立即与支持人员聊天
与支持团队交流

Recovery Manager for AD Disaster Recovery Edition 10.3 - User Guide

Overview Getting started
Permissions required to use Recovery Manager for Active Directory Recovery Manager Console Getting and using help Configuring Windows Firewall Using Computer Collections Cloud Storage Secure Storage Server Hybrid Recovery with On Demand Recovery Managing Recovery Manager for Active Directory configuration Licensing
Backing up data
Permissions required for the Backup operation Managing Backup Agent Using a least-privileged user account to back up data Using Managed Service Accounts Active Directory backups vs Windows System State backups Creating BMR and Active Directory backups Using the Backup Wizard Retrying backup creation Enabling backup encryption Backing up AD LDS (ADAM) Backing up cross-domain group membership Backing up distributed file system (DFS) data Backup scheduling Setting performance options Setting advanced backup options Using Forest Recovery Agent Unpacking backups Using e-mail notification Viewing backup creation results
Restoring data
Getting started with Active Directory recovery Managing deleted or recycled objects Restoring backed up Active Directory components Integration with Change Auditor for Active Directory Using granular online restore Restoring AD LDS (ADAM) Selectively restoring Active Directory object attributes Restoring objects in an application directory partition Restoring object quotas Restoring cross-domain group membership Performing a restore without having administrator privileges Reports about objects and operations Using complete offline restore Offline restore implications Restoring SYSVOL authoritatively Performing a granular restore of SYSVOL Recovering Group Policy Restoring data from third-party backups Using the Extract Wizard Restoring passwords and SID history
Full Replication Consolidating backup registration data Monitoring Recovery Manager for Active Directory Recovering an Active Directory forest
Forest recovery overview Deploying Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Permissions required to use Forest Recovery Console Forest Recovery Console Managing a recovery project Recovery methods Phased recovery Managing Forest Recovery Agent Rebooting domain controllers manually Resetting DSRM Administrator Password Purging Kerberos Tickets Managing the Global Catalog servers Managing FSMO roles Manage DNS Client Settings Configuring Windows Firewall Developing a custom forest recovery plan Backing up domain controllers Assigning a preferred DNS server during recovery Handling DNS servers during recovery Forest recovery approaches Deciding which backups to use Running custom scripts while recovering a forest Overview of steps to recover a forest Viewing forest recovery progress Viewing recovery plan Viewing a report about forest recovery or verify settings operation Handling failed domain controllers Adding a domain controller to a running recovery operation Selectively recovering domains in a forest Recovering SYSVOL Deleting domains during recovery Resuming an interrupted forest recovery Recovering read-only domain controllers (RODCs) Checking forest health Collecting diagnostic data for technical support
Restore Active Directory on Clean OS method Bare metal forest recovery Using Management Shell Creating virtual test environments Appendices
Frequently asked questions Best practices for using Computer Collections Technical characteristics Best practices for creating backups Best practices for creating backups for forest recovery Best practices for recovering a forest Descriptions of recovery or verification steps Ports Used by Recovery Manager for Active Directory Forest Edition (Disaster Recovery Edition) Backup Wizard Online Restore Wizard Online Restore Wizard for AD LDS (ADAM) Group Policy Restore Wizard Repair Wizard Extract Wizard Events generated by Recovery Manager for Active Directory

Secure Storage Server

Recovery Manager for Active Directory (RMAD) provides the ability to set up a dedicated secure backup storage server. If you use a Secure Storage server in your environment it helps prevent unauthorized modification or malware attacks on backup data, supporting your key data security and compliance initiatives. For more information on how a Secure Storage server is secured, see Hardening Secure Storage servers below.

IMPORTANT

Use of Secure Storage Server requires a Recovery Manager for Active Directory Disaster Recovery Edition license.

Requirements

  • Operating system: Microsoft Windows® 2016 or higher

  • A stand-alone server to be used as your Secure Storage server. This server should be a workgroup server and NOT joined to an Active Directory domain.

  • An account that will be used to deploy the Storage Agent on the Secure Storage server. This account must also be a local Administrator on the Secure Storage server.

  • Physical access (keyboard) to the Secure Storage server. Once the server is hardened access with regular methods will be disabled (RDP).

  • Sufficient storage space on the Secure Storage server for all backup files. For one backup file, the space required is at least the size of the backed-up Active Directory database file (Ntds.dit) and the SYSVOL folder plus 40 MB for the transaction log files. The space check performed also includes an extra 1 GB to ensure enough space is available.

Best Practices

  • We highly recommend using a new, dedicated, clean physical server as your Secure Storage server to help ensure access methods are kept to a minimum.

  • Secure additional methods of accessing the Secure Storage server such as console or serial access.

  • Recommend the Secure Storage have additional volumes available in addition to the system drive. It is not advised to store backups on the system drive.

note

Virtual machines are more susceptible to ransomware attacks. It is highly recommended that a virtual machine not be used for your Secure Storage server, as a bad actor could gain access to backups on the server or delete the entire Secure Storage server.

User Scenario

Backup data for all domain controllers can be accumulated on primary storage, and at the same time, you can make a copy of your backup data on a Secure Storage server. The Secure Storage agent will pull the backup securely to the Secure Storage server while the firewall on the Secure Storage server remains in place. If disaster strikes, you could lose your backups on primary storage and even your installation of RMAD but your Secure Storage server will remain in place.

Resources/Images/secure_storage_protocols.png

 

Hardening a Secure Storage server

After the Secure Storage server has been added and the Storage Agent has been installed on it, the server is hardened automatically. The following list outlines what happens to a Secure Storage server when it is hardened:

  • All SMB server roles are disabled (SMBv1 - SMBv3).

  • All incoming TCP, ICMP and UDP protocols are blocked by IPSec policies, except for the high-level Secure Storage Agent ports (see below).

  • ICMP traffic is blocked (i.e. the server cannot be pinged).

  • Remote desktop (RDP) traffic is blocked.

  • Only one TCP agent port is left open on the server for communication with Recovery Manager for Active Directory, the Storage Agent port (by default, this is 48001) but also to allow pulling the backups there are opened ports for SMB, DNS, NetBIOS and LLMNR (incoming TCP 445 for SMB, incoming UDP 53 port for DNS, incoming UDP 5355 port for LLMNR and incoming UDP 137 port for NetBIOS).

  • Agent traffic is encrypted by the public/private key pair.

  • Logons to the server are only allowed via console (physical) access.

When a Secure Storage server is hardened, the lock icon next to the name of the Secure Storage server in the Secure Storage Servers window will be closed and it will have a Security Status of Secured.

IMPORTANT

You cannot install the Secure Storage server agent on a domain joined server, a domain controller or a member server. A server that is hardened will not be able to perform authentication or allow replication to occur. A Secure Storage server should be a stand-alone server in a workgroup.

Secure Storage server reporting secured


Secure Storage server reporting unsecured


To get the hardening status of a Secure Storage server

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run the PowerShell® console. The module will be automatically imported.

  3. To get the hardening status, run the cmdlet Get-RMADStorageServerHardeningStatus. For further details see the Management Shell Guide supplied with this release of the product.

To unharden a Secure Storage server

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run the PowerShell® console. The module will be automatically installed.

  3. To unharden a Secure Storage server, run the cmdlet Unprotect-RMADStorageServer. For further details see the Management Shell Guide supplied with this release of the product.

To harden a Secure Storage server manually

  1. During the installation of the Secure Storage agent on the Secure Storage server, a PowerShell® module was installed and is located in the agent installation folder.

  2. On the Secure Storage server, run the PowerShell® console. The module will be automatically installed.

  3. To harden a Secure Storage server manually, run the cmdlet Protect-RMADStorageServer. For further details see the Management Shell Guide supplied with this release of the product.

 

Accessing a Secure Storage server

It is recommended to use a dedicated, clean physical server that is not joined to a domain. However, virtualized servers can be used including a the virtual machine in the cloud. Virtualized servers on you on-premise are not recommended for use as they are vulnerable to attack.

Physical Server

To access the Secure Storage server that is hosted on-premise you must have physical access to the server and use interactive logon with a local administrator account.

Each Secure Storage server is installed with dedicated PowerShell® module to setup and maintain the storage server. For further details see the Management Shell Guide supplied with this release of the product.

WARNING

While Secure Storage server remains hardened, no RDP, PowerShell® Remote and other remote control services and protocols are available.

Virtualized Server

Virtualized on-premise server

If you have configured the dedicated virtual machine on your physical server you may use hypervisor capabilities to control the virtual Secure Storage server including virtual machine connections and execution of commands through the hypervisor services (such as PowerShell® Direct on Hyper-V® machines).

Virtualized server in the cloud

Amazon EC2

To access a Secure Storage server that is deployed in the Amazon EC2 you can use EC2 Serial Console.
To get more information on how to connect to the virtual machine refer to Connect to the EC2 Serial Console

Microsoft Azure®

To access a Secure Storage server that is hosted in Microsoft Azure® virtual machine you can use Serial Console access. Refer to Azure Serial Console

 

Adding a Secure Storage server

To add a Secure Storage server it is recommended to install the agent manually. This method saves the agent installation package to the local machine. You must transfer the package manually to the Secure Storage server. This reduces the likelihood of any malware infecting your Secure Storage server by being exposed to your network before the server is secured. Your Secure Storage server is only secured after the Storage Agent has been installed and the Secure Storage server is hardened.

To add a Secure Storage server using manual method (Recommended)

  1. In the Recovery Manager for Active Directory (RMAD) console, click the Secure Storage node.

  2. In the Secure Storage Servers pane, click Add Server.

  3. Type the DNS name or IP address of the server you want to use as your secure storage server.

  4. In the Agent port field, type port number or use default port of 48001.

    NOTE: Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, it must be removed and added again.

  5. From the Agent installation method drop-down list, select Manual (recommended).

  6. Type the path or browse to path to Save agent setup package to.

  7. Click OK. The agent setup package is saved to your local machine.

  8. Copy the package, SecureStorageAgent.zip, to the server being configured as your Secure Storage server. This requires console (physical) access to the Secure Storage server.

  9. Extract the installation package on the Secure Storage server and double-click the SecureStorageAgent.msi file to install the agent.

  10. A warning will be displayed and requires confirmation to proceed. IMPORTANT PLEASE READ: This server is about to be hardened and all network connections to this server will be lost including Remote Desktop. Ensure you have physical access to this server and have an available method to access such as console access or serial access. Select YES to acknowledge you understand and are prepared for the Secure Storage server to be installed and hardened. Recovery Manager for Active Directory cannot undo this operation without physical access to the server.

    NOTE: For quiet installation both the /qn switch and FORCE=true can be specified when launching the msi file from the command line.

  11. The Storage Agent is installed and the server is hardened automatically. For more information on hardening, see Hardening a Secure Storage server above.

To add a Secure Storage server using automatic method

  1. In the RMAD console, click the Secure Storage node.

  2. In the Secure Storage Servers pane, click Add Server.

  3. Type the DNS name or IP address of the server you want to use as your secure storage server.

  4. In the Agent port field, type port number or use default port of 48001.

    NOTE: Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, it must be removed and added again.

  5. From the Agent installation method drop-down list, select Automatic.

  6. Specify a user account that will be used to automatically deploy the agent on the target storage server. Select Use current account to use the currently logged in user account or select Use this account. Type the user name and password for the user account to be used to deploy the agent.

  7. Click OK.

To manually export the setup package

If you have misplaced the agent setup package or need to update the configuration for a Secure Storage server, you can manually export the package again.

  1. In the RMAD console, click the Secure Storage node.

  2. In the Secure Storage Servers pane, right-click the Secure Storage server that you want to manually export the setup package for.

  3. Click Export setup.

NOTE

The setup package is exported to your local machine. You must then copy the setup package to the server that you want to use as your Secure Storage server and run the installation.

To delete a Secure Storage server from RMAD console

  1. In the RMAD console, expand the Secure Storage node.

  2. Right-click the Secure Storage server and select Delete.

NOTE

The Secure Storage server is not automatically unhardened when deleted from the RMAD console. To unharden use available PowerShell cmdlets on the Secure Storage server. For further details see the Management Shell Guide supplied with this release of the product.

To export a list of all registered Secure Storage servers to a text file

  1. In the Recovery Manager for Active Directory console, select the Storage node, then Secure Storage and right click.

  2. In menu shown click on Export Servers…

  3. In the Export storage servers dialog, select a location to save the file, enter a file name, and click Save .

Add an existing Secure Storage server on a clean RMAD installation after full disaster

If the RMAD server is lost, after installing the RMAD console on a new server, you can register the backups that are stored on the secure storage server on your new RMAD server.

NOTE

Due to server hardening, the Automatic agent installation method is not supported when adding an existing Secure Storage server to a clean RMAD installation.

To add a Secure Storage server on a clean installation of RMAD console

  1. In the new RMAD console, click the Secure Storage node.

  2. In the Secure Storage Servers pane, click Add server.

  3. Type the DNS name or IP address of the server you want to use as your secure storage server.

  4. In the Agent port field, type port number or use default port of 48001.

    NOTE: Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, it must be removed and added again.

  5. From the Agent installation method drop-down list, select Manual (recommended).

  6. Type the path or browse to path to Save agent setup package to.

  7. Click OK. The agent setup package for the new RMAD console is saved to your local machine.

  8. Copy the package, SecureStorageAgent.zip, to the existing Secure Storage server. This requires console (physical) access to the Secure Storage server.

  9. Extract the package on the Secure Storage server and double-click the SecureStorageAgent.msi file to reinstall the agent and register the Secure Storage server with new Recovery Manager for Active Directory console.

  10. In the RMAD console, you will now see the Secure Storage server and can now retrieve your backups from the existing Secure Storage server for recovery purposes.

NOTE

The existing Secure Storage server has continued to be hardened throughout this process.

Default Storage Agent ports

By default, the Storage Agent port is 48001. If you want to use a different default port, you can configure it in the Secure Storage server Properties window or overwrite when adding each Secure Storage server.

To change the default Storage Agent port

  1. In the RMAD console, right-click the Secure Storage node and select Properties.

  2. In the Storage Agent port field, type a port number.
    The Storage Agent is used to pull the backup onto the Secure Storage server.

  3. Click OK.

NOTE

Ports cannot be changed after the Secure Storage server is added. To change the port after the Secure Storage server is added, it must be removed and added again.

Storage Server Properties

To view Secure Storage server properties

  1. In the RMAD console, click the Secure Storage node, in the Secure Storage Servers pane, select a Secure Storage Server, right-click and select Properties.

  2. Properties of the Secure Storage server will be displayed. Properties include the Host name, Agent version, Agent port, and Server Status. All properties are read only and cannot be edited.

  3. Additionally all configured volumes are displayed in priority order. Each volume is shown with the amount of space taken by Existing Backups and the amount of Free Space available on the volume.

NOTE

A warning icon will be displayed if a volume is running out of available free space.

 

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级