Hi. Brian Hymer here, a solutions consultant with Dell Software. I wanted to introduce the Recovery Manager for Active Directory Forest Edition console to you. This is a console that we use to do forest recovery. It allows you to manage a full forest recovery from one location. And you can see here I've got several domain controllers, and several of them are set up for different levels or different types of recovery. Some are set to restore from backup. Some are set to reinstall Active Directory; that would be a DCPromo.
There is a read-only domain controller in here as well, and we're going to see how that acts a little differently. The console is showing me all of my DCs, and it also shows me the FSMO roles that those DCs are holding and which site they're in. And if I have chosen restore from backup, it shows me just what backup it has. So down below, if I highlight a DC, I can see the settings I've placed for that DC, as well as access to the backups.
In our case, the backups are stored on the DCs themselves. Here's where I could choose what level of recovery I'd like. I also can, if I right-click on a DC, see a number of other things that are possible, including connect to RDP. Or during the recovery process it may be that I need to retry, skip or abort operations during recovery. Now there's a lot to this console and I'm not going to cover everything, but I do want to show you we do have a feature for showing forest health, checking forest health.
And this environment that I'm working in is actually just a mock-up; there aren't actually DCs in the background. But I can run this check forest health and it will go out and see if the DCs are available, check replication between domain controllers and domain trusts. And in this mock-up we actually get some sample errors that show. So I'll let those kind of populate out.
This is just a quick way to see the health of your Active Directory environment. You can click on the Details tab here, and then as you drill into these you can see just where it had failures. You can see here it says sample error. Again, this is just a mock-up. Or I can see where everything was successful and see just what pieces of my testing were successful as well. So I'll go ahead and close that. And once I've got all my settings together, I can click this Verify Settings button, just to make sure that everything looks OK.
We'll look here on the progress bar. And here we can see it goes out and does some very basic checks against the domain controller. Sees if it is a domain controller, if it's in read-only mode or not. Pre-recovery checks such as access to backup files, etc., are checked. Looks for BitLocker. Looks to make sure the forest recovery agent that we use is installed.
And once all those steps are done, we can see we've got a clear go. So we can go ahead and click on Start Recovery. Now we do warn you, right, that forest recovery does cause irreversible changes. We also want to make sure you've talked to Microsoft CSS. You've evaluated any alternatives and decided that forest recovery is the best way out. You've determined when the corruption was introduced and that you have backups available that were created before the problem began.
You have backups that were created from similar points in time. And lastly, you've talked to Dell support as well. So Microsoft CSS and Dell support should be in your communication before you start this project. So confirm that and say Continue. And again, we give this one more warning that says what you're doing does have irreversible changes to your forest structure. So I'll just click "I've read and understood." And we'll click on Run.
Now once again, doing this in the real world would take a great deal longer. But this mock-up will finish in about 5 and 1/2 minutes. So you can see every DC is acting a little bit differently. My first DC is a restore from backup, so he's copied the backup file onto the domain controller and now he's rebooting into DSRM. Some of these DCs, see, the reboot has caused him to disconnect. The agent is disconnected.
Some of these DCs are set to reinstall Active Directory, so if I highlight one of those, I can see that he simply checked for the agent and now he's waiting for other domain controllers to restore from backup first. On my read-only domain controller, because he didn't have a full copy of the DIT file to begin with, we simply uninstalled Active Directory completely and will be waiting for other domain controllers. And you can see now some of the DCs have come back and have finished a number of steps.
By the way, if you notice there's a little question mark here to the right, if you mouse over that question mark you'll actually get what those steps do. So one of the most important steps here is enabling domain controller isolation. And we actually use IPsec firewall settings on the DCs so that a DC that's being restored can't talk to a DC that may still be corrupt. We also do a number of other things when we get down below: Kerberos, computer account and trust relationship passwords get reset during the process.
We also do the steps that are in Microsoft's recommendation for forest recovery, things like seizing FSMO roles from DCs that may not have recovered, raising the RID pool, cleaning up metadata of removed domain controllers. All of those things are automated within the process. And again, we're getting pretty close to where the DCs
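The forest health check the transcript walks through (are the DCs reachable, is replication failing, what trusts and FSMO holders exist) can be reproduced read-only with the RSAT ActiveDirectory module. This is an added example, not Dell's or Recovery Manager's code; it assumes the ActiveDirectory module is installed and the caller has read access across the forest.

```powershell
# Added example: read-only forest health report modelled on the checks the
# transcript describes. Assumes RSAT ActiveDirectory module and a forest-read
# capable account. Not part of Recovery Manager for Active Directory.
Import-Module ActiveDirectory

function Get-ForestHealthReport {
    $forest = Get-ADForest
    Write-Host "Forest $($forest.Name)  SchemaMaster=$($forest.SchemaMaster)  DomainNamingMaster=$($forest.DomainNamingMaster)"

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        Write-Host "`nDomain $domainName  PDC=$($domain.PDCEmulator)  RID=$($domain.RIDMaster)  Infra=$($domain.InfrastructureMaster)"

        # 1. DC inventory: reachability, site, and whether it is an RODC
        #    (an RODC holds no writable DIT, which is why the console
        #    reinstalls it rather than restoring it from backup).
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
            $up    = Test-Connection -ComputerName $dc.HostName -Count 1 -Quiet
            $kind  = if ($dc.IsReadOnly) { 'RODC' } else { 'DC' }
            $state = if ($up) { 'reachable' } else { 'UNREACHABLE' }
            Write-Host ("  {0,-40} {1,-4} site={2,-15} {3}" -f $dc.HostName, $kind, $dc.Site, $state)

            # 2. Inbound replication failures this DC has recorded; a DC that is
            #    down is skipped rather than reported as a replication error.
            if ($up) {
                $failures = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
                foreach ($f in $failures) {
                    Write-Host ("    replication failure from {0}: error {1}, count {2}, since {3}" -f `
                        $f.Partner, $f.LastError, $f.FailureCount, $f.FirstFailureTime)
                }
            }
        }

        # 3. Trusts this domain holds. Trust passwords are among the secrets a
        #    forest recovery resets, so knowing them up front avoids surprises.
        foreach ($trust in (Get-ADTrust -Filter * -Server $domainName)) {
            Write-Host ("  trust -> {0} ({1}, {2})" -f $trust.Target, $trust.Direction, $trust.TrustType)
        }
    }
}

Get-ForestHealthReport
```

Run it from a domain-joined admin workstation before and after a recovery exercise; an unreachable DC or a replication failure with a non-zero error code is the kind of finding the console's Details tab surfaces.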