Chat now with support
Chat with Support

Recovery Manager for AD Forest Edition 10.3.1 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Using Management Shell Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Scanning backups for viruses

Recovery Manager for Active Directory scans BMR and Active Directory® backups for malware as a part of the verification process (not recovery). The anti-virus checks are performed on the Forest Recovery Console machine running Windows Server® 2016 or higher by means of antivirus software installed on the machine. The best practice is to use the scheduled verification to have up-to-date backup scan results and to run anti-malware checks in the background because this process is time-consuming. To configure the verification schedule, refer Scheduling project verification.

Supported antivirus software

  • Microsoft Defender

  • FEATURE PREVIEW Symantec™ Endpoint Protection 14.x; Broadcom Endpoint Security (former name: Symantec™ Endpoint Protection 15)

Note

Recovery Manager for Active Directory Disaster Recovery Edition only supports scanning of BMR backups.

Virus scanning general recommendations

  • The scan performance highly depends on the network speed to the remote backup storage.

  • It is not recommended to scan more than 5-10 BMR backups in parallel - this means that only 5-10 DCs should be configured to restore from the BMR backup. It is a risk to restore some DC from scanned BMR backup, and others from not scanned backups that can potentially contain malware.

  • If you have remote sites with slow network connection, consider installing other instances of RMAD there, and configure backup metadata replication. For details, see Consolidating backup registration data.

  • In some cases, depending on a host environment and the size of the backed-up data, the host machine can experience a high CPU load while scanning a backup. To avoid this, a user can limit CPU utilization in the antivirus software settings. For example, a user can change the ScanAvgCPULoadFactor setting if Windows Defender Antivirus is used. For details, see Configure Microsoft Defender Antivirus scanning options. You can use this formula to estimate a possible setting value: (number of parallel backups) * ScanAvgCPULoadFactor < (desired overall CPU usage by RMAD scan process).

  • For all antivirus vendors, real-time protection mode can affect Active Directory® backup scans.

Symantec™ Endpoint Protection limitations

  • A parallel backup scan is not yet supported for Symantec™ Endpoint Protection. Therefore, the scan operation with Symantec™ may take longer than a scan using Windows Defender.

  • Make sure that AD backup checks are not run together with any other file system scans on the Forest Recovery Console machine.

  • For Symantec™ Endpoint Protection: If you cancel the project verification, the virus scan will continue running due to the Tamper Protection feature of Symantec Endpoint Protection (SEP). To resolve this problem, there are two workarounds:

    • Stop the current antivirus scan from Symantec™ Endpoint Protection Manager.

    • Then, end the ccSvcHst.exe process. This process is a common scanning process for the SEP client, so this action will drop all scanning tasks on the machine. See Symantec™ Endpoint Protection for details.

Features supported by different anti-virus scanners

Supported features Backup type Windows Defender Symantec™ Endpoint Protection, Broadcom Endpoint Security
Parallel scan BMR backup, AD backup
Scan with enabled Real-Time Protection mode BMR backup, AD backup Supported for BMR backup only* Supported for BMR backup only*
Completely cancel the verification process BMR backup, AD backup
Warn if the anti-virus database is outdated BMR backup, AD backup

* If Real-Time Protection is disabled, Active Directory backups can also be scanned.

Note

Only Windows Defender supports parallel scanning of backups. Other anti-virus solutions scan backups in sequential mode. This must be taken into account when planning the verification schedule.

How to enable virus scanning in Recovery Manager for Active Directory

Recovery Manager for Active Directory automatically detects antivirus software and you do not need to explicitly specify it in the configuration file (%ProgramFiles%\Quest\Recovery Manager for Active Directory\Management\AntivirusConfiguration.json). The AntivirusToUse parameter value is empty by default. If this parameter contains any value, the autodetect feature will not work. Recovery Manager for Active Directory detects only antivirus software specified in the "Antiviruses" section of the configuration file, using Prechecks. Make sure that all the PrecheckTarget parameter values are correct. If you have more than one antivirus software supported by RMAD in your environment, the autodetect feature will use the first found antivirus software for backup scans.

IMPORTANT

If you upgrade or reinstall Recovery Manager for Active Directory, the settings from AntivirusConfiguration.json will be reset to the default settings.

To enable scan for viruses

In Forest Recovery Console, select the Advanced Actions tab and then check the AV Scan to scan the selected backup with Microsoft Defender Antivirus during the project verification option.

Resources/Images/virus_scan.png

The backup scan status is shown next to the backup in Recovery Manager for Active Directory Console and Forest Recovery Console. Also, Recovery Manager for Active Directory Console gives a better representation of scan results.

Resources/Images/virus_scan.png

Anti-virus check statuses:

  • Resources/Images/MalwareGreen.png Passed - All antimalware checks have passed successfully.

  • Resources/Images/MalwareYellow.png Passed with warnings - This status appears if antimalware checks have passed successfully but with minor issues.

  • Resources/Images/MalwareRed.png Infected - The backup is infected.

  • Resources/Images/MalwareRedShield.png Corrupted - This status appears when malware checks are not performed because the selected backup cannot be mounted or unpacked by RMAD.

  • Resources/Images/MalwareRedShield.png Check failed - This status is returned by the antimalware script and appears when malware checks cannot be performed, for example, if antimalware software is not installed, etc.

  • Resources/Images/MalwareGray.png Unknown - The backup has not been checked yet but the check operation is enabled on the General tab for this DC.

Note

You can get the Passed with warnings status if your antivirus database is older than the specified time limit. According to security best practices, this limit is set to 3 days by default. Depending on the policies of your organization, you can configure this parameter in the AntivirusConfiguration.json file that is mentioned above. Change the AntivirusSignatureAgeThresholdInDays property to the desired value. In case of any security incident or data breach, it is recommended that you run an antivirus scan using the latest database for your antivirus software.

Resources/Images/virus_check_status.png

If you use the backup criteria to automatically select a backup

If you set the project to automatically select backups using the backup selection criteria, the following logic is applied:

Backups, #3 is
the latest backup
Backup selected
and scanned for Verify
Backup selected
for Recovery
Comments
#3 Not scanned X X The latest backup will be used for the settings verification or recovery. You will get a warning before the recovery process.
#2 Not scanned    
#1 Not scanned    
 
#3 Passed X X The latest backup with the "Passed" status will be rescanned and will be used for the settings verification or recovery if there are no newer backups.
#2 Not scanned    
#3 Not scanned    
 
#3 Infected     If only the latest backup is scanned and has the "Infected" status, the latest not scanned backup will be selected for settings verification or recovery.
#2 Not scanned X X
#1 Not scanned    
 
#3 Infected     If the latest backup is scanned and is infected, and there are several scanned backups that have passed the virus checks - the latest backup with the "Passed" status will be selected for settings verification or recovery.
#2 Passed X X
#1 Not scanned    
 
#3 Not scanned X X If there are a scanned backup with the "Passed" status and the newer non-scanned backup, the latest not scanned backup is selected for settings verification or recovery. You will get a warning before the recovery process. To avoid this scenario, configure the regular anti-virus scan in accordance with the BMR backup schedule.
#2 Passed    
#1 Not scanned    
 
#3 Infected   X If all the existing backups are infected, an anti-virus scan can be skipped, and the latest backup is selected for recovery. You will get a warning before the recovery process.
#2 Infected    
#1 Infected    
 
#3 Not scanned X X The latest backup will be used for the settings verification or recovery. You will get a warning before the recovery process.
#2 Infected    
#1 Not scanned    

 

Scheduling project verification

To automate running of the verify settings operation on a regular basis, you can schedule this operation for the recovery project.

To create a schedule for the verify settings operation
  1. In Forest Recovery Console, create or open an existing recovery project.

  2. Click Schedule Verify… on the tool bar.

  3. In the Configure Schedule dialog box, click Modify….

  4. In the dialog that appears, click New… and configure the schedule.

  5. Then you will be able to see a list of configured schedules in the Configure Schedule dialog. The Enable schedule option is selected by default.

  6. To specify a user account for the project verification, click Select account… in the Configure Schedule dialog. If you skip this step, you will be prompted for a user name and password when saving the schedule. You must use the Administrator user account.

  7. Click OK to save the schedule.

To change the project schedule settings
  1. In Forest Recovery Console, open an existing recovery project.

  2. Click Schedule Verify… on the tool bar.

  3. To enable or disable the schedule, use the Enable Schedule check box in the Configure Schedule dialog.

  4. To change the schedule, click Modify…..

  5. In the dialog box that opens, configure the new schedule and click OK.

  6. To change the schedule account, click Select account… in the Configure Schedule dialog.

  7. Enter new credentials, then you will be prompted for the account which is currently used for this schedule. Enter the current credential and click OK.

  8. Click OK to save the changes in the Configure Schedule dialog. If you have not changed the account, you will be prompted for the current credentials.

To remove a schedule for the project:
  1. In Forest Recovery Console, open an existing recovery project.

  2. Click Schedule Verify… on the tool bar.

  3. Click Modify….

  4. Delete all schedules and click OK.

  5. Click OK in the Configure Schedule dialog and you will be prompted for the current schedule account.

  6. Enter the current credentials and click OK.

 

Specifying recovery settings for a DC

You can set individual recovery settings for each domain controller in your recovery project. For more information about these settings, see Domain controller recovery settings and progress.

To specify recovery settings for a domain controller
  1. Create or open a recovery project.

  2. In the list of domain controllers, select the domain controller for which you want to specify recovery settings.

  3. Use the General tab to specify recovery settings.

 

Selecting backups for recovery

You can only restore domain controllers from backups created with Recovery Manager for Active Directory. The Forest Recovery Console provides the following methods for you to select backups for recovery:

The next sections describe each of these methods.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating