. This feature restores only the attributes preserved in the object’s tombstone. The other attributes are restored from a backup. However, some attributes, such as Password and SID History cannot be written using LDAP functions, and thus cannot be restored from a backup via the agentless method.

In many situations, the inability to restore the Password attribute from a backup is not a big problem as an object’s password can be reset after restoring the object. As for the SID History attribute, its restoration may be business-critical. An example is a situation where the domain from which the object was migrated is unavailable or decommissioned, and therefore SID History cannot be re-added.

To enable the restoration of these two attributes using the agentless method, the Active Directory® schema may be modified so that these attributes are preserved in object tombstones. As a result, an undeleted object has the same Password and SID History as the object had when it was deleted.

As this solution requires schema modifications, it should be carefully considered. Microsoft recommends modifying or extending the schema only in extreme situations. Proceed with extreme caution, because making a mistake may render the directory service unstable, resulting in a reinstallation.

Often, organizations are reluctant to make changes to the schema because schema modifications may result in heavy replication traffic. It is not the case for the schema modifications described in this article as they do not affect the partial attribute set (PAS).

Note

Recovery Manager for Active Directory also provides an agent-based method for restoring or undeleting objects. With the agent-based method any attributes can be restored. The agent-based method does not require any schema modifications.

 

Preserving passwords and SID history in object tombstones

To preserve passwords and SID history in object tombstones, complete the following steps:

 

Step 1: Make sure prerequisites are met

  • You are logged on as a member of the Schema Admins group.

  • Write operations to the schema are allowed.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating