By default the Recovery Manager console uses its own set of TLS keys to communicate with the Secure Storage server. To set up a Secure Storage server to be available on multiple Recovery Manager consoles you must use the same set of TLS keys on each console.
Add Secure Storage server in primary console. Refer to Adding a Secure Storage server
Open or create a recovery project in Forest Recovery Console.
On the menu bar, select Tools | Fault Tolerance.
Click Export communication keys….
In File name:, the communication key file defaults to a location and file name, for example: C:\Users\administrator.RMAD.001\Documents\RMAD_NODE_2022-04-05_11-18.pfx
Enter and confirm a password to protect the file.
Click OK to save the key file.
IMPORTANT: Ensure communication keys and access credentials are kept secret and protected.
Then, launch the other instance of Forest Recovery Console.
On the menu bar, select Tools | Fault Tolerance | Import secure communication keys…. Browse and select the Secure Communication Keys file saved in step 7 and click Open.
Open the other instance of the Recovery Manager console.
In the Recovery Manager for Active Directory console, click the Secure Storage node.
In the Secure Storage Servers pane, click Add Server.
Type the DNS name or IP address of original existing Secure Storage server.
In the Agent port field, type port number used when Secure Storage server was first created.
From the Agent installation method drop-down list, select Manual (recommended).
Click OK.
After the Recovery Manager console connects to the existing Secure Storage agent running on the existing Secure Storage server, all backups will appear in the console for viewing.
WARNING |
It is not recommended to use Recovery Manager consoles that are in different forests because if one of the forests is breached it may affect the backups of the other forest. |
The Secure Storage server is used to store critical backups. A server can have multiple volumes available for storage of backup files. Recovery Manager for AD provides the ability to configure which volumes are allowed to store backups, the order of the volumes to be used or you can allow RMAD to determine which volume to use automatically.
If no policy is set for allowed volumes, the Secure Storage server will use the first volume found. The system drive with the operating system will only be selected if it is the only available volume on the server.
Ensure your Secure Storage server has sufficient space for storing of backup files. The amount of space used on each volume is displayed for the Secure Storage server and the available free space. Recommendation is to monitor available free space and ensure that there is space available for backups. If a volume is running out of free space, a warning icon will be displayed in the Properties dialog.
To configure the policy for allowed volumes on Secure Storage server
During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.
On the Secure Storage server, run Windows PowerShell®. The module will automatically be imported.
To configure backup retention policy, run the cmdlet Set-RMADStorageServerAllowedVolumes. For further details on Set-RMADStorageServerAllowedVolumes see the Management Shell Guide supplied with this release of the product.
To get the current policy for allowed volumes on Secure Storage server
During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.
On the Secure Storage server, run the PowerShell® console. The module will automatically be imported.
To configure backup retention policy, run the cmdlet Get-RMADStorageServerAllowedVolumes. For further details on Get-RMADStorageServerAllowedVolumes see the Management Shell Guide supplied with this release of the product.
After a Secure Storage server has been added, backups can be copied to the Secure Storage server. To enable and configure backups on the Secure Storage server you must enable backups for each Computer Collection separately. For more information on configuring backups on a Secure Storage server refer to Secure Storage server backups.
To view backups on Secure Storage server
In the Recovery Manager for Active Directory console, expand the Secure Storage node.
Select the Secure Storage server to view available backups on the server.
All backups will be listed in the Backups on the Secure Storage Servers pane.
Backups are displayed with information about the backup on the server including name of the domain controller, the domain, the date of the backup, the size of the backup, the OS version of the system backed up, status of any integrity check done on the backup, and the path of the location of the backup.
NOTE: Integrity checks are recorded as a Windows Eventlog event on the console during the integrity check. The events can be found in Applications and Services Log | Recovery Manager for Active Directory. If Email is configured, then email notifications are sent for integrity checks that are performed either after creating a backup (controlled by the Run an integrity check after creating a backup setting); or after creating a scheduled backup for the previous N sessions (controlled by the Check the integrity of previously created backups after a scheduled backup setting). The integrity check results are combined with the backup creation results and sent as a single message. If the Send notification upon errors or warnings only setting is selected, then an notification will only be sent if the integrity check report contains the results Backup file is corrupted or Integrity check failed. If all integrity checks are successful, no email notification will be sent.
Secure Storage is enabled and configured for each Computer Collection separately. When a backup is run for a Computer Collection with Secure Storage enabled, a copy of the backup is saved to the Secure Storage server.
Depending on what primary storages are set, backup can be sent from the local storage (console server), directly from domain controller or remote storage location. If only local storage is selected, then backup will be written to the console and then sent secure storage server from the console side. If remote storage is selected, the backup will be sent from remote storage despite the local storage setting.
NOTE |
If you use remote storage option and specify remote UNC path, be aware that the backup data will need to be transferred back to domain controller to be sent to secure storage server. To eliminate excessive traffic, set local path on domain controller either in Primary backup path or Additional backup path fields. The backup copy will be created locally and sent directly to secure storage server from domain controller. |
Prerequisites
You must have completed the following steps before you can copy backups to your Secure Storage server.
Secure Storage servers must be created and hardened.
Computer Collections must be created.
The backup type, either Standard (Active Directory®) or Full (Bare Metal Recovery), must be set for the Computer Collection.
NOTE |
Both Active Directory® and Bare Metal Recovery backups can be copied to a Secure Storage server. |
To enable a Secure Storage server for a Computer Collection
In the Recovery Manager for Active Directory console, expand the Computer Collections node.
Right-click the Computer Collection and select Properties.
On the Secondary Storage tab, select the Enable a Secure Storage server check box. Select the drop down box below Enable a Secure Storage server to choose the storage server to copy backup to. After creation and saving of backup to primary storage locations, a copy of the backup will be saved to the Secure Storage server.
Enable Secure Storage and select Secure Storage locations: Select this checkbox to enable Secure Storage. After creation and saving of backup to primary storage locations, a copy of the backup will be made to the configured Secure Storage locations. Select the checkbox for each registered Secure Storage location to be used for this backup. Computer collections can also be selected in Properties on the Secure Storage node.
An account to read data from remote storage location: Select an account that has read permission to the remote storage location. This account will be used to read the backup from remote storage and copy (upload) to Secure Storage. If the account is incorrect and does not have the proper permissions, the copy of the backup to Secure Storage will fail.
IMPORTANT |
Access credentials are required for reading backups on remote storage to copy to Secure Storage. There may be some cases where credentials have to be specified for both remote and local storage based on the types of primary and secondary storage configured for the computer collection. |
To create backups and copy them to the Secure Storage server
In the Recovery Manager for Active Directory console, expand the Computer Collections node.
Right-click the Computer Collection and select Create Backup.
After the backup file is created and saved to primary storage locations, the backup will be pushed to the configured Secure Storage server.
TIP |
You can schedule backup creation on the Schedule tab on the Computer Collections Properties window. |
To perform an integrity check
When a backup is created, a checksum is calculated for the backup file and saved in the backup file when the backup is registered. An integrity check recalculates the checksum and compares it to the checksum stored in the backup file.
In the Recovery Manager for Active Directory console, click on Secure Storage and expand the server node(s).
Click the Secure Storage server that contains the backup you want to perform the integrity check on.
In the Backups on the Secure Storage Server pane, click the backup to check, right click and select Check Integrity.
The following statuses can be displayed after running the integrity check:
Status | Description |
---|---|
Passed | The newly calculated checksum value matches the previously calculated checksum stored in the backup file. |
Unknown | The integrity check was not performed. |
Running | The integrity check is in progress. |
Failed | The backup is not accessible (wrong credentials) or may have been moved from the path. |
No Checksum | The previously calculated checksum could not be read. This could be due to the backup being created by a previous version of the product. The backup also may have been damaged in such a way that the checksum was also affected. |
Corrupted | The newly calculated checksum value does not match the previously calculated checksum stored in the backup file. |
NOTE: Integrity checks are recorded as a Windows Eventlog event on the console during the integrity check. The events can be found in Applications and Services Log | Recovery Manager for Active Directory. If Email is configured, then email notifications are sent for integrity checks that are performed either after creating a backup (controlled by the Run an integrity check after creating a backup setting); or after creating a scheduled backup for the previous N sessions (controlled by the Check the integrity of previously created backups after a scheduled backup setting). The integrity check results are combined with the backup creation results and sent as a single message. If the Send notification upon errors or warnings only setting is selected, then an notification will only be sent if the integrity check report contains the results Backup file is corrupted or Integrity check failed. If all integrity checks are successful, no email notification will be sent.
You can copy backups stored on the Secure Storage server to another location.
In the Recovery Manager for Active Directory console, click on Secure Storage and expand the server node(s).
Select the Secure Storage server that you want to copy backups from.
In the Backups on the Secure Storage Server pane, right-click the backup you want to copy and select Copy to. To select multiple backups, hold down CTRL, and click the backups.
In the Network path to copy the backup to field, type a network share where you want to copy the backup files.
In the User name and Password fields, type credentials that has write permissions for the network share.
Click OK.
The backups are copied to the provided network share and can now be registered for use within a recovery project. In the share, a new folder is created having the name of the parent folder the backups are stored in on the Secure Storage. Inside these folders, are the backups from the Secure Storage and have the same name as the backups on Secure Storage.
For example, if the backups on your Secure Storage are stored at:
\\172.16.0.4\D$\Recovery Manager Backups\ProgramData\Quest\
Recovery Manager for Active Directory\Backups\January\
then the folder, January will be created on the share and the backups will be in that folder.
NOTE |
If NTLM is disabled in your environment, the method Copy Backup is not available. |
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center