When you choose to stop the online restore operation, the wizard neither forces the replication nor restores linked attributes.
This choice implies that you wait until the undeleted objects are replicated to all domain controllers, and then restore those objects once more using the wizard. In that scenario, the second path of the wizard is used to restore the linked attributes on the undeleted objects. Stop the operation if the enforcement of replication in your domain is inadmissible for some reasons, but you want to be sure that linked attributes be represented correctly on all domain controllers.
When comparing or restoring Active Directory® objects with the Online Restore Wizard, you can choose whether to use LDAP functions only (Agentless method) or Online Restore Agent (Agent-based method).
Note that some AD DS and AD LDS (ADAM) object attributes cannot be restored by using Recovery Manager for Active Directory. For more information on these attributes, see Quest® Knowledge Base Article 59039 “List of AD DS and AD LDS object attributes that Recovery Manager for Active Directory cannot restore” at Quest Support.
The following table contains performance test results of agentless and agent-based restore operations on the machine running Windows Server® 2008 R2. The agent-based restore is performed by a single Restore Agent instance.
Operating System: Windows Server® 2008 R2
CPU: 2 x Intel® Xeon® E5-2651 v2 1.8 GHz
RAM: 7.5 GB
Number of objects - Required time
1000 - 20 - 40 sec
10000 - 04 - 06 min
50000 - 23 - 34 min
Number of objects - Required time
1000 - 40 - 70 sec
10000 - 06 - 10 min
50000 - 30 - 50 min
The method that uses LDAP functions is referred to as agentless method. The agentless method has both advantages and limitations. The use of LDAP functions makes the wizard operations less intrusive on the domain controller. Also, you can deliberately choose the target domain controller and you can perform restore and compare operations without having administrative access to the target domain controller.
However, some object attributes, such as User Password and SID History, cannot be compared or restored.
The ability to perform an online restore using the agentless method builds on the Restore Deleted Objects feature. This feature extends the LDAP API to enable the restoration of deleted objects. However, this feature restores only the essential attributes required for the object's existence. Other attributes, such as those relating to membership in security and distribution groups, must be restored from a backup.
With the agentless method, you can perform a restore without having administrative access to the target domain controller. For more information, see Performing a restore without having administrator privileges.
| NOTE |
By default, RMAD uses the agentless method to recover users. Agentless method does not allow for the recovery of passwords from backups, therefore, the password should be either explicitly set by the user during the recovery, or the password is left blank and the user is disabled after recovery. If you intend to use On Demand Recovery for Hybrid recovery, the user interface does not provide an option to set a password for the recovered user, so the user is restored without a password and is disabled. To recover the password, Agent-based recovery method should be used. |
In the Restore Wizard, on the Domain Access Options page, make sure the Use agentless method radio button is selected. This ensures that only LDAP functions are used to access the domain controller.
Select the RMAD console tree root.
On the main menu, select Actions | Settings.
In the dialog box that opens, on the General tab, under Default method for compare and restore operations, select the preferable method, and click OK. You can change the set default method later when using the Online Restore Wizard.
To overcome the limitations of the agentless method, the Online Restore Wizard provides the alternative, agent-based method. With the agent-based method, you can compare and restore any objects (including deleted ones) and any attributes (including User Password and SID History). A restore can be performed on a domain controller running any operating system supported by Recovery Manager for Active Directory (RMAD).
However, the agent-based method has the following drawbacks:
The target domain controller must be the same as that from which the backup was created. No ability to choose the target domain controller for the restore and compare operations.
The restore or compare operation is more intrusive: Online Restore Agent is installed on the domain controller when you start the compare or restore operation in the Online Restore Wizard and removed when you close the wizard.
Domain administrator rights on the target domain controller are required.
There may be situations where a user with Admin/Standard privileges may run into issues with DCOM configuration. An error will be generated prompting the user that it is a DCOM issue. The DCOM service needs to be updated in this case for which detailed steps are listed in the following Knowledge Base article Quest Knowledge Base Article 332970 “Cannot create a remote object" - Access is denied at Quest Support.
The error Cannot unprotect lsass.exe process is related to not being able to inject and use the lsass.exe process when using the agent-base method.
Recovery Manager provides an ability to perform item-level restore of Active Directory objects and attributes. Most attributes can be restored using LDAP by accessing domain controller remotely but to restore some specific attributes (User Password and SID History), Recovery Manager requires operations on Active Directory to be performed from the lsass.exe process on the domain controller (agent-based method).
There are three security layers that are protecting the LSASS process.
To resolve the error Cannot unprotect lsass.exe process the following needs to be configured.
On the Domain Controller generating the error run mmc.exe
Select File then Add/Remove Snap-in…, select Group Policy Management Editor and click Add.
In the Select Group Policy Object dialog, click on Browse and select the Domain Controllers.yourdomainname and select OK. Select OK again and then Finish. Select a final OK.
Enable the following policy on the domain controller. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction > Exclude files and paths from Attack Surface Reduction Rules.
Once the policy is enabled, specify the following exclusion:
Value name: C:\WINDOWS\RecoveryManagerAD\OnlineRestoreAgent.exe
Value: 0
| NOTE |
User can select Automatically configure firewall before the restore operation check box, only if the Use agent based method radio button is selected. |
The Online Restore agent can be installed manually on a domain controller.
Locate OnlineRestoreAgent.msi, in the Recovery Manager for Active Directory installation folders and copy it to the domain controller.
Double click on the OnlineRestoreAgent.msi and follow the instructions to install.
A service called Quest Online Restore Agent will be installed.
The Online Restore Agent is installed as a Manual start service and in the Stopped state.
With the Online Restore Agent pre-installed, the RMAD Console will Start the service and then Stop it at the end of the operation. If the Online Restore Agent is not present, the agent will be installed and then uninstalled as normal.
Select the RMAD console tree root.
On the main menu, select Actions | Settings.
In the dialog box that opens, on the General tab, under Default method for compare and restore operations, select the preferable method, and click OK. You can change the set default method later when using the Online Restore Wizard.
© 2025 Quest Software Inc. ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center
