Recovery Manager for Active Directory Disaster Recovery Edition provides the ability to set up and use dedicated cloud storage locations for backups. Cloud Storage, in combination with primary (Tier 1) storage options, ensures that your critical backups are always available in case of disaster.
By using Cloud Storage you can store your AD and BMR backups in the cloud, ensuring that your backups are always accessible, and protect your backup files with storage account properties such as immutability policies and redundancy through different types of replication.
IMPORTANT: Use of Cloud Storage requires a Recovery Manager for Active Directory Disaster Recovery Edition license.
Requirements
Internet access available from the Recovery Manager for Active Directory console. The standard outbound HTTPS port 443 is used to upload data to Azure® Blob containers and Amazon S3 buckets.
Azure and/or Amazon S3 subscription(s) to create and manage Azure Storage accounts and containers and/or Amazon S3 accounts and buckets.
A method of creating and managing Azure and/or Amazon S3 storage accounts, containers, buckets, and policies for the storage account (lifecycle, immutability, and replication policies).
NOTE: Recovery Manager for Active Directory does not create the storage account or provide management features for it.
Best Practices
We recommend using immutable storage for your business-critical backups. Immutable storage protects your backups from being overwritten or deleted. For further guidance on configuring immutability policies, see the Microsoft Azure documentation (Configure immutability policies for containers) and the Amazon S3 documentation (Use Immutable Storage).
For high availability of your critical backups, geo-redundancy is highly recommended. Azure Storage accounts offer two options, Geo-zone-redundant storage (GZRS) and Geo-redundant storage (GRS); see Change how a storage account is replicated. Amazon S3 buckets offer two options, Cross-Region Replication (CRR) and Same-Region Replication (SRR); see Setting up replication.
To help identify immutable storage, a message appears below the selected container. For an immutable container it states: Backups uploaded to an immutable storage container cannot be modified or deleted for a user-specified interval. By configuring immutability policies in the Azure Portal or AWS Management Console, you can protect your backups from overwrites and deletes.
A minimum TLS version of 1.2 is recommended for the storage account.
NOTE: When an immutable S3 bucket is provisioned, it is important to enable default retention for newly placed objects, as immutability does not take effect immediately out of the box. There are two different retention modes which can be selected depending on project requirements:
User Scenario
Backup data for all domain controllers can be accumulated on primary storage, and at the same time you can make a copy of your backups on Cloud Storage. If disaster strikes, you could lose your backups on the primary (Tier 1) storage, and even your installation of Recovery Manager for Active Directory, but your Cloud Storage will remain in place.
To add Azure® Cloud Storage
Access to an Azure Cloud (Blob) Storage container is accomplished using a storage account connection string or a Shared Access Signature (SAS). A shared access signature is a URI that grants restricted access rights to Azure Storage resources. This can be done with an account-level SAS or a container-level SAS. With an account-level SAS, you can see the list of containers for the given storage account. With a container-level SAS, you see only the selected container in the list of containers.
In the Recovery Manager for Active Directory console, expand the Storage node and click the Cloud Storage node.
Click the Add Storage button at the bottom of the Cloud Storage pane. The Add Cloud Storage dialog box appears.
In the Storage Provider dropdown, select Azure Blob Storage.
Type an identifying name in the Display Name field. This name is used in the Recovery Manager console for the registered Azure cloud storage account and selected container.
To register cloud storage in Recovery Manager for Active Directory, specify the storage account connection string in the Connection String or Shared Access Signature URI field. The connection string is protected and will not be displayed.
To retrieve your Azure® storage account connection string:
Log in to the Azure® portal.
Select your Storage account and navigate to Access keys under the Security + networking section.
Click on the Show button and copy the Connection string.
In the Recovery Manager for Active Directory console, paste the Connection string in the Connection String or Shared Access Signature URI.
To register cloud storage in Recovery Manager for Active Directory using an account-level SAS URI, specify the account-level SAS URI in the Connection String or Shared Access Signature URI field. The SAS URI is protected and will not be displayed.
To retrieve an account-level SAS URI for your Azure® storage account:
Log in to the Azure® portal.
Select your Storage account and navigate to Shared Access Signature under the Security + networking section.
Select all Allowed services.
Select all Allowed resource types.
Under Allowed permissions select Read, Write and List.
Optionally enable Blob versioning permissions (not required for storage upload).
Optionally enable Allowed blob index permissions (not required for storage upload).
Ensure the Start and expiry date/time is set to something other than the default 8 hours, or your backups will fail when the Blob service SAS URL expires.
Click Generate SAS and connection string.
Copy the Blob service SAS URL.
In the Recovery Manager for Active Directory console, paste the Blob service SAS URL in the Connection String or Shared Access Signature URI.
To register cloud storage in Recovery Manager for Active Directory using a container-level SAS URI, specify the container-level SAS URI in the Connection String or Shared Access Signature URI field. The SAS URI is protected and will not be displayed.
To retrieve a container-level SAS URI for your Azure® storage account:
Log in to the Azure® portal.
Select your Storage Account and select Containers under the Data Storage Section.
Select the Container you require the container level SAS URI string for.
Navigate to Shared access tokens under Settings.
Select Read, Write and List permissions under the Permissions drop-down.
Ensure the Start and expiry date/time is set to something other than the default 8 hours, or your backups will fail when the Blob SAS URL expires.
Click on the Generate SAS Token and URL button and copy the Blob SAS URL.
In the Recovery Manager for Active Directory console, paste the Blob SAS URL in the Connection String or Shared Access Signature URI.
Select the Container. The available containers in the Azure® Cloud Storage are displayed in the drop-down list for the connected storage account. Containers protected with an immutability policy are displayed with (immutable) after the container name.
Note: To validate that you are connected to the correct Azure® storage account, compare the available containers in the drop-down field of the Add Cloud Storage dialog with the containers created in the Azure® portal. In the Azure® portal, the containers are listed under Data storage. RMAD supports only the Container data storage type. If a storage account has no containers, the dialog box prompts you to create at least one container in the Azure® Portal or to specify a connection string for another storage account.
Select one or more computer collections by selecting the checkbox next to the computer collection name in the Backups from selected collections will be copied to the cloud storage section.
Once a backup is created, the Active Directory® and BMR backups on primary storage (Tier 1) are copied to the registered and configured cloud storage container (Tier 2).
Click OK.
NOTE: If Email is configured, email notifications are sent for both failed and successful upload sessions to Cloud Storage. If the Send notification upon errors or warnings only setting is selected, a notification is sent only if the backup failed.
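As an added example (not part of this documentation), the following Python check reads the permission, expiry and protocol parameters of a SAS URL produced by either of the SAS procedures above and flags the conditions that make uploads fail or grant more than Read, Write and List. The storage account, container and signature value in the sample are constructed, and the 30-day minimum validity is an assumed local policy.

```python
"""Added example, not part of the RMAD documentation: sanity-check an Azure SAS URL
before pasting it into the Connection String or Shared Access Signature URI field.
MIN_VALIDITY is an assumed local policy; the sample values below are constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

REQUIRED_PERMISSIONS = set("rwl")  # Read, Write, List: what the procedures select
MIN_VALIDITY = timedelta(days=30)  # assumed; the portal default expiry is 8 hours


def check_sas_url(sas_url: str, now: datetime) -> list[str]:
    """Return findings for a SAS URL; an empty list means it looks usable."""
    parsed = urlparse(sas_url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []

    # Without spr=https the token is also accepted over plain HTTP.
    if parsed.scheme != "https" or params.get("spr") != "https":
        findings.append("SAS is not restricted to HTTPS")

    perms = set(params.get("sp", ""))
    missing = REQUIRED_PERMISSIONS - perms
    if missing:
        findings.append(f"missing permissions: {''.join(sorted(missing))}")
    if "d" in perms:
        findings.append("delete permission granted; backups could be removed with this token")

    expiry_raw = params.get("se")
    if expiry_raw is None:
        findings.append("no expiry (se) parameter")
    else:
        expiry = datetime.fromisoformat(expiry_raw.replace("Z", "+00:00"))
        if expiry <= now:
            findings.append("SAS has already expired")
        elif expiry - now < MIN_VALIDITY:
            findings.append(f"SAS expires in {expiry - now}; uploads will fail once it does")

    # An account-level SAS (srt present) must cover container and object resource types.
    if "srt" in params and not {"c", "o"} <= set(params["srt"]):
        findings.append("account SAS does not cover container and object resource types")
    return findings


# Constructed sample: a container-level SAS left at the default 8-hour validity.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SAS = ("https://examplestorage.blob.core.windows.net/rmad-backups"
              "?sp=rwl&st=2024-01-01T12:00:00Z&se=2024-01-01T20:00:00Z"
              "&spr=https&sv=2022-11-02&sr=c&sig=REDACTED")
```

Run `check_sas_url` on the URL copied from the portal before registering it; a non-empty result explains why uploads would fail or why the token grants more than needed.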
To add an Amazon Web Services® (AWS®) Cloud Storage
In the Recovery Manager for Active Directory console, expand the Storage node and click the Cloud Storage node.
Click the Add Storage button at the bottom of the Cloud Storage pane. The Add Cloud Storage dialog box appears.
In the Storage Provider dropdown, select Amazon S3 Storage.
Type an identifying name in the Display Name field. This name is used in the Recovery Manager console for the registered AWS® cloud storage account and selected bucket.
Note: An AWS Identity and Access Management (IAM) user account is needed in advance to create and finalize the AWS bucket location. See IAM Access Keys for more information.
To create an IAM account:
Create an IAM user; see Creating an IAM user in your AWS account for details.
Create or attach a policy for the IAM user created above that grants at least LIST and WRITE access to the S3 bucket where the RMAD backups are to be stored. This allows the account to see the intended bucket in the list and to write to that bucket, while holding only the minimum permissions necessary to perform the backups.
Note the user's access key ID and secret access key.
Note: To manage an IAM account or to generate a new access key for an existing user account see Managing access keys for IAM users for more information.
In the Access Key ID field, enter the ID for the AWS® Cloud Storage IAM account you are using. See Access Key ID and Secret Access Key for more details.
In the Secret Key field, enter the key to access the AWS® Cloud Storage. See IAM Access Keys for more details.
Select the Region. The available regions are displayed in the drop-down list for the connected storage account.
Select the Container. The available buckets in the AWS® Cloud Storage are displayed in the drop-down list for the connected storage account. Buckets protected with an immutability policy are displayed with (immutable) after the bucket name.
Select one or more computer collections by selecting the checkbox next to the computer collection name in the Backups from selected collections will be copied to the cloud storage section.
Once a backup is created, the Active Directory® and BMR backups on primary storage (Tier 1) are copied to the registered and configured cloud storage bucket (Tier 2).
Click OK.
NOTE: If Email is configured, email notifications are sent for both failed and successful upload sessions to Cloud Storage. If the Send notification upon errors or warnings only setting is selected, a notification is sent only if the backup failed.
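As an added example (not the product's own code), the following Python builds the least-privilege IAM policy described in the IAM account steps above (list the target bucket, write objects into it) and audits a policy document for Allow statements that go beyond that. The bucket name is a constructed placeholder, and the set of flagged actions is an assumption about what a backup-upload identity should not hold.

```python
"""Added example, not from the RMAD documentation: build the least-privilege IAM
policy the steps above call for (LIST the target bucket, WRITE objects into it)
and audit a policy document for grants beyond that. The bucket name is constructed."""
import json

BUCKET = "example-rmad-backups"  # constructed placeholder; substitute the real bucket

# Actions a backup-upload identity does not need (assumed set); any of them, or an
# action wildcard, lets the identity tamper with existing backups or bucket protections.
OVERBROAD_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                     "s3:PutBucketPolicy", "s3:PutObjectRetention", "s3:PutObjectLegalHold",
                     "s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration"}


def minimal_backup_policy(bucket: str) -> dict:
    """Allow only ListBucket on the bucket itself and PutObject on its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListTargetBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "WriteBackups", "Effect": "Allow",
             "Action": ["s3:PutObject"], "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def audit_policy(policy: dict, bucket: str) -> list[str]:
    """Return findings for Allow statements that exceed list-and-write on one bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        # IAM accepts either a single string or a list for both fields.
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action in OVERBROAD_ACTIONS or action.endswith("*"):
                findings.append(f"{sid}: action {action} exceeds list/write")
        for res in resources:
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res} is not limited to bucket {bucket}")
    return findings


if __name__ == "__main__":
    print(json.dumps(minimal_backup_policy(BUCKET), indent=2))
```

The printed document can be attached to the IAM user as an inline policy; run `audit_policy` against any existing policy on that user to confirm it stays within list-and-write on the backup bucket.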
To view all registered Cloud Storage in Recovery Manager for Active Directory
In the Recovery Manager for Active Directory console, expand the Storage node.
Select the Cloud Storage node in the console tree.
All registered cloud storage is displayed in the Cloud Storage pane. The storage name, the assigned storage container or bucket, all associated computer collections, the storage type, and an indicator of whether the upload sessions succeeded or failed are displayed.
To export a list of all registered Cloud Storage to a text file
In the Recovery Manager for Active Directory console, select the Storage node, then right-click Cloud Storage.
In the menu shown, click Export Servers…
In the Export storage servers dialog, select a location to save the file, enter a file name, and click Save.