Limitations when a hybrid connection is not configured
On Demand Recovery can restore cloud-only users and groups without a configured Recovery Manager for Active Directory hybrid connection. If a hybrid connection has intentionally not been configured, or Recovery Manager for Active Directory is not installed yet, recovery of hybrid (synchronized) users and groups is limited, and restore tasks that touch on-premises mastered data report one of the following errors: "Cloud restore was interrupted due to failed restore of the on-premise object" or "A hybrid connection is required to complete the restore of the on-premises attributes with RMAD".
- If a hybrid user has been permanently deleted, On Demand Recovery creates a cloud object from the cloud backup. The attributes that are normally mastered on premises (surname, office, and so on) are populated with the values recorded in the cloud backup, not with values from on-premises Active Directory. If the user is also recreated in on-premises Active Directory, by Recovery Manager for Active Directory or any other on-premises recovery solution, Azure AD Connect synchronizes the recreated object to the cloud and the hybrid user is fully recovered. If the user is not recreated on premises, on-premises data such as membership in on-premises groups remains missing.
- If On Demand Recovery tries to restore a hybrid user that has not been deleted but whose on-premises mastered attributes have been modified, the task fails with the error "Cannot restore attribute". The underlying cause is the Azure AD error "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing a migration": attributes mastered on premises cannot be written from the cloud side. On Demand Recovery still shows the changed attributes correctly in the Difference report, but cannot restore them.
- For a hybrid group that has not been deleted but was modified in the cloud, cloud-mastered attributes such as licenses or assigned Enterprise applications can be restored. A permanently deleted hybrid group that was synchronized by Azure AD Connect cannot be restored by On Demand Recovery alone; attempting to restore it produces the error stating that the Recovery Manager for Active Directory configuration is needed.
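Before starting a restore it is worth knowing which of the affected objects are hybrid, because that decides whether the limitations above apply. The script below is an added example and is not part of On Demand Recovery or the Quest documentation: it uses the Microsoft Graph PowerShell SDK to classify a constructed list of users and groups by their onPremisesSyncEnabled flag and reports which ones cannot be fully restored without the Recovery Manager for Active Directory connection. The UPNs, the group object ID and the Get-RestoreScopeReport function name are made up for illustration.

```powershell
# Added example, not Quest code: classify the users and groups in scope for a
# restore as cloud-only or hybrid (synchronized from on-premises AD) with the
# Microsoft Graph PowerShell SDK, so you know before the restore which objects
# need the Recovery Manager for Active Directory (RMAD) hybrid connection.
# Requires the Microsoft.Graph module and User.Read.All / Group.Read.All consent.
# The UPNs and the group object ID below are constructed placeholders.

function Get-RestoreScopeReport {
    param(
        [string[]]$UserPrincipalNames,
        [string[]]$GroupIds
    )

    $props = @('DisplayName', 'OnPremisesSyncEnabled', 'OnPremisesLastSyncDateTime')

    foreach ($upn in $UserPrincipalNames) {
        $u = Get-MgUser -UserId $upn -Property ($props + 'UserPrincipalName') -ErrorAction SilentlyContinue
        if (-not $u) {
            # Not in the live directory, so the object was deleted. Whether it was
            # hybrid can only be read from the backup; flag it for review.
            [pscustomobject]@{ Object = $upn; Type = 'user'; State = 'deleted (check backup)'; LastSync = $null; NeedsRmad = 'review' }
            continue
        }
        [pscustomobject]@{
            Object    = $u.UserPrincipalName
            Type      = 'user'
            State     = if ($u.OnPremisesSyncEnabled) { 'hybrid' } else { 'cloud-only' }
            LastSync  = $u.OnPremisesLastSyncDateTime
            # On-premises mastered attributes of a live hybrid user cannot be
            # written from the cloud; restoring them needs the RMAD connection.
            NeedsRmad = if ($u.OnPremisesSyncEnabled) { 'for on-premises attributes' } else { 'no' }
        }
    }

    foreach ($id in $GroupIds) {
        $g = Get-MgGroup -GroupId $id -Property $props -ErrorAction SilentlyContinue
        if (-not $g) {
            # A permanently deleted group that was synchronized by Azure AD Connect
            # cannot be restored by On Demand Recovery without RMAD at all.
            [pscustomobject]@{ Object = $id; Type = 'group'; State = 'deleted (check backup)'; LastSync = $null; NeedsRmad = 'review' }
            continue
        }
        [pscustomobject]@{
            Object    = $g.DisplayName
            Type      = 'group'
            State     = if ($g.OnPremisesSyncEnabled) { 'hybrid' } else { 'cloud-only' }
            LastSync  = $g.OnPremisesLastSyncDateTime
            # Cloud-mastered attributes (licenses, application assignments) of a
            # live hybrid group restore without RMAD.
            NeedsRmad = if ($g.OnPremisesSyncEnabled) { 'for on-premises attributes' } else { 'no' }
        }
    }
}

Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All' -NoWelcome

Get-RestoreScopeReport `
    -UserPrincipalNames @('alice@contoso.example', 'bob@contoso.example') `
    -GroupIds @('11111111-2222-3333-4444-555555555555') |
    Format-Table Object, Type, State, LastSync, NeedsRmad -AutoSize
```

Objects reported as deleted are the ones to look up in the On Demand Recovery backup: a cloud-only deleted object restores without the hybrid connection, while a hybrid one hits the limitations described above.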
Hybrid connection widget
The Hybrid connection widget on the Dashboard screen shows the state of the hybrid connection and any issues with it. The widget state is refreshed automatically every time the page is reloaded.
If you do not want to configure a hybrid connection with Quest Recovery Manager for Active Directory, you can downgrade the corresponding connection error events from Error to Info severity. To do this, clear the Show hybrid restore errors if hybrid connection is not configured check box in the Configure hybrid connection dialog. For details, see Integration with Recovery Manager for Active Directory.
The widget has the following three states:
- If the hybrid connection is properly configured and works fine, the widget is green.
- If the hybrid connection is not configured because you do not need it, the widget is grey and advises you to configure the connection. In this case, the Show hybrid restore errors if hybrid connection is not configured check box is not selected in the Configure hybrid connection dialog.
- If the hybrid connection is not configured and the Show hybrid restore errors if hybrid connection is not configured check box is selected in the Configure hybrid connection dialog, the widget is yellow and has a warning sign.
Working with Inactive Mailboxes
On Demand Recovery supports restoring the inactive mailboxes of hard-deleted users, including in the Federated Domain scenario. This feature requires Recovery Manager for Active Directory 9.0 or higher.
To preserve the original cloud mailbox of a hybrid user after restore, select the If a hybrid user already exists in Azure Active Directory, delete it before the restore operation option in the Restore Object dialog. The scenario this option addresses:
- A hybrid user is deactivated by the administrator, which deletes the account into the Azure AD Recycle Bin. After 30 days, Azure AD removes the account from the Recycle Bin (it is hard-deleted) and its mailbox becomes inactive.
- Later the user returns and the administrator enables the account again. On re-activation the user is recreated in the cloud as a new object with a new mailbox.
- To give the user back the original cloud mailbox, the only option is to restore the user from backup. Before the restore, the newly created cloud user must be removed from Azure AD, which is what the option above does.
If you restore a hybrid user and their mailbox with On Demand Recovery
- For Non-Federated Domains, On Demand Recovery restores a cloud user and its mailbox without an on-premises user.
- For Federated Domains, restoring hybrid users requires Recovery Manager for Active Directory. On Demand Recovery restores the hybrid user and its mailbox in the cloud; Recovery Manager for Active Directory restores the same user on premises and then triggers Azure AD Connect to synchronize it back to the cloud, so that the cloud user restored by On Demand Recovery is joined to the Federated Domain. Without Recovery Manager for Active Directory the restored cloud user is non-federated, and you will not be able to sign in with it.
Hybrid Connection Port and Protocol Requirements
A hybrid configuration with Recovery Manager for Active Directory requires only outbound TCP/UDP port 443 from the Recovery Manager Portal server to the internet. If the Recovery Manager Portal server already has internet access, no firewall change is needed.
Note: If you do not want to allow all outbound IP addresses and your firewall or proxy supports DNS-based allow lists, add <your name space>.servicebus.windows.net to the allow list instead.
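One way to verify this requirement from the Recovery Manager Portal server, as an added example rather than anything from the Quest documentation: the PowerShell script below resolves the relay namespace, checks that outbound TCP 443 is open, and completes a TLS handshake so that a certificate-inspecting proxy (which leaves the port open but breaks the connection) shows up as well. The namespace name is a placeholder, and the issuer check is a heuristic assumption about the CAs Microsoft uses for this endpoint.

```powershell
# Added example, not Quest code: run on the Recovery Manager Portal server to
# confirm that the Azure Relay namespace behind the hybrid connection is
# reachable on outbound TCP 443, with the checks a firewall or proxy problem
# usually fails. The namespace name is an assumed placeholder; use your own.
param(
    [string]$Namespace = 'contoso-rmad'   # assumed placeholder
)

$hostName = "$Namespace.servicebus.windows.net"

# 1. DNS. A DNS-based allow list only helps if the name resolves from this host.
$dns = Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop
$ips = ($dns | Where-Object Type -eq 'A').IPAddress
Write-Host "$hostName resolves to: $($ips -join ', ')"

# 2. TCP. Is outbound 443 open through the firewall?
$tcp = Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 443 to $hostName is blocked; check the outbound firewall rule."
}
Write-Host "TCP 443 reachable via $($tcp.RemoteAddress)"

# 3. TLS. A proxy that re-signs certificates leaves the port open but breaks
# the hybrid connection, so look at who issued the certificate we were handed.
$client = [System.Net.Sockets.TcpClient]::new($hostName, 443)
try {
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($hostName)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    Write-Host "TLS $($ssl.SslProtocol) negotiated; certificate subject: $($cert.Subject)"
    Write-Host "Issuer: $($cert.Issuer)"
    # Heuristic (assumption): Microsoft-operated endpoints chain to Microsoft or DigiCert CAs.
    if ($cert.Issuer -notmatch 'Microsoft|DigiCert') {
        Write-Warning 'Unexpected issuer: a TLS-inspecting proxy is probably intercepting this connection.'
    }
}
finally {
    $client.Dispose()
}
```

Run it once with the firewall rule in place and once without to confirm that the rule, and not an unrelated proxy setting, is what makes the difference; step 3 is the one that distinguishes "port open" from "connection will actually work".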
Table 3: Hybrid connection port and protocol requirements
Figure 2: Hybrid Restore Components Diagram