Wednesday, March 21, 2018

Active Directory recovery - 3rd party tools - Recovery Manager Plus - 1

Perhaps the most significant shortcoming of traditional Active Directory backups was the inability to restore individual objects without resorting to an authoritative restore from a system state backup. The Active Directory Recycle Bin (ADRB), first available with Windows Server 2008 R2, changed this but was limited to the command line. This article explains the concepts well (isDeleted, isRecycled, tombstone, etc.) and demonstrates many of the command line options:

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

Those who would have nothing to do with the command line had to wait for Windows Server 2012, which provided a graphical interface for recycle bin operations. I experimented with that in a previous blog post here:

Windows Server 2012 - Active Directory - Backup and Restore, Part 2: Recycle Bin


In this present blog post (and perhaps others to follow), I want to take a look at a third party Active Directory recovery product. Several vendors offer such products: Dell/Quest, ManageEngine, Netwrix and BeyondTrust, to name some of the best known. Some of these vendors' auditing products were reviewed by Eric B. Rux in this article from 2011:

Comparative Review: Active Directory Auditing Tools

Another blogger took a closer look at ManageEngine's AD Audit Plus tool here (2015):

Active Directory auditing - 3rd party tools - the example of AD Audit Plus


Of course, technology changes quickly and some of those comments may no longer be accurate. However, it is still true that the ManageEngine products have the advantage of a rather simple installation, using their own integrated database (although in some cases an external database can apparently be used as well). That advantage may not be a decisive factor in the choice of a product but is rather compelling when the objective is to install the product in a small test environment for evaluation - or simply to satisfy personal curiosity.

In my case, I'm going to evaluate the ManageEngine product "Recovery Manager Plus". I will first install and configure the product, then delete and attempt to recover various objects. In particular, Recovery Manager Plus (which I'll abbreviate as "RMP" here) is supposed to be able to recover not only users and groups but also Group Policy objects and DNS zones.


***

Installation

First of all, I downloaded the trial version of RMP here:


After 30 days, it converts to the "free version" with all the limitations presented in the "Compare Editions" chart (all this can be found on their website).

I'm going to install the product on a Windows 2016 server (also a trial version). Let's see what happens...


We start by running the downloaded installer:




We simply click "Next" on the welcome page...




Accept the (evaluation) license agreement:




And select the location where RMP will be installed:



One word of caution! In my experience, the database can become quite large so it is preferable to place it on another volume. Since this is simply a first look at the product, I'll just install it in the default location.

We manage RMP via a web interface and at this point must either accept the default port (8090) or enter another. Note that this is the port of a plain HTTP console; before exposing it beyond localhost, check the product's settings for enabling HTTPS and restrict access to the port on the host firewall:




We can register for technical support (optional). I'll skip for now:




If we're ready, we click on "Next" for the installation to begin...




And if all goes well, we should see this:




This is where the first problems start. When RMP opens, I first see the page about content being blocked by Internet Explorer Enhanced Security Configuration. I add the page to the exceptions (and even disable ESC later - not shown in screenshots):







At that point, I'm able to log on, apparently with success, but I then encounter another error and can go no further:




Note: once again, I'm using Windows Server 2016 and IE 11. 


After different attempts to resolve this (even disabling the host firewall), I opt to try another browser: Firefox:




That allows me to access the web interface without a problem (so I know the firewall was not the obstacle - an unlikely scenario anyway on the "localhost").


***


Configuration

We can open RMP as a simple application using an account with sufficient rights to Active Directory, but for optimal use (as with other ManageEngine products) we configure it to run as a service. That is not the case at this point:




In the RMP folder (Start Menu), we can configure the application to run as a service by clicking on "Install RecoveryManager Plus Service":







That configures RMP to run as a service (compare to the previous screenshot of services.msc):



However, the local system account (which authenticates to the domain as the computer account) will not have sufficient access to Active Directory, so we will normally create a domain service account that does and configure RMP to run in that context. Resist the temptation to simply make that account a Domain Admin: restoring deleted objects requires the "Reanimate Tombstones" control access right on the domain partition plus write access to the containers the objects are restored into, and a dedicated account delegated those rights is a much smaller target than a domain administrator whose password is stored by a service:
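The following is an added example, not from the post or from the vendor, of how a practitioner would set up such a service account from PowerShell with the ActiveDirectory module (RSAT or a DC): a non-interactive domain account, the Reanimate Tombstones right granted on the domain partition, write rights scoped to the OUs the product is allowed to restore into, and the Windows service reconfigured to run as that account. The domain corp.example, the OU names, and the Windows service name are assumptions (the post never states the service name; check Get-Service on the RMP host), and the product's own documented rights requirements take precedence over this minimal set.

```powershell
# Added example (not the post's or the vendor's): least-privilege service
# account for an AD restore product. Assumed: domain corp.example,
# OU "Service Accounts", target OUs "Staff" and "Groups", and the Windows
# service name below. Run as a user who can delegate rights on the domain.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$domainDN   = $domain.DistinguishedName
$svcName    = 'svc-rmp'
$svcOU      = "OU=Service Accounts,$domainDN"
$winService = 'ManageEngine RecoveryManager Plus'   # assumed; confirm with Get-Service *Recovery*

# 1. A non-interactive account: fixed password that the account cannot change.
#    Deny it interactive/RDP logon via GPO user rights assignment (not shown).
$pw = Read-Host -AsSecureString "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOU `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -Description 'RecoveryManager Plus service account'
$sid = (Get-ADUser $svcName).SID

# 2. Reanimate Tombstones on the domain partition. The right's GUID is looked
#    up in the Extended-Rights container rather than hard-coded.
$config = (Get-ADRootDSE).configurationNamingContext
$right  = Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
    -LDAPFilter '(cn=Reanimate-Tombstones)' -Properties rightsGuid
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [guid]$right.rightsGuid))
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 3. Write/create rights only on the OUs restores may land in (full control on
#    each subtree, NOT on the domain root). Tighten further to Create Child +
#    Write Property if the product's documentation allows it.
foreach ($ou in @("OU=Staff,$domainDN", "OU=Groups,$domainDN")) {
    $ouAcl = Get-Acl -Path "AD:\$ou"
    $ouAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
    Set-Acl -Path "AD:\$ou" -AclObject $ouAcl
}

# 4. Run the service as that account. sc.exe does NOT grant "Log on as a
#    service"; grant it through Local Security Policy/GPO, or set the account
#    in services.msc, which grants the right for you.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
sc.exe config "$winService" obj= "$($domain.NetBIOSName)\$svcName" password= "$plain"
Restart-Service -Name $winService

# Verify the delegation took: the ACE should show up on the domain root.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$svcName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Note the trailing spaces after "obj=" and "password=" in the sc.exe call; they are part of its syntax, not a typo. If the product later reports an access-denied error on a restore, compare the rights it documents against this set before widening it.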






We'll see the following messages, the second indicating that we need to restart the service for changes to take effect:







***


Basic test restore

Although RMP seems to discover the domain automatically, we have to add the domain user accounts that will manage the application under the Admin tab ("Technicians" section):






We can then log on with our domain credentials rather than as the local RMP default administrator:




Note: at first, I was not able to accomplish that. Apparently (?), you have to run a backup first.


As far as backups go, we can run a "Quick Backup" after initial configuration. Afterwards, we need to configure a schedule, although we can still perform on-demand backups as needed. Under the Dashboard tab, we select "Quick Backup" and can configure some options (you may have to scroll down or over to see all of them):




So besides selecting OUs, we can decide to include all objects or only certain objects in the backup:




There are numerous other elements displayed on the dashboard but my objective is to test the backup and restore capabilities of the product rather than present every single feature. I may test other scenarios later, in additional blog posts, but for now I will delete a simple user object and attempt to restore it.

First, I delete the user object "Anne.Schubert":



The object is gone:




With native Active Directory backup alone (and no Recycle Bin enabled), I would have to perform an authoritative restore of the user object. I will not describe the process in detail here but it is a rather complex operation that involves restarting a domain controller in Directory Services Restore Mode. With RMP, I can go to the "Restore" section under the Active Directory tab and search for the deleted user object:





I select the object (note that there is room for multiple objects - below) and click on the Restore button:




I confirm...




And if all goes well, Anne Schubert should be restored:





As we can verify in Active Directory (Anne Schubert is back where she belongs):
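For comparison with the RMP restore just shown, and with the Recycle Bin concepts mentioned at the top of the post (isDeleted, isRecycled, tombstone), here is an added example, not from the post, of the native PowerShell equivalent: check that the Recycle Bin is enabled, delete the same test user, inspect the deleted object's state and remaining recovery window, restore it to its last known parent, and verify that attributes and group memberships came back. It assumes the ActiveDirectory module, a lab domain whose name is taken from Get-ADDomain, a test user Anne.Schubert, and an operator who holds the Reanimate Tombstones right; the delete is real, so run it only in a test environment.

```powershell
# Added example (not from the post): native AD Recycle Bin restore of a
# deleted user, the CLI counterpart of the RMP test above. Lab use only.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$sam    = 'Anne.Schubert'    # test user assumed to exist before the run

# 1. Restore-ADObject only gives back a complete object when the Recycle Bin
#    is enabled forest-wide. Enabling it is a one-way change.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Write-Warning 'Recycle Bin is NOT enabled: only attribute-stripped tombstone reanimation is possible.'
    # Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $domain.Forest -Confirm:$false
    return
}

# 2. Record what we expect to get back, then delete.
$before       = Get-ADUser -Identity $sam -Properties memberOf, description, department
$beforeGroups = @($before.memberOf)
Remove-ADUser -Identity $sam -Confirm:$false

# 3. Locate the object in CN=Deleted Objects. The search must opt in to deleted
#    objects and filter on isDeleted; the RDN now ends in "\0ADEL:<objectGUID>".
$deleted = Get-ADObject -Filter { sAMAccountName -eq $sam -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties isDeleted, isRecycled, lastKnownParent, whenChanged, memberOf

if (-not $deleted)          { throw "Deleted object for $sam not found" }
if ($deleted.isRecycled)    { throw "$sam is already recycled; attributes are gone, restore from backup" }

# Recovery window: msDS-DeletedObjectLifetime (default 180 days) from the
# deletion; whenChanged is updated at deletion and serves as the timestamp.
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$dol = (Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime').'msDS-DeletedObjectLifetime'
if (-not $dol) { $dol = 180 }
$daysLeft = $dol - ((Get-Date) - $deleted.whenChanged).Days
Write-Host ("{0}: isDeleted={1} isRecycled={2} lastKnownParent={3} days left={4}" -f
    $deleted.Name, $deleted.isDeleted, [bool]$deleted.isRecycled, $deleted.lastKnownParent, $daysLeft)

# 4. Restore to lastKnownParent (use -TargetPath if that OU no longer exists).
Restore-ADObject -Identity $deleted.ObjectGUID

# 5. Verify: same DN, attributes intact, and every former group membership back.
$after   = Get-ADUser -Identity $sam -Properties memberOf, description, department
$missing = $beforeGroups | Where-Object { $_ -notin @($after.memberOf) }
if ($after.DistinguishedName -ne $before.DistinguishedName) { throw 'Restored to a different DN' }
if ($after.description -ne $before.description)             { throw 'description attribute lost' }
if ($missing) { throw "Group memberships not restored: $($missing -join ', ')" }
Write-Host "$sam restored to $($after.DistinguishedName) with $(@($after.memberOf).Count) group memberships"
```

The isRecycled check is the important one: once an object passes the deleted-object lifetime it is recycled, its attributes are stripped, and neither this script nor the Recycle Bin GUI can bring it back, which is exactly the window a scheduled backup product is meant to cover.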




***

So, to conclude this blog post, I was able to install the Recovery Manager Plus application with ease and after a rather simple configuration process, perform a successful (albeit simple) restore operation. I had some problems accessing the web interface with IE 11 but was able to use Firefox without a problem. 
