The network configuration is an important factor in the Active Directory forest recovery setup.
First, to prevent the possibility of re-introducing corruption, the recovered AD environment must not be able to communicate with the original Active Directory domain controllers.
Second, Active Directory and related services are offline for periods during a forest recovery. Typically, DNS services are unavailable at the beginning of the recovery. Without DNS and name resolution functioning, the Commvault Cloud software must have another way to communicate between servers during the recovery.
Required installation packages
Configure the Target Gateway
The target gateway is a server that provides access between the public internet, where the CommServe components are hosted, and the isolated recovery network that domain controllers are recovered to. Because Active Directory forest recovery can cause Active Directory domain-joined systems to be inaccessible, use a server that is not a domain-joined server.
- Copy the backup gateway package you downloaded in Step 1: Discover the Active Directory Forest to the machine you want to use as the target gateway.
- Install the package, entering the authcode that appears in the Add a new backup gateway dialog box when prompted.
- From the Command Center navigation pane, go to Manage > Servers.
  The servers page appears.
- Click the target gateway.
  The target gateway page appears.
- On the Configuration tab, in the Network settings section, click the edit button.
  The Edit network settings dialog box appears.
- Select the Enable network gateway check box.
- Click Save.
- In the upper-right area of the page, click the action button, and then select Push network configuration.
  The Confirm push network configuration dialog box appears.
- Click Submit.
Create an Empty Server Group for Recovered Domain Controllers
Create an empty server group. Later, all recovered domain controllers are associated with this server group, and the server group is used to configure network communication between the recovered DCs and the rest of the Commvault Cloud infrastructure.
In the following steps, you create the server group, but you don't add servers to it.
- From the Command Center navigation pane, go to Manage > Server groups.
  The Server groups page appears.
- In the upper-right area of the page, click Add a server group.
  The Add server group dialog box appears.
- Enter a descriptive name for the server group.
- Select Manual association.
- Click Save.
Configure the Backup Network
The backup network allows the recovered domain controllers to communicate with the rest of the Commvault Cloud infrastructure during the recovery process, when DNS and name resolution services are unavailable.
You need to create the following network pairs:
- A network pair to facilitate communication between the recovered DCs and the target gateway server
- A network pair to facilitate communication between the recovered DCs and the recovery node
The network pairs force the servers that are included in the recovery to use IP addresses to communicate with one another, rather than relying on server names that might not resolve during the forest recovery.
Note
Incorrect configurations of the backup network, network pairs, or interfaces cause restore jobs to fail.
Create a Network Pair Between the Recovered DCs and the Target Gateway
- From the Command Center navigation pane, go to Manage > Backup networks.
  The Backup networks page appears.
- Click Add network pairs.
  The Configure network pairs wizard appears.
- For Select 1st computer, start typing to select the recovered domain controllers server group.
- For Select 2nd computer, start typing to select the target gateway.
- Click Next.
- For Interfaces for the target gateway machine, enter the IP address that is used to privately communicate with the recovered DCs.
  Note
  The target gateway machine will have two network interfaces: one network interface to communicate with the Commvault Cloud infrastructure and a second network interface configured as the private network for the recovered DCs to communicate. When selecting this IP address, enter the IP address from the network interface that is used to privately communicate with the recovered DCs.
- Verify that Interfaces for the recovered domain controllers server group shows No Default Interface.
- To add a new configuration, click the add button.
- Click Next.
- Click Submit.
Create a Network Pair Between the Recovered DCs and the Recovery Node
- From the Command Center navigation pane, go to Manage > Backup networks.
  The Backup networks page appears.
- Click Add network pairs.
  The Configure network pairs wizard appears.
- From the Select Computers list for the 1st computer, select the recovered domain controllers server group.
- From the Select Computers list for the 2nd computer, enter the name of the recovery node server.
- Click Next.
- Verify that the first interface is No Default Interface.
- On the second interface, select the IP address of the recovery node server.
  Note
  The recovery node server will have multiple network interfaces. When selecting this IP address, enter the IP address from the network interface that is used to privately communicate with the recovered DCs.
- To add a new configuration, click the add button.
- Click Next.
- Click Submit.
Network Example: Microsoft Azure Recovery Target
The following is an example of a network that can do the following:
- Back up AD domain controllers that are not connected directly to the internet.
- Restore an AD forest to a network that is isolated from both the production AD domain controllers and the internet.
- Consolidate the access node and target gateway on a single cloud host.
- Support a recovery node on-premises or in the cloud.
Example network configuration for an Azure recovery target
The example network requires the following network pair:
Network pair | Interface on server group | Interface on target server |
---|---|---|
[Server group] and [Recovery node] | No Default Interface | 182.168.66.25 |
Where:
- [Server group]: The server group that the recovered VMs will be associated with
- [Recovery node]: The recovery node server, which orchestrates the runbook steps
- [Target gateway]: The server that bridges communication with the recovered VMs
The example network requires the following values on the Configure Virtualize Me options page when you use a runbook that has an Azure recovery target:
CommCell Configuration Page
- Associate with server group(s): The server group that is used in the network pairs. This setting associates each recovered DC with the server group, so the DCs are accessible during the recovery.
- Network gateway: 150.160.170.50:8403. This is the IP address of the NIC on the target gateway machine that is associated with the isolated recovery network.
- Copy precedence: If the backups are stored in multiple locations, select the cloud storage. For best performance, use cloud storage in the Azure region that the domain controllers will be restored to.
Network Example: Microsoft Hyper-V Recovery Target
The following is an example of a network that can do the following:
- Back up AD domain controllers that are not connected directly to the internet.
- Restore an AD forest to a network that is isolated from both the production AD domain controllers and the internet.
- Consolidate the recovery node and the access nodes on the Hyper-V recovery target.
Example network configuration for a Hyper-V recovery target
The example network requires the following network pairs:
Network pair | Interface on server group | Interface on target server |
---|---|---|
[Server group] and [Recovery node] | No Default Interface | 192.168.166.1 |
[Server group] and [Target gateway] | No Default Interface | 192.168.166.10 |
Where:
- [Server group]: The server group that the recovered VMs will be associated with
- [Recovery node]: The recovery node server, which orchestrates the runbook steps
- [Target gateway]: The server that bridges communication with the recovered VMs
Note
The IP address you use for the target gateway is always the IP address for the network switch of the isolated recovery environment.
The example network requires the following values on the Configure Virtualize Me options page when you use a runbook that has a Hyper-V recovery target:
CommCell Configuration Page
- Associate with server group(s): The server group that is used in the network pairs. This setting associates each recovered DC with the server group, so the DCs are accessible during the recovery.
- Network gateway: 192.168.166.10:8403. This is the IP address of the NIC on the target gateway machine that is associated with the isolated recovery network.
- Copy precedence: If the backups are stored in multiple locations, this specifies which location to access the backup from.
Machine Configuration Page
- Network: The name of the Hyper-V switch that is associated with the isolated recovery network.
- Subnet mask: The subnet mask associated with the isolated recovery network’s IP space.
- Default gateway: The default gateway associated with the isolated recovery network’s IP space.
- IP address: The IP address or IP address range from the isolated recovery network’s IP space.
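Because an incorrect network pair or interface makes restore jobs fail, it helps to check the planned addresses before entering them in the wizard. The following Python check is an added example, not Commvault code: it validates a plan against the rules stated on this page, using the pair and gateway addresses from the Hyper-V example. The /24 subnet, default gateway, DC addresses and the dictionary layout are assumptions made for the example.

```python
import ipaddress

NO_DEFAULT = "No Default Interface"

def in_net(addr, net):
    """True if addr parses as an IP address inside net."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False

def validate_plan(plan):
    """Return a list of problems in a planned recovery-network layout."""
    problems = []
    net = ipaddress.ip_network(plan["isolated_subnet"])
    pairs = plan["network_pairs"]
    # Server-group side: no default interface; other side: isolated-network IP.
    for name, (group_if, target_if) in pairs.items():
        if group_if != NO_DEFAULT:
            problems.append(f"{name}: server group side must be '{NO_DEFAULT}'")
        if not in_net(target_if, net):
            problems.append(f"{name}: {target_if} is not in {net}")
    # IP:port on the target gateway's isolated NIC, same IP as its network pair.
    host, _, port = plan["network_gateway"].rpartition(":")
    if not in_net(host, net) or not port.isdigit():
        problems.append(f"network gateway {plan['network_gateway']} is not IP:port in {net}")
    elif "target gateway" in pairs and host != pairs["target gateway"][1]:
        problems.append("network gateway differs from the target gateway pair interface")
    # Machine configuration values come from the isolated network's IP space.
    for addr in [plan["default_gateway"], *plan["recovered_dc_ips"]]:
        if not in_net(addr, net):
            problems.append(f"machine address {addr} is not in {net}")
    used = {target_if for _, target_if in pairs.values()}
    problems += [f"recovered DC {a} collides with a pair interface"
                 for a in plan["recovered_dc_ips"] if a in used]
    # Address-plan check only: no production DC may sit in the recovery subnet.
    problems += [f"production DC {a} is inside {net}"
                 for a in plan["production_dc_ips"] if in_net(a, net)]
    return problems

# Pair and gateway values are from the Hyper-V example; the rest is constructed.
HYPERV_PLAN = {
    "isolated_subnet": "192.168.166.0/24",
    "network_pairs": {"recovery node": (NO_DEFAULT, "192.168.166.1"),
                      "target gateway": (NO_DEFAULT, "192.168.166.10")},
    "network_gateway": "192.168.166.10:8403",
    "default_gateway": "192.168.166.1",
    "recovered_dc_ips": ["192.168.166.21", "192.168.166.22"],
    "production_dc_ips": ["10.20.0.11", "10.20.0.12"],
}
```

An empty result means the address plan is internally consistent; it does not prove that the recovery network is unreachable from production, which still has to be confirmed at the network layer.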
Network Example: VMware vCenter Recovery Target
The following is an example of a network that can do the following:
- Back up AD domain controllers that are not connected directly to the internet.
- Restore an AD forest to a network that is isolated from both the production AD domain controllers and the internet.
- Consolidate the recovery node, access node, and target gateway on a single host.
Example network configuration for a vCenter recovery target
The example network requires the following network pair:
Network pair | Interface on server group | Interface on target server |
---|---|---|
[Server group] and [Recovery node/Target gateway] | No Default Interface | 192.168.166.10 |
Where:
- [Server group]: The server group that the recovered VMs will be associated with
- [Recovery node]: The recovery node server, which orchestrates the runbook steps
- [Target gateway]: The server that bridges communication with the recovered VMs
Note
The IP address you use for the target gateway is always the IP address for the network switch of the isolated recovery environment.
The example network requires the following values on the Configure Virtualize Me options page when you use a runbook that has a vCenter recovery target:
CommCell Configuration Page
- Associate with server group(s): The server group that is used in the network pairs. This setting associates each recovered DC with the server group, so the DCs are accessible during the recovery.
- Network gateway: 192.168.166.10:8403. This is the IP address of the NIC on the target gateway machine that is associated with the isolated recovery network.
- Copy precedence: If the backups are stored in multiple locations, this specifies which location to access the backup from.
Machine Configuration Page
- Network: The name of the vCenter network that is associated with the isolated recovery network.
- Subnet mask: The subnet mask associated with the isolated recovery network’s IP space.
- Default gateway: The default gateway associated with the isolated recovery network’s IP space.
- IP address: The IP address or IP address range from the isolated recovery network’s IP space.