For the best web experience, please use IE11+, Chrome, Firefox, or Safari
Free Trials Request Pricing
Home / Products / Recovery Manager for Active Directory Disaster Recovery Edition

Recovery Manager for Active Directory Disaster Recovery Edition

Automate and accelerate Active Directory recovery. Ransomware is today's most disruptive cyber threat, and Active Directory is increasingly in its crosshairs. Quest® Recovery Manager for Active Directory Disaster Recovery Edition slashes AD forest recovery time from days or weeks to just hours, giving you peace of mind that an AD disaster will not become a business disaster. 

White Paper

$19.7M saved in ransomware recovery losses

Forrester Consulting TEI study reveals avoided costs, losses, and excess labor by recovering faster using Quest
White Paper

Lessons Learned from a Recent Ransomware Recovery

Learn how to bring your AD back following a ransomware attack.
White Paper

Be Prepared for Ransomware Attacks with AD Disaster Recovery Planning

Reduce your organization's risk with an effective Active Directory recovery strategy.
Request Quote Download Free Trial

Nav Menu

Recovery Manager for Active Directory Disaster Recovery Edition

Active Directory is a prime attack target

69%

of organizations impacted by ransomware

21days

Average downtime due to ransomware

25B

attempted attacks on Azure AD accounts

Recover Active Directory 5x Faster with Quest Recovery Manager 02:43

Fast and secure Active Directory forest recovery is vital following a cyberattack. The longer AD is down, the longer your business is down. “The restore process from many well-documented ransomware attacks has been hindered by not having an intact AD restore process," according to Gartner, which also states that you can “accelerate recovery from attacks by adding a dedicated tool for backup and recovery of Microsoft Active Directory.” 

With Recovery Manager for Active Directory Disaster Recovery Edition, you can restore AD at least five times faster than the manual Active Directory forest recovery process, according to ESG Research. One reason for that is due to extensive automation, which reduces the risk of human error and having to start over as the result of those errors. Recovery Manager also protects your AD backups from compromise and eliminates the risk of malware reinfection. It’s like an insurance policy for AD that you can’t afford not to have.

Read White Paper: Microsoft Active Directory Disaster? Recover at Least Five Times Faster with Quest Recovery Manager

Accelerates Recovery from Cyberattacks

This comprehensive backup software solution is ideal for helping you rapidly recover from cyberattacks that impact AD. It offers a range of recovery options, including system state restore and full server backup capabilities, providing flexibility in addressing various disaster scenarios. Recovery Manager goes beyond traditional system state backup by offering granular recovery of identity directory services, allowing you to restore specific AD components without resorting to a full domain or forest recovery.

In the case of a cyberattack, Recovery Manager proves invaluable for recovering compromised user accounts and service accounts. The solution can recover impacted accounts from pre-attack backups, even allowing for the reset of privileged account passwords to mitigate potential security breaches. This granular approach to recovery extends to deleted objects as well, enabling the restoration of specific AD objects without necessitating a complete forest or domain restore.

Recovery Manager’s versatility is evident in its multiple recovery methods, including phased recovery and the ability to restore AD to a clean operating system. This flexibility is crucial when dealing with complex ransomware scenarios that may have affected multiple domain controllers across different geographical locations. The solution's Secure Storage server feature provides air-gapped storage for AD backups, ensuring that backups remain uncorrupted and inaccessible to ransomware. Additionally, Recovery Manager can scan servers for malware before they are used in recovery and offers the option to restore AD to a Microsoft Azure virtual machine, further enhancing security during the recovery process. These advanced features, combined with its ability to perform various types of restores — from bare metal recovery to reinstalling AD on existing hardware — make Recovery Manager a powerful tool in your organization’s ransomware defense strategy.

"Accelerate recovery from attacks by adding a dedicated tool for backup and recovery of Microsoft Active Directory." - Gartner

See how to automate AD disaster recovery

Key Benefits

Adaptable to any disaster

Handle any Active Directory disaster recovery scenario, from attribute changes to SYSVOL corruption to full AD forest disasters.

Automated AD forest recovery

Automate the Active Directory forest recovery process, including the 40+ steps outlined in Microsoft's AD forest recovery best practices.

Flexibility and choice

Choose the best method for your situation, whether that’s phased recovery, restoring AD to a clean OS or bare metal recovery.

Clean, malware-free recovery

Eliminate the risk of malware re-infection throughout your AD forest recovery, scanning for malware and minimizing its hiding places.

Secure AD backups

Ensure backups are always available with multiple options for secure physical and cloud storage.

Battle-tested

Quest has specialized in AD disaster recovery as long as AD has been around, helping thousands of customers, including 50% of the Fortune 100.

Streamlined Active Directory Disaster Recovery

Recovery Manager simplifies, automates and accelerates Active Directory forest recovery with unmatched security, flexibility and options to meet the needs of your business continuity and disaster recovery plans.

Efficient and reliable AD backups

Back up exactly what you need to recover AD. By omitting extraneous and risky components like boot files and the IIS Metabase, Recovery Manager reduces backup bloat, makes the backup process more efficient and minimizes the places where malware can hide.

Secure storage

Protect AD backups from malware infection with Secure Storage, a hardened server that is isolated according to IPSec rules with regular checks to confirm backup integrity. Even if you lose your DCs, Tier 1 storage and even your Recovery Manager server, you still have the Secure Storage backup that is hardened and secure to withstand the ransomware attack.

AD backups in the cloud

Recovery Manager ensures that your AD backups are always available in case of disaster with the flexibility to store backups in secure cloud locations such as immutable Azure Blob Storage and Amazon Web Services (AWS) S3 storage. 

Phased recovery to shorten RTO

After you back up Active Directory, you can shorten recovery time objectives with a phased Active Directory recovery approach. Quickly restore key DCs, enabling sign-in and business-critical functions as soon as possible. Then dramatically accelerate recovery of remaining DCs with automated repromotion methods.

Flexible AD recovery options

Choose the AD disaster recovery method that works best in a given situation, whether that’s phased recovery, restoring to a clean OS to minimize the risk of malware reinfection or bare metal recovery. You can restore AD to a clean OS on any machine, whether it’s a physical machine, on-prem virtual machine or a cloud-hosted VM.

Clean OS recovery to the cloud

During an attack, you need to restore to a new machine you can trust. Quickly and easily create Microsoft Azure resources including virtual machines during an AD forest recovery. This enables you to recover AD to a readily available, secure and cost-effective machine that you can trust is clean from malware.

Malware detection and removal

Eliminate the risk of malware re-infection throughout your AD disaster recovery process with regular checks for viruses after the backup file is created, during storage when updates are added and before a restore is started with integrated Microsoft’s Defender capabilities. If needed, you can safely pause your recovery to quarantine or remove corrupted files. 

Operating system recovery

Quickly restore your domain controller’s operating system without depending on others. Recovery Manager gives AD admins more control of the recovery process, saving time and resources by eliminating dependencies on cross-departmental teams.

Insurance group slashes Active Directory recovery time

With native tools, a restore would take days or weeks; with Quest, we can be fully operational again in hours.

Krist Cappelle Information Security Program Manager, P&V Group Read Case Study

Telefónica España slashes AD recovery time with Recovery Manager

Being able to restore an AD forest in hours instead days is priceless. Now I can sleep peacefully.

IT Manager Read Case Study

Top 5 Global Petroleum Producer ensures seamless business continuity

With Recovery Manager, we have always passed the annual AD recovery audits, maintaining the strong reputation and market valuation of both the energy company and TCS.

Suhas Pawar Associate Consultant, Tata Consultancy Services Read Case Study

Additional Features

Online granular restore

Restore individual attributes, such as account settings, group memberships and binary attributes, even when the object itself has not been deleted. This enables you to restore only the required attributes without restarting domain controllers.

Comparison reporting

Highlight changes made since the last backup by comparing the online state of AD with its backup or by comparing multiple backups. Accelerate recovery by quickly pinpointing deleted or changed objects or attributes. And with Change Auditor you can easily identify who made the changes.

AD management and health validation

Inspect AD for warning signs of possible issues before they become disasters by checking DC accessibility, replication, trusts and user authentication.

Recovery console fault tolerance

With Recovery Manager, you can share persistent configuration data between several instances of your recovery consoles so that you can quickly resume the last restore operation in case it was unexpectedly interrupted.

Recovery roadmap

After you back up Active Directory, you can generate a detailed recovery process report, including an overview of every stage of the recovery, to gain a better understanding and more control over the project.

Hybrid AD and Azure Active Directory recovery

A solid on-premises Active Directory recovery plan alone isn’t sufficient since so many organizations are making greater use of cloud-only objects such as Azure AD groups, Azure B2B/B2C accounts, conditional access policies and more. With On Demand Recovery, you can quickly and securely back up and recover Azure AD.

AD Disaster and Forest Recovery Services

How Often Should You Test Your Active Directory Disaster Recovery Plan? 06:29

Quest Professional Services ensure your Active Directory recovery plan is in place quickly and validates your forest recovery model. Whether your team lacks the technical expertise, does not have the manpower or just does not have time to configure, test and deploy your solution, our subject matter experts help you through this process using our tested implementation methodology.

  • Verify backup and recovery plans aligned with industry best practices
  • Test and document recovery plans for domain controllers, full forest and crisis scenarios
  • Participate in a scheduled recovery exercise, ensuring full integration with other disaster recovery and business continuity plans
Read Datasheet: AD Disaster Recovery Implementation Services
Read Datasheet: AD Disaster Recovery Plan Assessment Services

FAQs – Active Directory Disaster Recovery

What is Active Directory Recovery?

Active Directory Recovery is the process of restoring Active Directory (AD) services and data after a catastrophic failure or cyberattack, such as ransomware. It involves rebuilding domain controllers, restoring AD databases, and reestablishing forest-wide services to bring the AD environment back to a functioning state. Active Directory recovery is critical because AD is the backbone of most organizations' IT infrastructure and identity services, controlling user authentication, access to resources, and application functionality.

Effective AD recovery requires careful planning, secure backups, and a rapid recovery solution like Recovery Manager to automate and accelerate the process. Manual recovery can be extremely time-consuming and error-prone, often taking days or weeks to complete. Purpose-built solutions like Recovery Manager for Active Directory Disaster Recovery Edition can significantly reduce recovery time to hours, minimize the risk of malware reinfection, and provide flexible recovery options such as phased recovery or restoring to a clean operating system. Given the increasing threat of ransomware and other cyberattacks targeting AD, having a robust and tested AD recovery plan is essential for maintaining business continuity.

Active Directory recovery encompasses several types of operations, ranging from granular object restoration to full forest recovery. For minor issues, online granular restore allows you to recover individual attributes or objects without restarting domain controllers. This is useful for correcting accidental changes or deletions. For more severe scenarios, there are multiple options for full recovery: Bare metal recovery (BMR) allows you to recover all volumes of a domain controller to new or different hardware; restore to clean OS enables you to restore AD onto a new Windows Server while reducing the risk of reinfection; and phased recovery lets you prioritize the restoration of critical domain controllers to get essential services running quickly.

Other recovery types include installing Active Directory on new servers to replace compromised DCs, uninstalling and reinstalling AD on existing servers, and repromotion of remaining DCs in a partially recovered forest. The choice of recovery method depends on the extent of the damage, the risk of malware persistence, and the organization's specific needs. Solutions like Recovery Manager for Active Directory Disaster Recovery Edition provide flexibility in choosing the most appropriate recovery method for a given situation, whether it's restoring to on-premises hardware, virtual machines, or even cloud-hosted VMs in Microsoft Azure.

With Microsoft-provided tools and manual processes, Active Directory forest recovery is a difficult, time-consuming and error-prone process. In fact, Microsoft’s “Active Directory Forest Recovery Guide” outlines 40 high-level steps that must be performed correctly and in the proper sequence — on each DC. In addition, many of the steps aren’t operations that AD administrators are familiar with; they are tedious, often command-line based steps, so it’s very easy to make mistakes that can re-corrupt your directory and require you to start over. Quest reduces risk by automating every one of these manual steps. In fact, ESG Research validated that Recovery Manager can restore AD at least five times faster than the manual AD forest recovery process.

 

Bare metal recovery (BMR) is a crucial capability  of your Active Directory recovery arsenal because it allows you to recover not just the Active Directory data, but also the entire domain controller's operating system in the event of a catastrophic failure. This is especially important in rare scenarios where more than just Active Directory needs to be recovered. With BMR, you can restore a domain controller to its previous state on entirely new hardware, ensuring that all configurations, settings, and data are preserved.

Furthermore, BMR provides a more comprehensive and efficient recovery solution compared to traditional enterprise and Windows methods. It eliminates the need to manually reinstall the operating system and reconfigure the domain controller, which can be time-consuming and error-prone. By restoring both the operating system and Active Directory simultaneously, BMR significantly reduces downtime and ensures that your Active Directory infrastructure can be brought back online quickly and accurately, even in the most severe disaster scenarios. Quest allows you to restore AD to a clean OS on any machine, including physical machines, on-premises virtual machines or cloud-hosted virtual machines.

VM snapshots are no substitute for an enterprise AD disaster recovery solution. Using snapshots for forest recovery will almost always result in data consistency problems that are difficult to resolve. Since the data on DCs is constantly being updated and the replication process takes time, snapshots of different DCs almost always contain inconsistent information. Snapshots can also include malware, which gets restored with everything else on the DC. Plus, if you store your VM snapshots in the default location, they’re an obvious target for ransomware encryption, which can render them useless. There’s also a logistical issue. Usually, control over VM snapshots resides with the virtualization operations team, which complicates the AD team’s job during the recovery operation. Finally, the virtualization team might not even know that the AD snapshots are an essential part of the organization’s disaster recovery strategy, so they might not protect them appropriately.

An immutable backup is a duplicate copy of data that cannot be altered or removed for a specified timeframe. It’s another method your organization can use to protect valuable data from threats ranging from cyberattacks to accidental removal. When it comes to Active Directory security, Quest solutions provide multiple storage locations for AD backups, with many organizations choosing to have a dedicated backup location for their identity team that does not rely on traditional backup teams (since traditional backup teams often rely upon Active Directory for authentication). While some organizations can choose to store backups inside enterprise backup storage, you should validate that there are authentication capabilities to retrieve those backups that do not require Active Directory. Because we’ve seen physical destruction, as well as loss of connectivity to the internet, we recommend that your backups are air-gapped or on immutable storage.

Most data protection tools simply do not suffice for AD disaster recovery. As noted above, in an AD forest recovery, you must coordinate the configuration effort across multiple DCs. Failure to do so can run the risk of USN rollback, RID bubbles, RID re-use, lingering objects in the Global Catalog and other issues that can cause serious issues with Active Directory functionality. But most traditional data protection solutions simply focus on getting individual DCs to a “healthy” state — and leave all the coordination work to you.

Tour

Flexible recovery methods
Bare metal backup
Malware detection
Progress monitor
Recovery project plan
Pick Restore Active Directory on Clean OS - Active directory disaster recovery 07:36

Flexible recovery methods

Flexible recovery methods include restoring AD to a clean OS and a Microsoft-compliant bare metal recovery.

Specifications

Hardware and Software Requirements

Before installing Recovery Manager for Active Directory, ensure that your system meets the following minimum hardware and software requirements.

NOTE

  • Recovery Manager for Active Directory supports only IPv4 or mixed IPv4/IPv6 networks.
  • Recovery Manager for Active Directory Forest Edition can backup and restore domain controllers that are running on virtual machines in Amazon Web Services (AWS) or Microsoft Azure. Note that such domain controllers cannot be restored with the Bare Metal Active Directory Recovery method because there is no way to boot them from an ISO image.
Processor

Minimum: 2.0 GHz

Recommended: 2.0 GHz or faster

CPU Cores

Minimum: 2 CPU cores

Recommended: 4 CPU cores

Memory

Minimum: 4 GB

Recommended: 8 GB

These figures apply only if the Active Directory domains managed by Recovery Manager for Active Directory include 1 million objects or less. Increase RAM size by 512 MB for every additional 1 million objects.

Hard Disk Space

Full installation including the prerequisite software: 2.7 GB of free disk space

In case all the prerequisite software is already installed: 260 MB of free disk space

NOTE Additional storage space is required for a backup repository, at least the size of the backed-up Active Directory database file (Ntds.dit) and the SYSVOL folder plus 40MB for the transaction log files.

Operating System
  • Machine that hosts the Recovery Manager for Active Directory console must have same or higher version of Windows operating system than the processed domain controllers. Otherwise, the online compare and object search in a backup during the online restore operation may fail.
  • 32-bit operating systems are not supported.

Installation

  • Microsoft Windows Server® 2022, 2019, and 2016
  • Microsoft Windows 11, 10 x64, 8.1 x64

Targets for backup, restore, or compare operations

  • Microsoft Windows Server® 2022, 2019, and 2016 (including Server Core installation
Microsoft .NET Framework

Microsoft .NET Framework version 4.8 or higher is needed on the console system.

NOTE: Microsoft .NET 4.8 is not required to be installed on the systems where the Forest Recovery and Backup agents are to be installed. The Secure Storage Agent does use .NET and it is recommended to install 4.8 on the Secure Storage system, but the agent will work with older versions.

Microsoft SQL Server and its components

Microsoft SQL Server versions

Microsoft SQL Server® is required for the following Recovery Manager for Active Directory features: Comparison Reporting and Forest Recovery Persistence.

Supported SQL Server versions:

  • Microsoft SQL Server® 2022, 2019, 2017, 2016, and 2014 (Enterprise, Business Intelligence, Standard, Express, Web, or Developer Edition)

Microsoft SQL Server components

Microsoft System CLR Types for SQL Server® 2014

If this component is not installed, it will be installed automatically by the RMAD setup.

Microsoft SQL Server Reporting Services

To display reports, Recovery Manager for Active Directory can integrate with Microsoft SQL Server® Reporting Services (SRSS) 2016, 2017, 2019, and 2022.

Microsoft Windows PowerShell

Microsoft Windows PowerShell version 5.0 or later

Integration with Change Auditor for Active Directory

Supported versions of Change Auditor for Active Directory: from 6.x to 7.x.

If any prerequisite software is not installed, the Setup program automatically installs it for you before installing Recovery Manager for Active Directory. If the prerequisite software to be installed is not included in this release package, it is automatically downloaded.

Continuous recovery: From version 10.0.1, Recovery Manager for Active Directory together with Change Auditor can restore the deleted object(s) and continuously restores the last change (if any) that was made to the object attributes after creating the backup, using the data from the Сhange Auditor database.

Antivirus software that is supported for backup antimalware checks

The anti-virus checks are performed on the Forest Recovery Console machine running Windows Server 2016 or higher by means of antivirus software installed on the machine.

  • Microsoft Defender
  • Symantec Endpoint Protection 14.x
  • Broadcom Endpoint Security (former name: Symantec Endpoint Protection 15)
Supported server management systems
  • Integrated Dell Remote Access Controller (iDRAC) 8 and 9
  • HP ProLiant iLO Management Engine (iLO) 3, 4 and 5
  • VMware vCenter/ESX Server 6.0, 6.5, 6.7 and 7.0
  • Microsoft Hyper-V Server 2012 or higher

Memory

1 GB (2 GB recommended)

Hard disk space

2 GB or more

Operating System

One of the following operating systems:

  • Microsoft Windows Server® 2022, 2019, and 2016 (including Server Core installation)

 

Secure Storage Server

Processor

Minimum: 2.0 GHz

Recommended: 2.0 GHz or faster

CPU Cores

Minimum: 2 CPU cores

Recommended: 4 CPU cores

Memory

Minimum: 4 GB

Recommended: 8 GB

  • Operating system: Microsoft Windows 2016 or higher
  • A stand-alone server to be used as your Secure Storage server. This server should be a workgroup server and not joined to an Active Directory domain.
  • An account that will be used to deploy the Storage Agent on the Secure Storage server. This account must also be a local Administrator on the Secure Storage server.
  • Physical access to the Secure Storage server. Once the server is hardened access with regular methods will be disabled.
  • Sufficient storage space on the Secure Storage server for all backup files. For one backup file, the space required is at least the size of the backed-up Active Directory database file (Ntds.dit) and the SYSVOL folder plus 40MB for the transaction log files.
Cloud Storage
  • Internet access available on the Recovery Manager for Active Directory console. A standard outbound HTTPS port 443 is used to upload data to Azure Blob and Amazon Web Services S3 Storage.
  • Azure and Amazon Web Services subscription(s) to create and manage Azure and Amazon Web Services S3 Storage accounts and containers.
  • A method of creating and managing Azure and Amazon S3 Storage accounts, containers, and policies for the storage account (lifecycle, immutability and replication policies).

You can only use the Password and SIDHistory Recoverability Tool if Microsoft's Active Directory Recycle Bin is not enabled in your environment.

Recovery Manager for Active Directory Disaster Recovery Edition is upgradeable from version 10.0 or later.

Resources

View All
Datasheet

Recovery Manager for Active Directory Disaster Recovery Edition

Complete AD disaster recovery at the object, directory and OS level across the entire forest
On Demand Webcast

Microsoft Active Directory Disaster? Recover at Least Five Times Faster

Here at Quest Software, we’ve always prided ourselves on our ability to help organizations like yours quickly recover from an A...
White Paper

Be Prepared for Ransomware Attacks with Active Directory Disaster Recovery Planning

Reduce your organization’s risk with an effective Active Directory recovery strategy.
E-book

Ultimate Cyber Resiliency: a guide to combatting AD security villains

This eBook highlights ways to achieve a full lifecycle of hybrid Active Directory cyber resiliency to mitigate risks before, du...
On Demand Webcast

Lessons Learned from a Recent Ransomware Recovery

Learn how to bring your AD back to a healthy state by watching this webcast.
On Demand Webcast

Colonial Pipeline Ransomware and MITRE ATT&CK Tactic TA0040

Ransomware attacks are exploiting Active Directory. This security-expert-led webcast explores a 3-prong defense against them.
On Demand Webcast

Protect Your Active Directory from Ransomware using the NIST Cybersecurity Framework

Learn guidance on how to identify, protect, detect, respond to, and recover from ransomware cyberattacks.
Technical Brief

The Varied History of System State Backups and Why You Don’t Need Them for AD Recovery

Learn how Recovery Manager for Active Directory protects your DCs with backups that take less time, occupy less space and incur...

Get Started Now

Be prepared to quickly recover from any AD disaster.
Request Quote Download Free Trial

Support & Services

Product Support
Self-service tools will help you to install, configure and troubleshoot your product.

Support Offerings
Find the right level of support to accommodate the unique needs of your organization.

Professional Services
Search from a wide range of available service offerings delivered onsite or remote to best suit your needs.