Chat now with support
Chat with Support

Recovery Manager for AD Disaster Recovery Edition 10.1 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Restore Active Directory on Clean OS Bare metal forest recovery Using Management Shell Creating virtual test environments Using Recovery Manager for Active Directory web portal Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory Descriptions of PowerShell commands
Add-RMADBackup Add-RMADCollectionItem Add-RMADFEComputer Add-RMADReplicationConsole Add-RMADStorageServer Backup-RMADCollection Close-RMADFEProject Compare-RMADObject Convert-RMADBackup ConvertTo-RMADRecycledObject Create-RMADStorageManagementAgentSetup Expand-RMADBackup Export-RMADBackup Export-RMADFERecoveryCertificate Export-RMADFEResult Get-RMADBackup Get-RMADBackupAgent Get-RMADBackupInfo Get-RMADBackupObject Get-RMADBackupSecurityStatus Get-RMADCollection Get-RMADCollectionItem Get-RMADDeletedObject Get-RMADFEComputer Get-RMADFEConsole Get-RMADFEDnsCache Get-RMADFEDomain Get-RMADFEEvent Get-RMADFEGlobalOptions Get-RMADFEOperation Get-RMADFEPersistenceConnection Get-RMADFEProject Get-RMADFERecoveryAgent Get-RMADFESchedule Get-RMADGlobalOptions Get-RMADLicenseInfo Get-RMADObject Get-RMADReplicationConsole Get-RMADReplicationSchedule Get-RMADReplicationSession Get-RMADReplicationSessionItem Get-RMADReportObject Get-RMADReportObjectAttributes Get-RMADReportObjectChildren Get-RMADReportSession Get-RMADSession Get-RMADSessionItem Get-RMADSessionItemEvent Get-RMADStorageServers Import-RMADBackup Import-RMADFERecoveryCertificate Install-RMADBackupAgent Install-RMADFERecoveryAgent New-RMADCollection New-RMADFEProject New-RMADFERecoveryMedia New-RMADSchedule Open-RMADFEProject Publish-RMADBackupSecurityStatus Remove-RMADBackup Remove-RMADBackupAgent Remove-RMADCollection Remove-RMADCollectionItem Remove-RMADFEComputer Remove-RMADFERecoveryAgent Remove-RMADFESchedule Remove-RMADReplicationConsole Remove-RMADReplicationSchedule Remove-RMADReplicationSession Remove-RMADStorageServer Remove-RMADUnpackedComponent Rename-RMADCollection Restore-RMADDeletedObject Restore-RMADDomainController Restore-RMADObject Resume-RMADFERecovery Save-RMADFEProject Set-RMADCollection Set-RMADFEComputer Set-RMADFEDnsCache Set-RMADFEDomain Set-RMADFEGlobalOptions Set-RMADFEPersistenceConnection Set-RMADFERecoveryMode Set-RMADFESchedule Set-RMADGlobalOptions Set-RMADReplicationConsole Set-RMADReplicationSchedule Start-RMADFERecovery Start-RMADFEVerification Start-RMADReplication Start-RMADReportViewer Stop-RMADFEWorkflow Update-RMADBackupAgent Update-RMADFEProject Update-RMADLicense

Forest recovery overview

In general, a forest recovery is necessary if none of the domain controllers in the forest can function normally or if the corrupted domain controllers can spread dangerous data to other domain controllers. Some examples of forest-wide failures include:

  • None of the domain controllers can replicate with its replication partner.

  • Changes cannot be made to Active Directory at any domain controller.

  • New domain controllers cannot be installed in any domain.

  • All domain controllers have been logically corrupted or physically damaged to a point that business continuity is impossible (for instance, all business applications that depend on Active Directory are non-functional).

  • A rogue administrator has compromised the Active Directory environment.

  • An adversary intentionally or an administrator accidentally runs a script that spreads data corruption across the Active Directory forest.

  • An adversary intentionally or an administrator accidentally extends the Active Directory schema with malicious or conflicting changes.


When you encounter the symptoms of a forest-wide failure, work with Microsoft Customer Support Service to determine the cause of the failure and evaluate any possible remedies. Because of the complexity and critical nature of the forest recovery process, the recovery of the entire Active Directory forest should be viewed as a last resort. Please consult Microsoft Customer Support Service before you take a definitive decision.


Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition)

The following diagram shows the Recovery Manager for Active Directory deployment:


Recovery Manager for Active Directory is designed to ensure intuitive operation and close integration with the Windows operating system.


Permissions required to use Forest Recovery Console

Install Forest Recovery Console

The best practice is to install the Forest Recovery Console on a standalone computer. This allows you to avoid situations where a corruption in Active Directory prevents you from using the Forest Recovery Console. But if you install Recovery Manager for Active Directory on a machine within a domain, it is recommended to use local Administrative credentials (non-AD user account) to access the Forest Recovery Console machine.

Start and use Forest Recovery Console

Have Read access to the Recovery Manager for Active Directory backup registration database.

Access domain controllers in the recovery project

Be a member of the Domain Users group on each target domain.

Install or uninstall Forest Recovery Agent

Be a member of the local Administrators group on the target domain controller.

Access a backup

The best practice is to use a local user account instead of domain credentials to access a backup. This allows you to avoid problems with access to the backup storage when domain controllers are not available during recovery.

Perform project verification

The account under which you run Forest Recovery Console or the account that is configured for scheduled verification should have:

  • Read access to the backup database

  • Be a member of the local Administrators group on the target domain controller

  • Write access to the debug logs folder (Optional)

Сheck forest health if the "User authentication; RID Master and GC" operation option is selected on the General tab in the Check Forest Health dialog.

For more details, refer Checking forest health.

Have either domain administrator rights or all of the following permissions on the container for the test user account:

  • Create/Delete user objects Applies to: This object and all descendant objects

  • Full Control

Applies to: Descendant User objects

For information about using the Forest Recovery Console, see Forest Recovery Console.


Forest Recovery Console

Recovery Manager for Active Directory provides a Forest Recovery Console where you can manage and monitor the recovery of the entire Active Directory forest or specific domains.

Where to Install the Forest Recovery Console?

The best practice is to install the Forest Recovery Console on a standalone computer. For more details, see Best practices for recovering a forest.

When opened for the first time, the Forest Recovery Console starts a wizard that helps you retrieve the Active Directory forest infrastructure information and create a recovery project for the forest. For more information, see Managing a recovery project.

The Forest Recovery Console has the following elements:


Forest Recovery Console elements
  • Menu Bar - Provides commands allowing you to create, open, save, and manage a recovery project. For more information, see Managing a recovery project.

  • Toolbar - Provides buttons for managing the current recovery project. For more information, see Toolbar.

  • Project Summary - Provides information about the current project and allows you to manage active recovery alerts and pauses in the project. For more information, see Project summary.

  • List of Domain Controllers - Provides a list of domain controllers in the current project. You can sort or filter the entries in the list by a number of criteria. For more information, see List of domain controllers.

  • Domain Controller Recovery Settings and Progress - Allows you to manage recovery settings and view recovery progress for the domain controllers currently selected in the list. For more information, see Domain controller recovery settings and progress.

  • Events - Displays warnings and critical errors, if any, for the recovery project. This area is located in the bottom-right corner of the Forest Recovery Console window. To view critical errors, point to the red cross. To view warnings, point to the yellow exclamation sign. The yellow exclamation sign and red cross become available only when there are any warnings or critical errors for you to view.

In this section:

For more information on permissions required to use the Forest Recovery Console and recover an Active Directory forest or specific domains, see Permissions required to use Forest Recovery Console.


Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating