Hi, I'm Brian Hymer, a senior solutions architect from Quest. And I'd like to show you how to use Recovery Manager DRE to recover your Active Directory Forest using Clean OS Recovery and install AD from Media Methods.
We're going to do a Clean OS Recovery today, along with an install Active Directory from Media. Let me just introduce you to my lab here real quick.
You'll notice I have six domain controllers. There are three domains, so two DCs per domain. So Acme DC1 and Acme DC2. You'll notice that those are in Acme site 1 and Acme site 2. And then I have my child domain controllers that are the same.
Now in my environment, all of my DCs have very strict names. The last octet of any existing domain controller ends in a 0. The target machines, the target computers, I'm going to use for both Clean OS recovery and IFM recovery, those all have a .1, or a 1, at the end of their last octet, instead of a 0.
Now the reason that I left Acme DC1 at .10, which is the same as the original DC, and Aussie DC1 the same way is because those two servers are actually my primary DNS servers, my preferred and my alternate DNS servers for my network adapter on this computer. You can see right now my internet access is down, but that's because those DCs are all gone, and I've replaced them with Windows servers, standalone Windows servers, the same operating system version as the original DCs, which, in my case, is Windows 2016.
And I'm going to recover to those. So as soon as those DCs get back up and everything settles in, I'll have name resolution, and this box will be able to get back to the internet.
My first three computers-- that's these three here-- they are all running restore Active Directory on Clean OS. And that is because I have backups for those DCs. But if you'll notice, if I go to a DC2, like Acme DC2, it's actually using the backup from Acme DC1.
And so I can't just restore from Clean OS to that box. I instead will use install Active Directory with the install for Media Option. We don't need to create IFM media because Recovery Manager contains all the components needed in its standard backup for a DC promo with install for Media.
The first thing I need to do, once I've got my new servers up and ready to go, is to get Forest Recovery agents installed on them. So I'm going to come here and see Manage Forest Recovery agents for DCs. And we'll see these come back. And all of these guys don't have a Forest Recovery agent. So they've come back very quickly.
That way, I'm going to select them all, and just say Install Agent. And then I'm going to wait for that to finish. So I'll pause my video and we'll be back in a moment.
And now I can see all of my agents have been installed. They are all the current build number. And so we are ready at this point.
All right, so we've got all those set. Let's run a Verify Settings. Now, this process does a number of things. If you'll notice as I move my mouse down here, if I go over the right-hand side, I get a little extra description as to what each step is doing.
And you'll notice that if I check one of these guys that's doing Clean OS, the steps that he goes through are a little bit different than the steps for the install from Active Directory for Media Machines. So we can walk through and just watch those run.
We do a lot of good stuff, like we check for free space, we check the operating system version. We make sure that we can get certain information out of the original DC. So there's a number of things that we do that are very good in making sure that these machines are ready to go, that they are qualified, they have enough space, they have the right operating system, they're ready to go for your recovery.
Now just to pretend, what if I didn't have all these DCs ready. Let's say Poodle DC2, he was in some very remote site and he was not ready to go. I could change his method to do not recover.
Now when you do that, any DCs that are not being restored from backup have the metadata for them cleared when the restore from backup process happens. Poodle DC2, as well as Aussie DC2 and Acme DC2 will not be part of the Forest once the restore from backup finishes.
However, as soon as restore from backup finishes, the install Active Directory methods will go. So Aussie DC2 and Acme DC2 will become domain controllers. That's not the same for Poodle DC2. If I do this, it'll be removed from the directory completely.
But I could check this box here that says, keep this domain controller in the project. And when I do that, what happens is you set yourself up for what we call phased recovery. In phased recovery, the first step restores DCs from backup and can also install Active Directory.
But then you would change your recovery mode to what we call re-promotion. And that would change all of these DCs to do nothing, and this final DC install Active Directory for Media, or maybe reinstall Active Directory.
So let's just take a look at what that looks like. I'm going to change my Forest recovery mode to re-promotion. Now watch what happens to the list here when I click OK.
See, every other DC that had been recovered in the first phase changes to do nothing. And this DC, he switches by default to reinstall Active Directory. I actually want to do an install Active Directory.
And you can see all the components are here. And they'd be ready. I'm not going to do that. So I'm going to go ahead and close my project. And we'll reopen it here in just a moment.
We're ready to do our Clean OS and IFM recovery. So we aren't going to do phased. We are going to do a full Forest recovery.
The first three DCs will restore from backup. The last three DCs will be set to Install Active Directory from Media. Let's go ahead and start recovery.
These warning messages appear on all of our recovery scenarios, except for re-promotion. So I'm just going to go ahead and blow through them. You can pause the video, if you'd like to see just what they say.
This is a new feature we added in 10.1. It allows you to reset the password for privileged accounts within your environment based off their group membership. Now if you're a member of more than one of these groups, your password will be the password that's issued in the highest group in the list.
So if I was a backup operator and also an administrator, I would get the administrator's password. That makes sense? Let's just go ahead and run.
The recovery process takes some time. I'll go ahead and baby step it a little bit here. But we'll speed up this part of the video and let you see the whole thing.
Now, you'll notice the DCs that are set to install Active Directory for Media, they're going to wait before they begin, because you can't do a DC promo and install AD until you have a working domain. So the first three DCs need to be restored from backup first, and then these other machines can go.
But to save time, we have already copied the backup file over to the domain controller. And we've extracted the files components so that we're ready to go with our DC promo as soon as this is done. And you'll notice that there are several stages here-- Prepare to Start, Prepare for Restore from Backup, Perform Restore from Backup.
Once you get into the third stage, nobody can continue on to the fourth stage until the Perform Restore from Backup is completed. So I'm going to just resize this again, move this up a little bit. Can't quite get to the bottom.
But we want to make sure that we watch for the clocks. And you'll see, some of these DCs will go in the clock while they wait for the rest of the DCs to restore from backup.
I wanted to talk about this install Active Directory Domain Services step. We do a little bit more than just install ADDS at this point. We actually continue by promoting the domain controller. And we use the same domain Forest and DC name as the original server, the server that we're replacing.
So whereas this server had some funky name before, once this process finishes, the host name will be Acme DC1. They'll be a member of the Forest Acme.Lab and the domain Acme.Lab.
Global catalog option for this DC is set. We will restart that server once that's been promoted. So there are actually several reboots in this process.
And while we're waiting, I thought I'd just discuss a few of the other steps here. The restore from backup, of course, we want to make sure that the box is rebooted into DSRM. We can then disable any custom password filters, restore that data from backup, restart the DC into normal mode, reset that DSRM administrator password, reset the computer account passwords. Those are all normal restore from backup steps.
When we go into the configuration phase, there are several things here that we do that Microsoft recommends from their original document-- raising the RID pool, invalidating any published RIDs, and that way you don't get any RID reuse, cleaning up the metadata of removed domain controllers-- and in our case, that will be Acme DC2, Aussie DC2, and Poodle DC2-- seize FSMO roles, reset the KRBTGT password, enable any custom password filters. Then, you can see the other options that are here.
If you have any questions on these when you're running the process, you can mouse over that question mark. And it'll give you a little bit more detail as to what each step does.
Another way to see that information is to go look at your recovery plan. And the recovery plan will outline the steps for each recovery method that you've used within your project.
Now we're going to speed up the video here a few times, and slow it back down when there's something to say. Bear with us as we go through the rest of the recovery.
And you can see here, I'm waiting for those other DCs to catch up. This scroll is a little down, a little bit more. There, now you can see the bottom.
Poodle DC1, he's still restarting in the normal mode. So he'll be there pretty soon. And we'll see this process continue.
And here, you can see the DCs that are being restored from backup are now cleaning up the metadata of any removed domain controllers. Now, it's going to make Acme DC2, Aussie DC2, and Poodle DC2 no longer exist in the Forest.
Now as the other servers wait for Acme DC1 to catch up, you can see they were waiting. Oops, now they're gone on to the make domain controller available stage.
Pretty soon Acme DC2, Aussie DC2, and Poodle DC2 will be able to begin. Rather than just focus there, I think I'll put my focus on one of those DCs. And we'll see it walk through the rest of its step as well.
And you can see, we've moved forward into creating the install for Media Machines. The other DCs are up and running. So now we're doing our DC promo and installing for Media.
OK. And there you can see, the Forest recovery has completed. All the servers came back green. So they all got restored.
You can see, there's a number of tools here you can run. But of course, we're not going to run any of those right now.
That is what we had to show for today. Thanks for watching.