A primary restore is intended to recover the initial member of the SYSVOL replica set, only when the entire replica set has been lost. A primary restore should therefore not be used if there are two or more operational domain controllers in the domain. If there are other members in the replica set with which the restored SYSVOL can synchronize, a primary restore should not be performed, as it disrupts the replication of SYSVOL data.
For more information about primary restore, see the Microsoft article “Authoritative, Primary, and Normal Restores” at How to force authoritative and non-authoritative synchronization for DFSR-replicated sysvol replication.
RMAD uses a TCP port to communicate with Backup Agent installed on the target domain controllers to be backed up. To change the Backup Agent port number, perform the following procedures.
On each target domain controller to be backed up, perform the following steps:
Start Registry Editor (Regedit.exe), and then locate the registry key:
HKLM\SYSTEM\CurrentControlSet\Services\ErdAgent
In the details pane, double-click the ImagePath value, and in the Value data text box, specify the port number in the following way:
%SystemRoot%\RecoveryManagerAD\ErdAgent.exe -I -P:3899
In this example, Backup Agent will use port 3899. When finished, click OK.
Close Registry Editor.
Restart the Backup Agent service.
Start the Recovery Manager for Active Directory Console (snap-in), and then perform the following steps:
In the console tree, select the node RMAD, and then on the Action menu, click Settings.
On the Ports tab, select the Connect to Backup Agent using a specific TCP port. check box, and then specify the port number in the Port text box.
Click OK to close the Recovery Manager for Active Directory Properties dialog box.
Important |
If you are using a firewall, the specified TCP port must be opened. You must specify the same port number for all target domain controllers to be backed up. |
LDAP is used to search AD-LDS (ADAM) to retrieve Active Directory object information. During the Online Restoration (agentless and agent-based) and Group Policy Restoration, the LDAP API is used to perform modifications to specified Active Directory objects.
RMAD does not use LDAP for authentication of credentials or for Domain Controller connectivity. RMAD is using LDAP version 3, and the password is not in plain text, but is "encrypted". RMAD uses the Generic Security Services Application Program Interface (GSSAPI) to authenticate user logon. GSSAPI is included in the Kerberos protocol.
RMAD does not use LDAP for transfer, but deploys a Backup Agent to the domain controller. The Backup agent will collect data and make a backup file. If you store the backup file on console side, the backup file will be transfer by encrypted RPC protocol; if you use Remote Storage and assign a UNC path, the backup is copied by SMB protocol. The user can assign a password to encrypt the backup file.
When recovering an Active Directory® forest, Recovery Manager for Active Directory (RMAD) automatically selects a DC in each domain to perform an authoritative (primary) restore of the SYSVOL folder. To select such a DC, RMAD uses a number of predefined criteria listed in this section. These criteria are listed in the order they are applied by RMAD. If no DC meets the first criteria in the list, RMAD tries to apply the next criteria. RMAD keeps going through the list of criteria, from top to bottom, until it finds a suitable DC.
Criteria used to determine if a DC is suitable for an authoritative (primary) restore of the SYSVOL (in the order of priority):
DC has the PDC Emulator role.
DC has the Domain Naming Master role or Schema Master role in the forest.
DC has the RID Master role in the domain.
DC is a DNS server in the domain.
DC resides in the largest Active Directory® site (as compared to other DCs in the domain).
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center