
    Prerequisites

    System requirements

    | Total object count | Disk space for one year* | RAM (for AD Backup and Recovery add-on alone) | System RAM recommended |
    |---|---|---|---|
    | 0 to 100,000 | 100 GB | 3 GB | 8 GB |
    | 200,000 | 200 GB | 4 GB | 8 GB |
    | 500,000 | 350 GB | 6 GB | 16 GB |
    | 1,000,000 | 500 GB | 8 GB | 16 GB |

    *This is calculated for one full backup every month and one incremental backup every day.

    Ports

    | Port Number | Protocol | Purpose |
    |---|---|---|
    | 9270 | HTTP | To connect to the Elasticsearch database |
    | 9370 | TCP | Used for communication between nodes in a cluster |

    Privileges required

    Permissions required for the AD Backup and Recovery add-on in ADAudit Plus

    ADAudit Plus' AD Backup and Recovery module can start backing up AD objects as soon as you provide domain admin credentials. However, if your organization's policy restricts the use of the Domain Admin account, you can instead assign a service account only the least privileges required to use the add-on.

    The table below lists the permissions that should be assigned to the service account configured in ADAudit Plus:

    | Action | Permissions |
    |---|---|
    | To back up AD objects | Read, Replicating Directory Changes, and Replicating Directory Changes All permissions for the Domain, DomainDNSZones, ForestDNSZones, Configuration, and Schema partitions. |
    | To back up GPOs | Add the service account to the Administrators group. |
    | To restore deleted GPOs | Add the service account to the Group Policy Creator Owners group. |
    | To restore all AD objects | Write permission. |

    Steps to configure the permissions required to enable the AD Backup and Recovery add-on in ADAudit Plus

    To provide the service account with Read permission for Domain, DomainDNSZones, ForestDNSZones, configuration, and schema partitions in AD:

    1. Open ADSI Edit.
    2. Click Action > Connect to.
    3. In the Connection Settings dialog box that appears, provide the distinguished name of the Domain partition and click OK.
    4. Right-click the domain in the left pane and click Properties.
    5. In the dialog box that appears, click the Security tab and select the service account from the Group or user names section. In the Permissions section, select the check boxes for Replicating Directory Changes, Replicating Directory Changes All, and Read, and click Apply.
    6. Now that the user account has been provided with all permissions relating to the domain partition, click Action > Settings in ADSI Edit.
    7. Add the DomainDNSZones, ForestDNSZones, Configuration, and Schema partitions to ADSI Edit and repeat the steps to provide the account with all the required permissions.

    With these permissions in place, the user account can be used to configure the domain in ADAudit Plus and perform backup operations.
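
    To confirm the grants from the steps above and to see which other principals already hold the same replication rights, the following PowerShell audit can be run. It is an added example, not part of the product or its documentation. It assumes the RSAT ActiveDirectory module is installed, and the account name CONTOSO\svc-adbackup and all variable names are placeholders.

```powershell
# Added example: audit replication rights on every partition hosted by this DC.
# Assumption: run as a user who can read the partition ACLs.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-adbackup'   # hypothetical name; replace with yours

# rightsGuid values of the control access rights; the empty GUID on an
# ExtendedRight ACE (for example Full Control) grants every extended right.
$Rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$Needed = 'Replicating Directory Changes', 'Replicating Directory Changes All'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# namingContexts lists the Domain, Configuration, Schema, DomainDnsZones
# and ForestDnsZones partitions.
$partitions = (Get-ADRootDSE).namingContexts
$report = foreach ($nc in $partitions) {
    foreach ($ace in (Get-Acl -Path "AD:\$nc").Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.ActiveDirectoryRights -band $ExtendedRight) -and
            $Rights.ContainsKey($guid)) {
            [pscustomobject]@{
                Partition = $nc
                Principal = $ace.IdentityReference.Value
                Right     = $Rights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 1. Everyone who can replicate directory data; "Changes All" includes secret
#    domain data, so every holder listed here should be known and expected.
$report | Sort-Object Partition, Principal, Right | Format-Table -AutoSize

# 2. Partitions where the service account is still missing a required right.
foreach ($nc in $partitions) {
    $held = @($report | Where-Object { $_.Partition -eq $nc -and $_.Principal -eq $ServiceAccount } | ForEach-Object Right)
    if ($held -contains 'All extended rights') { continue }
    foreach ($right in $Needed) {
        if ($held -notcontains $right) { Write-Warning "$ServiceAccount lacks '$right' on $nc" }
    }
}
```

    The check compares only ACEs that name the account directly, so rights the account holds through group membership appear in the first listing under the group's name.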

    Performing restorations when you add your domain using a service account

    The permissions that you have just assigned to the service account will only allow the product to take backups of your AD environment. When you need to perform any restoration, the product will verify which account was used to configure the domain.

    • If a domain administrator account was used, the restoration will be performed without further input from the admin.
    • If a service account was used, the product will prompt the admin to enter the user name and password of a user who can write to AD.
      • If the service account used to configure the AD domain in ADAudit Plus has the required privilege to write to AD, select the Use default system domain credentials option.
      • If the account does not have the required privileges to write to AD, leave the box unchecked, and provide the credentials of a domain administrator or a user who can write to AD in the Username and Password fields.
    • Once you provide the credentials, the product will use the credentials to perform the restoration. After the restoration is complete, the product will not store the credentials.

    Backing up GPOs

    To back up GPOs, the product has to run PowerShell commands to access the admin share folder and the service account has to be added to the Administrators group.

    If you want the account to be able to restore deleted GPOs as well, the service account must also be added to the Group Policy Creator Owners group.
