Cyber-First Disaster Recovery for Active Directory

Active Directory Forest Recovery

Reduce time to recover AD after a cyberattack by up to 90%

Fast, malware-free AD forest recovery

Widespread attacks that exploit Active Directory can cripple your organization: We’ve seen that story firsthand in hundreds of real-world incident response engagements. Semperis Active Directory Forest Recovery (ADFR) is purpose-built by our identity experts to be fault-tolerant, flexible, and built for the chaos of a live incident, so you can restore a clean, trusted forest in minutes or hours—not days or weeks.

Cut downtime

Restore AD in 5 clicks with automated, multi-forest recovery.

Eliminate malware

Avoid reintroducing malware by recovering AD to a known-secure state.

Automate resilient backups

Automate backups to immutable Azure cloud storage and restore to any virtual or physical hardware.

Speed forensics

Accelerate post-breach forensics to prevent follow-on attacks.

Recover Active Directory to a trusted environment

Recovering AD after a cyberattack isn’t just about getting domain controllers back online—it’s about knowing you can trust the environment again. Semperis Active Directory Forest Recovery (ADFR) is engineered by battle‑tested IR experts to deliver fault‑tolerant, flexible recovery, staged “minimum viable company” restore, and post‑breach forensics that evict threat actors before you reconnect users.

Fault-tolerant, flexible recovery

Recover your forest even when chaos reigns. ADFR can restore non‑backed‑up domain controllers, recover to any virtual or physical hardware, handle alternate IP address spaces, and automatically switch recovery methods so a single DC failure doesn’t derail the entire recovery.

Staged recovery for Minimum Viable Company

Use staged recovery to bring back only the domain controllers and sites you need to run the business first, then add DCs in subsequent waves, so critical authentication and core apps are up in hours while broader restoration continues in the background.

Post-breach forensics to eradicate threat actors

Go beyond basic restore with identity‑centric post‑breach forensics to close backdoors and remove persistence so you can return to production with confidence.

“You must make sure your critical infrastructures like Active Directory are completely secure and resilient. That was the main reason we acquired Semperis ADFR: We can guarantee that we recover Active Directory far faster than before.”

ADFR delivers operational resilience for Altice

Altice Portugal is the top telecommunications operator in the country. With 20,000 Active Directory accounts, securing Active Directory and maintaining a robust identity threat detection and response (ITDR) strategy is a priority for the company. CSO José Alegria and Head of Cyber Security and Privacy Pedro Inácio discuss the difficulty of spotting identity-based security gaps in a large AD environment with years of M&A activities, the challenges of fending off ransomware and other cyberattacks, and the importance of investing in cyber resiliency.

  • Simplify disaster recovery planning

    Easily set up a replica of the production AD environment to facilitate AD disaster recovery drills.

  • Automate AD forest recovery

    Automate the entire AD forest recovery process to reduce downtime.

  • Prevent malware reintroduction

    Recover AD to a known-secure state to avoid follow-on attacks.

How long could your organization withstand an AD outage?

For 90% of large businesses worldwide, AD is the primary identity service, providing user authentication and access to business-critical applications and services. If AD is wiped out by an attack, business operations cease. Because of legacy misconfigurations and unpatched vulnerabilities that have accumulated over time, AD is a frequent target for attackers. The consequences of an AD attack that takes out domain controllers are severe: Without a tested AD disaster recovery plan, your organization is vulnerable to business-crippling cyber incidents.

of ransomware victims needed more than one day to return to normal operations

IBM

241 days for security teams to identify and contain a breach
do not have dedicated, AD-specific backup systems
of identity compromises stem from tenants using password-only authentication

Purpose-built to combat cyber disasters

Active Directory outages are no longer limited to natural disasters or operational mistakes. AD is now the #1 target for cyberattacks, involved in 9 out of 10 attacks, according to Mandiant researchers. In the aftermath of cyber incidents such as Change Healthcare, Snowflake, and Ascension, Gartner has called for AD-specific backup and recovery. Does your disaster recovery playbook address cyber disasters?

Unlike traditional system-state or bare-metal recovery approaches, patented, purpose-built ADFR fully automates the AD forest recovery process. ADFR reduces downtime by up to 90%, eliminates risk of malware reinfection, provides flexible backup and recovery options (including to immutable Azure storage), and enables post-breach forensics to prevent repeat attacks.

Malware-proof your backups

Confidently restore to your most recent backup, even if domain controllers were infected when backups were taken. Semperis’ patented technology decouples Active Directory from the underlying operating system to prevent malware re-infection. No need for trial-and-error restores in search of clean backups. No rebuilding AD from scratch. Minimize the impact of AD outages and quickly get back to business.

Automate forest recovery

Recover an entire Active Directory forest with just a few clicks. Automate every aspect of the recovery process, including cleaning up metadata, rebuilding the Global Catalog, and restructuring site topology. Avoid human errors and reduce downtime to minutes instead of days or even weeks. Avert costly business interruptions.

Recover to any hardware

Recover AD to any hardware—virtual or physical. Cut the cost of maintaining spare equipment, avoid the scramble to procure new hardware, quickly set up a recovery environment, and leverage the cloud as a readily available, cost-effective disaster-recovery site.

Accelerate AD incident response

Speed up AD attack forensic analysis. Mitigate the damage from an attack by quickly finding and eradicating malware. Translate unstructured AD and Azure AD change data into a human-readable format. Easily search, correlate, and undo AD changes at object and attribute levels. Drill down to any point in time to isolate compromised AD accounts and prevent future attacks.

David Yancey of Prime Healthcare uses ADFR to overhaul AD disaster recovery strategy

Prime Healthcare cuts AD recovery time with ADFR

A planned internal change that fell short of expectations prompted David Yancey, Senior Systems Engineer, to completely overhaul Prime Healthcare’s entire Active Directory disaster recovery plan. During routine maintenance, storage that contained many of the organization’s domain controllers was accidentally deleted. Semperis ADFR offered a flexible, fast solution for AD backups, comprehensive documentation that empowered other team members to manage backups, and confirmation messages that gave Yancey and his team peace of mind. “Having ADFR at the center of our DR plan put my mind at ease because now I know that if an incident happens again that takes out the DCs, we have a direct course of action to take,” said Yancey.

  • Reduced downtime

    In disaster planning drills, Prime Healthcare reduced AD recovery time from days to minutes.

  • Flexible backups

    ADFR simplified Prime Healthcare’s AD backup process, which in turn saves time and resources.

  • Document compliance

    ADFR helps Prime Healthcare document compliance with regulatory requirements.

Frequently asked questions

What is Active Directory Forest Recovery?

ADFR is the only backup and recovery solution purpose-built for recovering Active Directory from cyber disasters. ADFR fully automates the AD forest recovery process, reduces downtime, eliminates risk of malware reinfection, and enables post-breach forensics.

We rely on a traditional DR tool for recovery. Why do we need Semperis ADFR? 

Most backup and recovery products target servers, and Active Directory is included in the backup process because it is a role on the server. But if a cyberattack hits your AD, you need a solution that removes AD from the operating system so you don’t reinfect AD with the malware as part of the recovery process. Semperis ADFR can get AD back online—on a new, trusted server—within minutes, not days, and without reintroducing malware as part of the process.

We rely on a multi-data center warm failover solution. How would ADFR help in this scenario?

Typically, warm sites contain the necessary hardware, but do not contain the most recent version of the production site. Since data is not being consistently replicated between the production and warm site, there is greater latency for failover. ADFR is capable of restoring to alternate hardware and provides IP mapping to create an exact replica (or clone) of your production AD forest in an isolated lab. ADFR reduces the time and effort required to set up and maintain your warm failover site, making it feasible to replicate the production site more often and reduce data latency issues.

How does ADFR ensure the integrity of a backup?

ADFR validates each backup rule when it’s created to ensure it can be used to generate a valid forest backup set. By default, the ADFR backup validation process checks to ensure there is at least one DC hosting each partition in the backup set. The status of the backup rule validation process is displayed in the Backup Settings page of the ADFR Administration portal.

Why do I need ADFR when I already have a data protection solution?

Data protection solutions do not offer a cyber disaster recovery solution for Active Directory. They offer backup and recovery of individual domain controllers (DCs) and files. This is an important distinction, and one that applies to other backup vendors as well. Backup vendors can back up a DC, and they can restore a DC. But none can orchestrate the many steps required to correctly and successfully restore an AD forest.

In contrast, ADFR offers a fully automated forest recovery solution that enables you to recover AD even if DCs are infected or wiped out. ADFR automates every aspect of forest recovery, including cleaning up metadata, rebuilding the Global Catalog, and restructuring site topology. Manually rebuilding AD following a cyber incident is a time-consuming, error-prone process that can take days or weeks.

Can ADFR back up Active Directory to Azure and recover if my data center is down?

Yes. ADFR can automatically store forest backups and ADFR configuration data in Azure Blob Storage, creating cloud recovery points that are encrypted with AES-256 and available even if on-premises storage is lost. During recovery, ADFR prefers local backups for speed but will automatically fall back to Azure backups if on-prem copies aren’t available.

Does ADFR support object-level recovery, or only full forest restores?

In addition to full forest and partition recovery, ADFR provides an object recovery wizard that lets you search for specific AD objects, compare their live attributes with multiple backups, and selectively restore those objects or attributes to a previous state. This gives you a fast way to fix targeted issues or post-recovery clean-up without running another forest-wide operation.

How does ADFR handle multi-forest and globally distributed AD environments?

ADFR lets you manage multiple forests from a single management server and portal, and uses both forest-specific and multi-forest distribution points to keep backups close to domain controllers and resilient across regions.

Combined with Azure cloud recovery points, this architecture supports large, complex, and high-latency environments while maintaining reliable, cyber-first forest recovery.

Why are BMR and snapshots not recommended for Active Directory recovery?

Bare metal recovery (BMR) can be a convenient way to restore a computer’s operating system and settings, for example, if an OS upgrade goes wrong, or if you want to move a user or an application to a new machine. However, if a DC has been infected or disabled by a cyberattack, the BMR backups will likely contain boot files, other executables, and OS files where malware can hide. If you restore a DC from a BMR backup, you might also restore any malware present in the backup.

Does ADFR automatically detect problems with a backup and self-correct or trigger an alert?

When a backup set completes with an error or warning, ADFR automatically sends an email notification to designated recipients. In addition, you can opt into receiving email notifications for successful backups. The ADFR Administration portal also displays backup status information: 1) Dashboard provides a list of recent forest backup sets, showing both available and failed backups. 2) Backups Status & History page displays status details for each backup, including backups that failed and transfers of the backup to the distribution point that failed.

Can ADFR support large, complex AD environments?

Yes. ADFR is purpose-built for large, multi-organization and multi-forest deployments and adds features like multi-forest distribution points, Azure cloud recovery points, and Windows Server 2025 support to keep backups resilient and recovery fast at enterprise scale. Organizations running some of the world’s largest AD environments rely on ADFR to orchestrate cyber-first forest recovery across complex topologies.
