Chat now with support
Chat with Support

Recovery Manager for AD Forest Edition 10.0.1 - User Guide

Overview Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Creating backups Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Icons in the user interface Getting and using help Configuring Windows Firewall Using Computer Collections Managing Recovery Manager for Active Directory configuration Licensing
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up System State components Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Fault tolerance Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Install Active Directory from Media recovery method Install Active Directory recovery method Managing Forest Recovery Agent Rebooting domain controllers manually Specifying fallback IP addresses to access a domain controller Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Forest recovery overview Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Using Management Shell Creating virtual test environments Using Recovery Manager for Active Directory web interface Appendices
Frequently asked questions Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Step 3: Start recovery

To start the recovery

  • On the toolbar, click Start Recovery.

Recovering SYSVOL

Recovery Manager for Active Directory Forest Edition supports authoritative restore of SYSVOL on the selected domain controllers. Authoritative SYSVOL restores are used in case of critical situations such as divergence of data in the content of the SYSVOL share.


  • If you have very large backups and the backup data is stored on a remote computer (not on domain controllers), you do not need to specify the backups for non-authoritative domain controllers in Forest Recovery Console to restore the SYSVOL data. When the backup is not selected, the SYSVOL data is replicated from the authoritative domain controller by the replication service. In this case, the full backup information is not copied to the domain controller that saves the disk space.

  • Along with the SYSVOL restore, Recovery Manager for Active Directory Forest Edition allows you to perform the non-authoritative restore of RODCs using the Restore SYSVOL recovery method.

To restore the SYSVOL folder from backup, perform the following steps

  1. Open your recovery project where the authoritative restore of SYSVOL will be performed.
  2. On the menu bar, click Tools | Recovery Project Settings.
  3. Open the Recovery Mode tab.
  4. In the Recovery scope drop-down list, select SYSVOL Recovery. If the SYSVOL Recovery scope is selected, the Restore SYSVOL method is set on the Settings tab in the domain controller recovery settings and cannot be changed.
  5. Select the check boxes next to the domains you want to recover and specify a domain controller for each domain to perform the authoritative restore. If the domain controller is not specified, it will be selected automatically. For more information, see How does Recovery Manager for Active Directory Forest Edition select a DC for an authoritative (primary) restore of SYSVOL during forest recovery.
  6. Optionally, you can specify default credentials to access domain controllers in the selected domains.
  7. Click OK.

Deleting domains during recovery

When recovering an Active Directory forest, you can use Recovery Manager for Active Directory Forest Edition to selectively delete particular domains from the forest being recovered. You may need to delete domains when, for example, the account you use to recover an Active Directory forest does not have sufficient permissions to access and recover some domains in the forest. In this case, you may want to sacrifice these domains and recover the forest without them.


  • You cannot selectively recover domains and delete domains at the same time. During recovery, use only one of these two features. For more information about selectively recovering domains, see Selectively recovering domains in a forest.
  • You cannot delete the root domain of the forest being recovered.

To delete a domain from the forest being recovered, you need to set the recovery method for all DCs in that domain to Do not recover. Then, after you run the recovery operation, Recovery Manager for Active Directory Forest Edition does the following:

  • Deletes the domain’s partition.
  • Cleans up metadata of all DCs in the domain from the forest.

To delete a domain while recovering an Active Directory forest

  1. In the Forest Recovery Console, open or create a recovery project.
  2. Set the recovery method for all DCs in the domain you want to delete to Do not recover:
    1. Select a DC in the list.
    2. On the Settings tab, from the Recovery method list, select Do not recover.
  3. Specify other settings for your recovery project as appropriate, and then click Start Recovery on the toolbar.

Resuming an interrupted forest recovery

Recovery Manager for Active Directory Forest Edition provides the Fault Tolerance feature that allows you to resume the last forest recovery operation in case it was unexpectedly interrupted by one of these events:

  • You close the Forest Recovery Console while the forest recovery operation is still running.
  • The Forest Recovery Console unexpectedly shuts down partway through the forest recovery operation.
  • The computer running the Forest Recovery Console powers off while the forest recovery operation is still running.

Important: The Fault Tolerance feature does not allow you to resume a forest recovery operation you canceled from the Forest Recovery Console (for example, by clicking the Abort button).

When the Fault Tolerance feature is enabled, it constantly saves the current forest recovery operation state to a dedicated SQL Server database named ForestRecovery-Persistence. Each time you start the Forest Recovery Console, a check is performed to see whether the last forest recovery operation was interrupted by any of the events listed earlier in this section. If that is true, the Forest Recovery Console prompts you to resume the forest recovery from the point at which it was interrupted.

In case you choose not to resume an interrupted forest recovery operation and select the Delete last recovery session data option in the Resume Recovery wizard, the saved session state will be permanently deleted from the ForestRecovery-Persistence database.

Permissions required to access the ForestRecovery-Persistence database
  • Add an account that is used to access the ForestRecovery-Persistence database as the Security Login in SQL Server Management Studio. The public role will be automatically granted to the user account on the Server Roles tab of Login Properties.
  • Add users mapped to this Login and assign the db_datareader role on the User Mapping page of the Login Properties to use the account as the Forest Recovery project reader.
  • Explicitly grant the Execute right on the Permissions tab of the ForestRecovery-Persistence database Properties.This permits to use the account for the Restore operation.

For the Fault Tolerance feature, all involved console instances must have the same SSL certificate that is used to communicate with Forest Recovery Agents without using the domain access credentials.

To share the SSL certificate between console instances

  1. Open or create a recovery project in Forest Recovery Console.
  2. On the menu bar, select Tools | Fault Tolerance.
  3. Click Export certificates... and specify the certificate file location and access credentials.
  4. Save the certificate file.
  5. Then, launch another instance of Forest Recovery Console.

    Important: Before you import the certificate file, you must uninstall Forest Recovery Agents on all domain controllers that were processed via this console, if any. For that, on the menu bar, select Tools | Manage | Forest Recovery Agent or DCs. In the dialog box that opens, select all domain controller and click the Uninstall Agent button.

  6. On the menu bar, select Tools | Fault Tolerance| Import certificates..., specify the certificate file and click Open.
  7. Reinstall the agents if they were uninstalled.
  8. For security reasons, remove the certificate file from your computer after the Fault Tolerance feature will be configured.

To modify the fault tolerance settings for a recovery project

  1. In Forest Recovery Console, select Tools | Fault Tolerance| Settings from the toolbar.
  2. In the Fault Tolerance Settings dialog, use the following options:

Table 36: Recovery persistence settings

Option Description
Enable fault tolerance Allows you to enable or disable the Fault Tolerance feature by selecting or clearing this check box.
SQL Server name and instance Allows you to specify the SQL Server instance in which you want to store the current forest recovery operation state. To specify a SQL Server instance, use the format <SQLServerName>/<Instance>. The forest recovery operation state is saved to a SQL Server database named ForestRecovery-Persistence. If the ForestRecovery-Persistence database does not exist in the SQL Server instance you specify, it will be created there. If the ForestRecovery-Persistence database already exists in the SQL Server instance you specify, the data in that database will not be erased until you start a new forest recovery operation. Until that moment, you can resume the interrupted forest recovery operation whose state is held in the specified ForestRecovery-Persistence database.
Authentication method

Allows you to select a method for authenticating on the specified SQL Server.

  • Use Windows authentication. Allows you to authenticate with the user account under which the Forest Recovery Console is currently running.
  • Use SQL authentication. Allows you to authenticate with the user name and password specified in this option. This authentication method is recommended when Recovery Manager for Active Directory Forest Edition uses the ForestRecovery-Persistence database that is hosted on an external SQL Server computer and not on the Recovery
List of consoles Shows the list of Forest Recovery Consoles configured to support the Fault Tolerance feature.
Related Documents