
Recovery Manager for AD 10.0.1 - User Guide


Stopping online restore

If you choose to stop the online restore operation, the wizard neither forces replication nor restores linked attributes.

This choice implies that you wait until the undeleted objects have replicated to all domain controllers, and then restore those objects once more using the wizard. In that second run, the wizard's second path is used to restore the linked attributes (for example, group membership) on the undeleted objects. Stop the operation if forcing replication in your domain is not acceptable for some reason, but you still want to be sure that linked attributes are represented correctly on all domain controllers.
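The scenario above relies on you knowing when the undeleted objects have actually reached every domain controller before you run the wizard a second time. The following PowerShell, added here as an example and not part of Recovery Manager for Active Directory, performs that check read-only: it queries every domain controller for the object by objectGUID (which survives deletion and undeletion, unlike the DN) and reports whether each DC holds it as a live object, still as a tombstone, or not at all. It never triggers replication, which is the point of stopping the wizard in the first place. The ActiveDirectory RSAT module is assumed, and the GUID in the usage line is a placeholder.

```powershell
# Added example (not Quest's code): wait until an undeleted object is live on every DC
# before running the Online Restore Wizard's second pass for linked attributes.
# Requires the ActiveDirectory module (RSAT). Read-only; it does not force replication.
Import-Module ActiveDirectory

function Get-ObjectStateOnAllDCs {
    param(
        [Parameter(Mandatory)] [guid] $ObjectGuid,            # objectGUID is stable across delete/undelete
        [string] $Domain = (Get-ADDomain).DNSRoot
    )
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            # -IncludeDeletedObjects lets a not-yet-reanimated tombstone show up as isDeleted=TRUE
            $obj = Get-ADObject -Identity $ObjectGuid -Server $dc.HostName `
                       -IncludeDeletedObjects -Properties isDeleted, whenChanged -ErrorAction Stop
            $state   = if ($obj.isDeleted) { 'Tombstone' } else { 'Live' }
            $changed = $obj.whenChanged
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $state = 'Missing'; $changed = $null
        } catch {
            $state = "Unreachable: $($_.Exception.Message)"; $changed = $null
        }
        [pscustomobject]@{ DC = $dc.HostName; State = $state; WhenChanged = $changed }
    }
}

function Wait-ObjectConverged {
    param(
        [Parameter(Mandatory)] [guid] $ObjectGuid,
        [int] $TimeoutMinutes = 30,
        [int] $PollSeconds    = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $states  = Get-ObjectStateOnAllDCs -ObjectGuid $ObjectGuid
        $states | Format-Table -AutoSize | Out-String | Write-Verbose
        $pending = @($states | Where-Object State -ne 'Live')
        if ($pending.Count -eq 0) { return $true }    # every DC has the object live: second pass is safe
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Not converged after $TimeoutMinutes min; still pending on: $($pending.DC -join ', ')"
    return $false
}

# Usage (placeholder GUID). Take objectGUID from the wizard's report, or look it up with
#   Get-ADObject -Filter { name -eq 'jdoe' } -IncludeDeletedObjects
# Wait-ObjectConverged -ObjectGuid '11111111-2222-3333-4444-555555555555' -Verbose
```

A DC that reports "Tombstone" has received the deletion but not yet the undeletion, which is exactly the state in which restoring linked attributes there would fail or be overwritten; only start the wizard's second pass once every DC reports "Live".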

Using agentless or agent-based method

When comparing or restoring Active Directory objects with the Online Restore Wizard, you can choose whether to use LDAP functions only (Agentless method) or Online Restore Agent (Agent-based method).

Note that some AD DS and AD LDS (ADAM) object attributes cannot be restored by using Recovery Manager for Active Directory. For more information on these attributes, see Quest Knowledge Base Article 59039 “AD DS and AD LDS Object Attributes That Recovery Manager for Active Directory Cannot Restore” at support.quest.com.

The following table contains performance test results of agentless and agent-based restore operations on a machine running Windows Server 2008 R2. The agent-based restore is performed by a single Online Restore Agent instance.

Configuration of the test lab:

Operating System          CPU                                   RAM (GB)
Windows Server 2008 R2    2 x Intel Xeon E5-2651 v2, 1.8 GHz    7.5

Performance test results:

Recovery method       Number of objects   Required time
Agent-based restore   1000                20 - 40 sec
Agent-based restore   10000               4 - 6 min
Agent-based restore   50000               23 - 34 min
Agentless restore     1000                40 - 70 sec
Agentless restore     10000               6 - 10 min
Agentless restore     50000               30 - 50 min

Agentless method

The method that uses LDAP functions only is referred to as the agentless method. It has both advantages and limitations. Using LDAP functions makes the wizard's operations less intrusive on the domain controller: nothing is installed on it. You can also explicitly choose the target domain controller, and you can perform restore and compare operations without having administrative access to that domain controller.

However, some object attributes, such as User Password and SID History, cannot be compared or restored.

The ability to perform an online restore using the agentless method builds on the Restore Deleted Objects feature. This feature extends the LDAP API to enable the restoration of deleted objects. However, this feature restores only the essential attributes required for the object's existence. Other attributes, such as those relating to membership in security and distribution groups, must be restored from a backup.
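To make the paragraph above concrete, here is the LDAP operation it refers to, done by hand in PowerShell with System.DirectoryServices.Protocols. This is an added example, not code from Recovery Manager for Active Directory: a tombstone is reanimated by a single LDAP Modify that removes isDeleted and replaces distinguishedName, sent with the Show Deleted control. After the modify, the function reads the object back and reports whether memberOf is present, which illustrates why group membership must come from a backup. The domain controller name, tombstone DN and target DN are placeholders.

```powershell
# Added example (not Quest's code): the LDAP "Restore Deleted Objects" (tombstone
# reanimation) operation that the agentless method builds on. Placeholders:
# $DomainController, $TombstoneDn, $TargetDn. The caller needs the "Reanimate Tombstones"
# control access right on the partition; no administrative rights on the DC are required.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-TombstoneViaLdap {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # e.g. dc01.corp.example (placeholder)
        [Parameter(Mandatory)] [string] $TombstoneDn,        # CN=jdoe\0ADEL:<guid>,CN=Deleted Objects,DC=corp,DC=example
        [Parameter(Mandatory)] [string] $TargetDn            # CN=jdoe,OU=Staff,DC=corp,DC=example
    )
    # Explicitly chosen target DC; Negotiate (Kerberos) bind as the calling user, signed and sealed.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($DomainController)
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()

    # Modification 1: remove isDeleted (no values = delete the whole attribute)
    $delIsDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $delIsDeleted.Name      = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    # Modification 2: move the object back out of CN=Deleted Objects by replacing its DN
    $setDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $setDn.Name      = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$setDn.Add($TargetDn)

    # Both modifications must travel in ONE Modify request, addressed to the tombstone,
    # with the Show Deleted control (OID 1.2.840.113556.1.4.417) so the DC exposes it.
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $TombstoneDn
    [void]$req.Modifications.Add($delIsDeleted)
    [void]$req.Modifications.Add($setDn)
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

    $resp = $conn.SendRequest($req)
    if ($resp.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
        throw "Reanimation failed: $($resp.ResultCode) $($resp.ErrorMessage)"
    }

    # Read the reanimated object back. Only the attributes preserved on the tombstone
    # (objectGUID, objectSid, sAMAccountName, ...) are present; on a plain tombstone
    # (no AD Recycle Bin) linked attributes such as memberOf do not come back.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest
    $search.DistinguishedName = $TargetDn
    $search.Filter = '(objectClass=*)'
    $search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
    $entry = $conn.SendRequest($search).Entries[0]

    [pscustomobject]@{
        DistinguishedName = $entry.DistinguishedName
        Attributes        = @($entry.Attributes.AttributeNames)
        HasMemberOf       = $entry.Attributes.Contains('memberOf')   # expect $false without Recycle Bin
    }
}

# Usage (placeholders):
# Restore-TombstoneViaLdap -DomainController 'dc01.corp.example' `
#     -TombstoneDn 'CN=jdoe\0ADEL:...,CN=Deleted Objects,DC=corp,DC=example' `
#     -TargetDn 'CN=jdoe,OU=Staff,DC=corp,DC=example'
```

The result object makes the limitation visible: the reanimated user keeps its SID and account name, so it can be restored without a backup at all, but HasMemberOf is false and unicodePwd and sIDHistory are likewise absent, which is why the wizard restores those from the backup and why User Password and SID History cannot be handled agentlessly. If the AD Recycle Bin is enabled, deleted objects keep their links and the same modify restores them; the paragraph above describes the plain-tombstone case.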

With the agentless method, you can perform a restore without having administrative access to the target domain controller. For more information, see Performing a restore without having administrator privileges.

To use the agentless method

In the Online Restore Wizard, on the Domain Access Options page, make sure the Use agentless method to access domain controller check box is selected. This ensures that only LDAP functions are used to access the domain controller.

Agent-based method

To overcome the limitations of the agentless method, the Online Restore Wizard provides the alternative, agent-based method. With the agent-based method, you can compare and restore any objects (including deleted ones) and any attributes (including User Password and SID History). A restore can be performed on a domain controller running any operating system supported by Recovery Manager for Active Directory.

However, the agent-based method has the following drawbacks:

  • The target domain controller must be the one from which the backup was created; you cannot choose a different target domain controller for the restore and compare operations.
  • The restore or compare operation is more intrusive: Online Restore Agent is installed on the domain controller when you start the compare or restore operation in the Online Restore Wizard and removed when you close the wizard.
  • Domain administrator rights on the target domain controller are required.

NOTE: If Microsoft Defender Advanced Threat Protection (now Microsoft Defender for Endpoint) is enabled on the recovered domain controller, Recovery Manager for Active Directory cannot perform agent-based restore operations, because the attack surface reduction rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" blocks Online Restore Agent's access to Lsass.exe. To overcome this problem, either add an exception for Recovery Manager for Active Directory or disable the rule:

  • To add an exception (preferred, because the rule stays in force for every other process), run the following cmdlet in an administrative PowerShell session on the domain controller: Add-MpPreference -AttackSurfaceReductionOnlyExclusions "$env:SystemRoot\RecoveryManagerAD\EriAgent.exe"
  • To disable the rule, edit the group policy setting "Customize attack surface reduction rules" and set the value for the rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" to 0. This removes credential-theft protection for LSASS on every computer the policy applies to, so re-enable the rule as soon as the restore is complete.

If attack surface reduction rules are managed by Group Policy or Intune, a locally added exclusion is overridden by the policy, so add the exclusion in that policy instead. For details, see Customize attack surface reduction rules.
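The exception above is easy to add and easy to forget. The following PowerShell, added as an example and not part of Recovery Manager for Active Directory, wraps the cmdlet from the note so that the exclusion is scoped to the agent binary, verified after it is applied (a silent failure usually means the setting is policy-managed), and removed again when the restore is finished. It also reports the current state of the LSASS rule so you can confirm you did not need to disable it. The rule GUID is the one Microsoft publishes for this rule; the agent path is the one from the note.

```powershell
# Added example (not Quest's code): scope the Defender ASR exception to Online Restore Agent,
# verify it, and remove it after the agent-based restore. Run elevated on the target DC.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # "Block credential stealing from lsass.exe"
$AgentPath   = "$env:SystemRoot\RecoveryManagerAD\EriAgent.exe"   # path from the product note

function Get-LsassAsrRuleState {
    # Ids and Actions are parallel arrays; actions: 0 Disabled, 1 Block, 2 Audit, 6 Warn
    $p   = Get-MpPreference
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            switch ([int]$p.AttackSurfaceReductionRules_Actions[$i]) {
                0 { return 'Disabled' } 1 { return 'Block' } 2 { return 'Audit' } 6 { return 'Warn' }
                default { return "Unknown($_)" }
            }
        }
    }
    return 'NotConfigured'
}

function Enable-AgentAsrExclusion {
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $AgentPath
    $now = @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
    if ($now -notcontains $AgentPath) {
        throw "Exclusion for $AgentPath was not applied; ASR is probably managed by GPO/Intune, set it there."
    }
}

function Disable-AgentAsrExclusion {
    Remove-MpPreference -AttackSurfaceReductionOnlyExclusions $AgentPath
}

# Usage around one agent-based compare/restore:
Write-Host "LSASS ASR rule state before restore: $(Get-LsassAsrRuleState)"
Enable-AgentAsrExclusion
try {
    Read-Host 'Exclusion in place. Run the Online Restore Wizard (agent-based), then press Enter'
} finally {
    Disable-AgentAsrExclusion    # leave the DC as hardened as it was, even if the session is aborted
    Write-Host "Exclusion removed; LSASS ASR rule state: $(Get-LsassAsrRuleState)"
}
```

The check after Add-MpPreference matters: when ASR rules are deployed by policy, the local cmdlet succeeds but the policy value wins, and the restore will still fail. Keeping the rule in Block state and excluding only EriAgent.exe is the smaller change; disabling the rule domain-wide, as the second option in the note does, exposes LSASS on every domain controller the policy reaches.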

To use the agent-based method

In the Online Restore Wizard, on the Domain Access Options page, make sure the Use agentless method to access domain controller check box is cleared, so that Recovery Manager for Active Directory employs Online Restore Agent to perform the restore or compare operation.

To set a default method for compare and restore operations performed in the Online Restore Wizard

  1. Select the Recovery Manager for Active Directory console tree root.
  2. On the main menu, select Actions | Settings.

In the dialog box that opens, on the General tab, under Default method for compare and restore operations, select the preferred method, and click OK. You can still override the default method for an individual operation in the Online Restore Wizard.
