Chat now with support
Chat with Support

Recovery Manager for AD Disaster Recovery Edition 10.0.1 - User Guide

Overview Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Creating backups Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Icons in the user interface Getting and using help Configuring Windows Firewall Using Computer Collections Managing Recovery Manager for Active Directory configuration Licensing
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up System State components Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Fault tolerance Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Install Active Directory from Media recovery method Install Active Directory recovery method Managing Forest Recovery Agent Rebooting domain controllers manually Specifying fallback IP addresses to access a domain controller Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Forest recovery overview Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Bare metal forest recovery Using Management Shell Creating virtual test environments Using Recovery Manager for Active Directory web interface Appendices
Frequently asked questions Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Step 1: Install Recovery Manager Remote API Access Service

To access a Recovery Manager for Active Directory instance, the Recovery Manager Portal requires the Recovery Manager Remote API Access service to be installed and running on the Recovery Manager for Active Directory computer. This service enables the following Recovery Manager for Active Directory features: integration with Recovery Manager Portal, RMAD console fault tolerance and support for hybrid environment.

The Recovery Manager Remote API Access service is an optional feature and you must select this component when installing Recovery Manager for Active Directory Disaster Recovery Edition version 10.0.1. To check if this service is installed and running, you can use the Services tool (services.msc). If the service is not installed, complete the next steps to install it.

To install the Recovery Manager Remote API Access service

  1. Open the list of installed programs (appwiz.cpl).
  2. In the list of installed programs, locate and select Recovery Manager for Active Directory Disaster Recovery Edition.
  3. At the top of the list, click Change.
  4. Step through the wizard until you are on the Change, repair, or remove installation page.
  5. Click the Change button, and then select the Recovery Manager Remote API Access feature for installation.
  6. Follow the steps to complete the wizard.

The Quest Recovery Manager Remote API Access service runs under the Local System account by default.

However, you can specify another service account using the Services snap-in or command line.

To change the service account using the Services snap-in

  1. Open the Run dialog, type services.msc and press Enter.
  2. Find Quest Recovery Manager Remote API Access service in the list, and open its Properties.
  3. Switch to the Log On tab.
  4. Choose the This account option, Browse for a user account and specify the password.
  5. Click OK to close the Properties dialog.
  6. Restart the service.

To change the service account using the command line

  1. Start cmd.exe.
  2. Type the following command:
    sc config RecoveryMgrPortalAccess obj= "[account]" password= "[password]"
  3. Restart the service:
    net stop RecoveryMgrPortalAccess & net start RecoveryMgrPortalAccess
Minimum permission requirements for the service operations

The table below lists the minimum user account permissions required for different tasks.

Task Minimum permissions
Run the service

Have the Log on as a service permission.

To grant the permission:

  1. Run secpol.msc.
  2. In the Local Security Policy console, select Local Polices | User Rights Assignment | Log on as service.
  3. Right-click Log on as service and select Properties.
  4. Make sure that the target account is in the list or belongs to the groups listed on the Local Security Setting tab.
Connect to the configuration database Have the Read and Write permissions on RMAD database folder %PROGRAMDATA%\Quest\Recovery Manager for Active Directory.
Write the service log Have the Read and Write permissions on the folder RMAD log.
Invoke COM Surrogate (64-bit OS)

Have the Local Launch and Local Activation permissions on COM server "COM Surrogate" .

To grant permissions:

  1. Run comexp.msc.
  2. In the Component Services console, click Computer | My Computer | DCOM Config.
  3. Right-click {D023E270-1AB8-4F68-873E-7BD3304DC645} and select Properties.
  4. Go to the Security tab and select Customize under Launch and Activation Permissions and click the Edit button.
  5. Assign Local Launch and Local Activation to the target user.
Register COM at run time Have the Read and Write permissions for the registry keys "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE\SOFTWARE\Classes" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes".
Access the backups folder Have the Read permission on the folder backups.
Access the unpacked backups folder Have the Modify permission on the folder unpacked backups.
Create Scheduled Tasks when using the Replication feature in the Full mode Have the Read permission on folder %SystemRoot%\system32\Tasks.
Create Scheduled Tasks when using the Replication feature in the Full mode on Windows Server 2016 and 2019 Be a member of the local Administrators group.

Step 2: Configure Recovery Manager for Active Directory

In this step, you need to configure the Recovery Manager for Active Directory instances for working with the Recovery Manager Portal.

To configure a Recovery Manager for Active Directory instance

  1. In each Active Directory domain, choose one domain controller whose backups the Recovery Manager Portal will use for recovery operations.
  2. In the appropriate instance of Recovery Manager for Active Directory, create a separate Computer Collection for each domain controller you have chosen.
  3. Add the domain controllers to their individual Computer Collections.
  4. Configure backup settings for these Computer Collections:

This is required because the Recovery Manager Portal can only restore data from unpacked backups.

The number of retained unpacked backups determines the number of available backup states to which you can restore Active Directory objects in the Recovery Manager Portal.

Step 3: Add Recovery Manager for Active Directory instances

In the Recovery Manager Portal, add the Recovery Manager for Active Directory instances you have configured in the previous step. By adding the instances, you make the unpacked backups they create available in the Recovery Manager Portal.

To add a Recovery Manager for Active Directory instance

  1. Connect to the Recovery Manager Portal with your Web browser.

Use the user account under which you installed the Recovery Manager Portal. By default, this account has all necessary permissions to modify the portal configuration.

  1. In the Recovery Manager Portal, open the Configuration tab.
  2. Expand Recovery Manager for Active Directory Instances.
  3. Click the Add instance button.
  4. Use the following options in the dialog box that opens:
    • Computer. Type the fully qualified domain name (FQDN) of the computer that hosts the Recovery Manager for Active Directory instance.
    • Access the computer using. Type the user name and password of the account with which you want to access the specified computer. The account must be a local administrator on the target computer.
  5. When finished, click OK.

Step 4: Configure recovery settings for Active Directory domains

To configure recovery settings

  1. In the Recovery Manager Portal, open the Configuration tab.
  2. Expand Active Directory Domains.
  3. Click a domain, and then do the following in the dialog box that opens:
  • Recovery Manager for Active Directory. Select the instance you have configured to back up a domain controller in the selected domain.
  • Backups of selected DC. Select the domain controller you have added to the Computer Collection in Step 2: Configure Recovery Manager for Active Directory.
  • Access the domain using. Specify the account under which you want the selected Recovery Manager for Active Directory instance to recover data in the domain.

    NOTE: If you leave the User name and Password text boxes blank, the account specified in Step 3: Add Recovery Manager for Active Directory instances (Access the computer using option) is used by default. If a collection contains domain controllers from other domains or forests, Recovery Manager Portal should be able to read Active Directory schema for all domains included in the collection. For that, you need to specify the access credentials for these domains.

  1. When finished, click OK.
Related Documents