Manage forest recovery plan settings
This article outlines the essential settings for successfully verifying and executing forest recovery plans. A forest recovery plan includes a list of domain controllers, domain controller recovery settings, action settings, and general plan settings. Some of these settings are automatically populated from the backup.
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Select the Recovery Plans node.
- Select your recovery plan and click Properties.
Go to the Settings tab to edit the recovery plan settings.
- Specify credentials to access target hosts.
- Modify New DSRM password if needed.
- Specify the Backup location on target machines field.
- Enable Validate backup file integrity to ensure that the backup is intact, unaltered and free from corruption.
- To modify DNS records for recovery sites, select one of:
  - Update existing DNS records for domain controllers to be recovered - This option updates existing DNS records for the domain controllers designated for recovery. It retains all existing DNS records, including outdated or irrelevant ones. While this ensures no records are lost, it may slow down the recovery process, especially if there is a large volume of records. Processing unused or irrelevant records will extend the duration of forest recovery.
  - Clean up DNS and create records only for domain controllers to be recovered - This option removes outdated or unused DNS records from the forest and generates new records exclusively for the domain controllers requiring recovery. By recreating DNS zones—including primary, stub, and conditional forwarding zones—this approach improves performance. Following Microsoft's recommendations, only DNS records essential for recovery are created. This method not only accelerates forest recovery but also enhances security by maintaining a clean DNS environment.
Edit settings of domain controllers to be recovered
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Select the Recovery Plans node.
- Select your recovery plan and click Properties.
- Go to the Domain Controllers tab to see the list of domain controllers included in the recovery plan.
- To modify domain controller recovery settings, select a domain controller from the list and click Properties or use Update recovery settings to change the settings of multiple domain controllers simultaneously.
Recovery settings
| Setting | Description | Scope | Recovery method |
|---|---|---|---|
| Recovery Method | For each domain controller, the Recovery method must be selected. Cayosoft Guardian automatically selects a recovery method during automated plan creation. The Remove AD DC metadata method removes metadata related to this DC from the recovered Active Directory database. | Domain Controller | Not applicable |
| Backup | A backup must be configured for the Recover AD DC from backup and Promote AD DC from backup recovery methods. The Backup setting allows selecting a backup of a domain controller manually. These settings also include: Backup OS version: Version of the Backup OS. | Domain Controller | Recover AD DC from backup, Promote AD DC from backup |
| Agent deployment settings | Defines how agents will be deployed or updated during a recovery plan execution. Learn more about agent management in the following article: Manage agents. | Domain Controller | Recover AD DC from backup, Promote AD DC from backup |
| Target host name or IP address | Allows specifying an IP address or name of the target machine for a domain controller recovery. By default, Cayosoft Guardian populates this field with the IP address of the domain controller in the source environment. | Domain Controller | Recover AD DC from backup, Promote AD DC from backup |
| Job to perform domain controller recovery | Clicking the link opens the settings of the job responsible for domain controller recovery. | Domain Controller | Recover AD DC from backup, Promote AD DC from backup |
| Local user name | Required to access the target machine that is prepared for a domain controller recovery. | Domain Controller, Recovery plan | Recover AD DC from backup, Promote AD DC from backup |
| Local user password | Required to access the target machine that is prepared for a domain controller recovery. | Domain Controller, Recovery plan | Recover AD DC from backup, Promote AD DC from backup |
| New DSRM Password | Required to complete the Active Directory database recovery. All domain controllers have a hard-coded local Administrator account stored in their SAM database. This account and local database are not used or generally available when the DC is running normally. During the forest recovery, the same DSRM password can be used for all domain controllers. However, having the same DSRM password on every DC and RODC can be a lateral movement attack vector. Consider using a per-DC/RODC password. If using a single account for multiple DCs, ensure that at least RODCs get a password separate from the writable DCs. | Domain Controller, Recovery plan | Recover AD DC from backup, Promote AD DC from backup |
| Database path | Path to the location where the Active Directory database file (NTDS.DIT) is stored on the domain controller. The default path for this database is C:\Windows\NTDS. This setting is crucial for the recovery process, as it ensures that the restored domain controller correctly locates and uses its Active Directory database. | Domain Controller, Recovery plan | Recover AD DC from backup, Promote AD DC from backup |
| Log path | Path to the location where the Active Directory transaction logs are stored. These logs are essential for maintaining the integrity of the database by recording all changes made to the Active Directory database. The default path for these logs is C:\Windows\NTDS. | Domain Controller, Recovery plan | Recover AD DC from backup, Promote AD DC from backup |
| SysVol path | Path to the location where the SYSVOL directory is stored. The SYSVOL directory is crucial, as it contains domain-wide files such as Group Policy objects and scripts that are necessary for the proper functioning of Active Directory. | Domain Controller | Recover AD DC from backup, Promote AD DC from backup |
| Additional DNS delegation zone | An optional DNS configuration setting that specifies additional DNS zones to be delegated during the recovery of a domain controller. Delegating a DNS zone involves configuring a DNS server to refer queries for a subdomain to another DNS server, which can improve DNS query performance and ensure proper name resolution within a network. Click Add to add a new delegation zone and provide the following details: | Domain Controller | Recover AD DC from backup, Promote AD DC from backup |
* Cayosoft Guardian uses best practices to populate DNS and network settings automatically. Do not change those settings manually unless you have specific requirements.
Default DNS Configuration
Cayosoft Guardian provides a predefined DNS configuration for an automatically created recovery plan.
The first domain controller (DC) in the forest root domain is configured to be restored with its own IP address as its preferred DNS server. This DC becomes the first DNS server in the recovered forest. All other DCs are configured with the IP address of that first DNS server in the forest root domain as their preferred DNS server. This configuration follows Microsoft best practices: AD Forest Recovery - Perform initial recovery | Microsoft Docs
Cayosoft Guardian might configure additional custom forwarders to allow guest services on cloud virtual machines to function properly by resolving cloud services' names to IP addresses.
NOTE: Recover the forest with the DNS auto-configured as above, then log in and change the DNS configuration as needed.
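As an added illustration (not Cayosoft's code), the following Python model applies two of the rules on this page: the default DNS configuration above (the first writable DC of the forest root domain uses its own IP as preferred DNS server; every other DC points at that IP) and the New DSRM Password recommendation from the Recovery settings table (a password per DC, or at least separate passwords for RODCs), plus a check that flags an RODC sharing a writable DC's DSRM password. The sample forest, IPs, the choice of "first" as first writable DC in list order, and the password generator are constructed assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class DC:
    name: str
    domain: str
    ip: str              # source IP, reused as the default target address
    rodc: bool = False   # read-only domain controller

@dataclass
class RecoverySettings:
    preferred_dns: str
    dsrm_password: str

def new_dsrm_password() -> str:
    # Constructed generator; in the portal you supply the password yourself.
    return secrets.token_urlsafe(18)

def derive_settings(dcs, forest_root_domain, dsrm_mode="per_dc"):
    """DNS: first writable DC of the forest root domain is its own preferred
    DNS server; every other DC points at that IP. DSRM: 'per_dc' gives each
    DC its own password; 'shared' lets writable DCs share one, RODCs never."""
    root = [dc for dc in dcs if dc.domain == forest_root_domain and not dc.rodc]
    if not root:
        raise ValueError("no writable DC in the forest root domain to seed DNS")
    first_dns = root[0].ip
    shared = new_dsrm_password()
    out = {}
    for dc in dcs:
        preferred = dc.ip if dc is root[0] else first_dns
        pwd = new_dsrm_password() if dsrm_mode == "per_dc" or dc.rodc else shared
        out[dc.name] = RecoverySettings(preferred, pwd)
    return out

def rodc_shares_writable_dsrm(settings, dcs):
    """True if any RODC reuses a writable DC's DSRM password (the lateral-movement risk)."""
    by_name = {dc.name: dc for dc in dcs}
    writable = {s.dsrm_password for n, s in settings.items() if not by_name[n].rodc}
    return any(s.dsrm_password in writable for n, s in settings.items() if by_name[n].rodc)

# Constructed sample forest: root domain corp.example plus a child domain.
SAMPLE = [
    DC("DC1", "corp.example", "10.0.0.1"),
    DC("DC2", "corp.example", "10.0.0.2"),
    DC("RODC1", "corp.example", "10.0.0.3", rodc=True),
    DC("CHILD-DC1", "eu.corp.example", "10.0.1.1"),
]
```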