This is part 1 of 2; the next post will cover the steps for recovery when only tapes are left.
Data Protection Manager requires a domain to be able to work. In a disaster recovery scenario this means we must be able to get Active Directory up and running without the help of Data Protection Manager. This is, in my opinion, a big issue that everyone needs to step up on the soapbox and yell about: adding the option to log on with a local account would speed things up and help a lot. Even then, it would require that the site is alive and only Active Directory is dead, or that there is a second Data Protection Manager server protecting critical workloads offsite.
Disaster recovery can be triggered by a complete site failure, or by a rogue admin disabling all highly privileged accounts and locking the admins out of the domain.
The “workaround” is to schedule local backups with Windows Server Backup and then let Data Protection Manager back those up to tape, since we can restore them from a “clean” build. Preferably, copy the backup offsite or directly to tape on a server. This will be a cost issue for a lot of smaller sites, but it cannot be stressed enough that we need to be able to recover Active Directory without Data Protection Manager.
This is in addition to the normal backup of domain controllers through Data Protection Manager, and it applies to every single backup vendor: always keep a separate native backup of Active Directory. Auditors will complain, but setting up a safe procedure for storing the additional backup is worth the effort.
Set up a schedule
When the destination is remote, the backup is overwritten each day, so some rotation is needed on the destination to ensure there is more than one generation to recover from if disaster strikes. Again, if the backup can also go to tape, so much the better.
We now have a WindowsImageBackup we can use if disaster strikes.
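As an added example (not from the original post), the schedule-and-rotate procedure above as one PowerShell script: it runs a native Windows Server Backup of the domain controller to a remote share, then renames the freshly written WindowsImageBackup folder with a timestamp so several generations survive the daily overwrite, and prunes the oldest. The share path \\backupserver\adbackup, the task name and the seven-generation retention are placeholder assumptions.

```powershell
# Added example, not the original post's code. Save as e.g. C:\Scripts\AD-NativeBackup.ps1.
# Assumptions: \\backupserver\adbackup is the remote destination (placeholder) and the
# DC's computer account has write access to it; seven generations are kept.
param(
    [string]$Target      = '\\backupserver\adbackup',
    [int]   $Generations = 7,
    [switch]$Install                         # register the daily task instead of backing up now
)

if ($Install) {
    # Daily 02:00 task running this same script as SYSTEM (hence the computer-account share access).
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Target $Target -Generations $Generations"
    $trigger = New-ScheduledTaskTrigger -Daily -At 02:00
    Register-ScheduledTask -TaskName 'AD-NativeBackup' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    return
}

# Bare-metal + system state backup. A network target is always a full backup, and
# wbadmin overwrites the existing WindowsImageBackup folder on the share each run.
wbadmin start backup -backupTarget:$Target -allCritical -systemState -vssFull -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE; no rotation performed"
}

# Rotation: move the new backup out of the way under a sortable timestamp so the next
# run cannot overwrite it. To restore a generation with wbadmin, rename it back to
# 'WindowsImageBackup' first (wbadmin only looks for that folder name).
$current = Join-Path $Target 'WindowsImageBackup'
if (-not (Test-Path $current)) {
    throw "Backup reported success but $current does not exist"
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
Rename-Item -Path $current -NewName "WindowsImageBackup_$stamp"

# Prune: keep only the newest $Generations timestamped copies (names sort chronologically).
Get-ChildItem -Path $Target -Directory -Filter 'WindowsImageBackup_*' |
    Sort-Object Name -Descending |
    Select-Object -Skip $Generations |
    Remove-Item -Recurse -Force
```

Run once with -Install on the domain controller to register the task; the backup itself runs under SYSTEM, so the share must be writable by the DC's computer account rather than by a stored user credential.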