Cyber-First Disaster Recovery for Active Directory

Active Directory Forest Recovery

Reduce time to recover AD after a cyberattack by up to 90%

Learn Why DC Snapshots Are No Substitute for AD Backups

Fast, malware-free AD forest recovery

Widespread attacks that exploit Active Directory can cripple your organization. When a ransomware or wiper attack takes out domain controllers, recovering your AD forest can drag on for days or even weeks, risking malware re-infection in the process. But with Semperis Active Directory Forest Recovery (ADFR), you’ll be back in business in minutes or hours rather than days or weeks.

Cut downtime

Restore AD in 5 clicks with automated, multi-forest recovery.

Eliminate malware

Avoid reintroducing malware by recovering AD to a known-secure state.

Recover anywhere

Restore AD to any virtual or physical hardware. Simplify OS provisioning.

Speed forensics

Accelerate post-breach forensics to prevent follow-on attacks.

“If you’ve lost AD, you’ve lost your business. It’s that extreme.” Simon Hodgkinson, former CISO of bp, offers guidance for CISOs looking to beef up operational resiliency.

ADFR delivers operational resilience

Active Directory has a central place in the quest for operational resilience. Disaster recovery plans that focus on natural disasters are insufficient for dealing with modern threats to operational resilience. The enterprise identity system (AD for 90% of organizations worldwide) is critical to keeping operations running. Because AD is now the #1 target for cyberattackers, protecting it is the top security priority. By prioritizing cyber-first AD recovery, organizations can address one of the most serious threats to operational resilience. Semperis ADFR helps organizations prepare for the worst by ensuring a fast, malware-free AD forest recovery in the event of a cyber disaster.

Simplify disaster recovery planning
Easily set up a replica of the production AD environment to facilitate AD disaster recovery drills.
Automate AD forest recovery
Automate the entire AD forest recovery process to reduce downtime.
Prevent malware reintroduction
Recover AD to a known-secure state to avoid follow-on attacks.

How long could your organization withstand an AD outage?

For 90% of large businesses worldwide, AD is the primary identity service, providing user authentication and access to business-critical applications and services. If AD is wiped out by an attack (as in the NotPetya cyberattack on shipping giant Maersk in 2017), business operations cease. Because of legacy misconfigurations and unpatched vulnerabilities that have accumulated over time, AD is a frequent target for attackers. The consequences of an AD attack that takes out domain controllers is severe: The Maersk attack caused two weeks of business disruption and cost the company at least $300 million. Without a tested AD disaster recovery plan, your organization is vulnerable to business-crippling cyber incidents.

Maersk estimated

$300 million

in costs associated with the NotPetya attack

IBM reports it takes on average

277 days

for security teams to identify and contain a breach

Gartner reports

33%

of organizations have no AD defense in place

Enterprise Management Associates reports

50%

of organizations reported AD attacks in the last 1-2 years

Purpose-built to combat cyber disasters

Active Directory outages are no longer limited to natural disasters or operational mistakes. AD is now the #1 target for cyberattacks, involved in 9 out of 10 attacks, according to Mandiant researchers. In the aftermath of cyber incidents such as the SolarWinds and Colonial Pipeline attacks, Gartner has called for AD-specific backup and recovery. Does your disaster recovery playbook address cyber disasters?

Unlike traditional system-state or bare-metal recovery approaches, patented, purpose-built ADFR fully automates the AD forest recovery process. ADFR reduces downtime by up to 90%, eliminates risk of malware reinfection, and enables post-breach forensics to prevent repeat attacks.

Malware-proof your backups

Confidently restore to your most recent backup, even if domain controllers were infected when backups were taken. Semperis’ patented technology decouples Active Directory from the underlying operating system to prevent malware re-infection. No need for trial-and-error restores in search of clean backups. No rebuilding AD from scratch. Minimize the impact of AD outages and quickly get back to business.

Request a Demo

Automate forest recovery

Recover an entire Active Directory forest with just a few clicks. Automate every aspect of the recovery process, including cleaning up metadata, rebuilding the Global Catalog, and restructuring site topology. Avoid human errors and reduce downtime to minutes instead of days or even weeks. Avert costly business interruptions.

Request a Demo

Recover to any hardware

Recover AD to any hardware—virtual or physical. Cut the cost of maintaining spare equipment, avoid the scramble to procure new hardware, quickly set up a recovery environment, and leverage the cloud as a readily available, cost-effective disaster-recovery site.

Accelerate AD incident response

Speed up AD attack forensic analysis. Mitigate the damage from an attack by quickly finding and eradicating malware. Translate unstructured AD and Azure AD change data into a human-readable format. Easily search, correlate, and undo AD changes at object and attribute levels. Drill down to any point in time to isolate compromised AD accounts and prevent future attacks.

Could you fully recover your Active Directory from a cyber disaster?

What do you do when a cyberattack annihilates your entire Active Directory infrastructure? Microsoft provides a lengthy technical guide that details the 28-step, multi-threaded, manual process required to recover an AD forest. But that error-prone process can take days or weeks. Meanwhile, your organization’s operations come to a halt without access to business-critical applications and services. Or you could use a third-party AD backup tool that relies on bare-metal recovery (BMR). But be warned: Recovery from system-state or bare-metal backups can reintroduce the malware. The risk model for AD recovery has changed. So should your AD recovery plan.

Automated recovery

Automate the entire recovery process, including rebuilding the Global Catalog and cleaning up metadata.

Malware-free recovery

Recover AD without risking malware reinfection.

Anywhere recovery

Restore AD to any hardware—virtual or physical—on premises or in the cloud.

Clean restore

Prevent re-introduction of rootkits and other malware by starting with a clean Windows OS and restoring only what’s needed for the server’s role.

Post-breach forensics

Prevent follow-on attacks by using built-in forensics capabilities to eradicate malware from the environment before restoring AD after a cyber incident.

OS provisioning

Quickly set up a recovery environment using a PowerShell-based tool that prepares virtual machines for a full ADFR recovery.

Zero maintenance

Eliminate the need to develop and maintain scripts or manually update configuration information —and the recovery failures that can result from human error.

Backup integrity

Gain confidence that each backup set contains all the data you need to successfully recover your forest, successfully written to one or more locations, with backup verification and notification of any gaps

View All

Semperis protects some of the largest AD environments

Explore our case studies

Everything starts with an ID and password. First thing you need to recover is credentials to do any other type of recovery.
Kerry Kilker Former CISO
Walmart

David Yancey of Prime Healthcare uses ADFR to overhaul AD disaster recovery strategy

Prime Healthcare cuts AD recovery time with ADFR

A planned internal change that fell short of expectations prompted David Yancey, Senior Systems Engineer, to completely overhaul Prime Healthcare’s entire Active Directory disaster recovery plan. During routine maintenance, storage that contained many of the organization’s domain controllers was accidentally deleted. Semperis ADFR offered a flexible, fast solution for AD backups, comprehensive documentation that empowered other team members to manage backups, and confirmation messages that gave Yancey and his team peace of mind. “Having ADFR at the center of our DR plan put my mind at ease because now I know that if an incident happens again that takes out the DCs, we have a direct course of action to take,” said Yancey.

Reduced downtime
In disaster planning drills, Prime Healthcare reduced AD recovery time from days to minutes
Flexible backups
ADFR simplified Prime Healthcare’s AD backup process, which in turn saves time and resources.
Document compliance
ADFR helps Prime Healthcare document compliance with regulatory requirements.

Frequently asked questions

What is Active Directory Forest Recovery?

ADFR is the only backup and recovery solution purpose-built for recovering Active Directory from cyber disasters. ADFR fully automates the AD forest recovery process, reduces downtime, eliminates risk of malware reinfection, and enables post-breach forensics.

We rely on a traditional DR tool for recovery. Why do we need Semperis ADFR? 

Most backup and recovery products target servers, and Active Directory is included in the backup process because it is a role on the server. But if a cyberattack hits your AD, you need a solution that removes AD from the operating system so you don’t reinfect AD with the malware as part of the recovery process. Semperis ADFR can get AD back online—on a new, trusted server—within minutes, not days, and without reintroducing malware as part of the process. 

We rely on a multi-data center warm failover solution. How would ADFR help in this scenario?

Typically, warm sites contain the necessary hardware, but do not contain the most recent version of the production site. Since data is not being consistently replicated between the production and warm site, there is greater latency for failover. ADFR is capable of restoring to alternate hardware and provides IP mapping to create an exact replica (or clone) of your production AD forest in an isolated lab. ADFR reduces the time and effort required to set up and maintain your warm failover site, making it feasible to replicate the production site more often and reduce data latency issues.

How does ADFR ensure the integrity of a backup?

ADFR validates each backup rule when it’s created to ensure it can be used to generate a valid forest backup set. By default, the ADFR backup validation process checks to ensure there is at least one DC hosting each partition in the backup set. The status of the backup rule validation process is displayed in the Backup Settings page of the ADFR Administration portal.

Why do I need ADFR when I already have a data protection solution?

Data protection solutions do not offer a cyber disaster recovery solution for Active Directory. They offer backup and recovery of individual domain controllers (DCs) and files. This is an important distinction, and one that applies to other backup vendors as well. Backup vendors can back up a DC, and they can restore a DC. But none can orchestrate the many steps required to correctly and successfully restore an AD forest.

In contrast, ADFR offers a fully automated forest recovery solution that enables you to recover AD even if DCs are infected or wiped out. ADFR automates every aspect of forest recovery, including cleaning up metadata, rebuilding the Global Catalog, and restructuring site topology. Manually rebuilding AD following a cyber incident is a time-consuming, error-prone process that can takes days or weeks.

Why are BMR and snapshots not recommended for Active Directory recovery?

Bare metal recovery (BMR) can be a convenient way to restore a computer’s operating system and settings, for example, if an OS upgrade goes wrong, or if you want to move a user or an application to a new machine. However, if a DC has been infected or disabled by a cyberattack, the BMR backups will likely contain boot files, other executables, and OS files where malware can hide. If you restore a DC from a BMR backup, you might also restore any malware present in the backup.

Does ADFR automatically detect problems with a backup and self-correct or trigger an alert?

When a backup set completes with an error or warning, ADFR automatically sends an email notification to designated recipients. In addition, you can opt into receiving email notifications for successful backups. The ADFR Administration portal also displays backup status information: 1) Dashboard provides a list of recent forest backup sets, showing both available and failed backups. 2) Backups Status & History page displays status details for each backup, including backups that failed and transfers of the backup to the distribution point that failed.

Can ADFR support large, complex AD environments?

ADFR is purpose-built for AD and can support the recovery needs of even the most complex AD environments, including multi-organization and multi-forest deployments. Organizations with some of the largest and most complex ADs in existence rely on Semperis to implement a cyber-first approach to disaster preparedness and recovery.