Commvault permissions required for Active Directory forest recovery

Active Directory forest recovery requires elevated permissions across multiple Commvault entities, including clients, server groups, credentials, and recovery infrastructure. To follow least-privilege access practices, create custom roles that grant only the permissions required to run forest recovery operations.

Configure these roles and associations before you run recovery workflows or runbooks. Missing permissions can cause recovery failures or prevent access to required resources.

Create a forest recovery role

  1. From the Command Center navigation pane, go to Manage > Account > Security.

  2. Click Roles, and then click Add role.

  3. In Name, enter a role name.

  4. Under Permissions, select the following:

    • Client
      • Agent Management
      • Browse
      • Data Protection/Management Operations
      • In Place Full Machine Recovery
      • In Place Recover
      • Install Package/Update
      • Out of Place Full Machine Recovery
      • Out-of-Place Recover
      • Overwrite on Restore
      • Recover and Download
      • Run Command with System Account
      • Run Command with User Account
    • Commcell
      • Install Client
    • Credential Management
      • Modify Credential Account
      • Use Credential
    • Global
      • Job Management
      • View
    • Plan
      • Use Plan

  5. Click Add.

Create a credential permission role

  1. From the Command Center navigation pane, go to Manage > Account > Security.

  2. Click Roles, and then click Add role.

  3. In Name, enter a role name.

  4. Under Permissions, select the following:

    • Credential Management
      • Use Credential

  5. Click Add.

Create a server group for domain controllers

  1. From the Command Center navigation pane, go to Manage > Infrastructure > Server groups.

  2. In the upper-right corner of the page, click Add server group.

  3. In the Name box, enter a name for the server group.

  4. Select Manual Association.

  5. Click Add servers.

  6. Select all the servers in the forest that you back up.

  7. Click Save.

Create a user group and associate entities

  1. From the Command Center navigation pane, go to Manage > Account > Security.

  2. Click User groups, and then click Add user group.

  3. Select the Local group type, enter a Group name, and then click Save.

  4. After the user group is created, go to the Associated entities tab.

  5. Click Add association, and then configure the following entities:

    • Company
      • Name: Company name
      • Roles: Select the credential permission role
    • Server (hypervisor client)
      • Name: Hypervisor client for the forest recovery target
      • Roles: Select the forest recovery role
    • Server (Active Directory pseudo client)
      • Name: Pseudo client name (forest name)
      • Roles: Select the forest recovery role
    • Server group (recovery domain controllers)
      • Name: Server group for the recovered domain controllers
      • Roles: Select the forest recovery role
    • Server (recovery node)
      • Name: Recovery node used for forest recovery
      • Roles: Select the forest recovery role
    • Server group (protected domain controllers)
      • Name: Server group for the backed-up domain controllers
      • Roles: Select the forest recovery role
  6. Click Save.
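Because a missing permission or association only shows up as a failed recovery job, it is worth checking the finished configuration before running a runbook. The following pre-flight check is an added example, not Commvault code: it encodes the two permission sets from the role procedures above and the entity table from step 5, then reports, per entity, which Category/Permission pairs the user group's associated roles fail to grant. It works on constructed role and association data (the role names and the exported data layout are assumptions) rather than calling the Commvault API.

```python
# Pre-flight check of a user group's entity associations against the permission sets
# this page lists. Added example on constructed data; it does not call the Commvault API.
FOREST_RECOVERY_ROLE = {
    "Client": {
        "Agent Management", "Browse", "Data Protection/Management Operations",
        "In Place Full Machine Recovery", "In Place Recover", "Install Package/Update",
        "Out of Place Full Machine Recovery", "Out-of-Place Recover",
        "Overwrite on Restore", "Recover and Download",
        "Run Command with System Account", "Run Command with User Account",
    },
    "Commcell": {"Install Client"},
    "Credential Management": {"Modify Credential Account", "Use Credential"},
    "Global": {"Job Management", "View"},
    "Plan": {"Use Plan"},
}
CREDENTIAL_PERMISSION_ROLE = {"Credential Management": {"Use Credential"}}
# Entity types from the association table, each with the permission set it must carry.
REQUIRED_ASSOCIATIONS = {
    "Company": CREDENTIAL_PERMISSION_ROLE,
    "Server (hypervisor client)": FOREST_RECOVERY_ROLE,
    "Server (Active Directory pseudo client)": FOREST_RECOVERY_ROLE,
    "Server group (recovery domain controllers)": FOREST_RECOVERY_ROLE,
    "Server (recovery node)": FOREST_RECOVERY_ROLE,
    "Server group (protected domain controllers)": FOREST_RECOVERY_ROLE,
}

def flatten(perms):
    """{category: {permission}} -> set of 'Category/Permission' strings."""
    return {f"{cat}/{p}" for cat, names in perms.items() for p in names}

def check_associations(roles, associations):
    """roles: role name -> {category: {permission}}; associations: entity type ->
    role names the user group holds on it. Returns {entity type: sorted missing
    'Category/Permission'}; an entity with no association reports everything missing."""
    findings = {}
    for entity, required in REQUIRED_ASSOCIATIONS.items():
        granted = set()
        for role in associations.get(entity, []):
            granted |= flatten(roles.get(role, {}))
        missing = sorted(flatten(required) - granted)
        if missing:
            findings[entity] = missing
    return findings

# Constructed sample (assumed role names): the custom role lacks one Client permission
# (the subtraction leaves other categories unchanged) and the recovery node was never associated.
SAMPLE_ROLES = {"Use Credential Only": CREDENTIAL_PERMISSION_ROLE, "AD Forest Recovery": {
    cat: names - {"Run Command with System Account"} for cat, names in FOREST_RECOVERY_ROLE.items()}}
SAMPLE_ASSOCIATIONS = {"Company": ["Use Credential Only"], **{e: ["AD Forest Recovery"]
    for e in REQUIRED_ASSOCIATIONS if e.startswith("Server") and e != "Server (recovery node)"}}
```

Run `check_associations(SAMPLE_ROLES, SAMPLE_ASSOCIATIONS)` to see both gaps reported; an empty dict means every entity in the table carries every permission the page requires.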
