Cyber-First Disaster Recovery for Active Directory

Active Directory Forest Recovery

Reduce time to recover AD after a cyberattack by up to 90%

The pitfalls of manual AD recovery Get an AD recovery briefing with an expert

Fast, malware-free AD forest recovery

Widespread attacks that exploit Active Directory can cripple your organization. When a ransomware or wiper attack takes out domain controllers, recovering your AD forest can drag on for days or even weeks, risking malware re-infection in the process. But with Semperis Active Directory Forest Recovery (ADFR), you’ll be back in business in minutes or hours rather than days or weeks.

Cut downtime

Restore AD in 5 clicks with automated, multi-forest recovery.

Eliminate malware

Avoid reintroducing malware by recovering AD to a known-secure state.

Automate resilient backups

Automate backups to immutable Azure storage and restore to any virtual or physical hardware

Speed forensics

Accelerate post-breach forensics to prevent follow-on attacks.

Recover Active Directory to a trusted environment

Restoring Active Directory after an attack isn’t the finish line. It’s the beginning of the most critical phase: deciding whether you can trust the recovered environment. If an attacker leaves behind backdoors, compromised accounts, or other forms of persistence, a simple restore just reintroduces the problem. Semperis ADFR goes beyond recovery with post-attack Identity Forensics and Incident Response (IFIR) to cleanse the environment of attacker artifacts.

Post-recovery identity scans to validate trust

Use ADFR’s built-in forensics capabilities to eradicate malware before restoring AD after a cyber incident.

Prescriptive guidance to close security gaps

Remove backdoors with directives from AD disaster recovery experts.

Expert support to reduce dwell time

Rely on identity experts to navigate recovery snags.

“You must make sure your critical infrastructures like Active Directory are completely secure and resilient. That was the main reason we acquired Semperis ADFR: We can guarantee that we recover Active Directory far faster than before.”

ADFR delivers operational resilience for Altice

Altice Portugal is the top telecommunications operator in the country. With 20,000 Active Directory accounts, securing Active Directory and maintaining a robust identity threat detection and response (ITDR) strategy is a priority for the company. CSO José Alegria and Head of Cyber Security and Privacy Pedro Inácio discuss the difficulty of spotting identity-based security gaps in a large AD environment with years of M&A activities, the challenges of fending off ransomware and other cyberattacks, and the importance of investing in cyber resiliency.

Simplify disaster recovery planning
Easily set up a replica of the production AD environment to facilitate AD disaster recovery drills.
Automate AD forest recovery
Automate the entire AD forest recovery process to reduce downtime.
Prevent malware reintroduction
Recover AD to a known-secure state to avoid follow-on attacks.

How long could your organization withstand an AD outage?

For 90% of large businesses worldwide, AD is the primary identity service, providing user authentication and access to business-critical applications and services. If AD is wiped out by an attack, business operations cease. Because of legacy misconfigurations and unpatched vulnerabilities that have accumulated over time, AD is a frequent target for attackers. The consequences of an AD attack that takes out domain controllers is severe: Without a tested AD disaster recovery plan, your organization is vulnerable to business-crippling cyber incidents.

Semperis 2024 Ransomware Report:

87%

of cyberattacks cause business disruption, even for those who pay ransom

IBM reports it takes on average

277 days

for security teams to identify and contain a breach

Gartner reports

33%

of organizations have no AD defense in place

Semperis 2024 Ransomware Report:

35%

of ransomware victims didn’t receive encryption keys or received corrupted keys

Purpose-built to combat cyber disasters

Active Directory outages are no longer limited to natural disasters or operational mistakes. AD is now the #1 target for cyberattacks, involved in 9 out of 10 attacks, according to Mandiant researchers. In the aftermath of cyber incidents such as the Change Healthcare, Snowflake, and Ascension, Gartner has called for AD-specific backup and recovery. Does your disaster recovery playbook address cyber disasters?

Unlike traditional system-state or bare-metal recovery approaches, patented, purpose-built ADFR fully automates the AD forest recovery process. ADFR reduces downtime by up to 90%, eliminates risk of malware reinfection, provides flexible backup and recovery options—including to immutable Azure storage, and enables post-breach forensics to prevent repeat attacks.

Malware-proof your backups

Confidently restore to your most recent backup, even if domain controllers were infected when backups were taken. Semperis’ patented technology decouples Active Directory from the underlying operating system to prevent malware re-infection. No need for trial-and-error restores in search of clean backups. No rebuilding AD from scratch. Minimize the impact of AD outages and quickly get back to business.

Request a Demo

Automate forest recovery

Recover an entire Active Directory forest with just a few clicks. Automate every aspect of the recovery process, including cleaning up metadata, rebuilding the Global Catalog, and restructuring site topology. Avoid human errors and reduce downtime to minutes instead of days or even weeks. Avert costly business interruptions.

Request a Demo

Recover to any hardware

Recover AD to any hardware—virtual or physical. Cut the cost of maintaining spare equipment, avoid the scramble to procure new hardware, quickly set up a recovery environment, and leverage the cloud as a readily available, cost-effective disaster-recovery site.

Accelerate AD incident response

Speed up AD attack forensic analysis. Mitigate the damage from an attack by quickly finding and eradicating malware. Translate unstructured AD and Azure AD change data into a human-readable format. Easily search, correlate, and undo AD changes at object and attribute levels. Drill down to any point in time to isolate compromised AD accounts and prevent future attacks.

Could you fully recover your Active Directory from a cyber disaster?

What do you do when a cyberattack annihilates your entire Active Directory infrastructure? Microsoft provides a lengthy technical guide that details the 28-step, multi-threaded, manual process required to recover an AD forest. But that error-prone process can take days or weeks. Meanwhile, your organization’s operations come to a halt without access to business-critical applications and services. Or you could use a third-party AD backup tool that relies on bare-metal recovery (BMR). But be warned: Recovery from system-state or bare-metal backups can reintroduce the malware. The risk model for AD recovery has changed. So should your AD recovery plan.

Automated recovery

Automate the entire recovery process, including rebuilding the Global Catalog and cleaning up metadata.

Malware-free recovery

Recover AD without risking malware reinfection.

Automated Azure Cloud Backup

Disaster-proof AD backups with automated storage to Azure cloud storage

Anywhere recovery

Restore AD to any hardware—virtual or physical—on premises or in the cloud.

Support for Windows Server 2025

Back up and restore Windows Server 2025 domain controllers

Clean restore

Prevent re-introduction of rootkits and other malware by starting with a clean Windows OS and restoring only what’s needed for the server’s role.

Post-breach forensics

Prevent follow-on attacks by using built-in forensics capabilities to eradicate malware from the environment before restoring AD after a cyber incident.

Flexible OS provisioning

Quickly set up a recovery environment using a PowerShell-based tool that prepares virtual machines for a full ADFR recovery.

Zero maintenance

Eliminate the need to develop and maintain scripts or manually update configuration information —and the recovery failures that can result from human error.

Backup integrity

Gain confidence that each backup set contains all the data you need to successfully recover your forest, successfully written to one or more locations, with backup verification and notification of any gaps

Share-nothing architecture

Free AD backups from reliance on Windows authentication, DNS, or other AD services—so you can recover immediately, even if AD is completely down.

Easy disaster recovery testing

Spin up an exact replica of the production AD forest in an isolated lab to effortlessly test recovery procedures and document results for compliance with internal and external regulations.

Lightweight AD backups

Back up only AD components for smaller backups, which means less data to retrieve, process, and transfer—and faster restores.

Multi-forest support

Simplify setup and ongoing administration by using just one management server and web portal for backup and recovery of multiple AD forests.

PowerShell support

Use built-in PowerShell commands to easily manage backup groups, backup rules, agents, and distribution points.

Distributed backup failover

Reduce network traffic and backup recovery times by using distribution point servers to store backups close to domain controllers.

View All

Semperis protects some of the largest AD environments

Explore our case studies

Everything starts with an ID and password. First thing you need to recover is credentials to do any other type of recovery.
Kerry Kilker Former CISO
Walmart

Deloitte Tech Fast 500 list 2022 North America

2022 Globee Awards Gold Winner - Information Technnology

David Yancey of Prime Healthcare uses ADFR to overhaul AD disaster recovery strategy

Prime Healthcare cuts AD recovery time with ADFR

A planned internal change that fell short of expectations prompted David Yancey, Senior Systems Engineer, to completely overhaul Prime Healthcare’s entire Active Directory disaster recovery plan. During routine maintenance, storage that contained many of the organization’s domain controllers was accidentally deleted. Semperis ADFR offered a flexible, fast solution for AD backups, comprehensive documentation that empowered other team members to manage backups, and confirmation messages that gave Yancey and his team peace of mind. “Having ADFR at the center of our DR plan put my mind at ease because now I know that if an incident happens again that takes out the DCs, we have a direct course of action to take,” said Yancey.

Reduced downtime
In disaster planning drills, Prime Healthcare reduced AD recovery time from days to minutes
Flexible backups
ADFR simplified Prime Healthcare’s AD backup process, which in turn saves time and resources.
Document compliance
ADFR helps Prime Healthcare document compliance with regulatory requirements.

Frequently asked questions

What is Active Directory Forest Recovery?

ADFR is the only backup and recovery solution purpose-built for recovering Active Directory from cyber disasters. ADFR fully automates the AD forest recovery process, reduces downtime, eliminates risk of malware reinfection, and enables post-breach forensics.

We rely on a traditional DR tool for recovery. Why do we need Semperis ADFR? 

Most backup and recovery products target servers, and Active Directory is included in the backup process because it is a role on the server. But if a cyberattack hits your AD, you need a solution that removes AD from the operating system so you don’t reinfect AD with the malware as part of the recovery process. Semperis ADFR can get AD back online—on a new, trusted server—within minutes, not days, and without reintroducing malware as part of the process. 

We rely on a multi-data center warm failover solution. How would ADFR help in this scenario?

Typically, warm sites contain the necessary hardware, but do not contain the most recent version of the production site. Since data is not being consistently replicated between the production and warm site, there is greater latency for failover. ADFR is capable of restoring to alternate hardware and provides IP mapping to create an exact replica (or clone) of your production AD forest in an isolated lab. ADFR reduces the time and effort required to set up and maintain your warm failover site, making it feasible to replicate the production site more often and reduce data latency issues.

How does ADFR ensure the integrity of a backup?

ADFR validates each backup rule when it’s created to ensure it can be used to generate a valid forest backup set. By default, the ADFR backup validation process checks to ensure there is at least one DC hosting each partition in the backup set. The status of the backup rule validation process is displayed in the Backup Settings page of the ADFR Administration portal.

Why do I need ADFR when I already have a data protection solution?

Data protection solutions do not offer a cyber disaster recovery solution for Active Directory. They offer backup and recovery of individual domain controllers (DCs) and files. This is an important distinction, and one that applies to other backup vendors as well. Backup vendors can back up a DC, and they can restore a DC. But none can orchestrate the many steps required to correctly and successfully restore an AD forest.

In contrast, ADFR offers a fully automated forest recovery solution that enables you to recover AD even if DCs are infected or wiped out. ADFR automates every aspect of forest recovery, including cleaning up metadata, rebuilding the Global Catalog, and restructuring site topology. Manually rebuilding AD following a cyber incident is a time-consuming, error-prone process that can takes days or weeks.

Why are BMR and snapshots not recommended for Active Directory recovery?

Bare metal recovery (BMR) can be a convenient way to restore a computer’s operating system and settings, for example, if an OS upgrade goes wrong, or if you want to move a user or an application to a new machine. However, if a DC has been infected or disabled by a cyberattack, the BMR backups will likely contain boot files, other executables, and OS files where malware can hide. If you restore a DC from a BMR backup, you might also restore any malware present in the backup.

Does ADFR automatically detect problems with a backup and self-correct or trigger an alert?

When a backup set completes with an error or warning, ADFR automatically sends an email notification to designated recipients. In addition, you can opt into receiving email notifications for successful backups. The ADFR Administration portal also displays backup status information: 1) Dashboard provides a list of recent forest backup sets, showing both available and failed backups. 2) Backups Status & History page displays status details for each backup, including backups that failed and transfers of the backup to the distribution point that failed.

Can ADFR support large, complex AD environments?

ADFR is purpose-built for AD and can support the recovery needs of even the most complex AD environments, including multi-organization and multi-forest deployments. Organizations with some of the largest and most complex ADs in existence rely on Semperis to implement a cyber-first approach to disaster preparedness and recovery.

Latest news

View all

New Forrester TEI Report: Semperis Slashes Downtime by 90%, Saving Customers Millions

Sean Deuby | Principal Technologist, Americas

Meet Silver SAML: Golden SAML in the Cloud

Tomer Nahum and Eric Woodruff

Experience a Personalized Demo

Request a Demo and one of our product experts will give you a spin of our solutions.