Recovery Manager for Active Directory (8.6)

Slide Index
- Learning Objectives
- Recovery Manager for Active Directory Functional Overview
- Architecture
- Console Overview
- Debug Logging Overview
- Backups
- AD LDS
- Restores
- Repair Wizard
- Group Policy Wizard
- Recovery Manager Portal
- Common Solutions
- Prerequisites for contacting support

Learning Objectives
How To Diagnose & Troubleshoot
Upon completion of this lesson, the student should be able to:
- Troubleshoot common issues with Recovery Manager for Active Directory
- Diagnose common issues with components such as the Repair Wizard, Online Restore Wizard, GPO Restore Wizard, Web Portal and AD LDS (ADAM)

Recovery Manager for AD Functional Overview
Recovery Manager for Active Directory improves the availability of network environments by providing remote, automated backup management and data restoration for the recovery of Active Directory, AD LDS (ADAM), and Group Policy Objects.
Recovery Manager for AD consists of two main components:
- Recovery Manager for AD console: all backup and restore administration is managed within one console
- Database: used to store temporary information for comparison reports during restores

Architecture
Components shown in the diagram:
- Domain Controller
- Recovery Manager Console and Web Portal
- Recovery Manager Databases on SQL Server
- AD LDS (ADAM) Host
- External Backup Storage (optional)

Overview of the Recovery Manager for AD Console

Debug Logging Overview
- Debug logging can be enabled within the Settings of the product:
  - Right-click the Recovery Manager for AD node and then select Settings.
  - Go to the Logging tab and put a check mark in for "Use diagnostic logging".
- If possible, clear existing logs and recreate the issue with enhanced diagnostic logging enabled. For detailed instructions see SOL123269.
- Location of log files on the Recovery Manager server:
  - Windows 2003: C:\Documents and Settings\All Users\Application Data\Dell\Recovery Manager for Active Directory\Logs
  - Windows 2008 (hidden folder): C:\ProgramData\Dell\Recovery Manager for Active Directory\Logs
- Location of log files on the domain controller: C:\Windows\RecoveryManagerAD

Active Directory - Backups
- By default Recovery Manager will back up the entire system state of a domain controller. This can be configured within the Collection properties, under the System State tab.
- All backups are compressed on average at a 7:1 ratio and are stored as .bkf files.
- Recovery Manager supports registering third-party backup files as long as they are a Microsoft Tape Format (MTF) compliant backup file (.bkf).
- If the backup format is not supported, extract the backup file and register the Active Directory database file (.dit) as an offline AD database.
- Backups are extracted by default, providing the administrator fast access to backups in the case of a restore. The default value for the amount of unpacked backups retained can be modified within the settings of the product.
- Backups that are scheduled use the credentials of the scheduled account, unless an account is specified within the Agent Settings tab of the collection properties.
- For more information on the results of backups, navigate to the session, then right-click the domain controller and go to Properties.

Backup Agent
- Backups can be completed using an agent that is installed at the time of backup (and automatically removed when the backup is completed) or using a preinstalled backup agent.
- Using the preinstalled backup agent has two advantages:
  - One port is needed for communication. By default the port is 3843. If the default port needs to be changed see SOL22319.
  - It can maintain a connection longer over a slow WAN link.
- The preinstalled backup agent runs as a service named Dell Backup Agent and as a process named BackupAgent.exe or BackupAgent64.exe (depending on OS architecture).
- If deploying the backup agent automatically, the files will be sent to C:\Windows\RecoveryManagerAD and a process named ErdAgent.exe or ErdAgent64.exe (depending on OS architecture) will be running during the backup process. Once the backup has been completed, the files will be removed and the process will end.
- Backup agent log files on the domain controller:
  - Preinstalled backup agent: C:\Windows\RecoveryManagerAD\BackupAgent.log (or BackupAgent64.log)
  - Backup agent deployed during each backup: C:\Windows\RecoveryManagerAD\ErdAgent.log (or ErdAgent64.log)

Common Backup Issues
- Error "Unable to execute request" usually indicates an issue with the backup process on the DC. If a preinstalled backup agent is being used, restart the service. If a backup was recently run prior to this error, give the agent time to remove itself and try again - SOL78464
- Any VSS (Volume Shadow Copy Service) error is generally a native issue with the domain controller. It is possible to prove this by taking a system state backup using native tools. The VSS error is likely documented by Microsoft and will include their own troubleshooting steps.
- "All Operations Failed" is a generic failure message. Review the session details and the properties of the failed DC within the session to find the root cause.
- "Failed to get members of local groups of domain mydomain.com" occurs because, when there are multiple domains, the backup agent needs to contact the other domains to obtain cross-domain group membership, and those domains need to be reachable - SOL22909
- Error "Cannot establish the connection to the backup agent" can occur for various reasons. See the list located in SOL60209.
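
Added example (not part of the original training deck and not vendor code): a PowerShell triage script that checks the backup agent details named on the two slides above, namely port 3843, the Dell Backup Agent service, the BackupAgent/ErdAgent processes and the agent logs in C:\Windows\RecoveryManagerAD. It assumes it is run from the Recovery Manager server by an account with administrative rights on the domain controller, that WinRM/CIM and the admin$ share are reachable, and that "Dell Backup Agent" is the service display name.

```powershell
# Added example (not vendor code): triage the backup agent on one DC.
# Assumptions: admin rights on the DC, WinRM/CIM enabled, admin$ share
# reachable, and "Dell Backup Agent" is the service display name.
param(
    [Parameter(Mandatory)] [string] $DomainController,
    [int] $Port = 3843   # default preinstalled-agent port per the slide
)

function Test-AgentPort {
    param([string] $Computer, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$report = [ordered]@{
    DomainController = $DomainController
    PortOpen         = Test-AgentPort -Computer $DomainController -Port $Port
    ServiceState     = 'not found or not queryable'
    AgentProcesses   = @()
    AgentLogs        = @()
}

# Preinstalled agent: is the service present, and is it running?
$svc = Get-CimInstance Win32_Service -ComputerName $DomainController `
    -Filter "DisplayName='Dell Backup Agent'" -ErrorAction SilentlyContinue
if ($svc) { $report.ServiceState = $svc.State }

# A lingering ErdAgent process means the on-demand agent has not removed
# itself yet; the slide advises giving it time before retrying the backup.
$names  = 'BackupAgent.exe', 'BackupAgent64.exe', 'ErdAgent.exe', 'ErdAgent64.exe'
$filter = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '
$report.AgentProcesses = @(Get-CimInstance Win32_Process -ComputerName $DomainController `
    -Filter $filter -ErrorAction SilentlyContinue | ForEach-Object Name)

# admin$ maps to C:\Windows on the DC, so this is C:\Windows\RecoveryManagerAD.
$logDir = "\\$DomainController\admin`$\RecoveryManagerAD"
if (Test-Path $logDir) {
    $report.AgentLogs = @(Get-ChildItem $logDir -Filter '*Agent*.log' |
        Sort-Object LastWriteTime -Descending | ForEach-Object Name)
}

[pscustomobject]$report
```

A closed port with a stopped service points at the preinstalled agent; an ErdAgent process still present after a finished backup points at the on-demand agent not having cleaned up yet.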

AD LDS (ADAM) Overview

Common AD LDS (ADAM) Issues
- Error "Unable to connect to LDAP server" may occur if the AD LDS instance is not on the default port 389. This requires modifying the registry on the Recovery Manager server - SOL60134
- The entire instance needs to be restored but it is only possible to restore objects. Follow the procedure outlined in SOL56620 to restore the entire instance.
- Error "Invalid API parameter" may occur when extracting the AD LDS backup. Resolve this by copying the correct esent.dll file to the Recovery Manager folder - SOL13444

Online Restore Wizard Overview

Online Restore Wizard: Agent vs Agentless
- Restores through the Online Restore Wizard can be completed using either the agentless or the agent-based method.
- There are several differences between agent and agentless restores. Mainly, the agent-based restore requires more permissions than agentless; however, it is able to restore password and SID history for User and Computer objects. For more information regarding the differences between the two methods, please review the video located in SOL73236.
- Unlike the backup agent, the online restore agent cannot be preinstalled.
- To configure the Windows Firewall on the domain controller to allow the restore agent to be transferred, follow the steps outlined in SOL51897.
- Online Restore log files on the domain controller:
  - C:\Windows\RecoveryManagerAD\OnlineRestoreAdapter.log
  - C:\Windows\RecoveryManagerAD\EriAgent.log

Online Restore Wizard Common Issues
- Error "failed to initialize reporter. Login Failed" may occur if the account logged in does not have access to the SQL database used to generate a report. Grant the account access to the database, or remove the option to generate a report if only the restore is required - SOL87587
- After the restore operation is complete, the restored user cannot log in or, if a computer object was restored, the computer has to be rejoined to the domain. The restore was likely done with the agentless method. Restore the object again with the agent-based restore method.
- Error "Failed to create a remote object" or "RPC Server is unavailable" may occur if the restore agent cannot be copied to the DC. Try opening up ports using SOL51897 or use the agentless method.
- Error during backup extraction in Online Restore Wizard: "Version of log files is not compatible with Jet Version". This can occur due to a version mismatch between the OS that RMAD is installed on and the OS of the DC - SOL11601
- Unable to find and select DNS zones to restore. When adding an object using the Browse menu, check the box "Show Advanced Objects" - SOL56999
- Errors such as "Directory object not found" are due to the object no longer existing as a tombstone. Recovery Manager cannot restore objects past the tombstone lifetime. This is due to the design of Active Directory - SOL64028, SOL47772

Repair Wizard Overview

Repair Wizard Common Issues
- The "Mark the entire directory as authoritatively restore" option appears grayed out. The product does not support marking the entire directory as authoritative for Windows 2008 domain controllers - SOL50348
- Entering an incorrect DSRM password during the wizard will cause the process to fail. If in doubt, reset the password during the wizard.

Group Policy Restore Wizard Overview

Group Policy Restore Wizard Common Issues
- Error "The specified directory service attribute or value does not exist" may occur if the account running the wizard does not have access to the GPO's folder on the domain controller (C:\Windows\SYSVOL\domain\policies\{GUID}).
- Comparison reports may not contain information on some GPO settings. Disregard this; Recovery Manager will be able to restore the settings without issue. For a full list of settings see SOL12024.
- Error "Unable to extract the backup: Compression is disabled for this volume" may be due to folders within the SYSVOL being compressed. Verify the target folder is not compressed.

Recovery Manager Portal Overview

Recovery Manager Portal Common Issues
- Error when launching the Web Portal: "HTTP Error 500.19". Follow the steps outlined in SOL120590.
- Error "Cannot create database RecoveryMgrPortal because it already exists on SQL Server instance". Delete the existing database as outlined in SOL121341.
- An account that does not have domain admin access will not be able to restore objects unless it is configured to do so in the list of delegates.
- IIS must be installed and running prior to the installation of the Portal.
- The Recovery Manager Portal Access service must be installed and running prior to the installation of the Portal.

Common Solutions
- SOL11601 - Error during backup extraction in Online Restore Wizard: "Version of log files is not compatible with Jet Version". This can occur due to a version mismatch between the OS that RMAD is installed on and the OS of the DC
- SOL116317 - Error during backup: "Failed to connect to backup agent"
- SOL124386 - How to upgrade to version 8.6
- SOL119172 - How to enable extended logging
- SOL118738 - How to move RMAD to another server

Prerequisites for Contacting Support
When opening a support case submit the following:
- Problem description
- Diagnostic logs, screenshots, etc.
- Environmental details (system versions, physical/virtual hardware, federation, High Availability, architecture, etc.)
- Issue severity and customer business impact, timeframes, etc.
- If a performance issue, provide specific details as specified in the Notes section of this slide.

Feedback on the Documentation
We are interested in receiving feedback from you about our Support Technical Training. When submitting feedback please include:
- Product / Version
- Indicate if you are providing feedback on:
  - Support Training Documentation
  - Support Training Exam
  - Practical Exam
- Comments
All comments are welcome. Please submit your feedback to the following email address: SPP.Feedback@software.dell.com
Please do not submit Technical Support requests to this email address.

DELL CONFIDENTIAL AND PROPRIETARY
This document (the "Document") contains confidential information of Dell and embodies trade secret and proprietary intellectual property of Dell. It is legally protected and shall not be copied, modified, reverse engineered, published, disclosed, disseminated outside of Dell or otherwise used, in whole or in part, without Dell's written consent, provided, however, that you have the right to use the Document solely for your internal use and solely as necessary for you to enjoy the benefit of Services under the applicable SOW (or other agreement) you have entered into with Dell.
Copyright 2012 by Dell Inc. The copyright notice does not imply publication of this document or its contents. DELL, the E (Stylized in a sphere) logo, Dell Compellent, OpenManage, EqualLogic, PowerEdge, PowerVault and other Dell trademarks are the trademarks or registered trademarks of Dell Inc. in the U.S. and certain other countries.