Chat now with support
Chat with Support

Recovery Manager for AD 10.0.1 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Icons in the user interface Getting and using help Configuring Windows Firewall Using Computer Collections Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Creating backups Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up System State components Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Fault tolerance Consolidating backup registration data Monitoring Recovery Manager for Active Directory Using Management Shell Collecting diagnostic data for technical support Using Recovery Manager for Active Directory Web Interface Appendices
Frequently asked questions Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Delegating restore or undelete permissions

You can delegate permissions to restore or undelete objects in specific Active Directory containers to the users or groups of your choice. These users or groups must reside in the Active Directory forest where the Recovery Manager Portal is installed and be assigned an appropriate portal role. For more information about portal roles, see Assigning roles to portal users.

To delegate restore permissions, you also must have a specific role in the Recovery Manager Portal. For details, see Assigning roles to portal users.

To delegate permissions

  1. Connect to the Recovery Manager Portal with your Web browser.
  2. In the Recovery Manager Portal, open the Configuration tab.
  3. Expand Active Directory Domains.
  4. Click the name of the domain that includes the containers on which you want to delegate permissions.
  5. Click Configure a list of delegates, and then expand the domain entry.
  6. Click the container on which you want to delegate permissions.
  7. Click Add, to specify delegates to the Users or groups list.
  8. In the dialog that opens, you can find and add users and groups from any trusted domain in the Active Directory forest.
    • If the account that you are adding is from the same domain:
      1. Enter the name and click the magnifying glass to search.
      2. Click Add next to the account you want to add.
    • If the account that you are adding is from a different domain:

      1. Click the domain name link next to 'Search in'.
      2. Select the domain where the account resides.
      3. Enter the name and click the magnifying glass to search.
      4. Click Add next to the account you want to add.

  9. Below the Users and groups list, select the operations you want to grant or deny to the added users or groups.
  10. When you are finished, click OK. If necessary, repeat steps 6-9 for other containers in the domain.

Configuring e-mail notification

You can configure the Recovery Manager Portal to send notification e-mails to specific recipients when the health state of any Recovery Manager for Active Directory instance with which the Recovery Manager Portal is configured to work changes from healthy to unhealthy or vice versa.

To configure e-mail notification

  1. Connect to the Recovery Manager Portal with your Web browser.
  2. In the Recovery Manager Portal, open the Configuration tab.
  3. Expand Portal Settings, and then click E-mail notification.
  4. Use the following options in the dialog box that opens:
    • Outgoing SMTP server. Type the fully qualified domain name (FQDN) or IP address of the SMTP server you want to use for sending notification e-mails.
    • SMTP port. Type the number of the port on which you want to connect to the server.
    • Sender e-mail address. Type the e-mail address you want to display in the From field of all notification e-mail messages.
    • Notification recipients. Here you can specify a list of notification recipients. To specify multiple values, use semicolon as the separator.
  5. User name and password. Type the user name and password of the user account you want to use to send notification e-mails from the SMTP server. The account must have the appropriate permissions.
  1. When you are finished, click OK to apply your settings.

How Recovery Manager Portal recovers data

Please consider the following behavior of the Recovery Manager Portal:

  • By default, the permissions to restore or undelete objects in an Active Directory domain are only granted to the members of the Domain Admins group in that domain. However, you can delegate the restore or undelete permissions to the portal users you want. For more information, see Delegating restore or undelete permissions.
  • By default, the Recovery Manager Portal uses the agent-based method for all search and restore operations, regardless of the settings configured on the Recovery Manager for Active Directory instance used to perform these operations. For more information about the agent-based method, see Agent-based method in Using agentless or agent-based method. You can change the portal settings to use the agentless method.

To use the agentless method

  1. Connect to the Recovery Manager Portal with your Web browser.
  2. In the Recovery Manager Portal, open the Configuration tab.
  3. Expand Portal Settings, and then select the Use agentless method for all search and restore operations check box.

To undelete an Active Directory object, the Recovery Manager Portal uses Microsoft’s Active Directory Recycle Bin feature if it is enabled in the target forest. If this feature is unavailable, the Recovery Manager Portal restores the object from the latest available unpacked backup that includes the object before its deletion.

Integration with On Demand Recovery

Integrating with On Demand Recovery

You can use On Demand Recovery to restore on-premises objects that are synchronized with cloud.

What can be restored using the hybrid configuration

  • On-premises groups
  • Office 365 licenses (assignedLicenses property for cloud users) and cloud group membership
  • Deleted on-premises users and groups
  • Service principals' appRoleAssignments to on-premises users
  • appRoleAssignments to non-Office groups (used for SSO and App Roles)
  • Directory roles: Global administrator, Exchange administrator, Compliance administrator
  • Other cloud-only properties: such as Block sign in, Authentication contact information, Minors and Consent
  • Multi-factor authentication (MFA) settings if a customer uses cloud MFA
  • Azure application custom attributes (schema extension attributes)

IMPORTANT: To configure the hybrid connection, outbound HTTPS (port 443) should be opened in the firewall on the machine where Recovery Manager Portal is installed.

To enable integration with the cloud

  1. Connect to the Recovery Manager Portal with your Web browser.
  2. In the Recovery Manager Portal, open the Configuration tab.
  3. Expand Portal Settings and click On Demand integration...
  4. In the On Demand Recovery integration dialog, select Enable integration check box and specify Relay URL and credentials. To get these parameters, please go to On Demand Recovery and perform the following steps:
    1. On the Dashboard screen, click Create hybrid connection.

    2. In the Create hybrid connection dialog, click Download hybrid credentials to download a configuration file with Relay credentials.

    3. Save the file to the folder of your choice.

    4. Go back to the On Demand integration dialog, click Choose file and select the configuration file. For security reasons, you should remove this file from your computer after the credentials will be specified in Recovery Manager Portal.

    Note: Azure AD Connect synchronization occurs automatically after the restore operation. But On Demand Recovery has the ability to force synchronization cycle and requires credentials for the machine where Azure AD Connect is installed.

  5. Specify Azure AD Connect host name and credentials. If Azure AD Connect and Recovery Manager Portal are installed on the same machine, leave the fields blank.

Note: You may get an error related to the proxy settings while configuring integration with On Demand Recovery. To resolve this issue, perform the following actions:

  1. Open the Recovery Manager Portal configuration file %Program Files%\Quest\Recovery Manager Portal\EnterprisePortalSettings.xml.
  2. Check that "ProxyAddress" has the correct value.
  3. Make sure that URI contains the protocol prefix and the port number, e.g. http:/localhost:8080/.
  4. Restart the Recovery Manager Portal service.

For more information about integration with On Demand Recovery, please see the Integration with Recovery Manager for Active Directory section in the On Demand product documentation.

Related Documents