On Demand Recovery can be integrated with Recovery Manager for Active Directory 9.0 or higher to restore and undelete on-premises objects that are synchronized with the cloud by Microsoft Entra Connect. The following figure illustrates the hybrid restore process.
Figure 1: Hybrid Restore Operation Flow Diagram
Prerequisites
- Microsoft Entra tenant that is synchronized with on-premises Active Directory by Microsoft Entra Connect.
- For Recovery Manager for Active Directory (RMAD) version 10.2.2 or later, the Hybrid Connector service must be enabled and configured in the RMAD console. To get the latest version of Recovery Manager for Active Directory, click here.
- For Recovery Manager for Active Directory 10.2.1 or earlier, the Recovery Manager Portal is required. If you have Microsoft Entra Connect version 1.4.32.0 or higher, the Recovery Manager Portal 10.1 is required.
- The portal can be run on any machine in your environment. It is not required to install all Recovery Manager for Active Directory components.
To configure the Hybrid Connector service with Recovery Manager for Active Directory - v.10.2.2 or later
For Recovery Manager for Active Directory 10.2.2 and later versions, you need to disable the Recovery Manager Portal (if it was previously enabled), then enable and configure the Hybrid Connector service in the Recovery Manager for Active Directory (RMAD) console.
- In the RMAD console, select the Hybrid Recovery node from the tree and select Enable Integration with On Demand Recovery.
- In On Demand Recovery, click CONFIGURE CONNECTION under the Hybrid Connection panel.
- Download the credentials.
- In the RMAD console, open the hybrid credential file saved from step 3. This will automatically populate all the required fields.
- Provide Microsoft Entra Connect host settings.
- Enter the domain username, password and primary computer for each domain discovered in the backup.
For more information on this, go to Hybrid Recovery with On Demand Recovery.
To configure Recovery Manager Portal to enable integration with Recovery Manager for Active Directory - v.10.2.1 or earlier
- Connect to the Recovery Manager Portal with your Web browser.
- In the Recovery Manager Portal, open the Configuration tab.
- Expand Portal Settings
- Recommended: Select the Automatically unpack backups for restore operations option to automatically unpack the required backup. If the option is not selected, the restore operation may fail because the backup was not unpacked or was removed due to retention policies for the unpack operation. For more details, see the Recovery Manager for Active Directory User Guide.
- Click On Demand integration. In the On Demand integration dialog, select the Enable integration check box and specify the Relay URL and credentials. To get these parameters, go to On Demand Recovery and perform the following steps:
- On the Dashboard screen, click Configure hybrid connection.
- In the Configure hybrid connection dialog, click Download hybrid credentials to download a configuration file with Relay credentials.
- When a customer does not want to configure a hybrid connection with Quest Recovery Manager for Active Directory, the corresponding connection error events can be deactivated by changing their severity from Error to Info. To do this, clear the Show hybrid restore errors if hybrid connection is not configured check box.
- Save the file to the folder of your choice.
- Go back to the On Demand integration dialog, click Choose file and select the configuration file. For security reasons, remove this file from your computer after the credentials have been specified in the Recovery Manager Portal.
Note: Microsoft Entra Connect synchronization occurs automatically after the restore operation. But On Demand Recovery forces synchronization cycles and requires credentials for the machine where Microsoft Entra Connect is installed.
- On the Dashboard screen, click Configure hybrid connection.
- Specify Microsoft Entra Connect host name and credentials. If Microsoft Entra Connect and Recovery Manager Portal are installed on the same machine, leave the fields blank.
Note: You may get an error related to the proxy settings while configuring integration with On Demand Recovery. To resolve this issue, perform the following actions:
For more information about integration with Recovery Manager for Active Directory, see Integration with On Demand Recovery.
What can be restored in hybrid configuration?
- On-premises groups
- User licenses (e.g. Microsoft 365 licenses and assignedLicenses property for cloud users) and cloud group membership
- Deleted on-premises users and groups
- Service principals' appRoleAssignments to on-premises users
- appRoleAssignments to non-Microsoft groups (used for SSO and App Roles)
- Directory roles: Global Administrator, Exchange Administrator, Compliance Administrator
- Other cloud-only properties, such as Block sign in, Authentication contact information, Minors and Consent
- Conditional Access policies
Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore. Please consider the implications of having a new Object ID after restoring these objects.
Important Considerations
- To restore on-premises objects, On Demand Recovery uses attribute values from the RMAD backup that is closest in time to, but older than, the cloud backup unpacked in the On Demand Recovery user interface. If the closest on-premises backup is more than 24 hours older than the cloud backup, you will receive a warning message.
By default, the search for the closest in time on-premises backup is performed among the backups that were unpacked in the Recovery Manager Portal. You can use the Automatically unpack backups for restore operations option on Portal Settings of the Configuration tab in the Recovery Manager Portal; in this case, the on-premises backup will be unpacked automatically during the restore operation. (RMAD v10.2.1 or earlier)
- On Demand Recovery displays only cloud-synchronized on-premises attributes and cloud-only attributes for the selected object when you click Browse in the Restore Objects dialog. This does not include on-premises only attributes. To restore on-premises only attributes, you must select the Restore all attributes option in the Restore Objects dialog.
- After the hybrid restore operation, On Demand Recovery forces Microsoft Entra Connect synchronization to push on-premises changes to the cloud and waits until the synchronization completes. Restore events can be used to track the steps of Microsoft Entra Connect synchronization, such as export and import.
- To restore the 'member' or 'memberOf' attributes for an object, restore the group from the Unpacked Objects view. Restoring group memberships from the Differences report is not supported in hybrid environments.
- On Demand Recovery supports one hybrid connection per On Demand organization. If you need to manage multiple hybrid tenants, create a separate On Demand organization for each Hybrid Microsoft Entra tenant.
- One instance of the Recovery Manager Portal can be used with one Microsoft Entra tenant and one Microsoft Entra Connect server. Install multiple RMAD web portals if you need to work with multiple Microsoft Entra tenants and Microsoft Entra Connect servers.
- On Demand Recovery restores Back Link attributes: 'memberOf' (the back link for the 'member' attribute) and 'directReports' (the back link for the 'manager' attribute). These attributes can be selected along with all other attributes when you click Browse in the Restore Objects dialog.
- A separate Microsoft Azure Relay service is used for each hybrid connection (one per On Demand organization). On Demand Recovery creates a WCF Relay per On Demand organization. No changes to on-premises firewall settings are required.
To perform a restore operation in On Demand Recovery
- Unpack a backup.
- Go to the Objects screen and select on-premises objects to restore.
- Click Restore.
- In the Restore Objects dialog, if you select the Restore all attributes option, On Demand Recovery will restore all on-premises attributes and cloud-only attributes from the backup.
- You can also restore on-premises objects from the Differences report.
NOTE: You can restore a hybrid user using only On Demand Recovery without configuring a hybrid connection. In this case, do not forget to clear the Show hybrid restore errors if hybrid connection is not configured check box in the Configure hybrid connection dialog. If the hybrid connection is not configured, On Demand Recovery restores a cloud user and their cloud attributes without an on-premises user. For more information, see How does On Demand Recovery Handle Object Attributes? This scenario does not work for Federated Domains.