Recovery Manager for AD Forest Edition 10.0.1 - User Guide

Descriptions of recovery or verification steps

The next table describes the steps you may encounter in the Recovery Plan or on the Progress tab in the Forest Recovery Console while running a restore or verify settings operation.

Table 41: Recovery or verification steps

Step Description
Add global catalog

Adds the global catalog to the DC if:

  • The global catalog was removed from the DC during the recovery.
  • The recovery project settings specify to rebuild the global catalog.

If no global catalog servers were successfully restored from backup, the global catalog is added to the DC that was assigned the Schema Master role during the recovery.

Bring all disks online Makes all disks on the recovered domain controller online.
Check if promoting paths are valid Checks whether the "DIT database path", "Log files path" and "SYSVOL path" specified in the DC recovery settings are available.
Change global catalog partition occupancy level Sets the appropriate global catalog partition occupancy level to advertise the global catalog servers in DNS according to the recovery project settings. For more information on advertising the global catalog servers, see Specifying recovery project settings.
Clean up metadata of removed domain controllers Removes metadata of all domain controllers that were not restored from backup. This includes the domain controllers whose restore from backup has failed and those for which a recovery method other than Restore from backup has been selected.
Clean up metadata for domains that were not restored if necessary Cleans up metadata of the domains in which no DCs were successfully restored from backup or for which you specified to not recover any DCs.
Check if BitLocker is enabled Checks whether BitLocker Drive Encryption is enabled on the DC. Gets the BitLocker configuration if BitLocker is enabled.
Check if domain controller is read-only Checks whether the DC is read-only (RODC).
Check if computer is a domain controller Checks if the computer is a domain controller to ensure that restore from backup is possible.
Copy the backup file to domain controller If a backup is specified in the DC recovery settings, copies that backup file to the DC. If no backup is configured, this step is skipped.
Configure Forest Recovery Agent on restored machine Deploys and configures Forest Recovery Agent on the recovered domain controller.
Configure DNS server

Updates DNS server delegation and forwarding in accordance with the new IP address of a target machine.

When Active Directory-integrated DNS is used, Recovery Manager for Active Directory Forest Edition restores the DNS servers from backup and checks whether the restored DNS servers host different DNS zones. If they do, it restores delegation and forwarding between the domain DNS zones; all restored DNS servers in a given domain are configured as delegation and forwarding targets.

Detect current mode (DSRM or normal) Checks whether the DC is in normal mode or DSRM.
Disable BitLocker Disables BitLocker Drive Encryption if it is enabled on the DC.
Disable custom filters for passwords Disables any third-party custom password filters enabled on the DC. This step is required to ensure the filters do not block any password reset operations during the recovery.
Disable Windows Update Disables Microsoft Windows Update on the DC for the duration of the recovery to prevent the installation of updates and possible reboots of the DC.
Enable BitLocker Enables BitLocker Drive Encryption if it was disabled on the domain controller earlier in the recovery process.
Enable custom filters for passwords Enables the third-party custom password filters that were disabled on the DC earlier in the recovery process.
Enable domain controller isolation

Uses IPsec policies to restrict all traffic on the DC except for the following:

  • Network traffic to/from the Forest Recovery Console
  • Incoming RDP traffic
  • Incoming and outgoing ICMP traffic
  • Incoming and outgoing DNS traffic
  • File share access traffic
  • Internal TCP traffic

This step does not delete any existing IPsec policies.

If the DC is running Windows Server 2008 or later, this step also adjusts the parameters that would otherwise keep AD DS unavailable until replication of a writable directory partition has completed.

Enable the use of global catalog for user authentication Enables the use of the global catalog for user logon validation.
Enable Windows Update Re-enables Microsoft Windows Update on the DC.
Ensure global catalog is available Performs all necessary operations to ensure a global catalog server is available in the forest and functioning properly.
Ensure that the SYSVOL share is available Checks that the SYSVOL share is available on the DC.
Ensure that domain controller isolation is disabled

Disables any IPsec policies that were enabled during the recovery. Enables the IPsec policies that were in effect before the recovery started.

If the DC is running Windows Server 2008 or later, this step also restores the parameters that require a restarting DC holding operations master roles to complete AD DS replication with its known replica partners before it advertises itself as a DC.

Ensure that Forest Recovery Agent is installed and running Checks the installed version of Forest Recovery Agent. If necessary, installs the agent or upgrades it to the version supplied with the Forest Recovery Console you are using.
Extract the backup file components Extracts the backup component data on the target server.
Get information about domain controller

Collects the following information from the DC:

  • IP addresses of all network adapters
  • IP addresses of all DNS servers on all network adapters
  • DNS names of all FSMO role holders in the forest
  • Installed Forest Recovery Agent version (if any)
  • Whether the current DC is a RODC
  • Operating system version
Get replication data from the DC Collects replication data from the DC. The collected data will be used later to determine if lingering objects are present.
Raise RID pool Raises the value of available RID pools by the value specified in the Forest Recovery Console configuration file (100,000 by default).
Invalidate RID pool

Invalidates the current RID pool.

This prevents the restored domain controller from re-issuing RIDs from the pool it held when the backup was created. RIDs handed out after the backup would otherwise be allocated again, producing duplicate SIDs in the domain.

Install Active Directory Domain Services

Installs Active Directory Domain Services (AD DS) on the computer.

Enables Global Catalog if corresponding option is set in the DC recovery settings.

Restarts the computer after the AD DS installation completes.

Install Active Directory from media
  • Installs Active Directory Domain Services using the provided backup data.
  • Enables Global Catalog if the corresponding option is set in the DC recovery settings.
  • Restarts the computer after the AD DS installation completes.
Reinstall Active Directory Domain Services Installs Active Directory Domain Services (AD DS) on the computer. Restarts the computer after the AD DS installation completes.
Adjust to Active Directory changes Global Catalogs from excluded domains are adjusted to the state of recovered domains. This step involves the Repadmin tool. If particular changes performed by the Repadmin tool do not succeed, then the Global Catalog on this domain controller will be reset. For details about the 'Adjust to Active Directory changes' operation, see here.
Remove global catalog Removes the global catalog from the DC.
Remove global catalog if necessary Removes the global catalog from the DC if necessary, provided that the DC is a global catalog server.
Remove temporary files Deletes the backup file from the DC if the file was copied to the DC during the recovery.
Replicate FSMO role owners Replicates FSMO role owners to DCs.
Reset computer account passwords

Resets computer account passwords twice to an automatically generated value. The passwords are reset for the current DC and all other DCs in the project.

By default, the automatically generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.

Reset DSRM administrator password Resets the DSRM administrator password to the value specified in the DC recovery settings.
Reset global catalog

Removes the global catalog from the DC if all of the following is true:

  • The DC is a global catalog server
  • You selected an option in the recovery project settings to rebuild the global catalog to ensure no lingering objects are present.

Then, adds the global catalog back to the DC.

Reset the Krbtgt password Resets the Krbtgt password twice to an automatically generated value. By default, the automatically generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.
Reset trust passwords

Resets the trust passwords twice to an automatically generated value.

By default, the automatically generated password value includes 12 characters: at least one lower-case English letter, one upper-case English letter, one digit, and one non-alphanumeric character.

This operation is performed for all implicit and explicit trusts between this domain and all other trusted domains in the forest. Trust passwords for any external trusts are not reset.
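The three password-reset steps above follow one pattern: a generated value that meets the complexity just described, applied twice. The PowerShell below is an added example, not Recovery Manager code, that carries out the krbtgt case by hand on a live domain. It assumes the RSAT ActiveDirectory module and Domain Admin rights; the symbol set, the replication check between the two resets and the timeout are my choices, not anything the product documents.

```powershell
# Added example, not Recovery Manager code. Assumes the RSAT ActiveDirectory
# module and Domain Admin rights.
Import-Module ActiveDirectory

# Random password meeting the complexity the table describes: at least one
# lower-case letter, one upper-case letter, one digit and one non-alphanumeric
# character, 12 characters by default. The symbol set is my choice.
function New-CompliantPassword {
    param([int]$Length = 12)
    $classes = @(
        [char[]]'abcdefghijklmnopqrstuvwxyz',
        [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        [char[]]'0123456789',
        [char[]]'!@#$%^&*()-_=+[]{}:;,.?'
    )
    $all = @($classes | ForEach-Object { $_ })
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    # CSPRNG index into a character set (modulo bias is negligible at 2^32)
    $pick = {
        param([char[]]$set)
        $buf = New-Object byte[] 4
        $rng.GetBytes($buf)
        $set[[int]([BitConverter]::ToUInt32($buf, 0) % $set.Length)]
    }
    $chars = @(foreach ($c in $classes) { & $pick $c })   # one from every class
    while ($chars.Count -lt $Length) { $chars += & $pick $all }
    # Fisher-Yates shuffle so the class-guaranteed characters are not always first
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $buf = New-Object byte[] 4
        $rng.GetBytes($buf)
        $j = [int]([BitConverter]::ToUInt32($buf, 0) % ($i + 1))
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }
    -join $chars
}

# The same criteria as a check, usable on any value before it is applied.
function Test-PasswordComplexity {
    param([Parameter(Mandatory)][string]$Password, [int]$MinLength = 12)
    $Password.Length -ge $MinLength -and
    $Password -cmatch '[a-z]' -and $Password -cmatch '[A-Z]' -and
    $Password -match '\d' -and $Password -match '[^a-zA-Z0-9]'
}

# True when pwdLastSet on krbtgt carries the same replication version on every
# writable DC, i.e. the most recent reset has reached all of them.
function Test-KrbtgtReplicated {
    param([Parameter(Mandatory)][string]$Domain)
    try {
        $dn = (Get-ADUser -Identity krbtgt -Server $Domain).DistinguishedName
        $versions = foreach ($dc in Get-ADDomainController -Filter 'IsReadOnly -eq $false' -Server $Domain) {
            (Get-ADReplicationAttributeMetadata -Object $dn -Server $dc.HostName `
                -Properties pwdLastSet -ErrorAction Stop).Version
        }
        @($versions | Sort-Object -Unique).Count -eq 1
    } catch { $false }   # an unreachable DC counts as "not yet replicated"
}

function Reset-KrbtgtTwice {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$TimeoutMinutes = 60)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    foreach ($round in 1, 2) {
        $plain = New-CompliantPassword
        if (-not (Test-PasswordComplexity $plain)) { throw 'generated password failed the complexity check' }
        $secure = ConvertTo-SecureString $plain -AsPlainText -Force
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure -Server $pdc
        $plain = $null   # the value is never needed again; nobody logs on as krbtgt
        Write-Host "krbtgt reset $round of 2 issued on $pdc"
        if ($round -eq 1) {
            # Do not issue the second reset until the first is on every writable DC:
            # a DC still holding the original key cannot validate tickets the PDC
            # now issues, and the second reset is what finally retires that key.
            $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
            while (-not (Test-KrbtgtReplicated -Domain $Domain)) {
                if ((Get-Date) -gt $deadline) { throw "first reset did not replicate within $TimeoutMinutes minutes" }
                Start-Sleep -Seconds 30
            }
        }
    }
}

Reset-KrbtgtTwice
```

In a forest recovery the second reset can follow the first immediately, because every DC is being rebuilt from backup and the purpose is that no Kerberos ticket issued before the recovery, including one forged from a stolen krbtgt hash, is accepted afterwards. On a running domain the KDC honours tickets signed with the current or the previous krbtgt key, so the first reset alone leaves old tickets valid; leaving at least the maximum ticket lifetime (10 hours by default) between the two resets lets legitimate tickets expire instead of failing. Reset-ComputerMachinePassword -Server <PDC>, run on each DC, is the manual counterpart of the computer-account step.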

Restart domain controller in DSRM if necessary If DSRM is not the current mode, restarts the domain controller in DSRM and resets the DSRM password.
Restart domain controller in the DSRM mode Reboots the recovered domain controller into Directory Services Restore Mode and resets the password for the domain administrator account.
Restart domain controller in normal mode

Restarts the DC in normal mode for the changes to take effect.

When performing this step on a DC restored from backup, Recovery Manager for Active Directory Forest Edition also resets the user password to the value specified in the DC recovery settings. This password reset overwrites the old password restored from backup.

Restore data from backup, if there is one Restores the Active Directory database (.dit file), SYSVOL, and system registry entries from the backup specified in the DC recovery settings. Disables the use of global catalog for user logon validation. This allows users other than the built-in Administrator to log on during the recovery.
Restore initial global catalog partition occupancy level Sets the global catalog partition occupancy level to the value that existed before the recovery. For more information on the recovery project settings that may cause Recovery Manager for Active Directory Forest Edition to change the global catalog partition occupancy level during recovery, see Specifying recovery project settings.
Run pre-recovery checks

If the Restore from backup or SYSVOL Restore recovery method is selected for the DC, this step checks that:

  • The DSRM password specified in the DC recovery settings meets the password complexity criteria.
  • The backup file specified in the DC recovery settings is accessible (mandatory requirement for domain or forest recovery).
  • There is a sufficient amount of free disk space on the DC to accommodate the backup file (mandatory requirement for domain or forest recovery).
  • A preferred DNS server is specified for the DC in the recovery settings. If this is true, then this step checks the validity of the DNS server.

If either the Reinstall Active Directory or the Uninstall Active Directory recovery method is selected for the DC, this step checks that:

  • The DSRM password specified in the DC recovery settings meets the password complexity criteria.
  • A preferred DNS server is specified for the DC in the recovery settings. If this is true, then this step checks the validity of the DNS server.
Seize FSMO roles Seizes FSMO roles for the DCs automatically selected for each role.
Select preferred DNS server

Selects a properly functioning DNS server for all network adapters on the DC. This step uses the following order of priority to select a DNS server:

  1. Preferred DNS server specified in the DC recovery settings.
  2. Primary and alternate DNS servers that were selected for the DC before the recovery.
  3. DNS servers selected for other DCs in the same domain.
  4. All other DNS servers in the forest.

AD-integrated DNS servers hosted on DCs that were not successfully restored from backup are excluded from the list of possible DNS servers.

Save start types of Windows services Saves the start types of the Windows services that may be changed during the recovery.
Uninstall Active Directory Domain Services Demotes the DC to a member server joined to the workgroup named WORKGROUP. Resets the local Administrator password to the value specified in the Set DSRM password option in the DC recovery settings.
Wait for a global catalog server to become available Waits for at least one global catalog server to become available in the forest. This step may take a significant time to complete.
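As an added example (not Recovery Manager code), the following PowerShell applies the priority order of the Select preferred DNS server step, including the exclusion of AD-integrated DNS servers on DCs that did not come back from backup, to a constructed set of DCs. The property names on the sample objects and the use of a DC-locator SRV lookup as the validity test are my assumptions; Resolve-DnsName is the DnsClient module cmdlet.

```powershell
# Added example, not Recovery Manager code. Sample project data is constructed
# here; the property names are mine, not the product's.
$project = @(
    [pscustomobject]@{ Name='DC1'; Domain='corp.example.com';    Ip='10.0.1.10'; PreferredDns=$null;       PreRecoveryDns=@('10.0.1.11','10.0.1.10'); AdIntegratedDns=$true; Restored=$true  }
    [pscustomobject]@{ Name='DC2'; Domain='corp.example.com';    Ip='10.0.1.11'; PreferredDns=$null;       PreRecoveryDns=@('10.0.1.10','10.0.1.11'); AdIntegratedDns=$true; Restored=$false }
    [pscustomobject]@{ Name='DC3'; Domain='eu.corp.example.com'; Ip='10.0.2.10'; PreferredDns='10.0.2.10'; PreRecoveryDns=@('10.0.2.10','10.0.1.10'); AdIntegratedDns=$true; Restored=$true  }
)

function Select-RecoveryDnsServer {
    param(
        [Parameter(Mandatory)]$Dc,                 # the DC whose adapters are being configured
        [Parameter(Mandatory)][object[]]$Project,  # every DC in the recovery project
        # "Properly functioning" test: the server answers the DC-locator SRV query
        # for the DC's own domain. Replaceable so the selection can be run offline.
        [scriptblock]$Probe = {
            param($Ip, $Domain)
            try { [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Ip -DnsOnly -ErrorAction Stop) }
            catch { $false }
        }
    )
    # AD-integrated DNS on a DC that was not restored from backup is never a candidate
    $excluded = @($Project | Where-Object { $_.AdIntegratedDns -and -not $_.Restored } | ForEach-Object { $_.Ip })

    # Candidates in the documented priority order; Select-Object -Unique keeps
    # the first occurrence, so a server listed twice keeps its highest rank.
    $ordered = @()
    if ($Dc.PreferredDns) { $ordered += $Dc.PreferredDns }                       # 1. recovery settings
    $ordered += @($Dc.PreRecoveryDns)                                            # 2. this DC before recovery
    $ordered += @($Project | Where-Object { $_.Domain -eq $Dc.Domain -and $_.Name -ne $Dc.Name } |
                  ForEach-Object { $_.PreRecoveryDns })                          # 3. other DCs, same domain
    $ordered += @($Project | Where-Object { $_.Domain -ne $Dc.Domain } |
                  ForEach-Object { $_.PreRecoveryDns })                          # 4. rest of the forest

    foreach ($ip in ($ordered | Select-Object -Unique)) {
        if ($ip -in $excluded) { continue }
        if (& $Probe $ip $Dc.Domain) { return $ip }
    }
    $null   # nothing usable: the step would fail rather than leave a dead resolver
}

# Offline walk-through with a stand-in probe: pretend only two servers answer.
$up = @('10.0.1.10', '10.0.2.10')
$fakeProbe = { param($Ip, $Domain) $Ip -in $up }
foreach ($dc in $project) {
    $chosen = Select-RecoveryDnsServer -Dc $dc -Project $project -Probe $fakeProbe
    '{0}: {1}' -f $dc.Name, $chosen
}

# On the DC itself, with the real probe, the result goes onto every adapter:
# $chosen = Select-RecoveryDnsServer -Dc $me -Project $project
# Get-DnsClientServerAddress -AddressFamily IPv4 | Set-DnsClientServerAddress -ServerAddresses $chosen
```

The exclusion list is what makes the order safe: DC2 in the sample still appears as the first pre-recovery resolver of DC1, but because it was not restored its AD-integrated DNS would answer, if at all, with the pre-recovery zone contents, so it is skipped before the probe is even run.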

Backup Wizard

The Backup Wizard helps you create backups of domain controllers' System State, including Active Directory and Group Policy data. With this wizard you can select the domain controllers whose System State is to be backed up, specify where to store the backups, run the backup immediately or schedule it for later, and view and modify backup options such as which System State components are backed up.

The wizard has the following steps:

What to Back Up

Use this page to select computers whose system state you want the wizard to back up. You can back up selected computers or computers that reside in a specific container.

  • Selected objects. The Selected objects list includes the names and descriptions of computers and containers the wizard will process. You can modify the list using the Add and Remove buttons.
  • Add. When you click Add, the wizard presents you with these commands:
    • Domain Controller. Selects and adds domain controllers by name.
    • Container. Selects and adds a container. The wizard will back up all computers that are in that container.
    • AD LDS (ADAM) Host. Selects and adds AD LDS (ADAM) hosts by name.
    • Import Computers. Use a text file, one computer name per line, to add computers to the list.
  • Remove. Removes the selected entries from the Selected objects list.

To add a computer by name

  1. Click Add and then click Add Computer.
  2. In the Select Computers dialog box, supply the name of the computer you want to add to the list.

With the Select Computers dialog box, you can select multiple computers. The Select Computers dialog box only allows you to add computers by computer account name. If you want to add computers by IP address, DNS name, or NetBIOS name, use an import file.

To add computers using an import file

  1. Create a text file that contains computer names, one name per line.
  2. Click Add and then click Import Computers.
  3. Use the Open dialog box to locate and open the text file.

To add a container

  1. Click Add and then click Add Container.
  2. In the Domain box, select or type the DNS name of a domain. If you typed the DNS name, click Connect to refresh the tree in the Containers box.
  3. In the Containers box, select the container to add.

If you select computers or containers before starting the Backup Wizard, the Selected objects list includes the objects you have selected.

Where to Store Backups

Use this page to specify the path and name format for backup files.

  • Backup file path and name format. Provides a space for you to specify format for paths and names of .bkf files where you want the wizard to store backups. You can use UNC names to store backups in a shared network folder. The path format may include optional expressions that enable the automatic creation of subfolders. The file name format may also include expressions. For example, you might specify C:\DIRNAME\%COMPUTERNAME%\%DATETIME%.

As a result, backups for different computers will be saved in separate subfolders named by a computer name. In addition, the file name of each backup will be composed of the date and time of the backup creation.

  • Expression. Click this button to specify optional path and file name notations in Backup file path and name format. You can choose the following expressions:
    • Default backup storage (%BACKUPS%). Path to the default backup storage folder. Unless modified during the installation of Recovery Manager for Active Directory Forest Edition, it points to the folder %AllUsersProfile%\Application Data\Quest\Recovery Manager for Active Directory Forest Edition\Backups.
    • Domain (%DOMAIN%). Name of the home domain of the computer being backed up.
    • Computer name (%COMPUTERNAME%). Name of the computer being backed up.
    • Date and Time (%DATETIME%). Date and time of the backup creation.
  • Browse. Click this button to locate the folder where backups are to be stored.
  • Sample path and file name matching the specified format. This box displays an example of the path and file name that matches the format string supplied in Backup file path and name format.
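As an added example (not the product's code), the following PowerShell expands a backup path and name format the way the Sample path box does, then checks the access list on the folder the file will land in: a System State backup contains the AD database, and with it the domain's password hashes, so the folder should be readable by administrators and the backup process alone. The %DATETIME% rendering, the appended .bkf extension and the list of identities allowed on the folder are my assumptions.

```powershell
# Added example, not Recovery Manager code.
function Expand-BackupPathFormat {
    param(
        [Parameter(Mandatory)][string]$Format,          # e.g. 'C:\DIRNAME\%COMPUTERNAME%\%DATETIME%'
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Domain,
        [datetime]$Time = (Get-Date),
        # Default storage folder as documented in the Expression list above
        [string]$DefaultStore = (Join-Path $env:ALLUSERSPROFILE 'Application Data\Quest\Recovery Manager for Active Directory Forest Edition\Backups')
    )
    # %DATETIME% rendering is not specified by the guide; a sortable,
    # filename-safe form is assumed here.
    $values = [ordered]@{
        '%BACKUPS%'      = $DefaultStore
        '%DOMAIN%'       = $Domain
        '%COMPUTERNAME%' = $ComputerName
        '%DATETIME%'     = $Time.ToString('yyyy-MM-dd_HH-mm-ss')
    }
    $path = $Format
    foreach ($key in $values.Keys) { $path = $path.Replace($key, [string]$values[$key]) }
    # Assumption: the wizard appends the .bkf extension when the format has none.
    if (-not $path.EndsWith('.bkf', [StringComparison]::OrdinalIgnoreCase)) { $path += '.bkf' }
    $path
}

# Flags every Allow ACE on the backup folder that is not held by an expected
# identity. Inherited ACEs are included on purpose: a folder created under C:\
# inherits BUILTIN\Users read access, which is exactly the finding to catch.
function Test-BackupFolderAcl {
    param(
        [Parameter(Mandatory)][string]$BackupFile,
        [string[]]$AllowedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $folder = Split-Path -Path $BackupFile -Parent
    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $folder
    $unexpected = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.IdentityReference.Value -notin $AllowedIdentities)
    })
    foreach ($rule in $unexpected) {
        Write-Warning ('{0} has {1} on {2}' -f $rule.IdentityReference, $rule.FileSystemRights, $folder)
    }
    $unexpected.Count -eq 0
}

$file = Expand-BackupPathFormat -Format 'C:\DIRNAME\%COMPUTERNAME%\%DATETIME%' `
                                -ComputerName 'DC1' -Domain 'corp.example.com'
$file
Test-BackupFolderAcl -BackupFile $file
```

When the check returns False, disable inheritance on the folder and grant only the identities that need access before the first backup is written; for a UNC target, Get-Acl reports the NTFS permissions of the share's folder, so the share permissions still have to be reviewed on the file server separately.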