
Recovery Manager for AD Forest Edition 10.2 - User Guide


Deleting domains during recovery

When recovering an Active Directory forest, you can use Recovery Manager for Active Directory to selectively delete particular domains from the forest being recovered. You may need to delete domains when, for example, the account you use to recover an Active Directory forest does not have sufficient permissions to access and recover some domains in the forest. In this case, you may want to sacrifice these domains and recover the forest without them.

Important:

  • You cannot selectively recover domains and delete domains at the same time. During recovery, use only one of these two features. For more information about selectively recovering domains, see Selectively recovering domains in a forest.

  • You cannot delete the root domain of the forest being recovered.

To delete a domain from the forest being recovered, you need to set the recovery method for all DCs in that domain to Do not recover. Then, after you run the recovery operation, Recovery Manager for Active Directory does the following:

  • Deletes the domain’s partition.

  • Cleans up metadata of all DCs in the domain from the forest.

To delete a domain while recovering an Active Directory forest
  1. In the Forest Recovery Console, open or create a recovery project.

  2. Set the recovery method for all DCs in the domain you want to delete to Do not recover:

    1. Select a DC in the list.

    2. On the General tab, from the Recovery method list, select Do not recover.

  3. Specify other settings for your recovery project as appropriate, and then click Start Recovery on the toolbar.

 

Resuming an interrupted forest recovery

Recovery Manager for Active Directory provides the Fault Tolerance feature that allows you to resume the last forest recovery operation in case it was unexpectedly interrupted by one of these events:

  • You close the Forest Recovery Console while the forest recovery operation is still running.

  • The Forest Recovery Console unexpectedly shuts down partway through the forest recovery operation.

  • The computer running the Forest Recovery Console powers off while the forest recovery operation is still running.

Important

The Fault Tolerance feature does not allow you to resume a forest recovery operation you canceled from the Forest Recovery Console (for example, by clicking the Abort button).

When the Fault Tolerance feature is enabled, it constantly saves the current forest recovery operation state to a dedicated SQL Server database named ForestRecovery-Persistence. Each time you start the Forest Recovery Console, a check is performed to see whether the last forest recovery operation was interrupted by any of the events listed earlier in this section. If that is true, the Forest Recovery Console prompts you to resume the forest recovery from the point at which it was interrupted.

Note

If you chose to reset passwords for domain users in privileged groups when you started a forest recovery, you need to do it again when you resume the forest recovery, because the console does not store passwords. However, if the password reset was already completed for a domain controller before the recovery was interrupted, the passwords will not be reset again for that domain controller after you resume the operation.

If you choose not to resume an interrupted forest recovery operation and select the Delete last recovery session data option in the Resume Recovery wizard, the saved session state is permanently deleted from the ForestRecovery-Persistence database.

Permissions required to access the ForestRecovery-Persistence database
  • Add an account that is used to access the ForestRecovery-Persistence database as the Security Login in SQL Server Management Studio. The public role will be automatically granted to the user account on the Server Roles tab of Login Properties.

  • Add users mapped to this Login and assign the db_datareader role on the User Mapping page of the Login Properties to use the account as the Forest Recovery project reader.

  • Explicitly grant the Execute right on the Permissions tab of the ForestRecovery-Persistence database Properties. This permits the account to be used for the Restore operation.

For the Fault Tolerance feature, all involved console instances must share the same communication keys, which are used to communicate with Forest Recovery Agents without using the domain access credentials.

To share secure communication keys between console instances
  1. Open or create a recovery project in Forest Recovery Console.

  2. On the menu bar, select Tools | Fault Tolerance.

  3. Click Export secure communication keys… and specify the "secure communication keys" file location and access credentials.

Note

Do not select Export Agent Communication Keys. This option is intended for exporting only Agent communication keys, not Console keys.


  4. Save the "secure communication keys" file.

  5. Launch another instance of Forest Recovery Console.

  6. On the menu bar, select Tools | Fault Tolerance | Import secure communication keys…, specify the "secure communication keys" file and click Open.

  7. Reinstall the agents if they were uninstalled.

  8. For security reasons, remove the "secure communication keys" file from your computer after the Fault Tolerance feature has been configured.

To modify the fault tolerance settings for a recovery project
  1. In Forest Recovery Console, select Tools | Fault Tolerance | Settings from the toolbar.

  2. In the Fault Tolerance Settings dialog, use the following options:

Recovery persistence settings
Enable fault tolerance

Allows you to enable or disable the Fault Tolerance feature by selecting or clearing this check box.

SQL Server name and instance

Allows you to specify the SQL Server instance in which you want to store the current forest recovery operation state. To specify a SQL Server instance, use the format <SQLServerName>/<Instance>. The forest recovery operation state is saved to a SQL Server database named ForestRecovery-Persistence. If the ForestRecovery-Persistence database does not exist in the SQL Server instance you specify, it will be created there. If the ForestRecovery-Persistence database already exists in the SQL Server instance you specify, the data in that database will not be erased until you start a new forest recovery operation. Until that moment, you can resume the interrupted forest recovery operation whose state is held in the specified ForestRecovery-Persistence database.

Authentication method

Allows you to select a method for authenticating on the specified SQL Server.

  • Use Windows authentication. Allows you to authenticate with the user account under which the Forest Recovery Console is currently running.

  • Use SQL authentication. Allows you to authenticate with the user name and password specified in this option. This authentication method is recommended when Recovery Manager for Active Directory uses the ForestRecovery-Persistence database that is hosted on an external SQL Server computer and not on the computer where Recovery Manager for Active Directory is running.

List of consoles

Shows the list of Forest Recovery Consoles configured to support the Fault Tolerance feature.

 

Recovering read-only domain controllers (RODCs)

Recovery Manager for Active Directory supports recovering read-only domain controllers (RODCs) from backups.

The full list of recovery methods that can be applied to the RODCs in your recovery project:

  • Restore SYSVOL

    This method allows you to perform a non-authoritative restore of RODCs.

  • Reinstall Active Directory or Reinstall Active Directory from Media on the RODCs

  • Install Active Directory or Install Active Directory from Media on the RODCs

  • Uninstall Active Directory from the RODCs.

  • Do not recover the RODCs.

If you want to recover a read-only DC, you need to select the Install the domain controller as a read-only option on the General tab for the Install Active Directory (with IFM option) or Reinstall Active Directory (with IFM option) method in Forest Recovery Console. A read-only DC can be installed using a backup created only from the RODC.
Depending on whether the option is selected or not, you can only choose backups whose DC Type corresponds to the type of domain controller (ReadOnly or Writable).

Note

The DC Type of backups that were created in version 10.0 or earlier and registered manually is shown as Unknown. Such backups can only be selected manually, and the user must make sure that the type of domain controller being restored matches the type of domain controller for which the backup was created; otherwise, recovery of the domain controller will fail.

 

Checking forest health

The Forest Recovery Console provides a tool that allows you to check the health of your forest. You can use the tool to run tests to ensure that domain controllers, Active Directory replication, domain trusts, user authentication, RID Master, and global catalog are working properly in your Active Directory forest.

The Forest Recovery Console automatically prompts you to check the forest health after the forest recovery has succeeded, so that you can ensure the forest works exactly the way you want. If necessary, you can manually run a health check on your forest at any time before or after the forest recovery operation.

NOTE

Recovery Manager for Active Directory uses the domain controller access credentials to perform the forest health checks. Make sure that the credentials are valid. For more details, refer to Table 24 in the General tab section.

What does Recovery Manager for Active Directory check?

Domain controllers

  • Verifies that every domain controller in the forest is accessible and running by sending an LDAP bind request to the directory root (RootDSE) of the domain controller.

  • Checks that Forest Recovery Agents are installed on the domain controllers and accessible, using an RPC call to get information about the agents and domain controller states.

Active Directory replication

  • Forces the replication for one random object on every replication partner for every partition of a domain controller using the replicateSingleObject operation.

Domain trusts

  • Checks that all trust relationships between domains configured in Active Directory forest are fully established.

User authentication; RID Master and GC operation

  • Verifies that a user account is created in the default or specified container on each domain controller. Then, LDAP authentication is performed using this account to check that the Global Catalog server is available for the domain controller.

To run a forest health check

  1. Open your recovery project.

  2. In the Forest Recovery Console, from the main menu, select Tools | Diagnose | Check Forest Health.

  3. In the dialog box that opens, on the Settings tab, select the check boxes next to the items whose health you want to check.

  4. When finished, click the Check Health button.

When the check health operation completes, use the Details tab to view information about the health of the selected items.

If you select the User authentication; RID Master and GC operation option on the Settings tab, you can specify a container for the test user account on the domain controller.

For the list of required permissions, see Recovery Manager .

To specify a container for the test user account

  1. Close the Forest Recovery console.

  2. Open the project (.frproj) file that was created by the Console and edit the '<Domains>' section, as shown in the following example.

You can specify different containers for different domains.

<Domains>
  <Domain DomainName="rmad.local" HealthCheckContainer="OU=test1" />
  <Domain DomainName="second.rmad.local" HealthCheckContainer="OU=test2" />
</Domains>

To specify the same container for different domains, you can use the asterisk wildcard (*), for example:

<Domains>
  <Domain DomainName="*" HealthCheckContainer="OU=test1" />
</Domains>

You should specify the relative container distinguished name for the HealthCheckContainer attribute. For example, if the full DN of the container is OU=test1,DC=rmad,DC=local, specify the DN name as OU=test1.
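As an added example (not code from this guide or from Recovery Manager for Active Directory), the following Python helper edits the '<Domains>' section described above and derives the relative DN that HealthCheckContainer requires from a full container DN, rejecting a DN that belongs to another domain. Only the '<Domain DomainName=... HealthCheckContainer=...>' layout is taken from the guide; the '<RecoveryProject>' wrapper in the constructed sample is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample .frproj fragment (not a real project dump); only the <Domains>
# layout is taken from the guide, the <RecoveryProject> wrapper is hypothetical.
SAMPLE_FRPROJ = """<RecoveryProject>
  <Domains>
    <Domain DomainName="rmad.local" />
    <Domain DomainName="second.rmad.local" HealthCheckContainer="OU=old" />
  </Domains>
</RecoveryProject>"""


def domain_dn(domain_name: str) -> str:
    """Naming-context DN of a DNS domain name: rmad.local -> DC=rmad,DC=local."""
    return ",".join(f"DC={label}" for label in domain_name.split("."))


def to_relative_dn(container_dn: str, domain_name: str) -> str:
    """Relative container DN as HealthCheckContainer requires: "OU=test1,DC=rmad,DC=local"
    for rmad.local -> "OU=test1"; relative input is unchanged; a DN under another domain,
    or a full DN with the "*" wildcard (no domain to strip), raises ValueError.
    """
    rdns = [p.strip() for p in container_dn.split(",") if p.strip()]
    if not rdns or not all("=" in p for p in rdns):
        raise ValueError(f"{container_dn!r} is not a valid container DN")
    dc_parts = [p for p in rdns if p.upper().startswith("DC=")]
    if dc_parts:
        if domain_name == "*":
            raise ValueError("a wildcard entry needs a relative DN, not a full DN")
        if ",".join(dc_parts).lower() != domain_dn(domain_name).lower():
            raise ValueError(f"{container_dn!r} is not under {domain_name}")
        rdns = [p for p in rdns if p not in dc_parts]
    return ",".join(rdns)


def set_health_check_container(frproj_xml: str, domain_name: str, container_dn: str) -> str:
    """Return the project XML with HealthCheckContainer set for one domain ("*" = all)."""
    root = ET.fromstring(frproj_xml)
    domains = root.find("Domains")
    if domains is None:
        domains = ET.SubElement(root, "Domains")
    entry = next((d for d in domains.findall("Domain")
                  if d.get("DomainName") == domain_name), None)
    if entry is None:  # add a <Domain> element when the project has none for this name
        entry = ET.SubElement(domains, "Domain", DomainName=domain_name)
    entry.set("HealthCheckContainer", to_relative_dn(container_dn, domain_name))
    return ET.tostring(root, encoding="unicode")


def health_check_containers(frproj_xml: str) -> dict:
    """Map DomainName -> HealthCheckContainer for every <Domain> that sets one."""
    root = ET.fromstring(frproj_xml)
    return {d.get("DomainName"): d.get("HealthCheckContainer")
            for d in root.iter("Domain") if d.get("HealthCheckContainer")}
```

Write the returned string back to the .frproj file only while the Forest Recovery Console is closed, as step 1 above requires.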

 
