This recovery approach is recommended by Microsoft® in the Planning for Active Directory Forest Recovery paper. To use this approach, you must have a recent and trusted backup for one domain controller in each domain in the forest. These backups must be created at a similar point in time to mitigate the risk of discrepancy after the forest is recovered.
At a high level, recovering a forest using this approach includes the following stages:
Recovery Manager for Active Directory restores one domain controller in each domain from the recent and trusted backup you specify.
Recovery Manager for Active Directory uses Microsoft® tools (Dcpromo.exe or the Uninstall-ADDSDomainController and Install-ADDSDomainController cmdlets) to automatically reinstall Active Directory® on the domain controllers for which no backups are available.
The domain controllers on which Active Directory was reinstalled replicate Active Directory data from the domain controllers restored from reliable backups.
Approach 2 has the following advantages and limitations.
Recommended by Microsoft. This recovery approach is recommended in the Microsoft’s best practice paper, Planning for Active Directory Forest Recovery.
Safer, healthier recovery as compared to Approach 1. The limited number of backups used in Approach 2 (one backup per each domain) allows you to check them all to make sure they do not include any corrupted or unwanted data.
Forest recovery may require significant time to complete. Approach 2 requires more time to complete than Approach 1.
Recovery of entire domain depends on a successful restore of a single domain controller. A successful restore of one domain controller from backup is required before Active Directory can be reinstalled on all other domain controllers in the domain.
The original forest infrastructure is not retained. Because Active Directory is reinstalled on most domain controllers in the forest, the forest infrastructure cannot be restored to its exact pre-failure state.
For a step-by-step procedure on how to perform a forest recovery, Overview of steps to recover a forest
To restore domain controllers from RMAD or BMR backups, use the backups that were taken a few days before the occurrence of the failure. In general, you have to trade off between recentness and safeness of restored data. Choosing a more recent backup recovers more useful data, but it might increase the risk of re-introducing dangerous data into the restored forest.
It is strongly recommended that you keep detailed logs about the health state of Active Directory® on a daily basis, so that in case of a forest-wide failure you could identify an approximate time of the failure.
For more information on the methods you can use to select backups for recovery, see Selecting backups for recovery.
You can configure Recovery Manager for Active Directory (RMAD) to automatically run your custom scripts on the RMAD computer before, after, or during the recovery operation.
RMAD is supplied with a Microsoft Windows Script (.wsf) file serving as a template where you can insert your custom scripts written in the VBScript or JScript language. The file name is ConsoleSideScripting.wsf, and you can find it in the RMAD installation folder (by default, this is %ProgramFiles%\Quest\Recovery Manager for Active Directory Forest Edition).
The .wsf file has a number of XML elements where you can insert your scripts. Each XML element in the .wsf file provides a description explaining when the script inserted that element will run. Depending on where you inserted your script, it will run:
Before the recovery operation starts in the current project.
Each time before the restore from backup operation starts on a domain controller in the current project.
After the restore from backup operation completes on all domain controllers in the current project.
Before the reinstall Active Directory® operation starts in the current project.
Each time before the reinstall Active Directory® operation starts on a domain controller in the current project.
Each time the reinstall Active Directory® operation completes on a domain controller in the current project.
After the recovery operation completes in the current project.
Locate the file ConsoleSideScripting.wsf in the RMAD installation folder, and open the file in a text editor.
In the file, read the descriptions provided for the XML elements to identify the ones where you want to insert your script, then insert your script as appropriate.
Open the recovery project you created for your environment. For more information, see Opening a recovery project.
Use the Active Directory logs to determine the forest failure date.
Select appropriate backups for the domain controllers in your project. Make sure you use backups that were created before the point in time when the forest failure occurred. For more information on how to select backups for the recovery, see Selecting backups for recovery.
Verify the settings specified in your recovery project. For more information, see Specifying recovery project settings.
Verify the recovery settings specified for each domain controller in your recovery project:
Use the list of domain controllers in the Forest Recovery Console to select the domain controller whose settings you want to verify.
Open the General tab, and then verify the specified recovery settings. If necessary, adjust the settings as needed.
Repeat these steps for each domain controller in the project.
For more information about forest recovery approaches, see Forest recovery approaches.
On the toolbar, click Start Recovery to start the recovery operation on your project.
Important |
Before starting a forest recovery, the settings verification must be successfully passed. For more information, see Verifying recovery project settings. |
After you start the recovery operation on your project, you can reset the password for users in the following privileged groups on the Reset Passwords step of the wizard. The password resetting option is available only for Forest Recovery and Domain Recovery modes. For more information about privileged groups, refer this link.
Enterprise Admins
Domain Admins
Administrators
Account Operators
Schema Admins
Group Policy Creator Owners
Backup Operators
Server Operators
Print operators
Note |
The Domain User Name setting specified on the General tab is excluded from password resetting. |
The groups above are also listed in order of priority, from highest to lowest, for users belonging to more than one group, or a nested group to obtain the new password.
A user belongs to more than one group: The password with the highest priority will be assigned to the user.
A user belongs to a group nested in another one, and so on: The password with the highest priority of all groups in the nested structure will be assigned to the user.
Make sure the new passwords meet your domain password policies, otherwise passwords will not be reset successfully.
Resetting password also enables the account setting "User must change password at next logon". This means users must enter and change the new password the next time they log in.
NOTE |
The account setting "User must change password at next logon" will not be enabled for the users who have the setting "Password never expires" enabled. |
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center