Chat now with support
Chat with Support

Recovery Manager for AD Disaster Recovery Edition 10.0.1 - User Guide

Overview Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Creating backups Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Icons in the user interface Getting and using help Configuring Windows Firewall Using Computer Collections Managing Recovery Manager for Active Directory configuration Licensing
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up System State components Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Fault tolerance Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Install Active Directory from Media recovery method Install Active Directory recovery method Managing Forest Recovery Agent Rebooting domain controllers manually Specifying fallback IP addresses to access a domain controller Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Forest recovery overview Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Bare metal forest recovery Using Management Shell Creating virtual test environments Using Recovery Manager for Active Directory web interface Appendices
Frequently asked questions Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

General tab

The General tab displays general information about the selected backup.

Components tab

The Components tab displays a list of the System State components the backup includes.

The Backed up components box lists the system components included in the backup. In the list, each entry includes the following fields:

  • Component. Displays the name of the backed up component.
  • Unpacked. Indicates whether the component is unpacked (False or True.)
  • Size in Backup. Displays the size of a component in the backup, after data compression by Backup Agent.
  • Original Size. Displays the size of a component on the source system, before data compression by Backup Agent.
  • Path. Displays the path to the unpacked components, if any.

Getting started

Permissions required to use Recovery Manager for Active Directory

Note: From version 8.8, Recovery Manager for Active Directory supports environments with disabled NTLM authentication and the Protected Users security group.

The table below lists the minimum user account permissions required to perform some common tasks with Recovery Manager for Active Directory.

Table 3: Minimum permissions

Task Minimum permissions
Install Recovery Manager for Active Directory

The account must be a member of the local Administrators group on the computer where you want to install Recovery Manager for Active Directory. If during the installation you specify an existing SQL Server instance, the account with which Recovery Manager for Active Directory connects to that instance must have the following permissions on the instance:

  • Create Database
  • Create Table
  • Create Procedure
  • Create Function
Open and use the Recovery Manager Console

The account must be a member of the local Administrators group on the computer where the Recovery Manager Console is installed. The account must also have the following permissions on the SQL Server instance used by Recovery Manager for Active Directory:

  • Insert
  • Delete
  • Update
  • Select
  • Execute
Preinstall Backup Agent manually The account you use to access the target computer must be a member of the local Administrators group on that computer
Upgrade Backup Agent
Discover preinstalled Backup Agent instances

The account used to access the target domain controllers must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory that is located on the Recovery Manager for Active Directory computer.
  • Be a member of the Backup Operators group on each target domain controller.
Uninstall Backup Agent
Update information displayed about Backup Agent in the Recovery Manager Console
Automatically install Backup Agent and back up Active Directory data

To automatically install Backup Agent, the account must have:

  • Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory located on the Recovery Manager for Active Directory computer.
  • Local Administrator permissions on the target domain controller.

To back up data, the account must be a member of the Backup Operators group on the target domain controller.

Back up Active Directory using preinstalled Backup Agent

The account used to access the target domain controllers must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory that is located on the Recovery Manager for Active Directory computer.
  • Be a member of the Backup Operators group on each domain controller to be backed up.
Perform a complete offline restore of Active Directory by using the Repair Wizard

If you restore data to a domain controller where User Account Control (UAC) is not installed or disabled:

  • The account you use to access the domain controller must be a member of the Domain Admins group.

If you restore data to a domain controller where User Account Control (UAC) is enabled:

  • The account you use to access the domain controller must be the built-in Administrator on that computer.

In both these cases, the account you use to access the domain controller must have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory located on the Recovery Manager for Active Directory computer.

Perform a selective online restore of Active Directory objects

Agentless restore (used by default in Online Restore Wizard)

The account used to access target domain controllers must have:

  • Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory that is located on the Recovery Manager for Active Directory computer.
  • Reanimate Tombstones extended right in the domain where objects are to be restored.
  • Write permission on each object attribute to be updated during the restore.
  • Create All Child Objects permission on the destination container.
  • List Contents permission on the Deleted Objects container in the domain where objects are to be restored.

For more details, see Agentless method.

Agent-based restore

  • The account used to access target domain controllers must have domain administrator rights.

For more details, see Agent-based method.

Restore a Group Policy object

The account used to access the target domain controller must:

  • Be a member of the Group Policy Creator Owners group.
  • Have Full Control privilege on the Group Policy object.
  • Be a member of the Backup Operators group.
  • Have sufficient permissions to read/write Active Directory objects linked to the Group Policy object.
Automatically install Backup Agent and back up an AD LDS (ADAM) instance

The account used to access the computer hosting the instance must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory that is located on the Recovery Manager for Active Directory computer.
  • Be a member of the local Administrators group on the computer hosting the AD LDS (ADAM) instance
Back up an AD LDS (ADAM) instance using preinstalled Backup Agent

The account used to access the computer hosting the instance must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory located on the Recovery Manager for Active Directory computer.
  • Be a member of the local Administrators group on the computer hosting the AD LDS (ADAM) instance.
Restore an AD LDS (ADAM) instance

The account used to access the computer hosting the instance must:

  • Have the Write permission on the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory located on the Recovery Manager for Active Directory computer.
  • Be a member of the local Administrators group on the computer hosting the AD LDS (ADAM) instance.
Install or uninstall Recovery Manager Portal Be a local administrator on the target computer.
Access Recovery Manager Remote API Access service

To access a Recovery Manager for Active Directory instance, the Recovery Manager Portal requires the Recovery Manager Remote API Access service to be installed and running on the Recovery Manager for Active Directory computer. This service enables the following Recovery Manager for Active Directory features: integration with Recovery Manager Portal, RMAD console fault tolerance and support for hybrid environment.

For information about minimum permission requirements for the service, refer Step 1: Install Recovery Manager Remote API Access Service.

Start and use the Recovery Manager Portal

From version 8.7, Recovery Manager Portal can be run under Managed Service Account (in Windows Server 2008 or higher) or Group Managed Service Account (in Windows Server 2012 or higher). If you specify the MSA or gMSA account, add the '$' character at the end of the account name (e.g. domain\computername$) and leave the Password field blank (on the Specify Web Site Settings step of the wizard).

  • The Managed Service Account (in Windows Server 2008 or higher) or Group Managed Service Account (in Windows Server 2012 or higher) must be a member of the local Administrator group on the Recovery Manager for Active Directory machine.
  • In case of MSA or gMSA account, Recovery Manager Portal supports only Windows authentication to access the SQL Server databases.
To perform restore or undelete operation in Recovery Manager Portal

User must be a member of the "Recovery Manager Portal - Recovery Operators" security group on the computer where the Recovery Manager Portal is installed.

If you want to use the agentless recovery method, select the Configure a list of delegates that can perform the restore and undelete operations option on the Portal Settings tab. For more information about delegation, see Delegating restore or undelete permissions.

To perform the undelete operation in Recovery Manager Portal

User must be a member of the "Recovery Manager Portal - Undelete Operators" local security group on the computer where the Recovery Manager Portal is installed.

If you want to use the agentless recovery method, select the Configure a list of delegates that can perform the restore and undelete operations option on the Portal Settings tab. For more information about delegation, see Delegating restore or undelete permissions.

To modify the Recovery Manager Portal configuration and delegate restore permissions to other Recovery Manager Portal users

User must be a member of the "Recovery Manager Portal - Configuration Admins" local security group on the computer where the Recovery Manager Portal is installed.

To view the health summary and backup creation history for the Recovery Manager for Active Directory instances in Recovery Manager Portal User must be a member of the "Recovery Manager Portal - Monitoring Operators" local security group on the computer where the Recovery Manager Portal is installed.
Access the SQL reporting database

To access the SQL reporting database (%ProgramData%\Quest\Recovery Manager for Active Directory\DBReporting\RecoveryManager-Reporting-<host name>), the account must be assigned to db_datareader, db_datawriter roles and have rights to execute all the usp_* procedures, as follows:

  • usp_GetSummaryReportBody
  • usp_GetSessionErrors
  • usp_GetReportsList
  • usp_GetReportsHeader
  • usp_GetReportBody
  • usp_GetReplicationHistory
  • usp_GetOptionalObjects
  • usp_GetOptionalAttributes
  • usp_GetObjectChildren
  • usp_GetObjectAttributes
  • usp_GetAllObjects
  • usp_GetAllChildObjects
  • usp_GetAllAttributes
Related Documents