Backups created with Recovery Manager for Active Directory can be stored in multiple locations. Primary storage of backups allows for backup files to be saved on a distributed network, or on selected computers with physically restricted access. Recovery Manager considers these locations as primary storage and is referred to as Tier 1 storage.
Recovery Manager for Active Directory provides options for primary storage in local and remote locations. Local storage is refers to storage on the Recovery Manager console computer, where remote storage is storage on the backed up domain controller or other remote servers on network shares. These locations are remote due to not being on the Recovery Manager console computer. See the Local Storage tab and Remote Storage tab. For both local and remote storage locations, a primary backup path can be provided and an alternate backup path.
Primary storage is for the original backup files to be saved to the a safe location. For primary storage, the backup agent creates the backup file, compresses the data and then the file is saved to the configured storage locations. In the diagram below see line number 1 to view the process that is taken to save the backup file to primary storage locations. The RPC protocol is used to save backups files to the console computer. For saving to remote storage locations SMB protocols are used.
The figure illustrates how Recovery Manager for Active Directory creates and saves backup files to primary storage locations.
NOTE |
For Recovery Manager for Active Directory 10.1 or higher: Make sure that you use the Backup Agent version supplied with this release of Recovery Manager for Active Directory. |
Recovery Manager for Active Directory employs a Backup Agent to back up remote domain controllers and AD LDS (ADAM) hosts. This is because some backup APIs provided by the operating system cannot be used to access a target domain controller or AD LDS (ADAM) host from the Recovery Manager Console. Therefore, Backup Agent must be installed on a remote domain controller or AD LDS (ADAM) host in order to gain access to its specific objects. RMAD can automatically install Backup Agent before starting a backup, and remove it upon the completion of backup operation. Alternatively, you can preinstall Backup Agent manually. For more information on the advantages of using preinstalled Backup Agent, see Using preinstalled Backup Agent below.
The Recovery Manager for Active Directory (RMAD) employs a Backup Agent when creating backups. The Backup Agent is installed on domain controllers DC1 and DC2 and compresses the data and transfers the compressed data to storage location.
Since Backup Agent compresses the data before sending it over the network, the network load is decreased significantly. The average compression ratio is 7:1. The use of Backup Agent also provides increased scalability and performance by allowing the creation of backups on multiple domain controllers in parallel.
RMAD allows to run Backup Agent in the security context of a specific user account. Since RMAD needs administrative access to the domain controller in order to run Backup Agent, the account under which RMAD is running must belong to the Administrators group on that domain controller or AD LDS (ADAM) host, providing administrative access to the entire domain. If RMAD cannot be started under such an account, separate credentials (user logon name and password) should be specified, so that Backup Agent is run under an account that has sufficient privileges.
RMAD allows you to back up Computer Collections using Backup Agent manually preinstalled on each target domain controller. This method enables you to
Perform a backup operation without having domain administrator privileges. It is sufficient if RMAD runs under a backup operator's credentials.
Reduce network traffic when backing up the Computer Collection.
Back up domain controllers in domains that have no trust relationships established with the domain in which RMAD is running, solving the so-called “no trust” problem.
NOTE |
For Recovery Manager for Active Directory 10.3 or higher, the option to Use preinstalled Backup Agent is selected by default for all new computer collections. |
Recovery Manager for Active Directory (RMAD) enables the recovery of a portion of the directory or the entire directory, in the event of corruption or inadvertent modification. The granular, object-level, online restore may also be used to undelete directory objects. These powerful, security-sensitive functions of RMAD should only be performed by highly trusted directory administrators.
If certain objects are inadvertently deleted or modified in Active Directory, they can be restored from a backup of domain controller’s Active Directory® components, without restarting the domain controller or affecting other objects. If the Active Directory® database on a particular domain controller has been corrupted, the entire database can be restored from a Active Directory® backup created for that domain controller. All the restore operations are administered remotely.
Recovery Manager for Active Directory offers the following restore methods:
Granular online restore. Allows you to select Active Directory® objects from a backup, and then restore them to Active Directory®. This method allows for the recovery of individual Active Directory® objects, and selected attribute values in Active Directory® objects, with the least amount of administrative effort.
Complete offline restore. Restarts the target domain controller in Directory Services Restore mode, restores the Active Directory® database from the selected backup, and then restarts the domain controller in normal operational mode. This method enables the recovery of the entire Active Directory® database on a domain controller, and is most useful when recovering from database corruption.
Recovery Manager for Active Directory supports granular online restore from BMR backups.
Recovery Manager for Active Directory (RMAD) enables the recovery of Group Policy data from corruption or inadvertent modification, which can be caused by either hardware failure or human error.
If specific Group Policy objects or links are inadvertently deleted or modified, they can be restored from a backup of a domain controller’s Active Directory® components, without restoring the entire Active Directory®, restarting the domain controller, or affecting other objects.
Recovery Manager for Active Directory includes the following options for Group Policy recovery:
Policy settings restore. If the Group Policy object was modified since the backup was created, this option restores all policy settings to the state they were in at the time of the backup. If the Group Policy object was deleted, this option creates a new object with the same name and policy settings as the backed-up object.
Security settings restore. Restores all security information contained in the Group Policy object. As a result, all users and security groups receive the access permissions that were specified in the Group Policy object at the time it was backed up.
GPO links restore. Restores all links associated with the Group Policy object to the state they were in at the time the backup was created. As a result, the object is once again used by the same sites, domains, and organizational units that were linked to it at the time the backup was created.
Comparison reports. Shows whether Group Policy object was deleted or modified since the backup time.
You can use any combination of these options. For example, suppose some links to a Group Policy object are accidentally deleted. If your backup contains an outdated version of the Group Policy object, you can restore only the links, without restoring the policy settings or security settings.
To eliminate downtime when recovering Group Policy, RMAD provides the Group Policy Restore method. This method allows individual Group Policy objects to be restored to a selected domain controller. The operation can be performed on any domain controller that can be accessed remotely. Using this method, domain controllers do not need to be restarted, and only those objects selected for recovery are affected.
For this type of restore, it is not necessary to create any special backups; you may use any regular backup of domain controller’s Active Directory® components.
A Group Policy Restore is particularly helpful when critical Group Policy objects or links have been inadvertently deleted or changed. To recover from such situations, you may carry out a Group Policy Restore to a domain controller using a Active Directory® backup that was created before the objects in question were deleted or modified.
Group Policy Restore allows you to roll back changes made to Group Policy information, and return individual Group Policy objects to the state they were in when the backup was created. It is important to note that a Group Policy Restore only affects the object selected for recovery, and optionally, the links to that object. Any objects that are not involved in the operation remain unchanged in the domain.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center