Chat now with support
Chat with Support

Recovery Manager for AD 10.0.1 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Icons in the user interface Getting and using help Configuring Windows Firewall Using Computer Collections Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Creating backups Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up System State components Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Fault tolerance Consolidating backup registration data Monitoring Recovery Manager for Active Directory Using Management Shell Collecting diagnostic data for technical support Using Recovery Manager for Active Directory Web Interface Appendices
Frequently asked questions Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Creating backups

Both types of backups can be created for any Active Directory domain controller available on the network. Backup creation is a task that can be performed on a regular basis without interrupting the operation of the domain controller.

Recovery Manager for Active Directory lets you organize domain controllers into collections, and establish a backup scheduling frequency and “allowed hours” during which the backup process may run. Based on the frequency of updates to the directory data store, you can configure a backup schedule for each collection.

Depending on the requirements of your enterprise, you can configure a retention policy to specify how many backups are retained: for example, all saved backups or a number of the most recent backups. Different policy settings can be specified for different domain controller collections.

For System State data backups, it is not necessary to maintain a single, centralized repository: several repositories, perhaps based on the site topology, can make your deployment more WAN-friendly. To minimize bandwidth consumption, Recovery Manager for Active Directory employs agents that compress the data to be backed up, before sending it across the network.

Recovery Manager for Active Directory uses the Microsoft Tape Format (MTF) for System State backup files. Therefore, MTF-compliant backup applications can catalog the backup files and restore data backed up with Recovery Manager for Active Directory. For example, backed up data can be restored with the Windows backup tools, if no compression and encryption is used during the backup creation.

Backup encryption

Recovery Manager for Active Directory allows backups to be encrypted and protected with a password, to prevent unauthorized access. This password is used to generate a passphrase with which the backup is encrypted. The password cannot be used directly to unlock the backup container *.vhd(x) file.

For System State backup encryption, the product uses Microsoft’s implementation of the AES-256 algorithm from RSA, Inc. (Microsoft Enhanced RSA and AES Cryptographic Provider), with the maximum cipher strength. The use of the Microsoft Enhanced RSA and AES Cryptographic Provider ensures that backups are encrypted with 256–bit cipher strength

Creating unpacked backups

You can have Recovery Manager for Active Directory keep unpacked Active Directory or AD LDS (ADAM) backups in any appropriate location on your network.

Unpacked backups can be reused for subsequent starts of the Online Restore Wizard or Group Policy Restore Wizard. The use of unpacked backups accelerates the backup data preparation step of those wizards, because the unpacking process may be a lengthy operation.

Using third-party backups

Recovery Manager for Active Directory makes it possible to use Active Directory or AD LDS (ADAM) backups created with third-party backup tools. Before using this feature, unpack the backup to an alternate location with the corresponding third-party backup tool, and then register the database file (ntds.dit or adamntds.dit) using the Online Restore Wizard or Online Restore Wizard for AD LDS (ADAM), respectively.

Cross-domain backup of group membership

When backing up Global Catalog servers, you have the option to force Recovery Manager for Active Directory to collect group membership information from all domains within the Active Directory forest. This option ensures that group membership spanning multiple domains is fully backed up.

It is recommended that you restore objects from Global Catalog backups that were created with this option. Otherwise, restored objects may not retrieve their membership in some local groups, because even Global Catalog servers do not store full information about group memberships. For example, information about membership in domain local groups is only stored in the home domains of those groups.

Considerations for backing up Active Directory

In an Active Directory environment, each domain controller maintains its own Active Directory database. Therefore, a backup of the Active Directory database is domain controller-specific. To completely back up Active Directory, you must back up the directory database on every domain controller.

To restore deleted or corrupted objects, it is recommended to back up at least two domain controllers for each domain for redundancy. If you intend to restore cross-domain group membership information, then it is also necessary to back up a global catalog server.

Another reason for backing up the directory database on every domain controller is loose consistency. Replication of changes made to Active Directory does not occur immediately. The replication process first accumulates all changes, and then provides them to the participating domain controllers. As a result, the directory database on any domain controller is normally in a state of loose consistency. The directory object data on individual domain controllers differs to some extent, given that replication updates are either in transit between domain controllers, or waiting to be initiated.

The age of the backup must also be considered. Active Directory prevents the restoration of data older than the “tombstone lifetime”—a setting specified in Active Directory. Because of this, an Active Directory backup should be created at least once within the tombstone lifetime. However, it is strongly recommended that backups of the directory database be created more often than this.

Backup Agent

Recovery Manager for Active Directory employs a Backup Agent to back up remote domain controllers and AD LDS (ADAM) hosts. This is because some backup APIs provided by the operating system cannot be used to access a target domain controller or AD LDS (ADAM) host from the Recovery Manager Console. Therefore, Backup Agent must be installed on a remote domain controller or AD LDS (ADAM) host in order to gain access to its specific objects. Recovery Manager for Active Directory can automatically install Backup Agent before starting a backup, and remove it upon the completion of backup operation. Alternatively, you can preinstall Backup Agent manually. For more information on the advantages of using preinstalled Backup Agent, see Using preinstalled Backup Agent below.

Figure 1: Backup Agents

The figure above illustrates how Recovery Manager for Active Directory employs Backup Agent when creating backups. Backup Agent is installed on domain controllers DC1 and DC2. Backup Agent compresses the local data and sends it to the computer running Recovery Manager for Active Directory, which in turn transfers the compressed data to the backup repository (Central Storage Location).

Since Backup Agent compresses the data before sending it over the network, the network load is decreased significantly. The average compression ratio is 7:1. The use of Backup Agent also provides increased scalability and performance by allowing the creation of backups on multiple domain controllers in parallel.

Separate credentials for Backup Agent

Recovery Manager for Active Directory allows to run Backup Agent in the security context of a specific user account. Since Recovery Manager for Active Directory needs administrative access to the domain controller in order to run Backup Agent, the account under which Recovery Manager for Active Directory is running must belong to the Administrators group on that domain controller or AD LDS (ADAM) host, providing administrative access to the entire domain. If Recovery Manager for Active Directory cannot be started under such an account, separate credentials (user logon name and password) should be specified, so that Backup Agent is run under an account that has sufficient privileges.

Using preinstalled Backup Agent

Recovery Manager for Active Directory allows you to back up Computer Collections using Backup Agent manually preinstalled on each target domain controller. This method enables you to

  • Perform a backup operation without having domain administrator privileges. It is sufficient if Recovery Manager for Active Directory runs under a backup operator's credentials.
  • Reduce network traffic when backing up the Computer Collection.
  • Back up domain controllers in domains that have no trust relationships established with the domain in which Recovery Manager for Active Directory is running, solving the so-called “no trust” problem.

Recovering Active Directory

Recovery Manager for Active Directory enables the recovery of a portion of the directory or the entire directory, in the event of corruption or inadvertent modification. The granular, object-level, online restore may also be used to undelete directory objects. These powerful, security-sensitive functions of Recovery Manager for Active Directory should only be performed by highly trusted directory administrators.

Figure 2: Recovering Active Directory

If certain objects are inadvertently deleted or modified in Active Directory, they can be restored from a backup of a domain controller’s System State, without restarting the domain controller or affecting other objects. If the Active Directory database on a particular domain controller has been corrupted, the entire database can be restored from a System State backup created for that domain controller. All the restore operations are administered remotely.

Recovery Manager for Active Directory offers the following restore methods:

  • Granular online restore. Allows you to select Active Directory objects from a backup, and then restore them to Active Directory. This method allows for the recovery of individual Active Directory objects, and selected attribute values in Active Directory objects, with the least amount of administrative effort.
  • Complete offline restore. Restarts the target domain controller in Directory Services Restore mode, restores the Active Directory database from the selected backup, and then restarts the domain controller in normal operational mode. This method enables the recovery of the entire Active Directory database on a domain controller, and is most useful when recovering from database corruption.

Active Directory recovery options

Recovery Manager for Active Directory enables the fast recovery of Active Directory from a disaster. The flowchart below indicates the most suitable recovery method depending on the type of disaster, which could be data corruption, database corruption or complete Active Directory corruption.

Data corruption occurs when directory objects have been inadvertently deleted or modified, and the deletion or modification has replicated to other domain controllers within the environment.

Database corruption refers to a situation in which an Active Directory failure prevents a domain controller from starting in normal mode, or a hardware problem such as hard disk corruption on a domain controller.

Also you may experience complete Active directory corruption due to the Active Directory environment has been attacked by ransomware, or all domain controllers in the forest have been physically destroyed, etc.

Recovery Manager for Active Directory offers the following methods for restoring Active Directory object data on a domain controller:

  • Granular online restore
  • Complete offline restore

Granular online restore is the most advanced method, allowing you to restore individual directory objects from a backup, without restarting the target domain controller or affecting other directory objects.

Complete offline restore only allows you to restore the entire Active Directory database on a domain controller while Active Directory is offline. To take Active Directory offline, Recovery Manager for Active Directory restarts the domain controller in Directory Services Restore Mode (DSRM), resulting in a period of downtime. In addition, complete offline restore affects all directory objects on the target domain controller, which may result in the loss of some of the most recent updates.

All restore operations are remotely administered, so there is no need for an administrator to be physically present at the domain controller. In most cases, it will not be necessary to shut down the domain controller in order to perform the restore: it remains online and functional throughout the recovery.

Granular online restore

To achieve near-zero downtime when recovering Active Directory, Recovery Manager for Active Directory provides the granular online restore method. Two options are available with this method:

  • Compare, restore, and report changes in Active Directory. With this option, you can restore particular objects from a backup, and select the necessary objects based on a per-attribute comparison of the objects in a backup with those in Active Directory. Comparison reports are also available.
  • Compare two backups and report differences. With this option, you can make a per-attribute comparison of the objects in two Active Directory backups. Comparison reports allow you to view the object modifications made in the period between the backups.

The granular online restore method allows you to retrieve individual directory objects from a backup, and then restore them to a domain controller. The operation can be performed on any domain controller that can be accessed remotely. In addition, granular online restore does not require you to restart the target domain controller, nor does it affect any directory objects that are not selected for recovery.

In addition to selectively restoring individual Active Directory objects, the granular online restore method allows you to selectively restore individual attributes of objects in Active Directory, such as the User Password, Group Membership, or User Certificate attributes of a User object. The ability to restore selected attributes ensures that valuable changes, made to Active Directory objects since the time the backup was created, are not overridden. This provides the flexibility to efficiently resolve potential problems that may result from the improper modification of individual attributes of Active Directory objects.

The granular online restore should be used in situations where important object data has been inadvertently deleted or changed in Active Directory, and the changes have been propagated to other domain controllers. To recover from such an event, you can carry out a granular online restore to Active Directory using a backup that was created before the objects in question were deleted or modified.

After Recovery Manager for Active Directory completes a granular online restore on the target domain controller, the restored objects are replicated to the other domain controllers via the normal replication process. Given that the objects recovered by a granular online restore have a higher version number, recently deleted or modified object data is ignored during replication.

Granular online restore allows you to roll back changes made to Active Directory, and return individual directory objects and attributes to the state they were in when the backup was created. It is important to note that a granular online restore only affects the objects and attributes selected for recovery. All other objects remain unchanged in Active Directory. Furthermore, if the value of an attribute in Active Directory is identical to the value it has in the backup, the granular online restore does not attempt to change the attribute.

A granular online restore is especially useful when you need to recover some directory objects in a short period. For example, suppose a user account is accidentally deleted from Active Directory, but exists in a backup. To recover that user account, you can perform a granular online restore, selecting the user account from the backup. The selected user account is restored to Active Directory with the same properties and permissions that it had when the backup was created. No other user accounts are affected.

Undeleting (reanimating) objects

With Recovery Manager for Active Directory, you can selectively recover deleted Active Directory objects by undeleting (reanimating) them. To undelete (reanimate) an object, Recovery Manager for Active Directory fully relies on the functionality provided by Active Directory, therefore to use this method you need no Active Directory backups. Note that you can only undelete objects in an Active Directory forest whose functional level is higher than Windows 2000.

The result of the undelete operation performed on an object depends on whether Microsoft’s Active Directory Recycle Bin feature is enabled or disabled in your environment. Microsoft’s Active Directory Recycle Bin is a new feature that first appeared in the Windows Server 2008 R2 operating system. For more information on Microsoft’s Active Directory Recycle Bin feature, see What's New in AD DS: Active Directory Recycle Bin (http://go.microsoft.com/fwlink/?LinkId=141392).

In an Active Directory environment where Microsoft’s Active Directory Recycle Bin feature is not supported or disabled, a deleted object is retained in Active Directory for a specified configurable period of time that is called tombstone lifetime. A deleted object becomes a tombstone that retains only a partial set of the object’s attributes that existed prior to deletion. During that period, you can use Recovery Manager for Active Directory to undelete (reanimate) the object. Performing the undelete operation on the object will only recover the object’s attributes retained in the tombstone.

When an object is deleted in a forest where Microsoft’s Active Directory Recycle Bin feature is enabled, the object goes through the following states:

  • Deleted state. The object retains all its attributes, links, and group memberships that existed immediately before the moment of deletion. The object remains in this state for a specified configurable period of time that is called deleted object lifetime. When the applicable deleted object lifetime period expires, the object is transferred to the next state—“recycled”.

While an object remains in the “deleted” state, you can use Recovery Manager for Active Directory to undelete (reanimate) the object with all its attributes, links, and group memberships that existed immediately before the moment of deletion.

Alternatively, you can authoritatively restore the object to its backed-up state from a backup created with Recovery Manager for Active Directory.

If necessary, you can use Recovery Manager for Active Directory to override the applicable deleted object lifetime setting and manually change a deleted object’s state from “deleted” to “recycled” by using a cmdlet provided by the Recovery Manager for Active Directory Management Shell.

  • Recycled state. After a deleted object is transferred to the “recycled” state, most of the object’s attributes are purged (stripped away), and the object retains only those few attributes that are essential to replicate the object’s new state to other domain controllers in the forest. The object remains in the recycled state for a specified configurable period of time that is called recycled object lifetime.

To manage recycled objects, you can use the Deleted Objects container provided by Recovery Manager for Active Directory. In this container, you can view a list of all recycled objects in the domain, selectively recycle deleted objects, and recover recycled objects from backups created with Recovery Manager for Active Directory.

Complete offline restore

You can use complete offline restore to restore the entire Active Directory database from backup media without reinstalling the operating system or reconfiguring the domain controller. The restore can be performed on any domain controller that can be accessed remotely. By default, this operation restores all directory objects on the target domain controller non-authoritatively. This means that the restored data is then updated via normal replication. A non-authoritative restore is typically used to restore a domain controller that has completely failed due to hardware or software problems.

A complete offline restore also allows you to mark individual objects for authoritative restore. However, given that the granular online restore process provides the same functionality with much less effort and overhead, it is the recommend method for restoring individual objects to Active Directory.

During the final stage of a complete offline restore, the recovered domain controller is restarted in normal operational mode. Normal replication then updates the domain controller with all changes not overridden by the authoritative restore. It is important to note that until the replication update has completed, some of the directory object data held on the recovered domain controller may be unreliable. Therefore, execution of a complete offline restore may result in additional downtime due to replication delays.

There is one other consideration to make when performing a non-authoritative restore. The restored domain controller may lose information about the directory updates that were made after it was backed up. For example, suppose that some directory objects were added or modified on the domain controller after the backup was created, but the new objects or modifications were not replicated to other domain controllers due to network problems. In this case, when the domain controller is restored, the new objects or modifications will be lost, because they were never replicated to other domain controllers, and therefore cannot be applied to the restored domain controller.

Related Documents