When you create or modify a recovery plan, test it before you use it for planned migration or for disaster recovery.

Testing a Recovery Plan

By testing a recovery plan, you ensure that the virtual machines that the plan protects recover correctly to the recovery site. If you do not test recovery plans, a disaster recovery situation might not recover all virtual machines, resulting in data loss.

If you use vSphere Replication, when you test a recovery plan, the virtual machine on the protected site can still synchronize with the replica virtual machine disk files at the recovery site. The vSphere Replication server creates redo logs on the virtual machine disk files at the recovery site, so that synchronization can continue normally. When you perform cleanup after running a test, the vSphere Replication server removes the redo logs from the disks at the recovery site and persists the changes accumulated in the logs to VM disks.

If you use array-based replication, when you test a recovery plan, the virtual machines on the protected site are still replicated to the replica virtual machines' disk files at the recovery site. During test recovery, the array creates a snapshot of the volumes hosting the virtual machines' disk files at the recovery site. Array replication continues normally while the test is in progress. When you perform cleanup after running a test, the array removes the snapshots that were created earlier as part of the test recovery workflow.

You can run a recovery plan test as often as necessary. You can cancel a recovery plan test at any time. Before running a failover or another test, you must successfully run a cleanup operation.

Performing a Planned Migration

You can run a recovery plan under planned circumstances to migrate virtual machines from the protected site to the recovery site. You can also run a recovery plan under unplanned circumstances if the protected site suffers an unforeseen event that might result in data loss.

During a planned migration, Site Recovery Manager synchronizes the virtual machine data at the recovery site with the virtual machines on the protected site. Site Recovery Manager attempts to gracefully shut down the protected machines, performs a final synchronization to prevent data loss, and powers on the virtual machines at the recovery site. If errors occur during a planned migration, the plan stops so that you can resolve the errors and rerun the plan. You can reprotect the virtual machines after the recovery.

After Site Recovery Manager completes the final replication, it makes changes at both sites that require significant time and effort to reverse. For this reason, you must assign the privilege to test a recovery plan and the privilege to run a recovery plan separately.
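One way to check that separation, as an added example that is not VMware code: the script resolves each user's effective privileges, including those inherited through a group, then lists the roles that grant both test and run and the users who can run a plan without being on an approved list. The privilege identifiers, role names, principals and the export layout are constructed placeholders.

```python
# Constructed placeholder privilege IDs; substitute the identifiers your
# vCenter / Site Recovery Manager inventory actually reports.
TEST_PRIV = "EXAMPLE.RecoveryPlan.Test"
RUN_PRIV = "EXAMPLE.RecoveryPlan.Run"

# Constructed sample export: role -> privileges, principal -> roles,
# group -> members, and the users approved to run real recoveries.
ROLES = {
    "dr-tester": {TEST_PRIV},
    "dr-operator": {TEST_PRIV, RUN_PRIV},
    "dr-legacy-admin": {TEST_PRIV, RUN_PRIV, "EXAMPLE.RecoveryPlan.Modify"},
}
ASSIGNMENTS = {
    "alice": {"dr-tester"},
    "bob": {"dr-operator"},
    "grp-app-owners": {"dr-legacy-admin"},
}
GROUPS = {"grp-app-owners": {"carol", "alice"}}
APPROVED_RUNNERS = {"bob"}


def effective_privileges(roles, assignments, groups):
    """Resolve each user's privileges, expanding one level of group membership."""
    effective = {}
    for principal, role_names in assignments.items():
        privs = set().union(*(roles[r] for r in role_names))
        # A principal that is not a known group is treated as a single user.
        for user in groups.get(principal, {principal}):
            effective.setdefault(user, set()).update(privs)
    return effective


def audit(roles, assignments, groups, approved_runners):
    """Return (roles bundling test+run, users who can run but are not approved)."""
    bundled = sorted(r for r, p in roles.items() if {TEST_PRIV, RUN_PRIV} <= p)
    eff = effective_privileges(roles, assignments, groups)
    unapproved = sorted(u for u, p in eff.items()
                        if RUN_PRIV in p and u not in approved_runners)
    return bundled, unapproved


if __name__ == "__main__":
    bundled, unapproved = audit(ROLES, ASSIGNMENTS, GROUPS, APPROVED_RUNNERS)
    print("Roles granting both test and run:", bundled)
    print("Users able to run a plan without approval:", unapproved)
```

In the sample data, alice holds only the tester role directly but gains the run privilege through her group membership, which is the case a per-role review misses.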

Performing a Disaster Recovery

During disaster recoveries, Site Recovery Manager first attempts a storage synchronization. If it succeeds, Site Recovery Manager uses the synchronized storage state to recover virtual machines at the recovery site to their most recent available state, according to the recovery point objective (RPO) that you set when you configure your replication technology.

When you run a recovery plan to perform a disaster recovery, Site Recovery Manager attempts to shut down the virtual machines on the protected site. If Site Recovery Manager cannot shut down the virtual machines, Site Recovery Manager still starts the copies at the recovery site. If the protected site comes back online after disaster recovery, the recovery plan goes into an inconsistent state in which production virtual machines are running on both sites, known as a split-brain scenario. Site Recovery Manager detects this state and allows you to run the plan once more to power off the virtual machines on the protected site. Then the recovery plan goes back to a consistent state and you can run reprotect.