For the best web experience, please use IE11+, Chrome, Firefox, or Safari

Recovery Manager for Active Directory Disaster Recovery Edition

Automate and accelerate Active Directory disaster recovery. Ransomware is today's most disruptive cyber threat, and Active Directory is increasingly in its crosshairs. Quest® Recovery Manager for Active Directory Disaster Recovery Edition slashes AD forest recovery time from days or weeks to just hours, giving you peace of mind that an AD disaster will not become a business disaster. 

Active Directory is a prime attack target

69%

of organizations impacted by ransomware

21days

Average downtime due to ransomware

25B

attempted attacks on Azure AD accounts

Recover Active Directory 5x Faster with Quest Recovery Manager 02:43

Fast and secure Active Directory forest recovery is vital following a cyberattack. The longer AD is down, the longer your business is down. “The restore process from many well-documented ransomware attacks has been hindered by not having an intact AD restore process," according to Gartner, which also states that you can “accelerate recovery from attacks by adding a dedicated tool for backup and recovery of Microsoft Active Directory.” 

With Recovery Manager for Active Directory Disaster Recovery Edition, you can restore AD at least five times faster than the manual Active Directory forest recovery process, according to ESG Research. One reason for that is due to extensive automation, which reduces the risk of human error and having to start over as the result of those errors. Recovery Manager also protects your AD backups from compromise and eliminates the risk of malware reinfection. It’s like an insurance policy for AD that you can’t afford not to have.

"Accelerate recovery from attacks by adding a dedicated tool for backup and recovery of Microsoft Active Directory." - Gartner

Key Benefits

Adaptable to any disaster

Handle any Active Directory disaster recovery scenario, from attribute changes to SYSVOL corruption to full AD forest disasters.

Automated AD forest recovery

Automate the Active Directory forest recovery process, including the 40+ steps outlined in Microsoft's AD forest recovery best practices.

Flexibility and choice

Choose the best method for your situation, whether that’s phased recovery, restoring AD to a clean OS or bare metal recovery.

Clean, malware-free recovery

Eliminate the risk of malware re-infection throughout your AD forest recovery, scanning for malware and minimizing its hiding places.

Secure AD backups

Ensure backups are always available with multiple options for secure physical and cloud storage.

Battle-tested

Quest has specialized in AD disaster recovery as long as AD has been around, helping thousands of customers, including 50% of the Fortune 100.

Streamlined Active Directory Disaster Recovery

Recovery Manager simplifies, automates and accelerates Active Directory forest recovery with unmatched security, flexibility and options to meet the needs of your business continuity and disaster recovery plans.

Efficient and reliable AD backups

Back up exactly what you need to recover AD. By omitting extraneous and risky components like boot files and the IIS Metabase, Recovery Manager reduces backup bloat, makes the backup process more efficient and minimizes the places where malware can hide.

Secure storage

Protect AD backups from malware infection with Secure Storage, a hardened server that is isolated according to IPSec rules with regular checks to confirm backup integrity. Even if you lose your DCs, Tier 1 storage and even your Recovery Manager server, you still have the Secure Storage backup that is hardened and secure to withstand the ransomware attack.

AD backups in the cloud

Recovery Manager ensures that your AD backups are always available in case of disaster with the flexibility to store backups in secure cloud locations such as immutable Azure Blob Storage and Amazon Web Services (AWS) S3 storage. 

Phased recovery to shorten RTO

After you back up Active Directory, you can shorten recovery time objectives with a phased AD recovery approach. Quickly restore key DCs, enabling sign-in and business-critical functions as soon as possible. Then dramatically accelerate recovery of remaining DCs with automated repromotion methods.

Flexible AD recovery options

Choose the AD disaster recovery method that works best in a given situation, whether that’s phased recovery, restoring to a clean OS to minimize the risk of malware reinfection or bare metal recovery. You can restore AD to a clean OS on any machine, whether it’s a physical machine, on-prem virtual machine or a cloud-hosted VM.

Clean OS recovery to the cloud

During an attack, you need to restore to a new machine you can trust. Quickly and easily create Microsoft Azure resources including virtual machines during an AD forest recovery. This enables you to recover AD to a readily available, secure and cost-effective machine that you can trust is clean from malware.

Malware detection and removal

Eliminate the risk of malware re-infection throughout your AD disaster recovery process with regular checks for viruses after the backup file is created, during storage when updates are added and before a restore is started with integrated Microsoft’s Defender capabilities. If needed, you can safely pause your recovery to quarantine or remove corrupted files. 

Operating system recovery

Quickly restore your domain controller’s operating system without depending on others. Recovery Manager gives AD admins more control of the recovery process, saving time and resources by eliminating dependencies on cross-departmental teams.

Insurance group slashes Active Directory recovery time

With native tools, a restore would take days or weeks; with Quest, we can be fully operational again in hours.

Krist Cappelle Information Security Program Manager, P&V Group Read Case Study

Telefónica España slashes AD recovery time with Recovery Manager

Being able to restore an AD forest in hours instead days is priceless. Now I can sleep peacefully.

IT Manager Read Case Study

Top 5 Global Petroleum Producer ensures seamless business continuity

With Recovery Manager, we have always passed the annual AD recovery audits, maintaining the strong reputation and market valuation of both the energy company and TCS.

Suhas Pawar Associate Consultant, Tata Consultancy Services Read Case Study

Additional Features

Online granular restore

Restore individual attributes, such as account settings, group memberships and binary attributes, even when the object itself has not been deleted. This enables you to restore only the required attributes without restarting domain controllers.

Comparison reporting

Highlight changes made since the last backup by comparing the online state of AD with its backup or by comparing multiple backups. Accelerate recovery by quickly pinpointing deleted or changed objects or attributes. And with Change Auditor you can easily identify who made the changes.

AD management and health validation

Inspect AD for warning signs of possible issues before they become disasters by checking DC accessibility, replication, trusts and user authentication.

Recovery console fault tolerance

With Recovery Manager, you can share persistent configuration data between several instances of your recovery consoles so that you can quickly resume the last restore operation in case it was unexpectedly interrupted.

Recovery roadmap

After you back up Active Directory, you can generate a detailed recovery process report, including an overview of every stage of the recovery, to gain a better understanding and more control over the project.

Virtual test lab

After you back up Active Directory, you can demonstrate and validate your AD disaster recovery plan by building a separate virtual Active Directory forest test lab with production data to test disaster scenarios and safely test prior to making changes in the production. Automatically generate detailed, time-stamped reports of the recovery process including before/after state of the organization and actions applied to domain controllers.

Hybrid AD and Azure AD recovery

A solid on-premises AD recovery plan alone isn’t sufficient since so many organizations are making greater use of cloud-only objects such as Azure AD groups, Azure B2B/B2C accounts, conditional access policies and more. With On Demand Recovery, you can quickly and securely back up and recover Azure AD.

AD Disaster and Forest Recovery Services

How Often Should You Test Your Active Directory Disaster Recovery Plan? 06:29

Quest Professional Services ensure your AD recovery plan is in place quickly and validates your forest recovery model. Whether your team lacks the technical expertise, does not have the manpower or just does not have time to configure, test and deploy your solution, our subject matter experts help you through this process using our tested implementation methodology.

  • Verify backup and recovery plans aligned with industry best practices
  • Test and document recovery plans for domain controllers, full forest and crisis scenarios
  • Participate in a scheduled recovery exercise, ensuring full integration with other disaster recovery and business continuity plans

FAQs – Active Directory Disaster Recovery

With Microsoft-provided tools and manual processes, Active Directory forest recovery is a difficult, time-consuming and error-prone process. In fact, Microsoft’s “Active Directory Forest Recovery Guide” outlines 40 high-level steps that must be performed correctly and in the proper sequence — on each DC. In addition, many of the steps aren’t operations that AD administrators are familiar with; they are tedious, often command-line based steps, so it’s very easy to make mistakes that can re-corrupt your directory and require you to start over. Quest reduces risk by automating every one of these manual steps. In fact, ESG Research validated that Recovery Manager can restore AD at least five times faster than the manual AD forest recovery process.

 

VM snapshots are no substitute for an enterprise AD disaster recovery solution. Using snapshots for forest recovery will almost always result in data consistency problems that are difficult to resolve. Since the data on DCs is constantly being updated and the replication process takes time, snapshots of different DCs almost always contain inconsistent information. Snapshots can also include malware, which gets restored with everything else on the DC. Plus, if you store your VM snapshots in the default location, they’re an obvious target for ransomware encryption, which can render them useless. There’s also a logistical issue. Usually, control over VM snapshots resides with the virtualization operations team, which complicates the AD team’s job during the recovery operation. Finally, the virtualization team might not even know that the AD snapshots are an essential part of the organization’s disaster recovery strategy, so they might not protect them appropriately.
Most data protection tools simply do not suffice for AD disaster recovery. As noted above, in an AD forest recovery, you must coordinate the configuration effort across multiple DCs. Failure to do so can run the risk of USN rollback, RID bubbles, RID re-use, lingering objects in the Global Catalog and other issues that can cause serious issues with Active Directory functionality. But most traditional data protection solutions simply focus on getting individual DCs to a “healthy” state — and leave all the coordination work to you.

Tour

Flexible recovery methods
Bare metal backup
Malware detection
Progress monitor
Recovery project plan
Pick Restore Active Directory on Clean OS - Active directory disaster recovery 07:36

Flexible recovery methods

Flexible recovery methods include restoring AD to a clean OS and a Microsoft-compliant bare metal recovery.

Specifications

Before installing Recovery Manager for Active Directory, ensure that your system meets the following minimum hardware and software requirements.

NOTE

  • Recovery Manager for Active Directory supports only IPv4 or mixed IPv4/IPv6 networks.
  • Recovery Manager for Active Directory Forest Edition can backup and restore domain controllers that are running on virtual machines in Amazon Web Services (AWS) or Microsoft Azure. Note that such domain controllers cannot be restored with the Bare Metal Active Directory Recovery method because there is no way to boot them from an ISO image.
Processor

Minimum: 1.4 GHz

Recommended: 2.0 GHz or faster

CPU Cores

Minimum: 2 CPU cores

Recommended: 4 CPU cores

Memory

Minimum: 2 GB

Recommended: 4 GB

These figures apply only if the Active Directory domains managed by Recovery Manager for Active Directory include 1 million objects or less. Increase RAM size by 512 MB for every additional 1 million objects.

Hard Disk Space

Full installation including the prerequisite software: 2.7 GB of free disk space

In case all the prerequisite software is already installed: 260 MB of free disk space

NOTE Additional storage space is required for a backup repository, at least the size of the backed-up Active Directory database file (Ntds.dit) and the SYSVOL folder plus 40MB for the transaction log files.

Operating System
  • Machine that hosts the Recovery Manager for Active Directory console must have same or higher version of Windows operating system than the processed domain controllers. Otherwise, the online compare and object search in a backup during the online restore operation may fail.
  • 32-bit operating systems are not supported.

Installation

  • Microsoft Windows Server 2022, 2019, 2016, 2012 R2, 2012
  • Microsoft Windows 11, 10 x64, 8.1 x64

Targets for backup, restore, or compare operations

  • Microsoft Windows Server 2022, 2019, 2016, 2012 R2, 2012 (including Server Core installation)

The Windows Server Backup feature is supported for Windows Server 2012 R2 or higher. Make sure that the feature is installed on all domain controllers in your environment.

NOTE: Windows Server® 2012 requires Microsoft .NET Framework version 4.8 or higher installed. See the following Microsoft article for instructions on installation: Microsoft .NET Framework 4.8 for Windows Server 2012

Microsoft .NET Framework

Microsoft .NET Framework version 4.8 or higher

Microsoft SQL Server and its components

Microsoft SQL Server versions

Microsoft SQL Server is required for the following Recovery Manager for Active Directory features: Comparison Reporting and Forest Recovery Persistence.

Supported SQL Server versions:

  • Microsoft SQL Server 2019, 2017, 2016, 2014 and 2012 (Enterprise, Business Intelligence, Standard, Express, Web, or Developer Edition)

Microsoft SQL Server components

Microsoft System CLR Types for SQL Server 2012

If this component is not installed, it will be installed automatically by the RMAD setup.

Microsoft SQL Server Reporting Services

To display reports, Recovery Manager for Active Directory can integrate with Microsoft SQL Server® Reporting Services (SRSS) 2016, 2017 and 2019.

Microsoft Operations Manager

Supported Microsoft Operations Managers for the RMAD Management Pack for Microsoft Center Operations Manager (SCOM):

  • Microsoft System Center Operations Manager 2022, 2019, 2016, 2012 R2 and 2012
Microsoft Windows PowerShell

Microsoft Windows PowerShell version 5.0 or later

Integration with Change Auditor for Active Directory

Supported versions of Change Auditor for Active Directory: from 6.x to 7.x.

If any prerequisite software is not installed, the Setup program automatically installs it for you before installing Recovery Manager for Active Directory. If the prerequisite software to be installed is not included in this release package, it is automatically downloaded.

Continuous recovery: From version 10.0.1, Recovery Manager for Active Directory together with Change Auditor can restore the deleted object(s) and continuously restores the last change (if any) that was made to the object attributes after creating the backup, using the data from the Сhange Auditor database.

Antivirus software that is supported for backup antimalware checks

The anti-virus checks are performed on the Forest Recovery Console machine running Windows Server 2016 or higher by means of antivirus software installed on the machine.

  • Microsoft Defender
  • Symantec Endpoint Protection 14.x
  • Broadcom Endpoint Security (former name: Symantec Endpoint Protection 15)
Supported server management systems
  • Integrated Dell Remote Access Controller (iDRAC) 8 and 9
  • HP ProLiant iLO Management Engine (iLO) 3, 4 and 5
  • VMware vCenter/ESX Server 6.0, 6.5, 6.7 and 7.0
  • Microsoft Hyper-V Server 2012 or higher
Memory

1 GB (2 GB recommended)

Hard disk space

2 GB or more

Operating System

One of the following operating systems:

  • Microsoft Windows Server 2022, 2019, 2016, 2012 R2, 2012 (including Server Core installation)

 

Secure Storage Server

Processor

Minimum: 1.4 GHz

Recommended: 2.0 GHz or faster

CPU Cores

Minimum: 2 CPU cores

Recommended: 4 CPU cores

Memory

Minimum: 2 GB

Recommended: 4 GB

  • Operating system: Microsoft Windows 2016 or higher
  • A stand-alone server to be used as your Secure Storage server. This server should be a workgroup server and not joined to an Active Directory domain.
  • An account that will be used to deploy the Storage Agent on the Secure Storage server. This account must also be a local Administrator on the Secure Storage server.
  • Physical access to the Secure Storage server. Once the server is hardened access with regular methods will be disabled.
  • Sufficient storage space on the Secure Storage server for all backup files. For one backup file, the space required is at least the size of the backed-up Active Directory database file (Ntds.dit) and the SYSVOL folder plus 40MB for the transaction log files.
Cloud Storage
  • Internet access available on the Recovery Manager for Active Directory console. A standard outbound HTTPS port 443 is used to upload data to Azure Blob and Amazon Web Services S3 Storage.
  • Azure and Amazon Web Services subscription(s) to create and manage Azure and Amazon Web Services S3 Storage accounts and containers.
  • A method of creating and managing Azure and Amazon S3 Storage accounts, containers, and policies for the storage account (lifecycle, immutability and replication policies).
Microsoft System Center Virtual Machine Manager (SCVMM) 2012 R2, 2016, 2019 or 2022

Software that must be installed on the Active Directory Virtual Lab computer:

  • Microsoft SCVMM Console (supplied with the SCVMM version you plan to use)

Software that is installed on the source computer by Active Directory Virtual Lab console:

  • Disk2vhd v2.01 utility

For more details, see the Working with SCVMM 2012 R2 or higher section in User Guide.

Supported operating systems for the Hyper-V host:

  • Microsoft Windows Server 2012 R2 or higher.
VMware vCenter/ESX Server 6.0, 6.5, 6.7 and 7.0
  • Active Directory Virtual Lab does not support conversion of Windows Server 2019 Domain Controllers using VMWare ESXi/vCenter server.
  • Active Directory Virtual Lab does not support VMware ESXi 6.0.
  • vCenter Converter 6.2 must be installed in your environment using the Client-Server installation setup option.
  • vCenter Converter must be accessible to the Active Directory Virtual Lab.
  • If the TLS 1.0 protocol is disabled on vCenter Converter and vCenter servers, then switch to TLS 1.2 on the ADVL server. For more details, see the following KB articles

You can only use the Password and SIDHistory Recoverability Tool if Microsoft's Active Directory Recycle Bin is not enabled in your environment.

Recovery Manager for Active Directory Disaster Recovery Edition is upgradeable from version 10.0 or later.

Resources

Datasheet

Recovery Manager for Active Directory Disaster Recovery Edition

Complete AD disaster recovery at the object, directory and OS level across the entire forest
On Demand Webcast

Microsoft Active Directory Disaster? Recover at Least Five Times Faster

Here at Quest Software, we’ve always prided ourselves on our ability to help organizations like yours quickly recover from an A...
White Paper

Be Prepared for Ransomware Attacks with Active Directory Disaster Recovery Planning

Reduce your organization’s risk with an effective Active Directory recovery strategy.
E-book

Ultimate Cyber-Resiliency: a guide to combatting AD security villains

This eBook highlights ways to achieve a full lifecycle of hybrid Active Directory cyber-resiliency to mitigate risks before, du...
On Demand Webcast

Lessons Learned from a Recent Ransomware Recovery

Learn how to bring your AD back to a healthy state by watching this webcast.
On Demand Webcast

Colonial Pipeline Ransomware and MITRE ATT&CK Tactic TA0040

Ransomware attacks are exploiting Active Directory. This security-expert-led webcast explores a 3-prong defense against them.
On Demand Webcast

Protect Your Active Directory from Ransomware using the NIST Cybersecurity Framework

Learn guidance on how to identify, protect, detect, respond to, and recover from ransomware cyberattacks.
Technical Brief

The Varied History of System State Backups and Why You Don’t Need Them for AD Recovery

Learn how Recovery Manager for Active Directory protects your DCs with backups that take less time, occupy less space and incur...

Get Started Now

Be prepared to quickly recover from any AD disaster.

Support & Services

Product Support

Self-service tools will help you to install, configure and troubleshoot your product.

Support Offerings

Find the right level of support to accommodate the unique needs of your organization.

Professional Services

Search from a wide range of available service offerings delivered onsite or remote to best suit your needs.