Chat now with support
Chat with Support

Recovery Manager for AD Forest Edition 10.3.1 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Using Management Shell Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Specifying an access account for Backup Agent and backup storage

For each Computer Collection (applicable to all domain controllers within a collection), you can specify a user account that will be used to access the following:

  • Backup Agent that is manually or automatically installed on domain controllers in the Computer Collection. The account is used for the following operations:

    • backup creation

    • discover Backup Agent instances or update Backup Agent information

    • install, upgrade or uninstall Backup Agent instances

  • Locations on target domain controllers or UNC shares where backup files created for the Computer Collection are to be saved. For more information on how to specify these locations, see Remote Storage tab section in Properties for an existing Computer Collection.

These credentials are also used to connect to Active Directory® in the following cases:

  • Show or refresh the content of collections that contain containers

  • Operate on collections that contain container-items

  • This account is used for backup unpacking only if no account is configured on the Remote Storage tab

For example: modifying an exclusion list for a container; installing the Backup Agent from a collection menu, collecting diagnostic data, etc.

To specify an access account
  1. In the Recovery Manager Console tree, select the Computer Collection for which you want to specify an access account.

  2. From the main menu, select Action | Properties.

  3. On the Agent Settings tab, select the Use the following account to access Backup Agent check box.

  4. Click Select Account, and specify the user name and password of the account with which you want to access Backup Agent, backup storages, and global catalog servers.

  5. When finished, click OK.

Note

Recovery Manager for Active Directory has deprecated support for a group managed service account (gMSA) to be specified as the account to connect to the backup agent for manually triggered backups. Managed service accounts will continue to be supported for scheduled backup tasks. In accordance with Microsoft®, it is recommended to not use a group managed service account (gMSA) for interactively initiated network connections such as Recovery Manager for Active Directory manually triggered backups. To enforce this recommendation and to address the vulnerability CVE-2023-21524 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21524), Microsoft has limited the usages of managed service accounts with a Windows Update. By removing support for a gMSA to connect to the backup agent, this ensures an attacker does not exploit the RMAD backup agent to perform actions or access resources over the network. To utilize the benefits and security provided by a group managed service account (gMSA), we highly recommend that a gMSA account is used for the scheduled backup task. See Setting user account for scheduled tasks

You can also specify a separate account that will be used to access the backup storage on the Remote Storage tab.

If no access account is specified on the Agent tab and no scheduled tasks exist for the Computer Collection, Recovery Manager for Active Directory (RMAD) will use the account under which the Recovery Manager Console is currently running.

If no access account is specified and a backup creation task is scheduled for the Computer Collection, RMAD will use the account under which the scheduled task is run. You can view and change this account on the Schedule tab in the Properties dialog box for a Computer Collection. For more information, see Schedule tab subsection in Properties for an existing Computer Collection.

Note

The scheduled task account is not used to access the Remote Storage from the agent side. The agent uses a local system account on a domain controller for this operation.

For additional information about the account requirements, please refer Permissions required for the Backup operation.

 

Adding domain controllers to a Computer Collection

You can add specific domain controllers to a Computer Collection. You can select domain controllers in the details pane after browsing the console tree and selecting the container that holds the domain controllers you want to add. Domains available for a forest are located under the Active Directory/Forest <Name> node; containers are located under domain nodes. You can add forests to the Active Directory node by using the Connect to Forest command on the node’s Action menu. A Computer Collection can hold domain controllers from multiple containers.

To add domain controllers to a selected Computer Collection
  1. Right-click the Computer Collection, select Add, and then click Domain Controller.

  2. In the Select Computers dialog box, enter the domain controller name or select Advance then Find Now and select the domain controller from the list and click OK. The Select Computers dialog box allows you to specify multiple domain controller names.

To add domain controllers to a Computer Collection
  1. Browse the console tree select and expand Active Directory, expand Domains then expand the domain and select the container that holds the domain controllers you want to add.

  2. In the details pane, select the domain controllers you want to add. To select multiple domain controllers, hold down CTRL, and click the domain controllers.

  3. On the Action menu or right click the select domain controllers, click Add to Collection.

  4. In the dialog box that opens, select an existing Computer Collection or click New Collection to create and select a new Computer Collection.

  5. In the dialog box, click OK.

Note

Alternatively, you can drag the domain controllers selected in the details pane to the target Computer Collection in the console tree or use the Copy and Paste commands.

You can add domain controllers to a Computer Collection by using an import file that contains a list of domain controller names or IP addresses. Importing domain controllers from a file overcomes the limitations inherent to the Select Computers dialog box and is convenient when you need to add a large group of domain controllers.

An import file is a text file that contains one domain controller name or IP address per line. For example:

123.123.123.123
Domain Controller Name 1
Domain Controller Name 2
213.213.213.213

To add domain controllers by using an import file
  1. Create an import file that contains domain controller names or IP addresses.

  2. Right-click the Computer Collection, point to Add, and then click Import Computers.

  3. Use the Open dialog box to locate and open the import file.

 

Adding containers to a Computer Collection

You can add containers such as Active Directory® domains, sites, or organizational units to a Computer Collection. When a Computer Collection includes a container, it implicitly includes all domain controllers that are in that container. You can select containers in the details pane after browsing the console tree and selecting a node that holds the containers you want to add.

Domains are located under the Active Directory/Forest <Name> node, organizational units are located under domain nodes. You can add Active Directory® forests to the Active Directory node by using the Connect to Forest command on the node’s Action menu.

To add a container to a selected Computer Collection
  1. Right-click the Computer Collection, point to Add, and then click Container.

  2. In the Domain box, select the domain that includes the container or type the DNS name of the domain. If you typed the domain name, click Connect to redraw the tree in the Containers box.

  3. Browse the directory tree in the Containers box to locate and select the container.

  4. In the dialog box, click OK.

Note

For a Computer Collection that includes a container, backups are created for all domain controllers in the container, including the newly created DCs that are not explicitly present in the Computer Collection .

Alternatively, you can add containers to a Computer Collection using the following procedure
  1. Browse the Recovery Manager Console tree to select the node that holds the containers you want to add.

  2. In the details pane, select the containers you want to add. To select multiple containers, hold down CTRL, and click the containers.

  3. On the Action menu, click Add to Collection.

  4. In the dialog box that opens, select an existing Computer Collection or click New Collection to create and select a new Computer Collection.

  5. In the dialog box, click OK.

Note

Also you can drag the containers selected in the details pane to the target Computer Collection in the console tree or use the Copy and Paste commands.

To view and modify an exclusion list for a container

This option lets you specify an explicit list of the domain controllers that will not be included in the backup.

  1. In the Recovery Manager Console tree, select the Computer Collection that holds the container.

  2. In the details pane, right-click the container and select Properties.

  3. In the Properties dialog box, click Modify.

  4. Select domain controllers that you want to exclude from the Available domain controllers list and click Add.

  5. Click OK.

 

Adding AD LDS (ADAM) hosts and instances to a Computer Collection

You can add AD LDS (ADAM) hosts and instances to a Computer Collection. AD LDS (ADAM) instances available for a selected AD LDS (ADAM) configuration set are located under the Active Directory/AD LDS (ADAM) Configuration Set/All Instances node. To add an AD LDS (ADAM) configuration set to a Computer Collection, you need to connect to AD LDS (ADAM).

To connect to AD LDS (ADAM)
  1. In the Recovery Manager Console tree, select the Active Directory node.

  2. From the main menu, select Action | Connect to AD LDS (ADAM).

  3. In the dialog box that opens, do the following:

    • In the AD LDS (ADAM) host box, type the full DNS name of the host to which you want to connect.

    • In the Port number box, type the port number used by AD LDS (ADAM).

    • In the User name and Password boxes, type the user name and password with which you want to access the AD LDS (ADAM) host. Note that to display these boxes, you may need to click the Options button.

  4. When finished, click OK.

To add AD LDS (ADAM) hosts to a particular Computer Collection
  1. Right-click the Computer Collection, point to Add, and then click AD LDS (ADAM) Host.

  2. In the Select Computers dialog box, enter the names of the AD LDS (ADAM) hosts you want to add or select the hosts from the list and click Add. The Select Computers dialog box allows you to specify multiple AD LDS (ADAM) host names.

Recovery Manager for Active Directory backs up all AD LDS (ADAM) instances hosted on the computer you have added to a Computer Collection.

To add AD LDS (ADAM) instances to a Computer Collection
  1. In the Recovery Manager Console tree, expand the appropriate Active Directory/AD LDS (ADAM) Configuration Set node, and then click All Instances.

  2. In the details pane, select the instances you want to add. To select multiple instances, hold down CTRL, and click the instances.

  3. On the Action menu, click Add to Collection.

  4. In the dialog box that opens, select an existing Computer Collection or click New Collection to create and select a new Computer Collection.

  5. In the dialog box, click OK.

Note

Alternatively, you can drag the selected AD LDS (ADAM) instances to the target Computer Collection in the console tree or use the Copy and Paste commands.

You can also select a Computer Collection, and then add AD LDS (ADAM) hosts to the selected Collection.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating