Architecture of Active Directory Forest Recovery

The architecture of the Commvault Cloud forest recovery solution includes the CommServe server (SaaS); a backup gateway, network, and storage; a target gateway and network; and recovery nodes and access nodes.

CommServe Server (SaaS)

The CommServe Server (SaaS) is the set of software and services that make up the Commvault Cloud control plane.

Commvault Cloud Console

The Commvault Cloud console is where most of the forest recovery setup and configuration is done.

Backup Gateway

The backup gateway is a server that has access to the domain controllers in your Active Directory. Because domain controllers typically can't communicate directly to the internet, the backup gateway coordinates backup jobs on the domain controllers and forwards the completed backups to the backup storage.

The backup gateway performs these functions by hosting the following network interfaces:

  • An interface that is connected to the public internet

  • An interface that is connected to the network that the Active Directory domain controllers belong to

If domain controllers are located across different sites or geographies, you can use multiple backup gateways.

Backup Network

The backup network is the network that the domain controllers belong to. Because domain controllers typically can't communicate directly with the internet, the backup network is usually isolated from the public internet, and the backup gateway provides the path between the backup network and the CommServe infrastructure in the cloud.

Backup Storage

Backup storage contains system state backups of domain controllers. Various types of backup storage are supported. For Active Directory forest recovery, store the primary copy of domain controller backups on-premises so that it can be accessed quickly when AD must be restored to a previous state, for example after schema corruption. To ensure redundancy and resiliency against ransomware attacks that might make on-premises infrastructure unavailable, store a secondary copy in the cloud.

Target Gateway

The target gateway is a server that provides access between the public internet, where the CommServe components are hosted, and the isolated recovery network that domain controllers are recovered to. The target gateway fulfills this role by hosting the following network interfaces:

  • An interface that is connected to the public internet

  • An interface that is connected to the isolated recovery network

You can specify only one target gateway in a runbook. Thus, all domain controllers are recovered to the same isolated recovery network.

Isolated Recovery Network

The isolated recovery network is a network that can't communicate with the production Active Directory or the public internet.

Important

To prevent the possibility of re-introducing corruption, the recovered AD environment must not be able to communicate with the original Active Directory domain controllers.
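One way to enforce that requirement before a recovery proceeds is to verify isolation from the access node itself. The following PowerShell is an added example and is not part of the Commvault product or documentation. It assumes a Hyper-V host acting as the access node, uses the Hyper-V and NetTCPIP cmdlets that ship with Windows Server, and treats the VM names, production addresses, probe host and the function names as placeholders to be replaced with the environment's own values. It performs two checks: a structural one (every connected adapter of a recovered domain controller must sit on a Private virtual switch, the only Hyper-V switch type with no uplink to the host's physical network) and a behavioural one (from inside each recovered DC, over PowerShell Direct, TCP connections to the production domain controllers and to a public host must all fail).

```powershell
# Added example; not Commvault code. Run on the Hyper-V host that serves as the
# access node. Placeholders below must be replaced with real values.

$RecoveredDcVms = @('DC01-RECOVERED', 'DC02-RECOVERED')   # placeholder: recovered DC VM names
$ProductionDcs  = @('10.0.0.10', '10.0.0.11')             # placeholder: production DC addresses
$PublicProbe    = 'www.microsoft.com'                     # any public host; must be unreachable
$ProbePorts     = 53, 88, 135, 389, 443, 445, 636         # DNS, Kerberos, RPC, LDAP, HTTPS, SMB, LDAPS

# Structural check: can run before the recovered VMs are powered on. Returns one
# finding per adapter that is attached to anything other than a Private switch.
function Test-RecoverySwitchIsolation {
    param([string[]]$VmNames)
    $findings = @()
    foreach ($vm in $VmNames) {
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm) {
            if (-not $nic.SwitchName) { continue }   # a disconnected adapter cannot leak traffic
            $switch = Get-VMSwitch -Name $nic.SwitchName
            if ($switch.SwitchType -ne 'Private') {
                $findings += "$vm/$($nic.Name): attached to $($switch.SwitchType) switch '$($switch.Name)'"
            }
        }
    }
    return $findings
}

# Behavioural check: runs inside a powered-on recovered DC via PowerShell Direct,
# so it needs no network path from host to guest. Returns every target:port that
# the guest could actually connect to; an isolated network returns nothing.
function Test-RecoveryReachability {
    param([string]$VmName, [pscredential]$GuestCredential, [string[]]$Targets, [int[]]$Ports)
    Invoke-Command -VMName $VmName -Credential $GuestCredential -ScriptBlock {
        param($Targets, $Ports)
        $reached = @()
        foreach ($t in $Targets) {
            foreach ($p in $Ports) {
                $ok = Test-NetConnection -ComputerName $t -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
                if ($ok) { $reached += "${t}:${p}" }
            }
        }
        return $reached
    } -ArgumentList $Targets, $Ports
}

$switchFindings = Test-RecoverySwitchIsolation -VmNames $RecoveredDcVms

$guestCred = Get-Credential -Message 'Local administrator of the recovered domain controllers'
$reachFindings = foreach ($vm in $RecoveredDcVms) {
    Test-RecoveryReachability -VmName $vm -GuestCredential $guestCred `
        -Targets ($ProductionDcs + $PublicProbe) -Ports $ProbePorts |
        ForEach-Object { "${vm}: reached $_" }
}

$allFindings = @($switchFindings) + @($reachFindings)
if ($allFindings.Count -eq 0) {
    Write-Output 'Recovery network isolation verified: no path to production DCs or the internet.'
} else {
    $allFindings | ForEach-Object { Write-Warning $_ }
    throw 'Isolation check failed; do not continue the forest recovery runbook.'
}
```

The structural check is the cheaper and safer of the two and can be run before any recovered VM is started; the behavioural check confirms that no other route (a second adapter, a misconfigured switch, a NAT on the host) undoes that isolation once the guests are running. Treating any single finding as a hard stop matches the note above: a recovered forest that can reach the original domain controllers is not yet a safe recovery target.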

Recovery Node

The recovery node manages tasks in the forest recovery runbook, coordinating domain controller recovery jobs and executing pre- and post-configuration steps.

You can specify only one recovery node in a runbook.

Access Node

The access node is a server that has access to the hypervisor that the domain controller virtual machines are recovered to. The access node processes domain controller recovery jobs from the runbook and instructs the hypervisor to create the virtual machines that the domain controllers are restored to.

The access node can be a separate server, or it can share a server with other roles. For example, if the target is Microsoft Hyper-V, the access node can be the Hyper-V host.

The access node is configured on the recovery target. Thus, you can specify one access node for each recovery target. For example, if an organization is geographically distributed across the United States and Germany and a production forest recovery will recover some domain controllers to a Hyper-V host in the US and some domain controllers to a Hyper-V host in Germany, you can specify two access nodes, one for each Hyper-V host.

[Figure: Network diagram of AD forest recovery with multiple access nodes]

In some cases, you can consolidate roles on a single server. For example, if you are testing a forest recovery to a non-production lab where all domain controllers are restored to a single Hyper-V server, then you can consolidate the recovery node and the access node on a single server, the Hyper-V host.

[Figure: Network diagram of AD forest recovery with a single access node]
