Configure RecoveryManager Plus

Configuring RecoveryManager Plus with a service account

It is recommended to use an account with Domain Admin privileges to configure RecoveryManager Plus. In cases where your organization's policies restrict usage of domain admin accounts, you can assign a user or service account with the least privileges that are required for the functioning of RecoveryManager Plus. This account can then be used for configuring the domain settings in RecoveryManager Plus.

Permissions required to back up Active Directory with a service account

Provide the service account with the following permission for Domain, DomainDNSZones, ForestDNSZones, configuration, and schema partitions.

  1. Open ADSI Edit.
  2. Click Action > Connect to.


  3. In the Connection Settings dialog box that appears, provide the distinguished name of the Domain partition and click OK.


  4. Right-click the domain in the left-pane and click on Properties.


  5. In the dialog box that appears, select the service account from the Group or user names: field. In the Permissions section, select the check-box against Replicating Directory Changes and click Apply.


  6. Now that the user account has been provided with all permissions relating to the domain partition, click Action > Settings in ADSI Edit.
  7. Add the DomainDNSZones, ForestDNSZones, configuration, and schema partitions to ADSI Edit and repeat the steps to provide the account with all the required permissions.

With these permissions in place, the user account can be used to configure the domain to RecoveryManager Plus and perform backup operations.
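
To confirm the result of the steps above, the following added example (not part of the product or its documentation) reads the ACL of each of the five partitions and reports whether the service account holds Replicating Directory Changes, and whether it holds any replication right beyond the one this page asks for. The account name CONTOSO\svc-rmp-backup is a placeholder, and the script assumes the ActiveDirectory PowerShell module (RSAT) and a domain controller that hosts the DNS application partitions.

```powershell
# Added example: audit the replication rights granted to the backup service account.
Import-Module ActiveDirectory

# Assumption: placeholder name. Replace with your own service account (DOMAIN\name).
$ServiceAccount = 'CONTOSO\svc-rmp-backup'

# Control access right GUIDs as they appear in the ObjectType field of an ACE.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

# The five partitions named in the procedure, built from the rootDSE.
$root = Get-ADRootDSE
$partitions = @(
    $root.defaultNamingContext
    "DC=DomainDnsZones,$($root.defaultNamingContext)"
    "DC=ForestDnsZones,$($root.rootDomainNamingContext)"
    $root.configurationNamingContext
    $root.schemaNamingContext
)

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$report = foreach ($dn in $partitions) {
    # Only ACEs that name the account directly are matched; rights inherited
    # through group membership are not resolved here.
    $granted = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($extended) -and
        $ReplRights.ContainsKey($_.ObjectType.ToString())
    } | ForEach-Object { $ReplRights[$_.ObjectType.ToString()] }

    [pscustomobject]@{
        Partition                   = $dn
        ReplicatingDirectoryChanges = $granted -contains 'Replicating Directory Changes'
        # Anything listed here exceeds the permission the procedure grants.
        AdditionalReplicationRights = ($granted |
            Where-Object { $_ -ne 'Replicating Directory Changes' } |
            Sort-Object -Unique) -join ', '
    }
}

$report | Format-Table -AutoSize -Wrap
```

A partition showing False in the ReplicatingDirectoryChanges column was missed in step 7; a non-empty AdditionalReplicationRights column means the account holds more than the least privilege described here.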

Performing restorations when you add your domain using a service account

The permissions granted to the service account above only allow the product to take backups of your AD environment.

When you need to perform any restoration, the product will verify which account was used to configure the domain. If a domain administrator account was used, the restoration will be performed without further input from the admin. If a service account was used, the product will prompt the admin to enter the user name and password of a user who can write to AD. If the service account used to configure AD has the required privilege to write to AD, select the Use default system domain credentials option. If the account does not have the required privileges to write to AD, leave the box unchecked, and provide the credentials of a domain administrator or a user who can write to the AD in the Username and Password field. Once you provide the credentials, the product will use the credentials to perform the restoration. After the restoration is complete, the product will not store the credentials.


Backing up GPOs

To back up GPOs, the product has to run PowerShell commands to access the admin share folder, and hence the service account has to be added to the Administrators group.

If you want the account to be able to restore deleted GPOs as well, the service account must also be added to the Group Policy Creator Owners group.

Note: When you configure RecoveryManager Plus with a service account, you might encounter some issues when you back up GPOs. Follow the steps listed here for troubleshooting some frequently encountered issues.
