Chat now with support
Chat with Support

Recovery Manager for AD 10.0.1 - Deployment Guide

Agentless method

Table 4: Table 1:Advantages and limitations of the agentless method

Advantages Limitations
  • The use of LDAP functions makes the wizard operations less intrusive on the domain controller.
  • You do not need to have administrator rights to perform the restore and compare operations.
To restore some object attributes, such as User Password and SID History, you need to modify the Active Directory schema. For more information, see “Restoring Passwords and SID History” in the User Cuide.

Permissions required for agentless method

The account with which Recovery Manager for Active Directory accesses the target domain controller must have specific permissions to perform data restore task

Table 5: Table 2: Required permissions

Task Required permissions
Restore object attributes Write access to the attributes to be restored
Restore a deleted object
  • Reanimate Tombstone control access right.
  • Write access to each attribute to be updated during the restore.
  • Child-creation rights on the destination container for the class of the object to be restored.
Restore cross-domain group memberships Write access to universal and domain local groups in other domains.

Agent-based method

Table 6: Advantages and limitations of the agent-based method

Advantages Limitations
  • Allows you to compare and restore any objects (including deleted ones) and any attributes (including User Password and SID History).
  • A restore operation can be performed on a domain controller running any version of the Windows operating system supported by Recovery Manager for Active Directory.
  • The agent-based method of restoration is generally faster than the agentless method.
  • The target domain controller must be the same as the backup source.
  • The user account used to access the target domain controller must have domain administrator rights and be a member of the Backup Operators group in case the target domain controller is running Windows Server 2003.
  • Recovery Manager for Active Directory automatically installs Restore Agent (the file RstAgent.exe) before starting a restore and automatically removes it on completion. The size of the file RstAgent.exe is about 380,000 bytes

Permissions required for agent-based method

The account with which Recovery Manager for Active Directory accesses the target domain controller must:

  • Have sufficient permissions to copy files to the target domain controller.
  • Be Access Service Control Manager on the target domain controller.
  • Have the Write access to universal and domain local groups in other domains (only for restoring crossdomain group memberships).

To meet the above requirements, the account must be a member of

  • Administrators local group on each target domain controller
  • Backup Operators or Domain Admins group on each target domain controller that runs Windows Server 2003 or a later version of Windows.

Restoring passwords and SID history

When undeleting an object by using the agentless method, the Online Restore Wizard employs LDAP functions along with the Restore Deleted Objects feature provided by the Windows operating system. This feature restores only the attributes preserved in the object’s tombstone. The other attributes are restored from a backup. However, some attributes, such as Password and SID History cannot be written using LDAP functions, and thus cannot be restored from a backup via the agentless method.

In many situations, the inability to restore the Password attribute from a backup is not a big problem as an object’s password can be reset after restoring the object. As for the SID History attribute, its restoration may be business-critical. An example is a situation where the domain from which the object was migrated is unavailable or decommissioned, and therefore SID History cannot be re-added.

To enable the restoration of these two attributes using the agentless method, the Active Directory schema may be modified so that these attributes are preserved in object tombstones. As a result, an undeleted object has the same Password and SID History as the object had when it was deleted.

As this solution requires schema modifications, it should be carefully considered. Microsoft recommends modifying or extending the schema only in extreme situations. Proceed with extreme caution, because making a mistake may render the directory service unstable, resulting in a reinstallation.

Often, organizations are reluctant to make changes to the schema because schema modifications may result in heavy replication traffic. It is not the case for the schema modifications described in this article as they do not affect the partial attribute set (PAS).

Note: Recovery Manager for Active Directory also provides an agent-based method for restoring or undeleting objects. With the agent-based method any attributes can be restored. The agent-based method does not require any schema modifications.

Preserving passwords and SID history in object tombstones

To preserve passwords and SID history in object tombstones, complete the following steps:

Related Documents