RMADFE and Multi Forests deployment

I am planning to expand our current RMADFE solution to other AD forests. We manage multiple AD forests. I am trying to find any information about multiple forests and RMADFE, with no success so far. My understanding from the current documentation is that there is at least one RMAD/RMADFE console per forest. If that is true, I would need a set of RMAD/RMADFE console servers and a SQL server per forest. Is there any way to consolidate them? For example, a set of RMAD/RMADFE consoles per forest, but sharing the same database server? And one web portal server accessing all console servers from different forests? Is it possible? If yes, where can I find more information on the requirements, such as database sizing, connection ports, account permissions, etc.?

Thank you.

  • Hi - sorry for the late reply on this, I don't usually peruse this forum. I hope you received an answer from some other channel but thought I would place one here for others who may have the same question.

    For Forest Recovery, RMADFE and DRE can only recover one forest at a time.  But for backups: one RMAD console can back up DCs in multiple forests, as long as there is network connectivity, and you have proper space to store those backups. The easiest way to start this is to right-click on the 'Active Directory' node in the RMAD console and select "Connect to Forest..."  

    The user name you enter in the following dialog only needs to be a Domain User...  It will be able to browse the OU structure and see all the Domain Controllers (unless you've done some serious security hardening on the domain node!! ).  

    When you set up computer collections for these other forests, I would pre-install backup agents. Then be sure to specify a privileged account from the foreign domain on the Agent Settings tab.  You can use a member of the Backup Operators group, or a "RMAD Backup Operator" if you've configured that group in the other forest before you deployed agents. Be sure to check the "Use pre-installed Backup Agents" checkbox too. 

    Read about the RMAD Backup Operators group in documentation, here: Using a least-privileged user account to back up data

    If you own DRE and experience a ransomware attack, hopefully your backups survived by being air-gapped (i.e. in Secure Storage and/or Immutable Cloud storage). On Recovery you can set up a separate RMAD server for each forest, then register backups appropriately and recover your forests in parallel (one per RMAD server).

    As for the web-portal:  I'm sorry but I believe it cannot span multiple forests.  

    One last note - SQL.  I hope you are not using a separate commercial SQL server for RMAD. RMAD runs just fine with SQL Express, which the RMAD installation wizard will install on the RMAD server for you.  The databases on it are non-critical and do not need to be maintained. 

    Hope this helps!  
