
Disaster Recovery for Identity Current - for Active Directory User Guide

Recovery Considerations and Best Practices


Recovery strategies overview

Before you choose one of the recovery strategies described in this section, it is strongly recommended that you read Microsoft’s Active Directory Forest Recovery Guide. When choosing a recovery strategy, note that every recovery is unique, and the strategy might need adjustments to suit your needs.

It is highly recommended to periodically test your chosen strategy to ensure that you are familiar with the process, and that the strategy can be run during a disaster. It is essential to have Recovery Plans created in Disaster Recovery for Identity for Active Directory before a disaster occurs. Refer to Creating and Editing a Recovery Plan for more details.

The product allows you to restore a domain in the forest to its prior state at the time of the last trusted backup. Consequently, the restore operation will result in the loss of at least the following Active Directory data:

  • All objects (such as users and computers) that were added after the last trusted backup.
  • All updates made to existing objects since the last trusted backup.
  • All changes made to either the configuration partition or the schema partition in Active Directory since the last trusted backup (such as schema changes).

Additionally, any software applications that were running on the domain controllers will need to be reinstalled on the domain controllers after recovery.

 

Forest recovery overview

At a high level, the forest recovery process using Disaster Recovery for Identity for Active Directory involves the following steps:

  1. Restore domain controllers within each domain from backups using the Restore to Clean OS recovery method, utilizing the most reliable backups.

NOTE: The greater the number of domain controllers restored from backups, the more rapid the recovery process will be. See Forest recovery strategies below for details on how many domain controllers to restore.

  2. Install Active Directory on the domain controllers that were not restored.

NOTE: During Technical Preview, this step must be completed manually. After Technical Preview, the product will be able to install Active Directory on domain controllers automatically.

  3. Wait for the domain controllers with reinstalled Active Directory to replicate Active Directory data from the domain controllers restored from reliable backups.

 

Forest recovery strategies

 

Recovery strategy 1: Restore all critical domain controllers from backups

This strategy is recommended by Quest.

Advantages

  • Rapid recovery of the most critical infrastructure, allowing the business to return to normal operations faster.
  • Enhanced stability of the recovery process compared to restoring only one domain controller per domain. The use of multiple backups ensures that the entire forest can be recovered, even if the restoration of some domain controllers is unsuccessful.
  • The more domain controllers restored from backup, the more closely the recovered forest resembles its pre-failure state.

Limitations

  • Risk of reintroducing corrupted or unwanted data: because multiple backups are used, there is no guarantee that corrupted or unwanted data from one of the backups will not be introduced into the recovered forest.

 

Recovery strategy 2: Restore one domain controller per domain from backups

Advantages

  • Recommended by Microsoft - this recovery approach is aligned with Microsoft's best practices as outlined in the Planning for Active Directory Forest Recovery Guide.
  • The limited number of backups allows for thorough inspection to ensure they are free of corruption or unwanted data.

Limitations

  • Successful recovery of an entire domain relies on the successful restoration of a single domain controller. Active Directory can only be reinstalled on other domain controllers within the domain after the initial domain controller is successfully restored from backup.
  • The full forest recovery process may be time-consuming.
  • The original forest infrastructure is not preserved - as Active Directory is reinstalled on most domain controllers within the forest, the recovered forest will not be an exact replica of its pre-failure state.

 

Recovery strategy 3: Restore at least 2 domain controllers per domain from backups

Advantages

  • Enhanced stability of the recovery process compared to restoring only one domain controller per domain. The use of multiple backups ensures that the entire forest can be recovered, even if the restoration of some domain controllers is unsuccessful.

Limitations

  • The forest recovery process may be time-consuming.
  • The original forest infrastructure is not preserved - as Active Directory is reinstalled on most domain controllers within the forest, the recovered forest will not be an exact replica of its pre-failure state.

 

Recovery methods in Disaster Recovery for Identity for Active Directory

The following recovery methods are available to perform recovery of the forest or specific domains in Disaster Recovery for Identity for Active Directory. Depending on your recovery strategy, a different combination of recovery methods may be needed to perform recovery.

Restore to Clean OS

The Restore to Clean OS method enables the restoration of the entire forest or specific domains onto freshly installed Windows machines. Domain controllers residing on virtual machines within Microsoft Azure or Amazon Web Services (AWS) can also be restored using the Restore to Clean OS method.

NOTE: The initial step in the Restore to Clean OS recovery method promotes the selected Windows server to a domain controller. Promoting a Windows Server 2016 or later machine is not compatible with domains that still use File Replication Service (FRS) for SYSVOL replication. Consequently, Restore to Clean OS is supported only for Windows Server 2016 or later domains that use DFS Replication for SYSVOL.

The initial stage of the Restore to Clean OS recovery method involves installing the DNS server role on a domain controller. Therefore, it is recommended to use a backup created on an Active Directory-integrated DNS server for the Clean OS recovery process. While backups from non-Active Directory-integrated DNS servers can be used, the Automatic DNS Selection option should not be enabled for any domain controller for that domain. If your domain has Active Directory-integrated DNS servers restored from backup, you need to specify the DNS settings manually.

Following recovery, the domain controller restored using the Restore to Clean OS method synchronizes DNS partitions and continues to function as a DNS server.

If your domain uses external DNS, you must manually configure the DNS settings for each domain controller within the domain. After recovery, the DNS Server role on a domain controller restored using the Restore to Clean OS method is installed but not functional, and you can uninstall it afterwards.

If you are testing Forest Recovery in a lab environment and your production forest uses an external (non-AD integrated) DNS server:

  1. Install a new DNS server in the lab environment.
  2. Create empty DNS zones on this server, mirroring your production DNS configuration.
  3. Ensure that the Start of Authority (SOA) and Name Server (NS) records within each empty zone reference the FQDN of this server.
  4. Enable non-secure DNS dynamic updates (acceptable only in an isolated lab; see Handling DNS servers during recovery for the side effects of non-secure updates).

For more on DNS settings, it is highly recommended that you visit the DNS configurations and the Handling DNS servers during recovery sections.

Recovery steps

  1. Prepare a target machine using existing hardware or a virtual machine

A blank host should comply with the following requirements:

  • The operating system version of the target machine must match the version of the failed domain controller.
  • The target machine must have sufficient free disk space to accommodate Active Directory and SYSVOL data.
  • The account specified to access the target machine must possess local Administrator privileges on that machine.

As previously mentioned, it is crucial that the Windows operating system version matches the deployed version. The Verify operation will issue a warning if a mismatch is detected between the target and backup Windows versions. The specific versions will be reported in the status information. If the Major and Minor versions do not match, indicating that at least one of the operating system versions is prior to 2016, an error message will be displayed.

  2. Create a Recovery Plan with the Restore to Clean OS method

Create a Recovery Plan and select the Restore to Clean OS method. Specify the IP address of the prepared target machine in the Domain Controller Configuration.

Install Active Directory

The Install Active Directory recovery method is used to install Active Directory on a clean machine. For Windows Server® 2012 and later domain controllers, this option uses the Windows PowerShell® cmdlet Install-ADDSDomainController.

The target server should be compliant with the following requirements:

  • Operating system version should be equal to the original DC operating system.
  • Operating system should follow the organization's security best practices (for example, latest updates and security software installed), since this operating system will be used to run Active Directory Domain Services after the restore.
  • The physical disks should have enough free space to host the Active Directory® data after recovery.
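The target requirements listed for Restore to Clean OS (step 1 above) and for Install Active Directory are the same three checks, and the promotion itself is the cmdlet named above. The PowerShell below is an added example, not Quest product code or anything from this guide: it runs those checks on the target server, then performs a prerequisite dry run with Test-ADDSDomainControllerInstallation before calling Install-ADDSDomainController against a domain controller restored from a trusted backup. The domain name, DC name, account names and the 40 GB free-space threshold are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Quest product code. Pre-flight checks for a clean target server
# (OS version match, free disk space, local administrator membership), followed by
# promotion with the Microsoft AD DS deployment cmdlets. Names below are hypothetical.

function Test-RecoveryTarget {
    param(
        # OS version of the failed DC as recorded with its backup (e.g. '10.0.17763').
        [Parameter(Mandatory)] [version] $ExpectedOsVersion,
        # Account that will install the agent; must be a local administrator.
        [Parameter(Mandatory)] [string]  $LocalAdminUser,
        [int64]  $MinFreeBytes = 40GB,          # assumed threshold for NTDS + SYSVOL
        [string] $SystemDrive  = $env:SystemDrive
    )
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $actual = [version] $os.Version
    $vol    = Get-Volume -DriveLetter $SystemDrive.TrimEnd(':')
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    $r = [ordered]@{
        OsVersion         = $actual.ToString()
        # Major/Minor mismatch is an error in the product; a build mismatch only warns.
        OsMajorMinorMatch = ($actual.Major -eq $ExpectedOsVersion.Major -and
                             $actual.Minor -eq $ExpectedOsVersion.Minor)
        OsBuildMatch      = ($actual.Build -eq $ExpectedOsVersion.Build)
        FreeGB            = [math]::Round($vol.SizeRemaining / 1GB, 1)
        EnoughFreeSpace   = ($vol.SizeRemaining -ge $MinFreeBytes)
        IsLocalAdmin      = [bool] ($admins | Where-Object { $_.Name -ieq $LocalAdminUser })
    }
    $r.ReadyForPromotion = $r.OsMajorMinorMatch -and $r.EnoughFreeSpace -and $r.IsLocalAdmin
    if (-not $r.OsBuildMatch) { Write-Warning "Build differs from backup: $actual vs $ExpectedOsVersion" }
    [pscustomobject] $r
}

function Install-ReplicaDomainController {
    param(
        [Parameter(Mandatory)] [string]       $DomainName,          # e.g. corp.example.com (assumed)
        [Parameter(Mandatory)] [string]       $ReplicationSourceDC, # a DC restored from a trusted backup
        [Parameter(Mandatory)] [pscredential] $DomainAdmin,         # the "Domain User" credential
        [Parameter(Mandatory)] [securestring] $DsrmPassword         # the "DSRM Administrator" password
    )
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

    $dcParams = @{
        DomainName                    = $DomainName
        Credential                    = $DomainAdmin
        SafeModeAdministratorPassword = $DsrmPassword
        InstallDns                    = $true
        ReplicationSourceDC           = $ReplicationSourceDC   # replicate only from the trusted restored DC
        DatabasePath                  = 'C:\Windows\NTDS'
        LogPath                       = 'C:\Windows\NTDS'
        SysvolPath                    = 'C:\Windows\SYSVOL'
    }
    # Dry run: reports prerequisite failures (DNS, credentials, replication source) without changing the server.
    $check = Test-ADDSDomainControllerInstallation @dcParams
    if ($check.Status -ne 'Success') { throw "Prerequisite check failed: $($check.Message)" }

    Install-ADDSDomainController @dcParams -NoRebootOnCompletion -Force
}

# Usage (hypothetical names):
# Test-RecoveryTarget -ExpectedOsVersion '10.0.17763' -LocalAdminUser "$env:COMPUTERNAME\Administrator"
# $cred = Get-Credential 'CORP\recovery-admin'
# $dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'
# Install-ReplicaDomainController -DomainName corp.example.com -ReplicationSourceDC DC01.corp.example.com `
#     -DomainAdmin $cred -DsrmPassword $dsrm
```

Pinning ReplicationSourceDC to a domain controller that was restored from a trusted backup is the point of the second function: a freshly promoted DC copies whatever its replication partner holds, so it must not pull from a domain controller whose state is unknown. The DSRM password handed to SafeModeAdministratorPassword is a privileged local credential on the new DC; store it as you would any other administrator secret.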

Do Not Recover

The Do Not Recover method isolates the domain controller from other domain controllers and completely removes it from the domain; no actions are performed on the domain controller itself. This option should be used if the domain controller is inaccessible or you do not want to recover the domain controller due to any failures. Disaster Recovery for Identity for Active Directory removes all metadata of domain controllers that are set to Do Not Recover.

 

About Hybrid Agents and Domain Controller Agents

It is important to understand the distinction between Hybrid Agents and Domain Controller Agents:

Hybrid Agents

A Hybrid Agent is used to facilitate communication between On Demand and your on-premises environment. A Hybrid Agent must be manually installed on-premises. Refer to the Creating and Installing a Hybrid Agent section for more.

Ensure that the Hybrid Agent has a stable internet connection during the recovery operation and uses a DNS server that is not affected by the forest failure.

Where should the Hybrid Agent be installed?

The Hybrid Agent can be installed on a standalone or domain-joined server (although the use of a standalone server is highly recommended). It is important to ensure the Hybrid Agent is able to access Disaster Recovery for Identity for Active Directory even in the case of a disaster. For example, if the Hybrid Agent uses a domain controller as a DNS server and the domain controller goes down, this will prevent the Hybrid Agent from accessing the product and no backup or recovery will be possible. Therefore, it is important to ensure that an alternate DNS is specified and adjusted after the recovery to be able to continue using the product to perform backups in the restored environment.

Domain Controller Agents

A Domain Controller Agent is used to perform actions such as backup or restore against a single domain controller within your forest. A DC Agent should be installed on each domain controller on which you intend to perform operations such as restoring from a backup during a recovery.

Permissions required for the Hybrid Agent and Domain Controller Agent can be found in the Required permissions section.

 

Server Access Credentials

The following are definitions for each credential when configuring domains or domain controllers:

Domain User

This account must be a domain administrator in the domain that is being restored. After the domain is restored, the password for this account is reset to the specified value, regardless of the value restored from the backup. Supported format is domain/username or username. If only the username is specified, then the local domain name is automatically added.

Local User

Specifies the account that will be used to access the target computer to install the agent before the target computer is promoted to a domain controller. This account must be a local administrator on the target computer. Supported format is machine/username or username. If only the username is specified, then the target machine name is automatically added.

DSRM Administrator

Specifies the account used to access the domain controller in Directory Services Restore Mode (DSRM) or the DSRM account used to promote the target computer to a domain controller in the Restore to Clean OS recovery method. After the forest is restored, the password for the DSRM Administrator account is reset to the specified value, regardless of the value restored from the backup.

 

Handling DNS servers during recovery

Active Directory is closely integrated with the DNS service. Each domain controller registers and maintains multiple Resource Records (RRs) within the DNS service. Different types of domain controllers register distinct sets of RRs. Disaster Recovery for Identity for Active Directory adjusts these records during the forest recovery process.

When configuring a Recovery Plan, consider the DNS infrastructure. For Active Directory-integrated DNS, ensure at least one DNS server per zone is restored from backup. Ideally, restore as many DNS servers as possible. Carefully consider the 'Use preferred DNS server(s)' option for each domain controller in the Recovery Plan, aligning with your DNS recovery strategy. The DNS client configuration of restored domain controllers will influence the DNS infrastructure detection during recovery. The solution will determine whether Active Directory-integrated DNS or external DNS is used, and identify the relevant DNS servers.

For Active Directory-integrated DNS scenarios with configured delegation and forwarding settings between parent and child domains, the Disaster Recovery for Identity for Active Directory ensures the restoration of DNS zone information, delegation and forwarding settings, Forest and Domain DNS zone replication settings, and, if applicable, Conditional Forwarders during the recovery process.

  • If an external DNS is used, any inter-domain DNS relations are out of the Recovery Plan scope and are not affected by the recovery process.
  • For DNS servers that have not been restored, the Resource Records associated with that DNS server are removed. This is performed during the Configure DNS server operation.
  • If the Recovery Plan excludes certain domain controllers from the restoration process with the Do Not Recover method, their corresponding Resource Records are removed from DNS. This occurs during the Clean up DNS records of removed domain controllers operation. However, if excluded domain controllers remain operational and the DNS server allows non-secure dynamic updates, these domain controllers may still register their SRV records.
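The clean-up described in the last two bullets, as an added PowerShell example that is not Quest product code and not from this guide: it enumerates the DC Locator (SRV) records in the domain zone and, where present, the separate _msdcs zone, reports those whose target is not one of the domain controllers kept in the Recovery Plan, adds the matching host (A) records, and removes them on request. It uses the Microsoft DnsServer module cmdlets; the DNS server name, zone and DC names are assumptions.

```powershell
#Requires -Modules DnsServer
# Added example, not Quest product code. Lists and removes DC Locator (SRV) and host (A)
# records that still point at domain controllers absent from the Recovery Plan.
# DNS server, zone and DC names are hypothetical.

function Get-StaleDcRecords {
    param(
        [Parameter(Mandatory)] [string]   $DnsServer,        # a restored AD-integrated DNS server
        [Parameter(Mandatory)] [string]   $DomainName,       # e.g. corp.example.com
        [Parameter(Mandatory)] [string[]] $RecoveredDcFqdn   # DCs that remain in the recovered forest
    )
    $keep  = $RecoveredDcFqdn | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() }
    # DC Locator records live under the domain zone and, for the forest root, a separate _msdcs zone.
    $zones = @($DomainName)
    if (Get-DnsServerZone -ComputerName $DnsServer -Name "_msdcs.$DomainName" -ErrorAction SilentlyContinue) {
        $zones += "_msdcs.$DomainName"
    }
    $staleHosts = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($zone in $zones) {
        foreach ($rr in (Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType Srv)) {
            $target = $rr.RecordData.DomainName.TrimEnd('.').ToLowerInvariant()
            if ($keep -notcontains $target) {
                [void] $staleHosts.Add($target)
                [pscustomobject]@{ Zone = $zone; Name = $rr.HostName; Type = 'SRV'; Target = $target; Record = $rr }
            }
        }
    }
    # Host records of the same stale DCs (the A record for dc03.corp.example.com is node "dc03" in the zone).
    foreach ($rr in (Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DomainName -RRType A)) {
        $fqdn = "$($rr.HostName).$DomainName".ToLowerInvariant()
        if ($staleHosts.Contains($fqdn)) {
            [pscustomobject]@{ Zone = $DomainName; Name = $rr.HostName; Type = 'A'; Target = $rr.RecordData.IPv4Address; Record = $rr }
        }
    }
}

function Remove-StaleDcRecords {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $DnsServer,
        [Parameter(Mandatory)] [string]   $DomainName,
        [Parameter(Mandatory)] [string[]] $RecoveredDcFqdn
    )
    $stale = Get-StaleDcRecords -DnsServer $DnsServer -DomainName $DomainName -RecoveredDcFqdn $RecoveredDcFqdn
    foreach ($s in $stale) {
        if ($PSCmdlet.ShouldProcess("$($s.Name) ($($s.Type)) in $($s.Zone) -> $($s.Target)", 'Remove record')) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone -InputObject $s.Record -Force
        }
    }
    $stale
}

# Usage (hypothetical): preview with -WhatIf first, then run without it.
# Remove-StaleDcRecords -DnsServer dc01.corp.example.com -DomainName corp.example.com `
#     -RecoveredDcFqdn 'dc01.corp.example.com','dc02.corp.example.com' -WhatIf
```

Run it only after the excluded domain controllers are powered off or isolated: as the bullet above notes, an excluded DC that is still running will re-register its SRV records if the zone accepts non-secure dynamic updates, and a client that locates such a DC is talking to a machine outside the recovered forest.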

 

DNS configurations

When creating a Recovery Plan, you should specify a method for selecting a preferred DNS server for each domain controller in your Recovery Plan.

When creating or editing a Recovery Plan, you can choose one of the following DNS server selection methods:

  • Select DNS server automatically - retrieves a list of all DNS servers that are in use in the forest and automatically assigns a DNS server that is operating correctly from the list to the current domain controller. This is selected by default.
  • Use preferred DNS server(s) - input preferred DNS server(s), individually separated by a semicolon (;).

When you opt to automatically select a DNS server, Disaster Recovery for Identity for Active Directory retrieves a list of DNS servers utilized by domain controllers. Alternatively, use the Preferred DNS servers option and use external DNS servers that support dynamic updates and have DNS zones configured for each domain within the forest you intend to recover. For more on using DNS configurations with the Restore to Clean OS method, go to the Restore to Clean OS section in Recovery methods in Disaster Recovery for Identity for Active Directory.

The Select DNS server automatically option is recommended in the following cases:

  • Your DNS is not Active Directory-integrated.
  • Your DNS is Active Directory-integrated and you restore from backups the DNS servers (domain controllers) that act as the primary source for each DNS zone.

For non-Active Directory-integrated DNS (external DNS), the list of automatic DNS servers is prioritized. First, the IP addresses configured in the DNS client settings of the current domain controller are considered. Next, the preferred DNS addresses of other domain controllers within the same domain and their DNS client settings are included. This pattern continues for domain controllers in the parent domain hierarchy, sibling domains, and finally, direct child domains. During recovery, Disaster Recovery for Identity for Active Directory selects a functional DNS server from this prioritized list and assigns it to the domain controller.

For Active Directory-integrated DNS, the solution prioritizes DNS servers within the same domain. DNS servers are ordered based on the domain hierarchy, starting from the current domain and progressing up to the root. The primary DNS server is selected considering client settings and usage frequency within the DNS zone backup. The preferred DNS server's IP address from client settings is assigned to all restored domain controllers as the preferred address for the DNS zone they host. For alternate DNS servers, a list of other DNS servers hosting the DNS zone is obtained.

For forest-wide replicated DNS zones, the preferred DNS server is selected from the root domain. The DNS server designated as the primary for the root domain will also serve as the primary DNS server for any forest-wide replicated DNS zone.

If a domain controller is a DNS server itself, then a loopback address is included in the DNS server list (see the note below). By default, the number of DNS servers that can be selected automatically is limited to 3.

NOTE: It is not recommended to uninstall or reinstall Active Directory on DNS servers that serve as the primary source for an Active Directory-integrated DNS zone. Additionally, removing such DNS servers from Active Directory during recovery is not recommended.

When you manually specify a DNS server or a list of DNS servers, Disaster Recovery for Identity for Active Directory initially attempts to assign the specified DNS server(s) to the domain controller. If the specified DNS server(s) are inaccessible or malfunctioning, the product automatically selects the DNS servers (primary and alternate) that were previously configured on the domain controller. Should this fail, the solution selects DNS servers from a list of all active DNS servers within the forest.
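The ordering and fallback rules in this section, written out as an added PowerShell example that is not Quest product code and not from this guide. Get-DnsCandidateList builds the prioritized list for external DNS (the current domain controller's own DNS client settings, then other domain controllers in the same domain, the parent chain, sibling domains and direct child domains, with the loopback address last when the DC is itself a DNS server); Select-RecoveryDnsServer applies the fallback chain (specified servers, then the DC's previous settings, then the forest-wide list), probes each candidate and keeps at most three. The forest topology is constructed sample data, and the SOA lookup is a stand-in for the product's registration test; both are assumptions.

```powershell
# Added example, not Quest product code. Candidate ordering and fallback for DNS server
# selection, with the forest topology supplied as constructed sample data.

function Get-DomainParent([string] $Domain) {
    $i = $Domain.IndexOf('.')
    if ($i -lt 0) { return $null }
    return $Domain.Substring($i + 1)
}

function Get-DnsCandidateList {
    param(
        # Objects with Name, Domain, DnsClientServers (string[]), IsDnsServer (bool).
        [Parameter(Mandatory)] [object[]] $DomainControllers,
        [Parameter(Mandatory)] [string]   $CurrentDcName
    )
    $me         = $DomainControllers | Where-Object Name -eq $CurrentDcName
    $allDomains = @($DomainControllers.Domain | Sort-Object -Unique)
    $parent     = Get-DomainParent $me.Domain

    # Domain order: own domain, parent chain up to the root, siblings, direct children.
    $order = [System.Collections.Generic.List[string]]::new()
    $order.Add($me.Domain)
    $p = $parent
    while ($p -and $allDomains -contains $p) { $order.Add($p); $p = Get-DomainParent $p }
    if ($parent) {
        $allDomains | Where-Object { $_ -ne $me.Domain -and (Get-DomainParent $_) -eq $parent } |
            ForEach-Object { $order.Add($_) }
    }
    $allDomains | Where-Object { (Get-DomainParent $_) -eq $me.Domain } | ForEach-Object { $order.Add($_) }

    # Own DNS client settings first, then the settings of other DCs in domain order, de-duplicated.
    $candidates = [System.Collections.Generic.List[string]]::new()
    foreach ($ip in $me.DnsClientServers) { if (-not $candidates.Contains($ip)) { $candidates.Add($ip) } }
    foreach ($d in $order) {
        foreach ($dc in ($DomainControllers | Where-Object { $_.Domain -eq $d -and $_.Name -ne $CurrentDcName })) {
            foreach ($ip in $dc.DnsClientServers) { if (-not $candidates.Contains($ip)) { $candidates.Add($ip) } }
        }
    }
    # Loopback belongs last (secondary/tertiary), and only if this DC runs DNS itself.
    [void] $candidates.Remove('127.0.0.1')
    if ($me.IsDnsServer) { $candidates.Add('127.0.0.1') }
    return $candidates.ToArray()
}

function Select-RecoveryDnsServer {
    param(
        [Parameter(Mandatory)] [string[]] $Candidates,
        [Parameter(Mandatory)] [string]   $ZoneName,
        [string[]] $PreferredDnsServers  = @(),   # 'Use preferred DNS server(s)' values, if any
        [string[]] $PreviouslyConfigured = @(),   # what the DC had before recovery
        [int]      $MaxServers           = 3,
        # Availability probe; the default asks the server for the zone's SOA over DNS only.
        [scriptblock] $Probe = {
            param($Ip, $Zone)
            $null -ne (Resolve-DnsName -Server $Ip -Name $Zone -Type SOA -DnsOnly -ErrorAction SilentlyContinue)
        }
    )
    # Fallback chain: specified servers, then previous settings, then the forest-wide candidate list.
    $chain   = (@($PreferredDnsServers) + @($PreviouslyConfigured) + @($Candidates)) | Select-Object -Unique
    $working = @(foreach ($ip in $chain) { if (& $Probe $ip $ZoneName) { $ip } })
    if ($working.Count -eq 0) { throw "No DNS server answered for zone $ZoneName" }
    return $working | Select-Object -First $MaxServers
}

# Constructed sample topology (not from any real environment).
$dcs = @(
    [pscustomobject]@{ Name = 'DC01'; Domain = 'corp.example.com';    DnsClientServers = @('10.0.0.1', '127.0.0.1'); IsDnsServer = $true  }
    [pscustomobject]@{ Name = 'DC02'; Domain = 'corp.example.com';    DnsClientServers = @('10.0.0.2', '10.0.0.1');  IsDnsServer = $true  }
    [pscustomobject]@{ Name = 'EU01'; Domain = 'eu.corp.example.com'; DnsClientServers = @('10.1.0.1', '10.0.0.1');  IsDnsServer = $true  }
    [pscustomobject]@{ Name = 'US01'; Domain = 'us.corp.example.com'; DnsClientServers = @('10.2.0.1');              IsDnsServer = $false }
)
$cands = Get-DnsCandidateList -DomainControllers $dcs -CurrentDcName 'EU01'
# $cands -> 10.1.0.1, 10.0.0.1, 10.0.0.2, 10.2.0.1, 127.0.0.1 (own, parent domain, sibling domain, loopback)
# Offline run with a fake probe that marks 10.0.0.2 as down:
$chosen = Select-RecoveryDnsServer -Candidates $cands -ZoneName 'eu.corp.example.com' -Probe { param($Ip, $Zone) $Ip -ne '10.0.0.2' }
# $chosen -> 10.1.0.1, 10.0.0.1, 10.2.0.1
```

The SOA probe only shows that a server answers for the zone; it does not prove the server accepts dynamic updates, which the product's own check (registering DC Locator and A records) does. When using Use preferred DNS server(s), make sure the servers you list hold zones for every domain in the forest and allow updates, otherwise the fallback chain above is what decides where your domain controllers register.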

 

How does Disaster Recovery for Identity for Active Directory determine that the DNS server is available for use?

Disaster Recovery for Identity for Active Directory configures a DNS server on all network adapters of the domain controller and verifies its ability to register DC Locator resource records and A-type (host) records. If successful, this DNS server is designated as the preferred DNS server on all network adapters.

NOTE: According to Microsoft's recommendations, DNS servers should include their own IP addresses in their DNS server lists. The loopback address (127.0.0.1) is best suited for secondary or tertiary DNS server roles on a domain controller. If the loopback address is specified in the incorrect order, the sequence will be automatically adjusted during DNS server configuration on the domain controller.

If you want to use the 'Use preferred DNS server(s)' method, ensure that you have at least one properly configured DNS server ready to work with the domain controllers being recovered. These DNS servers must support dynamic updates and have DNS zones configured for each domain within the forest you intend to recover. Assign one of these DNS servers to each domain controller in your Recovery Plan.

Security


 

Required permissions

This section describes specific permission requirements needed for agents and credentials in Disaster Recovery for Identity for Active Directory. For permissions needed to operate the product, go to the Roles and Permissions in On Demand page.

Method: Restore to Clean OS

Hybrid Agent

  • The service account used to run the Hybrid Agent service must be a local administrator on the computer where the Hybrid Agent is installed.
  • The domain account (FQDN\username) must have at least forest-wide read permissions.

Domain Controller Agent

  • The Domain Controller Agent service always runs as the Local System account.
  • The account used to install the Domain Controller Agent remotely must be a member of the local Administrators group on the domain controller.

Domain User

  • When configuring a domain or domain controller, this account must be a domain administrator in the domain that is being restored.

Local User

  • When configuring a domain or domain controller, this account must be a local administrator on the target computer.

 

Endpoint requirements

 

Hybrid Agent requirements

TCP port: 389
Direction: Outbound
Endpoints: Domain Controllers
Description: LDAP port to domain controllers to discover the environment.

TCP port: 445
Direction: Outbound
Endpoints: Domain Controllers
Description: SMB port to domain controllers to install Domain Controller Agents.

TCP port: 443
Direction: Outbound
Endpoints (by region):
  • EU: odjrs-euprod-eu-iothub.azure-devices.net, https://odjrseuprodeugrssto.blob.core.windows.net, https://odjrseuprodeusto.blob.core.windows.net
  • UK: odjrs-ukprod-uk-iothub.azure-devices.net, https://odjrsukprodukgrssto.blob.core.windows.net, https://odjrsukproduksto.blob.core.windows.net
  • US: odjrs-usprod-us-iothub.azure-devices.net, https://odjrsusprodusgrssto.blob.core.windows.net, https://odjrsusprodussto.blob.core.windows.net
Description: Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more).

TCP port: 80
Direction: Outbound
Endpoints (by region):
  • EU: odjrseuprodeuiotinst--odjrseuprodeuiotacct.b.nlu.dl.adu.microsoft.com
  • UK: odjrsukprodukiotinst--odjrsukprodukiotacct.b.nlu.dl.adu.microsoft.com
  • US: odjrsusprodusiotinst--odjrsusprodusiotacct.b.nlu.dl.adu.microsoft.com
Description: Agent connection to Disaster Recovery for Identity for Active Directory backend services (see the On Demand Global Settings User Guide for more).

 

Domain Controller Agent requirements

TCP port: 445
Direction: Inbound
Description: SMB port to allow automatic agent installation.

TCP port: 135
Direction: Inbound
Description: RPC Endpoint Mapper port used by the RPC runtime.

TCP ports: 49152-65535
Direction: Inbound
Description: RPC dynamic port range to accept RPC connections from the Hybrid Agent.

TCP port: 443 or proxy server port
Direction: Outbound
Endpoints (by region):
  • EU: https://odradprodeusa.blob.core.windows.net
  • UK: https://odradproduksa.blob.core.windows.net
  • US: https://odradprodussa.blob.core.windows.net
Description: Download and upload backups from Azure Blob Storage accounts.

 

Windows Firewall

A firewall in your environment may block network traffic on ports used by Disaster Recovery for Identity for Active Directory, potentially hindering backup and restore operations. Before using the product, ensure your firewall does not restrict traffic on the necessary ports.

You can configure built-in Windows Firewall on domain controllers to be backed up either automatically or manually. For firewall rules for the Hybrid Agent, see the On-premises agent requirements section in the On Demand Global Settings User Guide.

Automatic

This is enabled by default and will not configure any outbound firewall rules. Depending on your environment, you may need to configure outbound rules manually (allow outbound 443 or proxy port).

Manual

This is used if the automatic method fails for any reason, or if the automatic method has been disabled. Depending on your environment, you may also need to configure outbound rules manually (allow outbound 443 or proxy port).

The following list describes the settings for each firewall rule. Any setting not described in this list can be left as the default value:

Rule 1

  • Rule Type: Custom
  • Program Path: System
  • Service settings: Apply to all programs and services
  • Protocol: TCP
  • Local ports: 445
  • Remote ports: Any
  • Local IP addresses: Any
  • Remote IP addresses: Any
  • Action: Allow the connection
  • Rule profile: Domain, Private, and Public
  • Allowed users: Any
  • Allowed computers: Any

PowerShell for the Rule 1 settings: New-NetFirewallRule -DisplayName "Rule 1" -Group DRIAD -Enabled True -Profile Any -Direction Inbound -LocalPort 445 -Protocol TCP -Program System

Rule 2

  • Rule Type: Custom
  • Program Path: %SystemRoot%\System32\Svchost.exe
  • Service settings: Remote Procedure Call (RpcSs)
  • Protocol: TCP
  • Local ports: RPC Endpoint Mapper
  • Remote ports: Any
  • Local IP addresses: Any
  • Remote IP addresses: Any
  • Action: Allow the connection
  • Rule profile: Domain, Private, and Public
  • Allowed users: Any
  • Allowed computers: Any

PowerShell for the Rule 2 settings: New-NetFirewallRule -DisplayName "Rule 2" -Group DRIAD -Enabled True -Profile Any -Direction Inbound -LocalPort RPCEPMap -Protocol TCP -Program "%SystemRoot%\System32\Svchost.exe" -Service RpcSs

Rule 3

  • Rule Type: Custom
  • Program Path: C:\Program Files\Quest\Recovery Manager for Active Directory Forest Edition\FRRestoreService64.exe
  • Service settings: Apply to all programs and services
  • Protocol: TCP
  • Local ports: RPC dynamic port range
  • Remote ports: Any
  • Local IP addresses: Any
  • Remote IP addresses: Any
  • Action: Allow the connection
  • Rule profile: Domain, Private, and Public
  • Allowed users: Any
  • Allowed computers: Any

PowerShell for the Rule 3 settings: New-NetFirewallRule -DisplayName "Rule 3" -Group DRIAD -Enabled True -Profile Any -Direction Inbound -LocalPort RPC -Protocol TCP -Program "C:\Program Files\Quest\Recovery Manager for Active Directory Forest Edition\FRRestoreService64.exe"
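The three inbound rules in this section and the outbound 443 rule that the Automatic method leaves to you, as one added PowerShell example that is not Quest product code and not from this guide. It creates each rule only if a rule with that display name does not already exist, then lists the resulting rules with their port and address filters so the configuration can be checked. The DRIAD group name and the FRRestoreService64.exe path are taken from this page; restricting the inbound rules to the Hybrid Agent's IP address is an added least-privilege choice rather than a product requirement, and that address is an assumption you supply.

```powershell
#Requires -RunAsAdministrator
# Added example, not Quest product code. Creates the DRIAD firewall rules idempotently
# and lists them for verification. Scoping RemoteAddress to the Hybrid Agent is optional
# hardening; pass @('Any') to match the page's settings exactly.

function New-DriadFirewallRules {
    param(
        [string[]] $HybridAgentAddress = @('Any'),   # e.g. @('10.0.0.50') to restrict inbound rules
        [string]   $RestoreServicePath = 'C:\Program Files\Quest\Recovery Manager for Active Directory Forest Edition\FRRestoreService64.exe',
        [string]   $Group = 'DRIAD'
    )
    $rules = @(
        @{ DisplayName = 'DRIAD SMB 445';             Direction = 'Inbound';  Protocol = 'TCP'; LocalPort = '445';      Program = 'System' }
        @{ DisplayName = 'DRIAD RPC Endpoint Mapper'; Direction = 'Inbound';  Protocol = 'TCP'; LocalPort = 'RPCEPMap'; Program = '%SystemRoot%\System32\svchost.exe'; Service = 'RpcSs' }
        @{ DisplayName = 'DRIAD RPC dynamic';         Direction = 'Inbound';  Protocol = 'TCP'; LocalPort = 'RPC';      Program = $RestoreServicePath }
        @{ DisplayName = 'DRIAD HTTPS outbound';      Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = '443' }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) { continue }  # already present
        $params = $r + @{ Group = $Group; Enabled = 'True'; Profile = 'Any'; Action = 'Allow' }
        if ($r.Direction -eq 'Inbound') { $params.RemoteAddress = $HybridAgentAddress }
        New-NetFirewallRule @params | Out-Null
    }
}

function Get-DriadFirewallRules {
    param([string] $Group = 'DRIAD')
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Enabled       = $_.Enabled
            Direction     = $_.Direction
            LocalPort     = $port.LocalPort
            RemotePort    = $port.RemotePort
            RemoteAddress = $addr.RemoteAddress
        }
    }
}

# Usage (hypothetical Hybrid Agent address):
# New-DriadFirewallRules -HybridAgentAddress @('10.0.0.50')
# Get-DriadFirewallRules | Format-Table -AutoSize
```

If the Hybrid Agent's address changes after recovery (for example because it was moved to a standalone server, as recommended above), update the RemoteAddress filter with Set-NetFirewallRule rather than widening the rules back to Any.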

Sign up for Quest On Demand

To access Disaster Recovery for Identity for Active Directory, you need to sign up for the Quest On Demand service and create an organization. For that, go to Quest On Demand and use one of the following options:

  • Sign up using the existing Quest account.
  • Create a new Quest account and sign up for Quest On Demand.
  • Join an existing On Demand organization.

For details, see Signing up for Quest On Demand in the On Demand Global Settings User Guide.
