立即与支持人员聊天
与支持团队交流

Disaster Recovery for Identity Current - for Active Directory User Guide

Editing Domain Controllers

After configuring the domains in your Recovery Plan, you need to configure the domain controllers within the forest. The table on the Domain Controllers tab allows you to view and edit the configurations for each domain controller, such as the recovery method, target server, backup selection, and credentials (if applicable).

IMPORTANT: If the Active Directory forest topology is changed on-premises (in other words, new domain controllers have been added or removed, domain controller roles are updated, etc.), the forest needs to be manually re-discovered in the product and a new Recovery Plan needs to be created based on the updated topology.

The following information is displayed for each domain controller:

  • Domain Controller – The FQDN of the domain controller.
  • Domain – The fully qualified domain name (FQDN) of the domain.
  • Type – The domain controller can be of the following type:
    • GC - Global Catalog
    • RODC - Read-only domain controller
    • DC - Domain controller
  • FSMO Role – The FSMO (Flexible Single Master Operation) roles assigned to the domain controller, displayed as a badge for each role. The FSMO roles are as follows:
    • PDC emulator
    • RID master
    • Infrastructure master
    • Schema master
    • Domain naming master
  • DC Recovery Method – The recovery method selected for the domain controller.
  • Target – The target server IP address.
  • Target Agent Status – The status of the target domain controller agent. By hovering over the status icon, you can see the version of the current agent and the version of the available agent (if applicable). The agent statuses are:
    • Online – The domain controller agent is online and the latest version is installed.
    • Outdated – The domain controller agent is online and an older supported version is installed. Backup and recovery tasks will run, but an agent update to the latest version is strongly recommended.
    • Not Supported – The domain controller agent is installed and online but the version is not supported and requires an update. Backup, verification and recovery operations cannot be performed.
    • Offline – The domain controller agent cannot be reached or is not installed.
    • Installing – The domain controller agent is being installed.
    • Refreshing – The status of the domain controller agent is being updated.
    • Unknown – The status of the domain controller agent has not yet been checked, or the target server IP has been changed. To get the latest domain controller agent status, select the checkboxes for one or more domain controllers, then select Refresh Agent Status.

      NOTE: After verification or recovery, you need to manually refresh the agent status.

    • (Empty) – Indicates that the recovery method selected for the domain controller does not require an agent to be installed on the target, or that the Target Server IP has not been provided for recovery methods that require it.
  • Selected Backup – The date and time that the selected backup was created.

    NOTE: If there is no backup for the domain controller that meets the backup criteria, No Backup Available is displayed in this column.

To edit domain controllers in the Recovery Plan

On the Domain Controllers tab, select the name of the domain controller you want to configure. The DC Configuration page is displayed.

NOTE: The list of domain controllers is taken from the topology discovered by Disaster Recovery for Identity for Active Directory at the time that the Recovery Plan was created. If you see missing or additional domain controllers, or an incorrect domain controller type, run a discovery on the Topology page and recreate the Recovery Plan.

NOTE: If you edit the domain controller configurations, this clears the Status column and removes access to the list of operations performed during the last run verification or recovery. For more information, see Recovery Plan Progress.

For each domain controller, you need to specify a recovery method. In some cases, the recovery method for the domain controller is set by default depending on the recovery method selected for the domain. You can change the recovery method of the domain controller to one of the following options. Click the link below to go to the recovery method you want to select or configure and follow the steps in that section.

NOTE: Before selecting a recovery method, it is highly recommended that you read Recovery Methods in the Recovery Considerations and Best Practices section.

Restore to Clean OS

This recovery method restores the domain controller from a backup onto a freshly installed Windows machine.

NOTE: If the recovery method for the domain is set to Recover Domain, the Restore to Clean OS recovery method is set by default for the domain controller.

If the Restore to Clean OS recovery method is selected, perform the following steps:

  1. The Target Server field is empty by default. You must specify a valid Target Server IP for a successful recovery with the Restore to Clean OS method.
  2. Under Backup Selection, specify whether you want backups to be automatically selected or manually selected.
    • Automatic – By default, a backup is selected automatically according to the backup selection criteria configured for the Recovery Plan.

NOTE: If a backup that meets the backup selection criteria does not exist, you can proceed to save the domain controller configuration. However, verification and recovery will not start if a backup is not available for the domain controller. Once a valid backup is available, it will be automatically selected.

    • Manual – To manually select a backup for the domain controller, click Select Backup. In the Select Backup flyout, select a backup to be used for recovery. You can use the Filters button to filter the list of domain controllers by Backup Plans, the schedule type, or the date created.

NOTE: If no backups are available for the domain controller, you cannot use the Manual option.

  1. Specify or change the server access credentials. By default, if server access credentials are specified in the domain configuration, domain-level credentials are used for all domain controllers within the domain and are marked with a badge labeled Inherited credentials. If the domain controller requires different credentials to those specified in the domain configuration, you can specify one or more credentials for that domain controller to replace the inherited credentials. For descriptions of each credential type, see Server Access Credentials in the Recovery Considerations and Best Practices section.

NOTE: For the Restore to Clean OS recovery method, you need to specify all credentials here or in the domain configuration.

  1. Select Save.

Install Active Directory

This recovery method installs Active Directory Domain Services on the computer and promotes it to a domain controller. After the recovery, the domain controller replicates Active Directory data from domain controllers restored from backups.

To reduce replication traffic, you can use the Enable Install from Media (IFM) option. The IFM option pre-populates Active Directory and Sysvol on the target domain controller with data from a backup for another domain controller in the same domain. This option is selected by default if there are backups available for the domain.

If the Install Active Directory recovery method is selected, perform the following steps:

  1. The Target Server field is empty by default. You must specify a valid Target Server IP for a successfully recovery with the Install Active Directory method.
  2. Under Backup Selection, use the Enable Install From Media checkbox to turn on or off the option.
  3. If the Enable Install From Media option is selected, specify whether you want backups to be automatically selected or manually selected.
  • Automatic – Selected by default if IFM is enabled. This option automatically selects the most recent backup for a domain controller in the same domain that meets the backup selection criteria configured for the Recovery Plan.

NOTE: If a backup that meets the backup selection criteria does not exist, you can proceed to save the domain controller configuration. However, verification and recovery will not start if a backup is not available for the domain controller. Once a valid backup is available, it will be automatically selected.

  • Manual – To manually select a backup, click Select Backup. In the Select Backup flyout, select a backup for the domain to use for recovery. You can use the Filters button to filter the list of domain controllers by Backup Plans, domain controllers, the schedule type, or the date created.

NOTE: If no backups are available for the domain controller, you cannot use the Manual option.

  1. Under Domain Controller Options, select one or more server roles for the domain controller:
  • Configure as a global catalog server – Use this option if you need to configure the global catalog on the domain controller during Active Directory Domain Services® installation. This option will be selected by default if the original domain controller was a global catalog. Microsoft recommends that all domain controllers provide DNS and global catalog services for high availability in distributed environments. For more information, click here.
  • Install DNS server on the domain controller – Use this option to install the DNS server during the Install Windows features step. This option is enabled by default.
  1. Specify or change the server access credentials. By default, if server access credentials are specified in the domain configuration, domain-level credentials are used for all domain controllers within the domain and are marked with a badge labeled Inherited credentials. If the domain controller requires different credentials to those specified in the domain configuration, you can specify one or more credentials for that domain controller to replace the inherited credentials. For descriptions of each credential type, see Server Access Credentials in the Recovery Considerations and Best Practices section.

NOTE: For the Install from Active Directory recovery method, you need to specify all credentials here or in the domain configuration.

  1. Select Save.

Remove DC

This recovery method isolates the domain controller from other domain controllers and removes it from the domain. Use this method if the domain controller is inaccessible or you do not want to recover the domain controller due to failures.

NOTE: If the recovery method for the domain is set to Delete Domain, the Remove DC recovery method is set for the domain controller and cannot be modified.

After selecting the Remove DC recovery method, select Save.

Adjust to Active Directory Changes

This recovery method adjusts the DNS and IP configuration of the existing domain controller to ensure connectivity to the recovered domains.

NOTE: If the recovery method for the domain is set to Ignore Healthy Domain, the Adjust to Active Directory Changes recovery method is set for the domain controller and cannot be modified.

If the Adjust to Active Directory recovery method is set, perform the following steps:

  1. Specify valid domain credentials. By default, if domain credentials are specified in the domain configuration, domain-level credentials are used for all domain controllers within the domain and are marked with a badge labeled Inherited credentials. If the domain controller requires different credentials to those specified in the domain configuration, you can specify one or more credentials for that domain controller to replace the inherited credentials.
  2. Select Save.

Handling Errors and Warnings

When you open a Recovery Plan and a single error or warning exists, a notification banner is displayed at the top of the page. If multiple errors or warnings exist, the banner indicates the number of issues that need to be resolved.

To handle multiple Recovery Plan errors

  1. On the notification banner, select the View Details link.
  2. In the Recovery Plan Validation flyout, check the errors and warnings related to domain or domain controller configurations. Use the navigation link under each warning or error to open the relevant tab.

    NOTE: If the error or warning is on the Domain Controllers tab, you can hover over the warning icon next to the domain controller name in the Domain Controller column to view details of the warnings or errors.

  3. Select the link for the relevant domain or domain controller and resolve the configuration issues.

Working with Recovery Plans

When working with Recovery Plans, the panel at the top of the configuration page allows you to perform specific actions related to recovery and provides you with relevant information at a glance.

You can perform the following actions using the toolbar in the top panel:

  • Verify Plan – Checks that the configurations for the domain controllers within the Recovery are valid and can be used for forest or domain recovery. Verification details will be displayed in the Verification Progress view of the Recovery Plan configuration, while the progress of individual domain controllers will be displayed on the Operations page. For more information, see Verifying Recovery Plans and Domain Controller Operations.
  • Start Recovery – Begin running the recovery. Recovery details will be displayed in the Recovery Progress view of the Recovery Plan configuration, while the progress of individual domain controllers will be displayed on the Operations page. For more information, see Performing Recovery and Domain Controller Operations.
  • Cancel – Stops the verification or recovery task.

    NOTE: Individual domain controllers cannot be canceled from this page.

    Caution: Canceling a recovery operation may result in a corrupt forest.

  • View Progress – Opens the progress view, where you can monitor the progress of verification and recovery tasks running for the Recovery Plan. For more information, see Recovery Plan Progress.

NOTE: While verification or recovery tasks are running, you can view the Recovery Plan configuration, but you cannot make changes.

Below the toolbar, you can see a summary of the current or latest completed verification or recovery task performed on the forest, including:

  • The overall latest status of the Recovery Plan, displayed underneath the forest FQDN. This indicates the status of an ongoing or completed task, including any warnings, errors, or user actions. If configuration errors exist in the Recovery Plan, the status will show Not Ready.
  • The elapsed time for the running or completed task.
  • The number of domain controllers that have the following statuses:
    • Failed
    • Completed with Warnings
    • Completed
    • Canceled
    • In Progress

Verifying Recovery Plans

To minimize downtime during Active Directory forest recovery, it is recommended to regularly verify your Recovery Plan configurations. The following is performed during Recovery Plan verification:

NOTE: If the target machine is not provided, the following steps will be completed against the source domain controller.

  • Check connectivity to the hybrid agent and domain controller agents.
  • Install or upgrade the domain controller agent on a target machine when the Target Server IP has been provided.
  • Check that a backup is available that meets the backup selection criteria for each domain controller with a specified recovery method.
  • Ensure that the target server has correct OS, drive letters and enough disk space.
  • Verify access to the backup from the domain controller agents.

If you do not verify a Recovery Plan, the above steps will take place during recovery (with the exception that the Target Server IP is required for a successful recovery).

To verify a Recovery Plan

  1. From the Recovery page, open the Recovery Plan you want to verify.
  2. Select Verify Plan.

All domain controllers that are set to be recovered in the Recovery Plan will be verified. To view the current status of the verification of each domain controller, select View Progress. For more information, see Recovery Plan Progress.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级