Stopping online restore
When you choose to stop the online restore operation, the wizard neither forces the replication nor restores linked attributes.
This choice implies that you wait until the undeleted objects are replicated to all domain controllers, and then restore those objects once more using the wizard. In that scenario, the second path of the wizard is used to restore the linked attributes on the undeleted objects. Stop the operation if the enforcement of replication in your domain is inadmissible for some reasons, but you want to be sure that linked attributes be represented correctly on all domain controllers.
Using agentless or agent-based method
When comparing or restoring Active Directory objects with the Online Restore Wizard, you can choose whether to use LDAP functions only (Agentless method) or Online Restore Agent (Agent-based method).
Note that some AD DS and AD LDS (ADAM) object attributes cannot be restored by using Recovery Manager for Active Directory. For more information on these attributes, see Quest Knowledge Base Article 59039 “AD DS and AD LDS Object Attributes That Recovery Manager for Active Directory Cannot Restore” at support.quest.com.
The following table contains performance test results of agentless and agent-based restore operations on the machine running Windows Exchange Server 2008 R2. The agent-based restore is performed by a single Restore Agent instance.
Configuration of the test lab:
| Operating System | CPU | RAM,GB |
|---|---|---|
| Windows Server 2008 R2 | 2 x Intel Xeon E5-2651 v2 1,8 GHz | 7,5 |
Performance test results:
| Recovery method | Number of objects | Required time |
|---|---|---|
| Agent-based restore | 1000 | 20 - 40 sec |
| 10000 | 4 - 6 min | |
| 50000 | 23 - 34 min | |
| Agentless restore | 1000 | 40 - 70 sec |
| 10000 | 6 - 10 min | |
| 50000 | 30 - 50 min |
Agentless method
The method that uses LDAP functions is referred to as agentless method. The agentless method has both advantages and limitations. The use of LDAP functions makes the wizard operations less intrusive on the domain controller. Also, you can deliberately choose the target domain controller and you can perform restore and compare operations without having administrative access to the target domain controller.
However, some object attributes, such as User Password and SID History, cannot be compared or restored.
The ability to perform an online restore using the agentless method builds on the Restore Deleted Objects feature. This feature extends the LDAP API to enable the restoration of deleted objects. However, this feature restores only the essential attributes required for the object's existence. Other attributes, such as those relating to membership in security and distribution groups, must be restored from a backup.
With the agentless method, you can perform a restore without having administrative access to the target domain controller. For more information, see Performing a restore without having administrator privileges.
To use the agentless method
In the Online Restore Wizard, on the Domain Access Options page, make sure the Use agentless method to access domain controller check box is selected. This ensures that only LDAP functions are used to access the domain controller.
Agent-based method
To overcome the limitations of the agentless method, the Online Restore Wizard provides the alternative, agent-based method. With the agent-based method, you can compare and restore any objects (including deleted ones) and any attributes (including User Password and SID History). A restore can be performed on a domain controller running any operating system supported by Recovery Manager for Active Directory.
However, the agent-based method has the following drawbacks:
- The target domain controller must be the same as that from which the backup was created. No ability to choose the target domain controller for the restore and compare operations.
- The restore or compare operation is more intrusive: Online Restore Agent is installed on the domain controller when you start the compare or restore operation in the Online Restore Wizard and removed when you close the wizard.
- Domain administrator rights on the target domain controller are required.
|
|
NOTE: If Microsoft Defender Advanced Treat Protection is enabled on the recovered domain controller, Recovery Manager for Active Directory cannot perform the agent-based restore operations. To overcome this problem, you need to disable the Local Security Authority Process (Lsass.exe) protection rule or add an exception for Recovery Manager for Active Directory. To add an exception, run the following cmdlet in an administrative PowerShell session: Add-MpPreference -AttackSurfaceReductionOnlyExclusions "$env:SystemRoot\RecoveryManagerAD\EriAgent.exe". To disable the protection rule, edit the group policy object "Customize attack surface reduction rules" - set 0 for the rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)". For details, see Customize attack surface reduction rules. |
To use the agent-based method
In the Online Restore Wizard, on the Domain Access Options page, make sure the Use agentless method to access domain controller check box is cleared, so that Recovery Manager for Active Directory employs Online Restore Agent to perform the restore or compare operation.
To set a default method for compare and restore operations performed in the Online Restore Wizard
- Select the Recovery Manager for Active Directory console tree root.
- On the main menu, select Actions | Settings.
In the dialog box that opens, on the General tab, under Default method for compare and restore operations, select the preferable method, and click OK. You can change the set default method later when using the Online Restore Wizard.