Chat now with support
Chat with Support

NOTICE! We are upgrading our support telephone services, implementing Genesys, starting the week of May 19, 2025

Recovery Manager for AD Forest Edition 10.3.2 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Using Management Shell Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

How and where is LDAP used in RMAD?

When is LDAP used in RMAD?

LDAP is used to search AD-LDS (ADAM) to retrieve Active Directory object information. During the Online Restoration (agentless and agent-based) and Group Policy Restoration, the LDAP API is used to perform modifications to specified Active Directory objects.

Is LDAP used to authenticate?

RMAD does not use LDAP for authentication of credentials or for Domain Controller connectivity. RMAD is using LDAP version 3, and the password is not in plain text, but is "encrypted". RMAD uses the Generic Security Services Application Program Interface (GSSAPI) to authenticate user logon. GSSAPI is included in the Kerberos protocol.

Is LDAP used to transfer data from AD during backups?

RMAD does not use LDAP for transfer, but deploys a Backup Agent to the domain controller. The Backup agent will collect data and make a backup file. If you store the backup file on console side, the backup file will be transfer by encrypted RPC protocol; if you use Remote Storage and assign a UNC path, the backup is copied by SMB protocol. The user can assign a password to encrypt the backup file.

 

How does Recovery Manager for Active Directory select a DC for an authoritative (primary) restore of SYSVOL during forest recovery?

When recovering an Active Directory® forest, Recovery Manager for Active Directory (RMAD) automatically selects a DC in each domain to perform an authoritative (primary) restore of the SYSVOL folder. To select such a DC, RMAD uses a number of predefined criteria listed in this section. These criteria are listed in the order they are applied by RMAD. If no DC meets the first criteria in the list, RMAD tries to apply the next criteria. RMAD keeps going through the list of criteria, from top to bottom, until it finds a suitable DC.

Criteria used to determine if a DC is suitable for an authoritative (primary) restore of the SYSVOL (in the order of priority):

  1. DC has the PDC Emulator role.

  2. DC has the Domain Naming Master role or Schema Master role in the forest.

  3. DC has the RID Master role in the domain.

  4. DC is a DNS server in the domain.

  5. DC resides in the largest Active Directory® site (as compared to other DCs in the domain).

 

How does Recovery Manager for Active Directory isolate domain controllers during forest recovery?

The overall success of a domain or forest recovery operation very much depends on the domain controllers being restored from backups. Not only it is important to ensure these domain controllers are restored from recent and trusted backups, it is also necessary to temporarily isolate these domain controllers to guarantee that no dangerous or unwanted data will be replicated to them from their replication partners and to block requests to Active Directory® from client workstations during the recovery. Recovery Manager for Active Directory isolates domain controllers by creating a service dependency and using custom Internet Protocol security (IPSec) rules.

Before isolating the domain controllers being restored from backups, Recovery Manager for Active Directory backs up the IPSec settings existing in your environment to revert to these settings later.

Then, at the recovery step named Enable domain controller isolation, Recovery Manager for Active Directory does the following:

  1. Establishes a dependency between the IPsec Policy Agent (PolicyAgent) service and the Active Directory Domain Services (NTDS) service. As a result, the Active Directory Domain Services service cannot start until the IPsec Policy Agent service starts.

  2. Activates a number of custom IPSec rules defined in the IsolateDC.bat file.

The IsolateDC.bat file is located in the Recovery Manager for Active Directory installation folder (by default, this is %ProgramFiles%\Quest\Recovery Manager for Active Directory). The IPSec rules defined in the IsolateDC.bat file block all IP traffic between the domain controllers and their replication partners, except for the IP traffic generated by the following tools/services:

  • Remote Desktop Connection client

  • Ping command

  • File sharing services

  • Domain Naming System

These IPSec rules also apply to the IP traffic from the domain controllers to the Forest Recovery Console computer. Traffic from the Forest Recovery Console computer to the domain controllers is not affected by these IPSec rules.

Note

You can edit the IsolateDC.bat file to define the IPSec rules that become active during recovery. However, we cannot guarantee that problems that may occur if you incorrectly edit the IsolateDC.bat file can be solved. Edit the IsolateDC.bat file at your own risk.

At the recovery step named Ensure that domain controller isolation is disabled, Recovery Manager for Active Directory removes the dependency between the Active Directory Domain Services service and the NTDS service and uses the UnisolateDC.bat file to revert to the pre-recovery IPSec settings.

The UnisolateDC.bat file is located in the Recovery Manager for Active Directory installation folder (by default, this is %ProgramFiles%\Quest\Recovery Manager for Active Directory).

 

How does Recovery Manager for Active Directory select a DC to add the global catalog during forest recovery?

When recovering an Active Directory® forest, Recovery Manager for Active Directory adds the global catalog to the DCs that acted as global catalog servers before the recovery, provided that these DCs were successfully restored from backup.

If none of DCs that acted as global catalog servers before the recovery were successfully restored from backup, Recovery Manager for Active Directory adds the global catalog to the DC which was assigned the Schema Master role during the recovery.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating