When recovering an Active Directory forest, you can use Recovery Manager for Active Directory Disaster Recovery Edition to selectively delete particular domains from the forest being recovered. You may need to delete domains when, for example, the account you use to recover an Active Directory forest does not have sufficient permissions to access and recover some domains in the forest. In this case, you may want to sacrifice these domains and recover the forest without them.
To delete a domain from the forest being recovered, you need to set the recovery method for all DCs in that domain to Do not recover. Then, after you run the recovery operation, Recovery Manager for Active Directory Disaster Recovery Edition does the following:
To delete a domain while recovering an Active Directory forest
Recovery Manager for Active Directory Disaster Recovery Edition provides the Fault Tolerance feature that allows you to resume the last forest recovery operation in case it was unexpectedly interrupted by one of these events:
Important: The Fault Tolerance feature does not allow you to resume a forest recovery operation you canceled from the Forest Recovery Console (for example, by clicking the Abort button).
When the Fault Tolerance feature is enabled, it constantly saves the current forest recovery operation state to a dedicated SQL Server database named ForestRecovery-Persistence. Each time you start the Forest Recovery Console, a check is performed to see whether the last forest recovery operation was interrupted by any of the events listed earlier in this section. If that is true, the Forest Recovery Console prompts you to resume the forest recovery from the point at which it was interrupted.
In case you choose not to resume an interrupted forest recovery operation and select the Delete last recovery session data option in the Resume Recovery wizard, the saved session state will be permanently deleted from the ForestRecovery-Persistence database.
For the Fault Tolerance feature, all involved console instances must have the same SSL certificate that is used to communicate with Forest Recovery Agents without using the domain access credentials.
To share the SSL certificate between console instances
Important: Before you import the certificate file, you must uninstall Forest Recovery Agents on all domain controllers that were processed via this console, if any. For that, on the menu bar, select Tools | Manage | Forest Recovery Agent or DCs. In the dialog box that opens, select all domain controllers and click the Uninstall Agent button.
To modify the fault tolerance settings for a recovery project
Table 36: Recovery persistence settings
Option | Description |
---|---|
Enable fault tolerance | Allows you to enable or disable the Fault Tolerance feature by selecting or clearing this check box. |
SQL Server name and instance | Allows you to specify the SQL Server instance in which you want to store the current forest recovery operation state. To specify a SQL Server instance, use the format <SQLServerName>/<Instance>. The forest recovery operation state is saved to a SQL Server database named ForestRecovery-Persistence. If the ForestRecovery-Persistence database does not exist in the SQL Server instance you specify, it will be created there. If the ForestRecovery-Persistence database already exists in the SQL Server instance you specify, the data in that database will not be erased until you start a new forest recovery operation. Until that moment, you can resume the interrupted forest recovery operation whose state is held in the specified ForestRecovery-Persistence database. |
Authentication method | Allows you to select a method for authenticating on the specified SQL Server. |
List of consoles | Shows the list of Forest Recovery Consoles configured to support the Fault Tolerance feature. |
Recovery Manager for Active Directory Disaster Recovery Edition does not support recovering read-only domain controllers (RODCs) from backups.
The full list of recovery methods that can be applied to the RODCs in your recovery project:
For more information on selecting a recovery method for a domain controller in the current recovery project, see Domain controller recovery settings and progress.
The Forest Recovery Console provides a tool that allows you to check the health of your forest. You can use the tool to run tests to ensure that domain controllers, Active Directory replication, domain trusts, user authentication, RID Master, and global catalog are working properly in your Active Directory forest.
The Forest Recovery Console automatically prompts you to check the forest health after the forest recovery has succeeded, so that you can ensure the forest works exactly the way you want. If necessary, you can manually run a health check on your forest at any time before or after the forest recovery operation.
NOTE: Recovery Manager for Active Directory Disaster Recovery Edition uses the domain controller access credentials to perform the forest health checks. Make sure that the credentials are valid. For more details, refer to Table 24 in the Settings tab section.
What does Recovery Manager for Active Directory Disaster Recovery Edition check?
Items to check | Description |
---|---|
Domain controllers | |
Active Directory replication | |
Domain trusts | |
User authentication; RID Master and GC operation | |
To run a forest health check
When the check health operation completes, use the Details tab to view information about the health of the selected items.
If you select the User authentication; RID Master and GC operation option on the Settings tab, you can specify a container for the test user account on the domain controller.
For the list of required permissions, see Recovery Manager .
To specify a container for the test user account
You should specify the relative container distinguished name for the HealthCheckContainer attribute. For example, if the full DN of the container is OU=test1,DC=rmad,DC=local, specify the DN name as OU=test1.
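The following is an added example, not part of the product documentation or the vendor's code. It derives the relative container DN for HealthCheckContainer from a full DN and checks that the container really sits under the expected domain. It assumes "relative" means the full DN with the domain's DC= components removed, as in the example above; the function names are hypothetical.

```python
def split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas (backslash escapes kept intact)."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair, e.g. "\,"
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).lstrip())
    return parts


def relative_container_dn(full_dn: str, domain_dn: str) -> str:
    """Return full_dn with the trailing domain_dn removed (assumed meaning of
    'relative container distinguished name'). Raises ValueError when the
    container is not strictly below the given domain."""
    full = split_dn(full_dn)
    domain = split_dn(domain_dn)
    if not all(p.lower().startswith("dc=") for p in domain):
        raise ValueError(f"{domain_dn!r} is not a domain DN (DC= components only)")
    if len(full) <= len(domain):
        raise ValueError("container DN must be below the domain root")
    tail = [p.lower() for p in full[-len(domain):]]
    if tail != [p.lower() for p in domain]:
        raise ValueError(f"{full_dn!r} is not inside {domain_dn!r}")
    return ",".join(full[:-len(domain)])


if __name__ == "__main__":
    # Sample values: the first is the DN from the text, the rest are constructed.
    for dn in ("OU=test1,DC=rmad,DC=local",
               "OU=hc,OU=Tier0,dc=rmad,dc=local",
               r"OU=Health\, Check,DC=rmad,DC=local"):
        print(dn, "->", relative_container_dn(dn, "DC=rmad,DC=local"))
```

A naive split on every comma would cut a container name such as `OU=Health\, Check` in two; the domain check also catches a DN copied from a different domain before it reaches the attribute.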