It is recommended to regularly back up the Recovery Manager for Active Directory Disaster Recovery Edition configuration, so that you can quickly reinstall the product and restore its configuration to the last backed-up state if Recovery Manager for Active Directory Disaster Recovery Edition becomes inoperable due to a failure. All the Recovery Manager for Active Directory Disaster Recovery Edition configuration data is held in the following location on the Recovery Manager for Active Directory Disaster Recovery Edition computer:
%AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory
The Recovery Manager Console saves its configuration data in the following files:
As a rule, the overall size of these .mdb files does not exceed 10 MB.
The Forest Recovery Console saves all its configuration data in the Forest Recovery Project (.frproj) file.
The next table describes the steps you may encounter in the Recovery Plan or on the Progress tab in the Forest Recovery Console while running a restore or verify settings operation.
Table 41: Recovery or verification steps
Step | Description |
---|---|
Add global catalog |
Adds the global catalog to the DC if:
If no global catalog servers were successfully restored from backup, the global catalog is added to the DC that was assigned the Schema Master role during the recovery. |
Bring all disks online | Brings all disks on the recovered domain controller online. |
Check if promoting paths are valid | Checks whether the specified "DIT database path", "Log files path" and "SYSVOL path" are available. |
Change global catalog partition occupancy level | Sets the appropriate global catalog partition occupancy level to advertise the global catalog servers in DNS according to the recovery project settings. For more information on advertising the global catalog servers, see Specifying recovery project settings. |
Clean up metadata of removed domain controllers | Removes metadata of all domain controllers that were not restored from backup. This includes the domain controllers whose restore from backup has failed and those for which a recovery method other than Restore from backup has been selected. |
Clean up metadata for domains that were not restored if necessary | Cleans up metadata of the domains in which no DCs were successfully restored from backup or for which you specified to not recover any DCs. |
Check if BitLocker is enabled | Checks whether BitLocker Drive Encryption is enabled on the DC. Gets the BitLocker configuration if BitLocker is enabled. |
Check if domain controller is read-only | Checks whether the DC is read-only (RODC). |
Check if computer is a domain controller | Checks if the computer is a domain controller to ensure that restore from backup is possible. |
Copy the backup file to domain controller | If a backup was configured, then copies the backup file specified in the DC recovery settings to the DC. If there was no backup configured, this step will be skipped. |
Configure Forest Recovery Agent on restored machine | Deploys and configures Forest Recovery Agent on the recovered domain controller. |
Configure DNS server | Updates DNS server delegation and forwarding in accordance with the new IP address of a target machine. When Active Directory-integrated DNS is used, Recovery Manager for Active Directory Disaster Recovery Edition restores DNS Servers from a backup and checks if there are any DNS Servers in different DNS zones. If there are such DNS servers, Recovery Manager for Active Directory Disaster Recovery Edition restores delegation and forwarding between domain DNS zones. All restored DNS Servers from a particular domain will be configured as delegation and forwarding targets. |
Detect current mode (DSRM or normal) | Checks whether the DC is in normal mode or DSRM. |
Disable BitLocker | Disables BitLocker Drive Encryption if it is enabled on the DC. |
Disable custom filters for passwords | Disables any third-party custom password filters enabled on the DC. This step is required to ensure the filters do not block any password reset operations during the recovery. |
Disable Windows Update | Disables Microsoft Windows Update on the DC for the duration of the recovery to prevent the installation of updates and possible reboots of the DC. |
Enable BitLocker | Enables BitLocker Drive Encryption if it was disabled on the domain controller earlier in the recovery process. |
Enable custom filters for passwords | Enables the third-party custom password filters that were disabled on the DC earlier in the recovery process. |
Enable domain controller isolation |
Uses IPsec policies to restrict all traffic on the DC except for the following:
This step does not delete any existing IPsec policies. If the DC is running Windows Server 2008 or later, this step sets certain additional parameters to avoid AD DS being unavailable until the replication of a writable directory partition has completed. |
Enable the use of global catalog for user authentication | Enables the use of the global catalog for user logon validation. |
Enable Windows Update | Re-enables Microsoft Windows Update on the DC. |
Ensure that Quest Recovery Media is available | For the Bare Metal Active Directory Recovery recovery method: Checks that the Quest Recovery Media is created for the domain controller. If it is not found, the recovery media with corresponding settings will be created for the domain controller. |
Ensure global catalog is available | Performs all necessary operations to ensure a global catalog server is available in the forest and functioning properly. |
Ensure that the SYSVOL share is available | Checks that the SYSVOL share is available on the DC. |
Ensure that domain controller isolation is disabled | Disables any IPsec policies that were enabled during the recovery. Enables the IPsec policies that were in effect before the recovery started. If the DC is running Windows Server 2008 or later, this step sets certain additional parameters. These parameters require a DC that restarts and holds operations master roles to have successful AD DS replication with its known replica partners before it advertises itself as DC. |
Ensure that Forest Recovery Agent is installed and running | Checks the installed version of Forest Recovery Agent. If necessary, installs the agent or upgrades it to the version supplied with the Forest Recovery Console you are using. |
Extract the backup file components | Extracts the backup components data on the target server. |
Get information about domain controller |
Collects the following information from the DC:
|
Get information about computer from backup |
Collects the following information from the backup for the Bare Metal Active Directory Recovery recovery method:
|
Get replication data from the DC | Collects replication data from the DC. The collected data will be used later to determine if lingering objects are present. |
Raise RID pool | Raises the value of available RID pools by the value specified in the Forest Recovery Console configuration file (100,000 by default). |
Invalidate RID pool | Invalidates the current RID pool. This operation prevents the restored domain controller from re-issuing RIDs from the RID pool that was assigned at the time the backup was created. |
Install Active Directory Domain Services | Installs Active Directory Domain Services (AD DS) on the computer. Enables Global Catalog if the corresponding option is set in the DC recovery settings. Restarts the computer after the AD DS installation completes. |
Install Active Directory from media |
|
Reinstall Active Directory Domain Services | Installs Active Directory Domain Services (AD DS) on the computer. Restarts the computer after the AD DS installation completes. |
Adjust to Active Directory changes | Global Catalogs from excluded domains are adjusted to the state of recovered domains. This step involves the Repadmin tool. If particular changes performed by the Repadmin tool do not succeed, then the Global Catalog on this domain controller will be reset. For details about the 'Adjust to Active Directory changes' operation, see here. |
Remove global catalog | Removes the global catalog from the DC. |
Remove global catalog if necessary | Removes the global catalog from the DC if necessary, provided that the DC is a global catalog server. |
Remove temporary files | Deletes the backup file from the DC if the file was copied to the DC during the recovery. |
Replicate FSMO role owners | Replicates FSMO role owners to DCs. |
Reset computer account passwords | Resets computer account passwords twice to an automatically generated value. The passwords are reset for the current DC and all other DCs in the project. By default, the automatically generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character. |
Reset DSRM administrator password | Resets the DSRM administrator password to the value specified in the DC recovery settings. |
Reset global catalog |
Removes the global catalog from the DC if all of the following is true:
Then, adds the global catalog back to the DC. |
Reset the Krbtgt password | Resets the Krbtgt password twice to an automatically generated value. By default, the automatically generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character. |
Reset trust passwords | Resets the trust passwords twice to an automatically generated value. By default, the automatically generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character. This operation is performed for all implicit and explicit trusts between this domain and all other trusted domains in the forest. Trust passwords for any external trusts are not reset. |
Restart domain controller in DSRM if necessary | If DSRM is not the current mode, restarts the domain controller in DSRM and resets the DSRM password. |
Restart domain controller in the DSRM mode | Reboots the recovered domain controller into Directory Services Restore Mode and resets the password for the domain administrator account. |
Restart domain controller in normal mode | Restarts the DC in normal mode for the changes to take effect. When performing this step on a DC restored from backup, Recovery Manager for Active Directory Disaster Recovery Edition also resets the user password to the value specified in the DC recovery settings. This password reset overwrites the old password restored from backup. |
Restore data from backup, if there is one | Restores the Active Directory database (.dit file), SYSVOL, and system registry entries from the backup specified in the DC recovery settings. Disables the use of global catalog for user logon validation. This allows users other than the built-in Administrator to log on during the recovery. |
Restore initial global catalog partition occupancy level | Sets the global catalog partition occupancy level to the value that existed before the recovery. For more information on the recovery project settings that may cause Recovery Manager for Active Directory Disaster Recovery Edition to change the global catalog partition occupancy level during recovery, see Specifying recovery project settings. |
Restore disks from a Windows Server Backup | For the Bare Metal Active Directory Recovery recovery method: Performs bare-metal recovery of the machine from Windows Server Backup. |
Run pre-recovery checks |
If the Restore from backup or SYSVOL Restore recovery method is selected for the DC, this step checks that:
If either Reinstall Active Directory or Uninstall Active Directory recovery method is selected for the DC, this step checks that:
If the Bare Metal Active Directory Recovery recovery method is selected for the DC, this step checks that:
|
Seize FSMO roles | Seizes FSMO roles for the DCs automatically selected for each role. |
Select preferred DNS server |
Selects a properly functioning DNS server for all network adapters on the DC. This step uses the following order of priority to select a DNS server:
AD-integrated DNS servers hosted on DCs that were not successfully restored from backup are excluded from the list of possible DNS servers. |
Save start types of Windows services | Saves the start types of Windows services that can be changed during recovery. |
Uninstall Active Directory Domain Services | Demotes the DC to a member server joined to the workgroup named WORKGROUP. Resets the local Administrator password to the value specified in the Set DSRM password option in the DC recovery settings. |
Wait for a global catalog server to become available | Waits for at least one global catalog server to become available in the forest. This step may take a significant time to complete. |
Wait for the target machine booted from Quest Recovery Media. | For the Bare Metal Active Directory Recovery recovery method: Checks that the target machine is booted from Quest Recovery Media. Waits until the target host is booted into the Windows Recovery Environment from the recovery media. |
Wipe all disks on the target machine | For the Bare Metal Active Directory Recovery recovery method: Wipes all data on the remote machine's disks before restoring the backup. |
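
A read-only check that the resets described in the "Reset the Krbtgt password" and "Reset computer account passwords" steps took effect, by comparing each account's last password change with the time the recovery began. This is an added example, not part of the Quest product or its documentation; it assumes the Microsoft ActiveDirectory PowerShell module, and `$RecoveryStart`, `$Server` and the `New-ResetResult` helper are names introduced here.

```powershell
#requires -Modules ActiveDirectory
# Added example: read-only check that the recovery's password resets took effect.
param(
    # Assumption: the time the recovery was started, as recorded by the operator.
    [Parameter(Mandatory)] [datetime] $RecoveryStart,
    # Assumption: a recovered, writable DC to query.
    [Parameter(Mandatory)] [string] $Server
)

# Hypothetical helper: one result row per checked account.
function New-ResetResult($Kind, $Name, $PasswordLastSet, $KeyVersion) {
    [pscustomobject]@{
        Kind            = $Kind
        Account         = $Name
        PasswordLastSet = $PasswordLastSet
        KeyVersion      = $KeyVersion
        # A password that was never set ($null) is reported as not reset.
        ResetAfterStart = ($null -ne $PasswordLastSet) -and ($PasswordLastSet -gt $RecoveryStart)
    }
}

$results = @()

# "Reset the Krbtgt password": msDS-KeyVersionNumber rises with every password
# change, so it is reported alongside the timestamp for comparison with earlier notes.
$krbtgt = Get-ADUser -Identity krbtgt -Server $Server `
    -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
$results += New-ResetResult 'krbtgt' $krbtgt.SamAccountName `
    $krbtgt.PasswordLastSet $krbtgt.'msDS-KeyVersionNumber'

# "Reset computer account passwords": every DC account still present in the domain.
foreach ($dc in Get-ADDomainController -Filter * -Server $Server) {
    $acct = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $Server `
        -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
    $results += New-ResetResult 'DC' $acct.SamAccountName `
        $acct.PasswordLastSet $acct.'msDS-KeyVersionNumber'
}

$results | Sort-Object Kind, Account | Format-Table -AutoSize

# Any account whose password predates the recovery is flagged for follow-up.
$stale = @($results | Where-Object { -not $_.ResetAfterStart })
if ($stale.Count -gt 0) {
    Write-Warning ("{0} account(s) still carry a password set before {1:s}" -f $stale.Count, $RecoveryStart)
    exit 1
}
```

The query covers only the domain that `$Server` belongs to, so run it once per recovered domain in the forest.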
The Backup Wizard helps you create backups of domain controllers' System State, including Active Directory and Group Policy data. With this wizard you can select domain controllers whose System State is to be backed up, specify where to store backups, run backup immediately or schedule it for later, view and modify backup options, such as what System State components are to be backed up.
The wizard has the following steps:
Use this page to select computers whose system state you want the wizard to back up. You can back up selected computers or computers that reside in a specific container.
To add a computer by name
With the Select Computers dialog box, you can select multiple computers. The Select Computers dialog box only allows you to add computers by computer account name. If you want to add computers by IP address, DNS name, or NetBIOS name, use an import file.
To add computers using an import file
To add a container
If you select computers or containers before starting the Backup Wizard, the Selected objects list includes the objects you have selected.
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.