Tim Springston, Principal Product Manager, Semperis

Increasing resilience—the ability to recover business operations quickly from a cyberattack—is our core mission with Active Directory Forest Recovery (ADFR). We purpose-built ADFR to address the time-consuming complications of fully recovering AD to a trusted, secure state after a cyberattack. To add to this resilience story, ADFR includes Azure Cloud Backup, which integrates backup rule automation with Azure Cloud Storage.

How Azure Cloud Backup increases backup resilience

ADFR Azure Cloud Backup allows automatic and secure distribution of your forest backups to one or more cloud-based distribution points so that they remain available regardless of what is happening to the on-premises environment. The ADFR Azure Cloud Backup feature integrates with Azure storage containers that are set up, controlled, and managed by your organization—similar to the way you manage your distribution points. ADFR leverages a simple Entra ID application to copy backups from the primary distribution point to the Azure storage containers using rules and configurations specified by your organization.

The ability to use Azure storage containers opens a whole new vista of resilience, security, and integrity for forest backup storage. You can use multiple Azure storage containers for distribution across the cloud so “all the eggs aren’t in one basket.” And global organizations can align automatic backups to Azure datacenters all over the world.

Enhancing AD backup immutability and security

ADFR’s integration with Azure lets you configure Write Once Read Many (WORM) immutability on the AD backups to ensure that the backups are never altered. As a result, your recovery point is intact when you need it most.

ADFR Azure Cloud Backup provides cloud security as well as immutability. In addition to benefiting from integrated encryption of ADFR backups and native AES-256 encryption of Azure storage, your organization can use Microsoft Defender for Storage to gain assurance that the forest backup data is secure from exfiltration, tampering, or access. This comprehensive defense strategy for your cloud-based backups adds a layer of security that will actively monitor, alert on, and guard against threats to your critical backup storage infrastructure.

Storing ADFR backups in Azure storage adds another tool to your resilience toolkit: geo-redundant storage and failover. Per Microsoft documentation: “When configured to use geo-redundant storage (GRS, GZRS, and RA-GZRS), Azure copies your data asynchronously to a secondary geographic region. These regions are located hundreds, or even thousands of miles away. This level of redundancy allows you to recover your data if there’s an outage throughout the entire primary region.”

Reducing AD forest recovery time

The number one goal in storing and securing AD forest backups is to reduce recovery time. To that end, one of the coolest aspects of ADFR’s Azure Cloud Backup feature is that you can rebuild the entire environment—including the ADFR server itself—from what is backed up to Azure. Each Azure Cloud Backup contains the ADFR data you need to quickly and easily set up your forest recovery orchestration in an isolated recovery environment. This means that you can recover both AD and ADFR from the cloud. Using Azure as a cloud recovery point gives you the flexibility to rapidly rebuild and restore your Active Directory environment to production from anywhere to any environment.

The extended resilience and control of ADFR Azure Cloud Backup—along with ADFR support for Windows Server 2025 and accelerated recovery time—demonstrate why Semperis’ forest recovery is the industry’s best. If you’re not already using Active Directory Forest Recovery, just reach out. We’d be happy to demonstrate why Semperis is called a “force for good.”
