With Recovery Manager for Active Directory, you can access the target domain controller by using either LDAP functions (agentless method) or the Restore Agent supplied with Recovery Manager for Active Directory (agent-based method). Each of these methods has its advantages, limitations, and requirements.
Table 7: Advantages and limitations of the agentless method

| Advantages | Limitations |
|---|---|
| | To restore some object attributes, such as User Password and SID History, you need to modify the Active Directory schema. For more information, see “Restoring Passwords and SID History” in the User Guide. |
The account with which Recovery Manager for Active Directory accesses the target domain controller must have specific permissions to perform data restore tasks:
Table 8: Required permissions

| Task | Required permission |
|---|---|
| Restore object attributes | Write access to the attributes to be restored |
| Restore a deleted object | |
| Restore cross-domain group memberships | Write access to universal and domain local groups in other domains. |
Table 9: Advantages and limitations of the agent-based method
The account with which Recovery Manager for Active Directory accesses the target domain controller must:
To meet the above requirements, the account must be a member of
When undeleting an object by using the agentless method, the Online Restore Wizard employs LDAP functions along with the Restore Deleted Objects feature provided by the Windows operating system. This feature restores only the attributes preserved in the object’s tombstone. The other attributes are restored from a backup. However, some attributes, such as Password and SID History, cannot be written using LDAP functions, and thus cannot be restored from a backup via the agentless method.
In many situations, the inability to restore the Password attribute from a backup is not a big problem as an object’s password can be reset after restoring the object. As for the SID History attribute, its restoration may be business-critical. An example is a situation where the domain from which the object was migrated is unavailable or decommissioned, and therefore SID History cannot be re-added.
To enable the restoration of these two attributes using the agentless method, the Active Directory schema may be modified so that these attributes are preserved in object tombstones. As a result, an undeleted object has the same Password and SID History as the object had when it was deleted.
As this solution requires schema modifications, it should be carefully considered. Microsoft recommends modifying or extending the schema only in extreme situations. Proceed with extreme caution, because making a mistake may render the directory service unstable, resulting in a reinstallation.
Often, organizations are reluctant to make changes to the schema because schema modifications may result in heavy replication traffic. It is not the case for the schema modifications described in this article as they do not affect the partial attribute set (PAS).
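Before and after a schema change of the kind described above, an administrator will want to confirm which of these attributes are actually preserved in tombstones and whether the partial attribute set is involved. The following read-only audit script is an added example, not part of this documentation or of Recovery Manager for Active Directory; it assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the schema partition, and that the page's "Password" attribute corresponds to the `unicodePwd` schema attribute.

```powershell
# Added example (not from the product documentation): report, read-only,
# whether selected attributes would survive in an object's tombstone.
# Tombstone preservation is controlled by the searchFlags attribute of the
# attributeSchema object; the bit with value 8 (fPRESERVEONDELETE) keeps the
# attribute when the object is deleted. isMemberOfPartialAttributeSet shows
# whether the attribute is in the PAS replicated to global catalogs.
Import-Module ActiveDirectory

$PreserveOnDelete = 8

function Get-TombstonePreservation {
    param(
        # Assumed lDAPDisplayName values for "SID History" and "Password".
        [string[]]$AttributeNames = @('sIDHistory', 'unicodePwd')
    )

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($name in $AttributeNames) {
        $attr = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
            -Properties searchFlags, isMemberOfPartialAttributeSet

        if (-not $attr) {
            Write-Warning "Attribute '$name' not found in the schema partition."
            continue
        }

        [pscustomobject]@{
            Attribute             = $name
            SearchFlags           = $attr.searchFlags
            PreservedOnDelete     = (($attr.searchFlags -band $PreserveOnDelete) -ne 0)
            InPartialAttributeSet = [bool]$attr.isMemberOfPartialAttributeSet
        }
    }
}

# Run against the current domain and show the result as a table.
Get-TombstonePreservation | Format-Table -AutoSize
```

A row with PreservedOnDelete set to False means an undeleted object will not carry that attribute unless it is written from a backup by another method; InPartialAttributeSet set to False confirms that changing the preserve flag does not touch global catalog replication.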
Note: Recovery Manager for Active Directory also provides an agent-based method for restoring or undeleting objects. With the agent-based method any attributes can be restored. The agent-based method does not require any schema modifications.