Recovery Manager for AD Disaster Recovery Edition 10.3.2 - User Guide


Create virtual machines in VMware ESXi

The process of booting the virtual machine with the Quest® Recovery Environment image can be automated by VMware ESXi®. You can then use the Restore Active Directory® to Clean OS recovery method or the Install Active Directory recovery method to restore Active Directory® on the virtual machine.

Supported versions

VMware vCenter® / VMware ESXi™ Server 6.0, 6.5, 6.7, 7.0 and 8.0

For Clean OS recovery

To create a virtual machine in VMware ESXi™

  1. In Forest Recovery Console, select the DC that you want to recover and open the Infrastructure tab.

  2. Select the Domain Controller to be created as a virtual machine in VMware ESXi™.

  3. From the Recovery Method drop-down list, select Restore Active Directory on Clean OS.


For Install Active Directory recovery

To create a virtual machine in VMware ESXi™

  1. In Forest Recovery Console, select the DC that you want to recover and open the Infrastructure tab.

  2. Select the Domain Controller to be created as a virtual machine in VMware ESXi™.

  3. From the Recovery Method drop-down list, select Install Active Directory.


  4. In the Server access credentials section, type the user name and password that you want to be created as a local account on the new virtual machine in VMware ESXi™. These credentials are used during the Forest Recovery process.

    NOTE: You cannot use 'Administrator' in the Local user name field as this name is reserved in VMware ESXi™.

  5. In the Additional Settings section, make the selections for Domain Controllers.

    • Install the domain controller as a read only: Select the check box to install the domain controller as a read-only domain controller.

    • Configure the domain controller as a global catalog server: Select the check box (default) to configure the domain controller as a global catalog server.

    • Install DNS server on the domain controller: Select the check box (default) to install the DNS server on the domain controller.

    • Preferred DNS server: The default is Select automatically. Click on the change button to change the settings.

    • Replication source DC: Displays the Replication source domain controller.

  6. In the Backup Access Credentials section, type the user name and password to access the selected backup file. Backup Access Credentials are not required if the backup is located on the target domain controller. The backup file must be accessible from the Forest Recovery Console and from the newly created DCs in Azure®. For example, if your backup is located on a file share in VMware ESXi™, supply credentials with access to the file share.

    NOTE: The backup file must be accessible from both the Forest Recovery Console server and the newly created DCs in the VMware ESXi™ virtual network. For example, the backup may be located on a VMware ESXi™ file share, or access from the VMware ESXi™ virtual network to backup files located on premises may be configured by setting up a Site-to-Site VPN connection.

    Users can set their OS default timezone, as well as Locale (Only applicable to Hyper V and VMWare):

    Set-RMADFEGlobalOptions -OSImageDefaultTimeZone "Atlantic Standard Time" -Save
    Set-RMADFEGlobalOptions -OSImageDefaultLocale "fr-FR" -Save

    NOTE: The .ISO image is created when Verify Settings is run. To change RMADFEGlobalOptions after Verify Settings has run, first delete the ISO image from both the RMAD console server and the storage location for the VM, then run Verify Settings again to regenerate the ISO.

    For example, the OS image is found on the console server at:
    C:\ProgramData\Quest\Recovery Manager for Active Directory\Cache\OSImage

    The OS image is then copied to the storage location set on the Infrastructure tab in the Forest Recovery Console, for example:
    B:\vms\QuestRecoveryImages

Configuring in a VMware ESXi™ Environment
  1. Select the Infrastructure tab, then select VMware ESXi from the drop-down menu.

  2. To configure the infrastructure template, click Edit. For more information, see Specifying recovery project settings.

  3. Specify the connection settings for the VMware ESXi™ host.

    • Server: - Select the drop down for http:// or https://, enter the Fully Qualified Domain Name for the VMware ESXi™ host, and the port 80 or 443.

    • User name: - Enter the user name to access the VMware ESXi™ host.

    • User password: - Enter the password to access the server.

  4. Specify the Infrastructure Settings for the VMware ESXi™ host.

    • ESXi host: - Using the drop down, select the VMware ESXi™ host. Click on the Refresh button to get a list of hosts available.

    • Network: - Using the drop down, select the virtual network associated with the VMware ESXi™ host.

    • Storage: - Use the drop down and select the storage that the VMware ESXi™ host is to use.

  5. Under the Target Virtual Machine, use the Name text box and enter a name for the virtual machine on the VMware ESXi™ host.

  6. Specify the Virtual machine settings for Target Virtual Machine on the VMware ESXi™ host with the following settings:

    • Overwrite the virtual machine if exists - Check this box to overwrite any virtual machine which exists that has the same name as the one you are creating.

    • Number of CPUs: - Specify the number of processors you want to have on the target virtual machine.

    • Memory size (GB): - Set the amount of random access memory you want to allocate to the target virtual machine.

    • Disk size - Select Auto Size or Set Size in GB, for the disk size you want to allocate to the target virtual machine.

  7. Specify the Windows image for the Operating System installation.

    • Image path - Specify the path for the Operating System image. The provided image should be in ISO/WIM format. The image can be either a standard one provided by Microsoft or a custom, customer-created golden image used in the organization to provision new servers. Once the image is specified, an edition (e.g. Standard, Datacenter + Core/UI) should be selected. Click on the Browse… button to browse for the location of the image you wish to use.

    • Edition - Select the edition (e.g. Standard, Datacenter + Core/UI) for the Operating System.

    • Product key - The product key should be provided for the installation. If no key is specified a generic volume license key will be used.

    • VMWare Tools path: - Specify the path for the VMWare Tools which will be installed on the Operating System. Click on the Browse… button to browse for the location of the VMWare Tools to use.

  8. To configure the infrastructure template for vCenter, click Edit. For more information, see Specifying recovery project settings.


  1. Specify the connection settings for the VMware vCenter® host.


  2. Specify the connection settings for the VMware vCenter® host.

    • Server: - Select the drop down for http:// or https://, enter the Fully Qualified Domain Name for the VMware vCenter® host, and the port 80 or 443.

    • User name: - Enter the user name to access the VMware vCenter® host.

    • User password: - Enter the password to access the server.

  3. Specify the Infrastructure Settings for the VMware vCenter® host.

    • ESXi host: - Select the drop down and select the VMware vCenter® host. Click on the Refresh button to get a list of hosts available.

    • VM Folder: - Select the drop down and select a folder on the VMware vCenter® host to use.

    • Network: - Select the drop down and select the virtual network associated with the VMware vCenter® host.

    • Storage: - Select the storage that the VMware vCenter® host is to use.

  4. For Target Virtual Machine, use the Name text box to type a name for the virtual machine on the VMware vCenter® host.

  5. Specify the Virtual machine settings for Target Virtual Machine on the VMware vCenter® host with the following settings:

    • Overwrite the virtual machine if exists - Check this box to overwrite any virtual machine which exists that has the same name as the one you are creating.

    • Number of CPUs: - Specify the number of processors you want to have on the target virtual machine.

    • Memory size (GB): - Set the amount of random access memory you want to allocate to the target virtual machine.

    • Disk size - Select Auto Size or Set Size in GB, for the disk size you want to allocate to the target virtual machine.

  6. Specify the Windows image for the Operating System installation.

    • Image path - Specify the path for the Operating System image. The provided image should be in ISO/WIM format. The image can be either a standard one provided by Microsoft or a custom, customer-created golden image used in the organization to provision new servers. Once the image is specified, an edition (e.g. Standard, Datacenter + Core/UI) should be selected. Click on the Browse… button to browse for the location of the image you wish to use.

    • Edition - Select the edition (e.g. Standard, Datacenter + Core/UI) for the Operating System.

    • Product key - The product key should be provided for the installation. If no key is specified a generic volume license key will be used.

    • VMWare Tools path: - Not used for VMware vCenter® host.

    • ESXI host user name: - Enter the user name to access the VMware ESXi™ host.

    • ESXI host user password: - Enter the password to access the VMware ESXi™ host.

NOTE

A custom image (Golden Image) that has been configured with any other software considered standard can be used for deployment. The image may or may not be prepared with sysprep ahead of time and must be in ISO format only (WIM will not function).

  1. In the Server access credentials section, type the user name and password that you want to be created as a local account on the new virtual machine in VMware ESXi™. These credentials are used during the Forest Recovery process.

  2. In the Backup Access Credentials section, type the user name and password to access the selected backup file. Backup Access Credentials are not required if the backup is located on the target domain controller. The backup file must be accessible from the Forest Recovery Console and from the newly created DCs in VMware ESXi™. For example, if your backup is located on a file share in VMware ESXi™, supply credentials with access to the file share.

    NOTE: The backup file must be accessible from both the Forest Recovery Console server and the newly created DCs in the VMware ESXi™ virtual network. For example, the backup may be located on a VMware ESXi® file share, or access from the VMware ESXi™ virtual network to backup files located on premises may be configured by setting up a Site-to-Site VPN connection.

The product key should be provided for the installation. If no key is specified a generic volume license key will be used.

VMWare tools are required for VM provisioning. If the VMWare tools are not specified in the configuration, DRE will try to download the latest image from the hypervisor. ESXi credentials (if connected to vCenter) are required. The tools can also be downloaded manually from https://packages.vmware.com/tools/esx/

To run the OS install process automatically without any user interaction, answer files (unattend.xml) are used. See Windows Setup Automation Overview.

The Windows image, VMWare tools and answer file are used to create the virtual disk image (ISO) with the OS ready for automatic installation. The image is cached in the "%ProgramData%\Quest\Recovery Manager for Active Directory\Cache\OSImage" location to be reused for subsequent recoveries.

Cache can be enabled/disabled via the EnableOSImageCache FR Console setting: Set-RMADFEGlobalOptions -EnableOSImageCache $false -Save

The local cache location can be changed via the OSImageCachePath FR Console setting: Set-RMADFEGlobalOptions -OSImageCachePath "C:\Cache" -Save

The OS image is then copied to the QuestRecoveryImages folder in the selected VMWare datastore and used to create a new VM.

The Windows installation is performed automatically, including the initial system configuration (setting up the administrator credentials, disabling the firewall, configuring the locale, etc.). After the OS installation is complete, the network configuration setup is run based on the settings in the forest recovery project, and the disk layout is created based on the information from the backup.

After the network setup the Clean OS recovery workflow will proceed with AD recovery the same way as it does now.

 

Bare metal forest recovery

Active Directory® failure, which includes corrupted, completely lost, or unbootable domain controllers, is something that scares any administrator. There can be a lot of reasons for the loss of valuable data. It can be caused by any error, a virus, or a natural disaster. With our disaster recovery plan, you get an insurance policy for your business information.

This section contains recommendations for recovering an Active Directory® forest if forest-wide failure renders all domain controllers (DCs) in the forest incapable of functioning normally.

 

Bare metal recovery requirements and limitations

NOTE

Domain controllers that are running on virtual machines in Amazon Web Services™ (AWS™) or Microsoft Azure® cannot be restored with the Bare Metal Active Directory® Recovery method because there is no way to boot such DCs from an ISO image.

Backup storage requirements
  • If you do not want to encrypt BMR backups, we recommend that you enable the Server Message Block (SMB) Encryption feature (SMB version 3.0 and higher) on the network share to secure the network connection. For more details on how to turn on SMB Encryption, see SMB security enhancements. Note that backed up domain controllers must support SMB Encryption as well.

  • The best practice is to store backups in a repository that is located in the same Active Directory® site, because network access is faster.

  • For Windows Server® 2008 R2, BMR backups that are stored on the Forest Recovery Console host are not supported.

  • The account that is used to access the BMR backups location must have Read and Write permissions for that location.

  • If the process of creating a Windows Server® 2008 R2 BMR backup completes with an error similar to "The sector size of the physical disk on which the virtual disk resides is not supported", make sure that the disk sector size on the target machine (NAS device or similar) is equal to 512 bytes. For instance, NetApp® ONTAP® operating system uses the following command:

    vserver cifs options modify -file-system-sector-size 512
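
One way to check the SMB Encryption recommendation above on a Windows file server that hosts the backup share, as an added example (not Quest's own code). The share name BMRBackups and the -Enable switch are placeholders introduced here; the SmbShare cmdlets are the standard Windows Server ones.

```powershell
# Added example: report, and optionally enable, SMB Encryption on the share
# that holds unencrypted BMR backups. Run elevated on the file server.
# 'BMRBackups' is a placeholder share name, not a value from the product.
param(
    [string]$ShareName = 'BMRBackups',
    [switch]$Enable          # without -Enable the script only reports
)
$ErrorActionPreference = 'Stop'

$share  = Get-SmbShare -Name $ShareName
$server = Get-SmbServerConfiguration

[pscustomobject]@{
    Share                   = $share.Name
    Path                    = $share.Path
    ShareEncryptData        = $share.EncryptData
    ServerEncryptData       = $server.EncryptData
    RejectUnencryptedAccess = $server.RejectUnencryptedAccess
    Smb1Enabled             = $server.EnableSMB1Protocol
} | Format-List

# Encryption is in force if it is set on the share or server-wide.
if (-not ($share.EncryptData -or $server.EncryptData)) {
    if ($Enable) {
        Set-SmbShare -Name $ShareName -EncryptData $true -Force
        Write-Output "SMB Encryption enabled on \\$env:COMPUTERNAME\$ShareName"
    } else {
        Write-Warning "SMB Encryption is OFF for '$ShareName'. Re-run with -Enable to turn it on."
    }
}

# Backed up domain controllers must support SMB Encryption too. Sessions that
# negotiated a dialect below 3.0 cannot encrypt and are refused while
# RejectUnencryptedAccess is True, so list them before relying on the setting.
$legacy = Get-SmbSession | Where-Object { [version]$_.Dialect -lt [version]'3.0' }
if ($legacy) {
    Write-Warning 'Clients connected with a pre-3.0 SMB dialect:'
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect
}
```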

Backup requirements and limitations

Active Directory® does not allow the use of a backup with an age that exceeds the Active Directory® tombstone lifetime (default is 180 days). But if there is a RMAD BMR backup that is older than 180 days and a more recent Active Directory® backup, you can successfully perform the restore operation.

Blue Screens on Bare Metal Restore

Verify Settings for a BMR project succeeds, but when the actual restore task runs, the VMs are created and then, after running for a while, blue screen and go into automatic repair mode.

This is caused by a known problem with the WinRe.wim file for Windows Server® 2019. The only workaround is to use the WinRe.wim from Windows Server® 2022 or 2025.

The file can be found on the Windows Server® 2022 or 2025 installation media. Load a Windows Server® 2022 or 2025 distribution ISO, then use the following command to mount install.wim (C:\MNT is an empty folder used as the mount point):

dism /mount-wim /wimfile:D:\sources\install.wim /index:1 /mountdir:C:\MNT /Readonly

Locate the file WinRe.wim at C:\MNT\Windows\System32\Recovery\WinRe.wim.

Copy it to another location and unmount install.wim with:

dism /unmount-wim /mountdir:C:\MNT /discard

and unmount the distribution ISO.

Once you have WinRe.wim, copy it to the RMAD server and place it in the path:

C:\ProgramData\Quest\Recovery Manager for Active Directory\Cache\WinRe\10.0\WinRe.wim

and run your project again.
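
The steps above as a single script, added here as an example (it is not part of the product). It uses the dism commands and paths from the text, keeps the replaced file so the change can be rolled back, and records the SHA-256 of the file placed in the cache; the staging folder under %TEMP% is an assumption of this example.

```powershell
#requires -RunAsAdministrator
# Added example: the WinRe.wim replacement steps from this section as one script.
# Paths are the ones used in the text; adjust the ISO drive letter as needed.
param(
    [string]$WimFile  = 'D:\sources\install.wim',   # on the loaded 2022/2025 ISO
    [string]$MountDir = 'C:\MNT',                   # must be an empty folder
    [string]$CacheDir = 'C:\ProgramData\Quest\Recovery Manager for Active Directory\Cache\WinRe\10.0'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $WimFile)) { throw "install.wim not found: $WimFile" }
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
if (Get-ChildItem -LiteralPath $MountDir -Force) { throw "$MountDir is not empty" }

# Work in a fresh staging folder so no earlier copy can get in the way.
$stagingDir = Join-Path $env:TEMP ('winre-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $stagingDir | Out-Null
$staged = Join-Path $stagingDir 'WinRe.wim'

$mounted = $false
try {
    dism.exe /mount-wim "/wimfile:$WimFile" /index:1 "/mountdir:$MountDir" /Readonly
    if ($LASTEXITCODE -ne 0) { throw "dism /mount-wim failed with exit code $LASTEXITCODE" }
    $mounted = $true

    # WinRe.wim is Hidden+System: copy it by exact path, then clear the
    # attributes on the staged copy so later steps can see it.
    $source = Join-Path $MountDir 'Windows\System32\Recovery\WinRe.wim'
    [System.IO.File]::Copy($source, $staged)
    [System.IO.File]::SetAttributes($staged, [System.IO.FileAttributes]::Normal)
}
finally {
    if ($mounted) {
        dism.exe /unmount-wim "/mountdir:$MountDir" /discard
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "dism /unmount-wim failed ($LASTEXITCODE); unmount $MountDir manually"
        }
    }
}

# Keep the file being replaced so the change can be rolled back.
New-Item -ItemType Directory -Path $CacheDir -Force | Out-Null
$target = Join-Path $CacheDir 'WinRe.wim'
if (Test-Path -LiteralPath $target) {
    [System.IO.File]::SetAttributes($target, [System.IO.FileAttributes]::Normal)
    Move-Item -LiteralPath $target -Destination (Join-Path $stagingDir 'WinRe.wim.previous')
}
Copy-Item -LiteralPath $staged -Destination $target

# Confirm the copy and record the hash of what now sits in the recovery cache.
$stagedHash = (Get-FileHash -LiteralPath $staged -Algorithm SHA256).Hash
$targetHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($stagedHash -ne $targetHash) { throw "Hash mismatch after copy to $target" }
[pscustomobject]@{ Path = $target; SHA256 = $targetHash; StagingFolder = $stagingDir }
```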

If you don't have a Windows Server® 2022 or 2025 image or ISO, you may download one directly from Microsoft Evaluation Center Site - Windows Server 2022 or Microsoft Evaluation Center Site - Windows Server 2025.

Additional Information
The WinRe.wim file is marked as a System and Hidden file by default, so you may not be able to see it in Windows Explorer. To confirm that the file exists, navigate to the folder described above and, from an administrative command prompt, type dir /AH (in PowerShell, dir -AH). This lists files with the hidden attribute, so you can confirm that the file exists and then copy it from the command prompt to the required locations.

During the Perform restore from backup step, if the RMAD console loses its connection to the Forest Recovery Agent on the domain controller during the BMR recovery, a message is displayed that refers you to Quest Knowledge Base article 4369133 and provides a link for more information.


Target system requirements
  • The number of physical disks on the target computer must be equal to or exceed the number of critical disks on the source machine at the time the backup was created. A critical disk contains critical volumes (volumes that contain the operating system's state).

  • The order of system partitions must be the same on the target disk as on the source one.

  • The physical disks on the target computer must be of the same size as the critical disks or larger.

  • If a source machine with the legacy BIOS firmware has physical disks of different sizes, it is critical to have the same physical disks order on the target machine. For example, if a source has two disks - disk 0 (90 GB), disk 1 (40 GB), the target should have the same 90-40 order.

  • The firmware on the target computer must be compatible with the configuration of the source disks.

    • If the physical disks on the source computer have the GPT partition style, the target computer must have UEFI firmware and must be booted in the UEFI mode.

    • If the physical disks on the source computer have the MBR partition style, then the target machine should be booted in the BIOS-compatibility mode (or just legacy BIOS mode).

Source partition style | BIOS (Target firmware) | UEFI (Target firmware)
GPT                    | Incompatible           | Compatible
MBR                    | Compatible             | Compatible (legacy BIOS-compatibility mode)
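
The target requirements and the compatibility table above, expressed as a pre-flight check. This is an added example, not code from the product: the function name, its parameters and the sample disks are hypothetical, and the disk-order rule is interpreted as a disk-by-disk size comparison.

```powershell
# Added example: evaluate a proposed bare metal target against the
# requirements listed in this section. All names here are hypothetical.
function Test-BmrTargetCompatibility {
    param(
        # Critical disks of the source DC in disk-number order, as objects with
        # SizeGB and PartitionStyle ('GPT' or 'MBR'). On a live DC,
        # Get-Disk | Where-Object { $_.IsBoot -or $_.IsSystem } approximates this.
        [Parameter(Mandatory)] [object[]]$SourceDisks,
        [Parameter(Mandatory)] [ValidateSet('BIOS', 'UEFI')] [string]$SourceFirmware,
        # Target disk sizes in GB, in disk-number order.
        [Parameter(Mandatory)] [double[]]$TargetDiskSizesGB,
        # How the target will be booted: UEFI mode or legacy BIOS(-compatibility) mode.
        [Parameter(Mandatory)] [ValidateSet('BIOS', 'UEFI')] [string]$TargetBootMode
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Rule: at least as many target disks as source critical disks.
    if ($TargetDiskSizesGB.Count -lt $SourceDisks.Count) {
        $problems.Add("Target has $($TargetDiskSizesGB.Count) disk(s); source has $($SourceDisks.Count) critical disk(s).")
    }

    # Rule: target disks the same size or larger. For a legacy BIOS source with
    # disks of different sizes the order matters, so compare disk N with disk N;
    # otherwise compare largest with largest.
    $srcSizes = @($SourceDisks | ForEach-Object { [double]$_.SizeGB })
    $mixedSizes = @($srcSizes | Sort-Object -Unique).Count -gt 1
    if ($SourceFirmware -eq 'BIOS' -and $mixedSizes) {
        $src = $srcSizes
        $tgt = @($TargetDiskSizesGB)
    } else {
        $src = @($srcSizes | Sort-Object -Descending)
        $tgt = @($TargetDiskSizesGB | Sort-Object -Descending)
    }
    for ($i = 0; $i -lt [Math]::Min($src.Count, $tgt.Count); $i++) {
        if ($tgt[$i] -lt $src[$i]) {
            $problems.Add("Target disk at position $i is $($tgt[$i]) GB; source needs $($src[$i]) GB.")
        }
    }

    # Rule: the firmware table. GPT needs UEFI mode; MBR needs BIOS-compatibility mode.
    $styles = @($SourceDisks | ForEach-Object { $_.PartitionStyle } | Sort-Object -Unique)
    if ($styles -contains 'GPT' -and $TargetBootMode -ne 'UEFI') {
        $problems.Add('Source has GPT disks: target must have UEFI firmware and boot in UEFI mode.')
    }
    if ($styles -contains 'MBR' -and $TargetBootMode -ne 'BIOS') {
        $problems.Add('Source has MBR disks: boot the target in legacy BIOS-compatibility mode.')
    }

    [pscustomobject]@{ Compatible = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample, following the 90 GB / 40 GB case in the text.
$source = @(
    [pscustomobject]@{ SizeGB = 90; PartitionStyle = 'MBR' },
    [pscustomobject]@{ SizeGB = 40; PartitionStyle = 'MBR' }
)
# Same 90-40 order: compatible.
Test-BmrTargetCompatibility -SourceDisks $source -SourceFirmware BIOS `
    -TargetDiskSizesGB 90, 40 -TargetBootMode BIOS
# Disks swapped and target booted in UEFI mode: two problems reported.
Test-BmrTargetCompatibility -SourceDisks $source -SourceFirmware BIOS `
    -TargetDiskSizesGB 40, 90 -TargetBootMode UEFI | Select-Object -ExpandProperty Problems
```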
Bare Metal Backup encryption
  • It is recommended that you encrypt your Bare Metal Recovery backup by selecting the Encrypt and protect backups with password option (by default, this option is disabled) on the Backup tab in the collection properties. For details, see Creating BMR and Active Directory backups. In this case, not only the backup data stored on the remote share is encrypted, but the data transferred over the network during the backup operation is encrypted as well.

  • If Active Directory® backup encryption is enabled, the RMAD BMR backup will be encrypted by BitLocker. Recovery Manager for Active Directory uses a virtual hard disk encrypted by BitLocker as a container for the backup (256-bit AES encryption).

  • An encryption key for the backup is derived from the backup password and is not tied to a TPM chip (if any). This means that the encrypted RMAD BMR can be used on another machine, without or with another TPM chip. Only a backup password is required.

  • The BitLocker Drive Encryption feature should be installed on all backed up domain controllers and on the Forest Recovery Console machine to support encrypted BMR backups. But note that the BitLocker feature does not encrypt DC drives automatically. After the feature is installed, it is required to reboot the machine.

NOTE

After disaster recovery, volumes on the restored machine will not be BitLocker-protected. You must enable the BitLocker protection again, if required.

To enable backup encryption, see Enabling backup encryption.

 

Preparing backups

To restore the Active Directory data in case of failure, you must occasionally create a BMR backup for at least one domain controller in each domain in your environment along with the Active Directory® data backup.

What should you do?

  • Decide on a Backup Location: For BMR backups, the best practice in an enterprise environment is to deploy a dedicated backup server performing the role of an SMB repository with high disk I/O throughput to cope with the amount of backup data. You need to specify custom access credentials for the share to access the backup data even when Active Directory® is unavailable.

  • Create Backups: The backup schedule is defined by the customer based on the available resources and desired level of protection.

    • Bare Metal Recovery (BMR) Backup: It is recommended to prepare a BMR backup for a forest recovery because it can be restored to different hardware instances. The best practice is to create BMR backups only once a week to minimize the required storage space. Now only system critical volumes are included in a BMR backup by default. If you need to include additional volumes, see Creating BMR and Active Directory® backups.

    • Active Directory Backup: Standard Active Directory backup includes Active Directory-specific data, e.g. Active Directory data, registry, etc. It is recommended to create an Active Directory® backup daily. In case of critical failures (such as DC hardware failure or malware) it will be possible to fully restore the domain with the combination of the most recent BMR backups and latest Active Directory® backups.

For details on how to create backups, see Creating BMR and Active Directory backups.


Converting a Windows Server Backup to a RMAD BMR backup

Recovery Manager for Active Directory (RMAD) has the option to convert a Windows Server Backup to a RMAD BMR backup. Note that a Windows Server Backup cannot be converted to an encrypted backup.

Note: Such a converted BMR backup will have some minor limitations compared to DRE BMR backups. DRE BMR backups carry extra metadata about the source DC, which is not part of a native Windows Server Backup BMR backup.

To convert a Windows Server Backup and then register the resulting backup, use the following command:

PS C:\> Convert-RMADBackup \\backup_srv01\wsb\WindowsImageBackup \\backup_srv01\backups\dc1.vhdx | Add-RMADBackup

For Windows Server Backups, you have to specify the full path to the WindowsImageBackup folder.

For more details about RMAD PowerShell® Help, see the Management Shell Guide supplied with this release of the product.

 
