Active Directory Backup & Recovery

Accelerate AD Forest Recovery After a Cyberattack

Reduce downtime and increase operational resilience with fast, automated, malware-free Active Directory forest recovery after a cyberattack.

Save time recovering AD after a cyberattack

When your Active Directory is wiped out by a cyberattack, the clock is ticking to restore access to business-critical applications and services. Traditional data backups that include AD won’t help: Those backups will likely contain malware. To fully recover from a cyber disaster, you need automated AD forest recovery to a known-secure state. Without AD-specific cyberattack recovery technology and processes, your business is at risk.

Microsoft Digital Defense Report:
of organizations lack effective cyberattack recovery and response plans
Semperis survey reports
of organization are “only somewhat” or “not at all” confident in their AD recovery plan
Maersk reports:
$300 million
in costs associated with recovering from the NotPetya attack, including AD recovery

Malware-free AD forest recovery

Because 9 out of 10 attacks involve AD in some way, you need a tested, cyber-first AD backup and forest recovery plan to reduce the risk of business-crippling downtime after an attack.

Malware-Free Backup

To prevent follow-on attacks, ensure your AD backup is malware-free.

Automated Recovery

Cut downtime by automating the entire AD forest recovery process.

Post-Breach Analytics

Accelerate post-attack forensics and close security backdoors.

Recovering AD after a cyberattack is challenging

Traditional backups don’t help with Active Directory forest recovery

Although many organizations rely on traditional data protection solutions or bare-metal recovery, those approaches will not help with AD recovery in the case of a cyber disaster. Gartner analyst Nik Simpson stated in his report “How to Protect Backup Systems from Ransomware Attacks,” that leaders focused on securing data center infrastructure should “accelerate recovery from attacks by adding a dedicated tool for backup and recovery of Microsoft Active Directory.” Without AD-specific recovery, organizations are at risk of losses in revenue, downtime, reputational damage, and litigation while they scramble to recover AD and restore access to applications and services that power business operations. Here are some of the reasons traditional backups are not adequate for recovering AD from a cyber incident:

  • Potential reintroduction of malware: In the case of a cyberattack, traditional data backups might contain rootkits, ransomware or other malware
  • Data loss: Malware remains latent for weeks or months before discovery, increasing the risk that malware will be restored with the backup
  • Prolonged outages: Traditional data backups do not address the significant challenges of hardware setup, backup retrieval, and rebuilding AD.
Learn More
Manually recovering an AD forest is time-consuming and error-prone

Recovering an AD forest using the Microsoft guidelines (a 28-step process) can take days or weeks. When malware is affecting business operations, you can’t afford to waste time in recovering AD through a manual process. In the event of a cyber disaster that requires you to recover AD, you need the ability to:

  • Recover multiple AD forests simultaneously
  • Recover AD faster than you could do it manually by automating the process, ideally cutting recovery time from day or weeks to minutes or hours
  • Recover AD without reintroducing malware
  • Recover AD even if your DCs are infected or wiped out
  • Quickly provision new physical or virtual hardware for the recovery
  • Easily set up and test your AD forest recovery plan
Learn more
Our mission resonates with industry leaders
Gartner Peer Insights

If there’s one thing you need in the case of an Active Directory attack, out of any solution out there, it’s ADFR. With other backup solutions, there’s nothing that can guarantee you’re not reintroducing malware.

Senior Security Manager Global Consulting Firm
World Business

When I saw Semperis ADFR for the first time, it nearly brought tears of joy to my eyes. It is exactly what I hoped for in an AD recovery tool. Over the years, I’ve had numerous concerns about AD forest recovery, and Semperis addresses them all.

Learn more InfoSec Identity and Directory Lead Global Fortune 500 Retailer
Gartner Peer Insights

Active Directory Forest Recovery is a proven recovery solution that works every time.

Read review Lead IAM Engineer, IT Security & Risk Management Enterprise Healthcare & Biotech Company
Prime Healthcare logo

Having ADFR at the center of our disaster recovery plan put our mind at ease because now we know that if an incident happens again that takes out the DCs, we have a direct course of action.

Learn more David Yancey Prime Healthcare Senior Systems Engineer

Frequently asked questions about Active Directory backup and recovery

Will a bare-metal recovery (BMR) backup work for recovering AD after a cyberattack?

BMR, although historically a convenient way to recover an entire server, has several downfalls in an AD attack incident.

The first is potential reintroduction of malware. BMR backs up and restores everything on the domain controller (DC), including the OS, registry, and system files. In the case of a cyberattack, the backup might contain rootkits, ransomware, or other malware installed by threat actors. When you restore the backup, those malicious DLLs and executables will be restored along with the backup.

Second is data loss. Determining the time window for a malware-free backup can be difficult if—as with many recent cyberattacks—malware remains latent for weeks or months before discovery. The further in the past you must go to find a clean backup, the more data is lost.

The third downside of BMR recovery is prolonged outages. BMR extends recovery time in several ways:

  • Hardware setup: BMR is designed for recovery to matching hardware, so you are dependent on another infrastructure that might not be working because of the attack.
  • Backup retrieval: Because BMR backups contain the entire system, they are large. Bigger backups consume more storage and network bandwidth and take longer to retrieve, especially when stored in the cloud.
  • Rebuilding AD: Restoring AD from an older BMR backup requires recreating directory changes, reconfiguring applications, rejoining workstations—all of which requires time that delays recovery.
  • Backup selection: Finding a clean BMR backup is an iterative process (retrieve, mount, extract, test, repeat) that takes time, further delaying recovery.
What criteria should I look for in an AD backup and recover solution to cover cyber incidents?

To ensure AD recovery in a cyberattack scenario, you need the ability to:

  • Recover multiple AD forests
  • Recover AD faster than you could do it manually by automating the process—ideally in minutes or hours
  • Recover AD without reintroducing malware
  • Recover AD even if your DCs are infected or wiped out
  • Quickly provision new physical or virtual hardware for the recovery
  • Easily set up and test your AD forest recovery plan
  • Easily conduct post-breach forensics to ensure that malware is eradicated (you’re restoring AD to a clean environment)
We have virtualized our domain controllers. Can I use DC snapshots for AD backup and recovery?

No: DC snapshots are no substitute for a purpose-built AD backup and recovery solution for cyber disasters, for a few reasons. First, a forest recovered from snapshots will have data consistency problems. Second, if malware was on the DCs at snapshot time, you’ll simply be restoring the malware. Third, you must rebuild whatever servers you don’t restore from the snapshots, which will be a manual, time-consuming, and error-prone process. For more details on this, check out “Why DC Snapshots Are No Substitute for Active Directory Backups.” Fourth, Microsoft does not recommend DC snapshots for disaster recovery. 

Should AD backups be stored offline?

Offline AD backups are an essential part of any comprehensive data protection strategy. By saving backups on a non-domain joined server, companies can ensure a safe place to start for AD recovery. To further enhance security, it’s recommended to protect backups from being overwritten by using a tested, secure offline storage methodology. Alternatively, third-party tools can be used to copy backup images to Azure or AWS blob storage for added redundancy. For more information, see “The Dos and Don’ts of AD Recovery.”

Reduce cyberattack downtime with automated AD backup and recovery

How quickly could you recover AD after a cyberattack? Learn how to ensure fast AD backup and recovery with this step-by-step guide from Semperis AD security and recovery experts.

Download the AD Backup & Recovery Guide