Overview
About Recovery Manager for Active Directory Disaster Recovery Edition
Features and benefits
Backing up data
Comprehensive Active Directory recovery options
AD LDS (ADAM) recovery
Granular, selective restore
Group Policy recovery
Centralized remote administration
Audit of objects and operations
Management Shell
Scheduling and automation
Scalability and performance
Rapid economic justification
Simplified restoration of an Active Directory forest
Bare metal forest recovery
Granular, domain-level recovery
Integration with On Demand Recovery
Automation of manual operations
Creation of virtual test environments
Remote quarantine
Fault tolerance
Simultaneous system recovery
Support for native Windows tools for restoring domain controllers
Recovery pauses
Recovery plan
Running custom scripts
Technical overview
Permissions required for the Backup operation
Managing Backup Agent
Restoring data
Installing Backup Agent automatically
Preinstalling Backup Agent manually
Discovering preinstalled Backup Agent
Updating Backup Agent information
Upgrading Backup Agent
Uninstalling Backup Agent
Removing a Backup Agent entry from the Backup Agent Management node
Using a least-privileged user account to back up data
Creating backups
Retrying backup creation
Enabling backup encryption
Backing up AD LDS (ADAM)
Method 1: Back up AD LDS (ADAM) from the Recovery Manager Console
Method 2: Schedule backup creation for AD LDS (ADAM)
Backing up cross-domain group membership
Backing up distributed file system (DFS) data
Backup scheduling
Setting performance options
Setting advanced backup options
Using Forest Recovery Agent
Unpacking backups
Configuring default settings to unpack backups
Configuring Computer Collection-specific settings to unpack backups
Unpacking a backup manually
Deleting data unpacked from a backup
Using e-mail notification
Viewing backup creation results
Sessions node properties
Computer properties
Computer session properties
Backups node properties
Filtering backups
Properties of registered AD and AD LDS (ADAM) backups
Getting started
Permissions required to use Recovery Manager for Active Directory
Recovery Manager Console
Icons in the user interface
Getting and using help
Configuring Windows Firewall
Using Computer Collections
Creating Computer Collections
Renaming Computer Collections
Modifying Computer Collection properties
Deleting Computer Collections
Specifying an access account for Backup Agent and backup storage
Adding domain controllers to a Computer Collection
Adding containers to a Computer Collection
Adding AD LDS (ADAM) hosts and instances
Removing items from a Computer Collection
Managing Recovery Manager for Active Directory configuration
Preparing for working with Active Directory or AD LDS (ADAM) backups
Settings
Default properties for Computer Collections
Properties for an existing Computer Collection
Licensing
Backup tab
Components tab
Schedule tab
Alerts tab
Logging tab
Performance tab
Advanced tab
Agent Settings tab
Console Storage tab
DC Storage tab
Unpacked Backups tab
Container and site properties
Properties for a domain or organizational unit
Properties for an Active Directory site
Properties for an AD LDS (ADAM) site
Sessions node properties
Forest properties
Domain properties
Domain controller properties
AD LDS (ADAM) partition properties
AD LDS (ADAM) instance properties
Showing or hiding AD LDS (ADAM) partitions
Showing or hiding domains
Showing or hiding sites
Getting started with Active Directory recovery
Fault tolerance
Consolidating backup registration data
Monitoring Recovery Manager for Active Directory
Choosing an Active Directory recovery method
Implications of the online restore
Using agentless or agent-based method
Managing deleted or recycled objects
Restoring backed up System State components
Using granular online restore
Restoring AD LDS (ADAM)
Method 1: Restore an AD LDS (ADAM) instance from a backup created with Recovery Manager for Active Directory
Method 2: Restore an AD LDS (ADAM) database from a backup created with third-party software
Selectively restoring Active Directory object attributes
Restoring objects in an application directory partition
Restoring object quotas
Restoring cross-domain group membership
Performing a restore without having administrator privileges
Reports about objects and operations
Reports about Active Directory objects
Reports about AD LDS (ADAM) objects
Reports about Group Policy objects
Reports about who modified Active Directory objects
Using complete offline restore
Offline restore implications
Restoring SYSVOL authoritatively
Performing a granular restore of SYSVOL
Recovering Group Policy
Restoring data from third-party backups
Using the Extract Wizard
Creating a Windows Server 2008-based domain controller from a backup
Creating a Windows Server 2012-based domain controller from a backup
Restoring passwords and SID history
Supported versions of Microsoft Operations Manager
Importing Management Pack
Rules provided in Microsoft System Center Operations Manager
Health dashboards
Recovering an Active Directory forest
Permissions required to use Forest Recovery Console
Forest Recovery Console
Bare metal forest recovery
Toolbar
Project summary
List of domain controllers
Domain controller recovery settings and progress
Configuring advanced settings
Managing a recovery project
Creating a recovery project
Opening a recovery project
Opening a legacy recovery project
Saving a recovery project
Updating a recovery project
Specifying recovery project settings
Verifying recovery project settings
Scheduling project verification
Specifying recovery settings for a DC
Selecting backups for recovery
Using recovery alerts
Using recovery pauses
Copying a backup file to a new location
Install Active Directory from Media recovery method
Install Active Directory recovery method
Managing Forest Recovery Agent
Installing or upgrading Forest Recovery Agent
Viewing installed Forest Recovery Agent version
Uninstalling Forest Recovery Agent
Rebooting domain controllers manually
Specifying fallback IP addresses to access a domain controller
Resetting DSRM Administrator Password
Purging Kerberos Tickets
Managing the Global Catalog servers
Managing FSMO roles
Manage DNS Client Settings
Configuring Windows Firewall
Forest recovery overview
Developing a custom forest recovery plan
Backing up domain controllers
Assigning a preferred DNS server during recovery
Forest recovery methods
Selectively recovering domains in a forest
Recovery method 1: Restore as many domain controllers from backups as possible
Recovery method 2: Restore one domain controller from backup in each domain
Deciding which backups to use
Running custom scripts while recovering a forest
Overview of steps to recover a forest
Viewing forest recovery progress
Viewing recovery plan
Viewing a report about forest recovery or verify settings operation
Handling failed domain controllers
Adding a domain controller to a running recovery operation
Step 1: Select domains to recover
Step 2: Specify recovery settings for domain controllers
Step 3: Start recovery
Recovering SYSVOL
Deleting domains during recovery
Resuming an interrupted forest recovery
Recovering read-only domain controllers (RODCs)
Checking forest health
Collecting diagnostic data for technical support
Bare metal recovery requirements and limitations
Prepare backups
Restore from Standard RMAD backup
NIC teaming support
Disaster recovery workflow
Custom Quest Recovery Media with additional driver
Using Management Shell
Creating virtual test environments
About Active Directory Virtual Lab
Permissions
Communication ports
Support for VMware DRS Clusters
Deployment
User interface
Using Recovery Manager for Active Directory web interface
Toolbar
List of source computers
Virtual machine creation settings and events
Virtual lab project default settings
How to create a virtual test environment
About Recovery Manager Portal
Installing Recovery Manager Portal
Connecting to Recovery Manager Portal
Administering Recovery Manager Portal
Appendices
Configuring portal for working with Recovery Manager for Active Directory
Viewing health summary for Recovery Manager for Active Directory instances
Viewing backup creation history
Recovering data using Recovery Manager Portal
Step 1: Install Recovery Manager Remote API Access Service
Step 2: Configure Recovery Manager for Active Directory
Step 3: Add Recovery Manager for Active Directory instances
Step 4: Configure recovery settings for Active Directory domains
Modifying recovery settings for domains
Assigning roles to portal users
Delegating restore or undelete permissions
Configuring e-mail notification
How Recovery Manager Portal recovers data
Integration with On Demand Recovery
Frequently asked questions
Why do I need to restore deleted users or groups, rather than re-create them?
How can I restore a user or group in Active Directory?
How does online restore work?
When an object is undeleted, what is restored from the tombstone and what is restored from the backup?
What's the difference between an online restore and an authoritative restore?
What's the difference between the agentless restore method and the agent-based restore method?
Can I undelete a mailbox-enabled user?
In the Group Policy Restore Wizard, a GPO link is shown as deleted, but the link actually exists in Active Directory. What's wrong?
What is a primary restore of the SYSVOL?
How do I change the Backup Agent port number?
How does Recovery Manager for Active Directory Disaster Recovery Edition select a DC for an authoritative (primary) restore of SYSVOL during forest recovery?
How does Recovery Manager for Active Directory Disaster Recovery Edition isolate domain controllers during forest recovery?
How does Recovery Manager for Active Directory Disaster Recovery Edition select a DC to add the global catalog during forest recovery?
Best practices for creating backups for forest recovery
How many instances of the Recovery Manager Console to deploy?
How many domain controllers to back up?
How many domain controllers to back up at once?
What data to back up?
Using data compression
Using unpacked backups
Best practices for recovering a forest
How many Instances of the Forest Recovery Console to deploy?
Where to Install the Forest Recovery Console?
Backing up the Recovery Manager for Active Directory Disaster Recovery Edition configuration
Descriptions of recovery or verification steps
Backup Wizard
What to Back Up
Where to Store Backups
When to Back Up
Computer Collection Name (optional)
Completing the Backup Wizard
Online Restore Wizard
Wizard Operation Mode
Domain Selection
Backup Selection
Backup for Comparison (optional)
Unpacked Backups Folder Selection
Backup Data Preparation
Domain Access Options
Objects to Be Processed
Operation Selection
Processing Options
Additional Options
Operation Start
Operation Progress
Operation Option
Objects to Be Restored
Where to Restore Deleted Objects
Operation Results
Completing the Online Restore Wizard
Online Restore Wizard for AD LDS (ADAM)
Wizard Operation Mode
AD LDS (ADAM) Instance Selection
Backup Selection
Backup for Comparison
Unpacked Backups Folder Selection
Backup Data Preparation
AD LDS (ADAM) Access Options
Objects to Be Processed
Processing Options
Reporting Options
Operation Start
Operation Progress
Operation Option
Objects to Be Restored
Operation Results
Completing the Online Restore Wizard for AD LDS (ADAM)
Group Policy Restore Wizard
Backup Source Domain
Backup Selection
Unpacked Backups Folder Selection
Backup Data Preparation
Target Domain Controller
Group Policy Object Selection
GPO Restore Options
Link Restore Options
Restore Process Start
Completing the Group Policy Restore Wizard
Repair Wizard
Computer and Backup Selection
Target Computer
Computer Restart
Primary Restore of SYSVOL
Restore Process Start
Restore Progress
Authoritative Restore Selections
Computer Restart in Normal Mode
Completing the Repair Wizard
Extract Wizard
Events generated by Recovery Manager for Active Directory
Step 1: Install Recovery Manager Remote API Access Service
Using Recovery Manager for Active Directory web interface > Administering Recovery Manager Portal > Configuring portal for working with Recovery Manager for Active Directory > Step 1: Install Recovery Manager Remote API Access Service
To access a Recovery Manager for Active Directory instance, the Recovery Manager Portal requires the Recovery Manager Remote API Access service to be installed and running on the Recovery Manager for Active Directory computer. This service enables the following Recovery Manager for Active Directory features: integration with Recovery Manager Portal, RMAD console fault tolerance and support for hybrid environment.
The Recovery Manager Remote API Access service is an optional feature and you must select this component when installing Recovery Manager for Active Directory Disaster Recovery Edition version 10.0.1. To check if this service is installed and running, you can use the Services tool (services.msc). If the service is not installed, complete the next steps to install it.
To install the Recovery Manager Remote API Access service
- Open the list of installed programs (appwiz.cpl).
- In the list of installed programs, locate and select Recovery Manager for Active Directory Disaster Recovery Edition.
- At the top of the list, click Change.
- Step through the wizard until you are on the Change, repair, or remove installation page.
- Click the Change button, and then select the Recovery Manager Remote API Access feature for installation.
- Follow the steps to complete the wizard.
The Quest Recovery Manager Remote API Access service runs under the Local System account by default.
However, you can specify another service account using the Services snap-in or command line.
To change the service account using the Services snap-in
- Open the Run dialog, type services.msc and press Enter.
- Find Quest Recovery Manager Remote API Access service in the list, and open its Properties.
- Switch to the Log On tab.
- Choose the This account option, Browse for a user account and specify the password.
- Click OK to close the Properties dialog.
- Restart the service.
To change the service account using the command line
- Start cmd.exe.
- Type the following command:
sc config RecoveryMgrPortalAccess obj= "[account]" password= "[password]" - Restart the service:
net stop RecoveryMgrPortalAccess & net start RecoveryMgrPortalAccess
Minimum permission requirements for the service operations
The table below lists the minimum user account permissions required for different tasks.
| Task | Minimum permissions |
| Run the service |
Have the Log on as a service permission. To grant the permission:
|
| Connect to the configuration database | Have the Read and Write permissions on RMAD database folder %PROGRAMDATA%\Quest\Recovery Manager for Active Directory. |
| Write the service log | Have the Read and Write permissions on the folder RMAD log. |
| Invoke COM Surrogate (64-bit OS) |
Have the Local Launch and Local Activation permissions on COM server "COM Surrogate" . To grant permissions:
|
| Register COM at run time | Have the Read and Write permissions for the registry keys "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE\SOFTWARE\Classes" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes". |
| Access the backups folder | Have the Read permission on the folder backups. |
| Access the unpacked backups folder | Have the Modify permission on the folder unpacked backups. |
| Create Scheduled Tasks when using the Replication feature in the Full mode | Have the Read permission on folder %SystemRoot%\system32\Tasks. |
| Create Scheduled Tasks when using the Replication feature in the Full mode on Windows Server 2016 and 2019 | Be a member of the local Administrators group. |
Step 2: Configure Recovery Manager for Active Directory
Using Recovery Manager for Active Directory web interface > Administering Recovery Manager Portal > Configuring portal for working with Recovery Manager for Active Directory > Step 2: Configure Recovery Manager for Active Directory
In this step, you need to configure the Recovery Manager for Active Directory instances for working with the Recovery Manager Portal.
To configure a Recovery Manager for Active Directory instance
- In each Active Directory domain, choose one domain controller whose backups the Recovery Manager Portal will use for recovery operations.
- In the appropriate instance of Recovery Manager for Active Directory, create a separate Computer Collection for each domain controller you have chosen.
- Add the domain controllers to their individual Computer Collections.
- Configure backup settings for these Computer Collections:
- Specify to unpack backups. For instructions, see Configuring Computer Collection-specific settings to unpack backups.
This is required because the Recovery Manager Portal can only restore data from unpacked backups.
- Configure a retention policy for the unpacked backups. For instructions, see Unpacked Backups tab in Properties for an existing Computer Collection.
The number of retained unpacked backups determines the number of available backup states to which you can restore Active Directory objects in the Recovery Manager Portal.
Step 3: Add Recovery Manager for Active Directory instances
Using Recovery Manager for Active Directory web interface > Administering Recovery Manager Portal > Configuring portal for working with Recovery Manager for Active Directory > Step 3: Add Recovery Manager for Active Directory instances
In the Recovery Manager Portal, add the Recovery Manager for Active Directory instances you have configured in the previous step. By adding the instances, you make the unpacked backups they create available in the Recovery Manager Portal.
To add a Recovery Manager for Active Directory instance
- Connect to the Recovery Manager Portal with your Web browser.
Use the user account under which you installed the Recovery Manager Portal. By default, this account has all necessary permissions to modify the portal configuration.
- In the Recovery Manager Portal, open the Configuration tab.
- Expand Recovery Manager for Active Directory Instances.
- Click the Add instance button.
- Use the following options in the dialog box that opens:
- Computer. Type the fully qualified domain name (FQDN) of the computer that hosts the Recovery Manager for Active Directory instance.
- Access the computer using. Type the user name and password of the account with which you want to access the specified computer. The account must be a local administrator on the target computer.
- When finished, click OK.
Step 4: Configure recovery settings for Active Directory domains
Using Recovery Manager for Active Directory web interface > Administering Recovery Manager Portal > Configuring portal for working with Recovery Manager for Active Directory > Step 4: Configure recovery settings for Active Directory domains
To configure recovery settings
- In the Recovery Manager Portal, open the Configuration tab.
- Expand Active Directory Domains.
- Click a domain, and then do the following in the dialog box that opens:
- Recovery Manager for Active Directory. Select the instance you have configured to back up a domain controller in the selected domain.
- Backups of selected DC. Select the domain controller you have added to the Computer Collection in Step 2: Configure Recovery Manager for Active Directory.
- Access the domain using. Specify the account under which you want the selected Recovery Manager for Active Directory instance to recover data in the domain.
NOTE: If you leave the User name and Password text boxes blank, the account specified in Step 3: Add Recovery Manager for Active Directory instances (Access the computer using option) is used by default. If a collection contains domain controllers from other domains or forests, Recovery Manager Portal should be able to read Active Directory schema for all domains included in the collection. For that, you need to specify the access credentials for these domains.
- When finished, click OK.