
Recovery Manager for AD Forest Edition 10.0.1 - User Guide


Opening a legacy recovery project

This section describes how to open a legacy Recovery Project (.frproj) file created with Forest Recovery Console 8.2 or earlier if FIPS-compliant algorithms are enabled on the Forest Recovery Console 8.6 or later computer.

Forest Recovery Console version 8.2 or earlier used hashing and encryption algorithms incompatible with FIPS. For this reason, to open a legacy .frproj file created with Forest Recovery Console version 8.2 or earlier, you need to temporarily disable FIPS-compliant algorithms on the Forest Recovery Console 8.6 or later computer.

To open a legacy recovery project

  1. On the Forest Recovery Console 8.6 or later computer, disable FIPS-compliant algorithms:
    1. Start the Group Policy Object Editor tool (gpedit.msc).
    2. In the console tree, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then select Security Options.
    3. In the right pane, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
    4. In the dialog box that opens, select Disabled and click OK.
  2. Restart the computer.
  3. In Forest Recovery Console 8.6 or later, open the legacy .frproj file, and then save it. By doing so, you update the project to use FIPS-compliant algorithms.
  4. Enable FIPS-compliant algorithms on the Forest Recovery Console 8.6 or later computer.

Note: To protect its data, the Forest Recovery Console version 8.6 or later uses the SHA-1 hashing algorithm and the Triple DES encryption algorithm that are FIPS-compliant. For more information about FIPS-compliant algorithms, see Microsoft Knowledge Base article 811833 “The effects of enabling the ‘System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing’ security setting in Windows XP and in later versions of Windows” at http://support.microsoft.com.
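
The procedure above leaves the computer with FIPS-compliant algorithms switched off until its last step is carried out, so it is worth confirming the state afterwards. The following Windows PowerShell 5.1 check is an added example, not part of the Quest documentation; the function name `Get-FipsPolicyState` is hypothetical, and the registry path is assumed to be the standard Windows location behind this security option.

```powershell
# Added example: report the FIPS policy state on the Forest Recovery Console computer.
# Assumption: the security option is backed by the standard Windows registry value
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled (1 = on, 0 = off).
function Get-FipsPolicyState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    )

    # A missing key or value is reported as "not enabled".
    $raw = (Get-ItemProperty -Path $Path -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PolicyEnabled   = ($raw -eq 1)
        # What the current .NET process reports; it can lag behind the registry
        # because the setting is read when the process starts.
        ProcessEnforces = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
        LastBoot        = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
        CheckedAt       = Get-Date
    }
}

$state = Get-FipsPolicyState
$state | Format-List

if (-not $state.PolicyEnabled) {
    # Expected only between disabling the policy and re-enabling it at the end of the procedure.
    Write-Warning ("FIPS-compliant algorithms are DISABLED on {0}. Re-enable the policy once the legacy .frproj file has been saved." -f $state.Computer)
}
elseif (-not $state.ProcessEnforces) {
    Write-Warning "The policy is enabled in the registry, but this PowerShell process does not report it. Start a new session and check again."
}
else {
    Write-Output "FIPS-compliant algorithms are enabled and reported by this process."
}
```

Run it from an elevated session on the console computer once before disabling the policy and once after re-enabling it, and keep both outputs with the change record.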

Saving a recovery project

To save the changes made to a recovery project

  • On the menu bar, select File | Save Project.

Updating a recovery project

It is recommended that you regularly update your recovery project so that it reflects the changes that have occurred in your Active Directory forest.

To update a recovery project

  1. Open the recovery project you want to update.
  2. On the menu bar, click Tools | Update Project with Changes in Active Directory.
  3. Follow the steps in the wizard to update your project.

Specifying recovery project settings

Each recovery project has a number of project-specific settings that allow you to control the various aspects of recovery. For example, you can use these settings to select how to handle the global catalog during recovery, configure balloon notifications displayed in the Forest Recovery Console, configure e-mail notification settings, select the Active Directory domains you want to recover, and enable or disable the Recovery Persistence feature that provides protection from an inadvertent shutdown of the Forest Recovery Console.

To specify the recovery project settings

  1. Open or create a recovery project.
  2. On the menu bar, select Tools | Recovery Project Settings.
  3. Use the tabs described in the table below to view or modify the recovery project settings.

Table 25: Recovery project settings

Tab Description
Recovery Mode

Displays a list of all domains in the current recovery project.

On this tab, you can use the following options:

  • Specify which type of restore operation you want to perform:

  • Specify the domains you want to selectively recover in the forest. For more information on how to selectively recover domains, see Selectively recovering domains in a forest.
  • For each domain, you can configure the domain controller where authoritative restore of SYSVOL will be performed.
  • You can specify default credentials to access domain controllers in the selected domain.
Global Catalog

Allows you to select how to handle the global catalog during recovery. This tab provides the following options:

  • Rebuild GC, advertise normally. Uses a standard Active Directory mechanism to remove and add the global catalog. By removing and then adding the global catalog you ensure that it contains no lingering objects and thus can avoid replication inconsistencies.

To advertise the rebuilt global catalog servers in DNS, this option uses the existing Global Catalog Partition Occupancy level specified in the system registry.

By default, a global catalog server is considered as ready to be advertised in DNS when all read-only directory partitions have been fully replicated to the new global catalog server. However, your particular forest may use a different setting. For this reason, it is recommended that you check the Catalog Partition Occupancy level specified in the system registry. If the default setting is used, then the Rebuild GC, advertise normally option is the safest and most reliable way to rebuild and advertise the global catalog during the recovery.

This option rebuilds the global catalog in the entire forest regardless of how many domains you are recovering.

  • Rebuild GC, advertise fast. Uses a standard Active Directory mechanism to remove and then add the global catalog. This option offers a faster way to advertise the rebuilt global catalog servers in DNS. As a result, this option can help you make a number of forest-wide services (for example, user logon and Exchange Server messaging) available to the users more quickly after the recovery.

When you select this option, the rebuilt global catalog servers will be advertised in DNS without waiting for the read-only directory partitions replication to fully complete. The trade-off of using this option is that the global catalog may include some inconsistencies until the global catalog servers have received the complete information from all the other domains in the forest.

This option rebuilds the global catalog only in the domains that you recover by using Recovery Manager for Active Directory Forest Edition.

  • Keep GC intact. Does not rebuild or change the global catalog in any way during the recovery. With this option, the global catalog servers will remain either in the state in which they were before the recovery started (this is true for the servers that are located in the domains you selected not to recover) or in the state to which they were restored from backup during the recovery.

In certain situations, this option might help you avoid global catalog downtime and make some forest-wide services available to the users more quickly. However, using this option greatly increases the risk of introducing lingering objects into the global catalog, which can lead to a corrupt forest. This can happen if the backups you use for the domain controllers differ greatly in age: such backups may contain inconsistencies that lead to lingering objects.

If you use this option, it is recommended that you manually reset the global catalog to ensure it does not include inconsistencies.

Notifications

Allows you to configure balloon notifications in the Forest Recovery Console to inform you if the backups selected for recovery were created at different points in time or if your recovery project is outdated.

  • Age difference of selected backups exceeds <Number> hours. When selected, notifies you if the age difference of backups selected for recovery exceeds the number of hours you specify in this option. This option helps you ensure that the backups you select are created at a similar point in time and therefore hold similar Active Directory states.
  • Recovery project was updated more than <Number> days ago. When selected, notifies you if the current recovery project was last updated more than the number of days you specify in this option.
  • Forest topology has changed (only checked at console startup). When selected, causes the Forest Recovery Console to check if the forest topology information in the current recovery project is outdated. This check is performed each time the Forest Recovery Console starts up.

Allows you to send e-mail notifications to specific recipients when the verification or recovery process is completed.

  • Verification process is completed. When the option is selected, the specified recipients will be notified that the verification process has been completed.
  • Recovery process is completed. When the option is selected, the specified recipients will be notified that the recovery process has been completed.
  • E-mail address. Use this text box to specify e-mail recipients.
E-mail

On this tab, you can configure e-mail notification settings. Recovery Manager for Active Directory Forest Edition will use these SMTP settings to send e-mail notification after the verification or recovery process has been completed.

NOTE: SSL data encryption is not supported for email notifications.

  • SMTP server. Specify the SMTP server for outgoing messages.
  • SMTP port. Specify the port number that will be used to connect to your SMTP server.
  • Sender email address. Specify the return address for your e-mail notification messages. It is recommended that you specify the e-mail address of the Recovery Manager for Active Directory administrator.
  • SMTP server requires authentication. When the option is selected, you will be prompted to provide credentials to log on to the SMTP server.
  • User name. Specify the account name used to log on to the SMTP server.
  • Password. Specify the user password.
  • Test settings. Sends a test notification message to the address specified in the Sender email address text box. Use this button to verify that the specified e-mail notification settings are valid.
Agents

On this tab, you can specify TCP ports that will be used by Forest Recovery Console to communicate with Forest Recovery Agent and Management Agent.

  • Connect to Management Agent using a specific TCP port. This agent is used to deploy other agents to the target server. Allows you to specify the TCP port number that will be used to connect to Management Agent installed on a target domain controller. If the option is not selected, RPC dynamic port range is used by default.
  • Management Agent will configure Windows Firewall exceptions. If this option is selected, Windows Firewall settings will be configured automatically for Management Agent.
  • Connect to Forest Recovery Agent using a specific TCP port. Allows you to specify the TCP port number that will be used to connect to Forest Recovery Agent installed on a target domain controller. If the option is not selected, RPC dynamic port range is used by default.
  • Forest Recovery Agent will configure Windows Firewall exceptions. If this option is selected, Windows Firewall settings will be configured automatically for Forest Recovery Agent.