Overview
Active Directory (AD) Forest Recovery is a critical operation used to restore your entire directory structure in the event of a catastrophic failure or ransomware attack.
This process involves selecting specific domains, identifying healthy target hosts, and applying snapshots to restore data integrity.
πNote: Forest recovery is a critical, non-reversible operation. Ensure you have reviewed all settings and have the necessary administrative permissions before starting.
Initiate Forest Recovery from Druva Console
Log into your management console.
On the Cloud Platform dashboard, navigate to the Global Navigation icon and click Microsoft Active Directory. The Microsoft Active Directory landing page appears. Navigate to Forests.
On the Forests landing page, locate the forest you wish to restore.
Click the Recover Forest button located in the top-right corner of the forest details card.
Select Domains to Recover - Select Domains tab
The recovery wizard will open to the Select Domains tab. Choose which parts of your network you want to restore.
View the list of available domains, including their hostnames and the timestamp of the last completed backup.
Select the checkboxes for the domains you need to recover.
Click Next.
Select Target Hosts tab
In this step, you verify the connectivity of the servers where the data will be restored.
Review the Connection Status for each domain:
Green Checkmark: The host is connected and ready.
Red X: The host is disconnected or unreachable.
If a host is disconnected, click Reregister.
This will open a dialog to download the latest agent and generate a new Registration Key.
Install the agent on the target server and activate it using the key provided.
Once the agents are active, click Sync Now to refresh the connection statuses.
When all target hosts show a successful connection, click Next.
Choose Recovery Points - Recovery Point tab
Specify which point-in-time snapshot to use for each domain.
Select Snapshot: Use the dropdown menu to choose the preferred backup timestamp for each domain.
Shared Folder Path: Enter the network path (e.g.,
\\server\share) where the recovery data should be temporarily stored. Ensure the target path has sufficient disk space for the restore.Click Next.
Review and Execution - Review and Runbook tab
Before the recovery starts, you will see a final summary.
Recovery Summary: Double-check the Domain Names, Hostnames, Snapshots, and Shared Folder Paths.
Runbook: There is a link to a Runbook. This is a document containing manual steps you may need to perform after the automated recovery finishes. It is highly recommended to open this link now.
Once you are satisfied with the settings, click Start Recovery. Once you click on Start Recovery, you cannot undo the action.
Post-Recovery Monitoring
After initiating the recovery, you can track the progress of each domain restoration:
Navigate to the Jobs page in the left-hand sidebar.
Monitor the status until all tasks are marked as "Successful."
Runbook
This section outlines the procedures for recovering Active Directory from Druva System State backups. It covers two scenarios β recovering a single Domain Controller and recovering an entire Active Directory forest. It is designed for Active Directory administrators and security incident response teams.
How to choose your recovery path?
Before initiating the recovery process, use the following questions to determine the appropriate scenario and recovery path.
Step 1: Assess the Scope of the Failure
Is the entire AD forest compromised or down?
No: If only a single Domain Controller (DC) or a few DCs have failed while others remain healthy, follow Section A β Single DC Recovery.
Yes: If the entire forest is down or compromised, proceed to Step 2.
Step 2: Determine Hardware Availability (for Forest Recovery)
Is the original DC server hardware available and operational (bootable)?
Yes: If you are restoring the forest onto the existing, intact server hardware, follow Section B1 β Forest Recovery on the Same Machine.
No: If the original hardware is unavailable and you are restoring onto a new or different server, follow Section B2 β Forest Recovery on a Different/New Machine. This path includes essential preparatory steps for the new machine before the standard recovery phases begin.
Here is a quick summary to help you determine the scenario and correct recovery path:
Scenario | Recovery Path | Complexity |
One DC failed, other DCs healthy | Low | |
Entire forest down, original hardware available | High | |
Entire forest down, original hardware unavailable | Highest |
The following infographic outlines the process for selecting the appropriate recovery path.
Common Pre-requisites for forest recovery
These prerequisites apply to all recovery scenarios:
DSRM Password
Ensure the DSRM password is known. If it is not, reset the password immediately using the following command:
ntdsutil
set dsrm password
reset password on server <DCName>
quit
quit
Pre-Incident Documentation
The following information must be captured while the forest is healthy and stored in a secure offline location (physical binder or encrypted password manager).
Entity | How to capture | Why it matters? |
FSMO role holders |
| Identifies which DC holds each role |
Global Catalog (GC) server names |
| GC must be restored first |
DC hostnames and IP addresses |
| Required for network configuration during restore |
Domain SID |
| Validates identity after restore |
Backup snapshot dates | Druva Console | Selects the correct restore point |
OS version and build number |
| Required if restoring to a new machine |
Before a forest failure, if the necessary documentation has not been collected, execute the following command on a healthy Domain Controller (DC):
netdom query fsmo
Get-ADDomainController -Filter * | Select Name, IPv4Address,
IsGlobalCatalog, OperatingSystem, Site
Required Access and Credentials
Access Required | Details |
Enterprise Admins credentials | Full forest-level administrative access |
DSRM password | Required to boot into Directory Services Restore Mode |
Druva Console access (Cloud Admin role) | Required to initiate system state restore from cloud |
Built-in tools on every Domain Controller (DC)
No additional software installation is required. The following tools are available on every Windows Server Domain Controller:
dcdiag, netdom, nltest, repadmin, wbadmin, ntdsutil, nslookup, w32tm
Once you have ensured the pre-requisites are met, perform the following steps based on the scenario you are in.
Section A β Single DC Recovery
Scenario: The Active Directory (AD) forest remains operational and healthy. A small number of Domain Controllers (DCs) have become unavailable and require restoration using Druva backup. The remaining Domain Controllers in the forest are functioning correctly and maintaining normal replication.
Distinction from Forest Recovery: Since the forest is operational, the restored Domain Controller (DC) will automatically synchronize and replicate data from its healthy peers upon returning online. Consequently, critical post-restoration steps typically associated with a full forest recoveryβsuch as seizing Flexible Single Master Operation (FSMO) roles, invalidating the Relative ID (RID) pool, resetting the Kerberos Key Distribution Center (krbtgt) account password, or re-establishing trusts are unnecessary.
Step A1 Prepare and isolate
Ensure the failed DC is ready for restore.
Verify the DSRM password is known. If unknown, reset it on a healthy DC using the following command:
ntdsutil
set dsrm password
reset password on server <FAILED_DC_NAME>
quit
quit
Step A2 Initiate Restore from Druva
Druva copies system state files (NTDS.dit, SYSVOL, registry) from cloud to the Domain Controller (DC). The Active Directory (AD) state remains unchanged at this juncture.
Initiate Forest Recovery -System State Recovery from the Druva management console. See, how to initiate forest recovery from Druva console.
Proceed directly to Phase 3; do not reboot the Domain Controller (DC) at this time.
Step A3 Apply system state in DSRM
A3.1 Boot into DSRM
Use one of the following methods:
GUI method: Open
msconfigβ Boot tab β Check "Safe boot" β Select "Active Directory repair" β OK β Restart.Command line method:
bcdedit /set safeboot dsrepair
shutdown /r /t 0
A3.2 Apply the System State
Log in with DSRM credentials (.\Administrator with the DSRM password), then run:
wbadmin start systemstaterecovery -backuptarget:<BACKUP_LOCATION>
-machine:<DC_NAME> -quiet
After the reboot, press Enter to continue. (Note: You are still in DSRM Mode after reboot).
A3.3 Set Registry Key
Prevent the DC from waiting for an initial replication sync (it will sync from healthy peers after normal boot):
reg add "HKLM\System\CurrentControlSet\Services\NTDS\Parameters" /v "Repl Perform Initial Synchronizations" /t REG_DWORD /d 0 /f
Mark SYSVOL as ready so Netlogon can advertise the DC:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "SysvolReady" -Value 1
Verify the change using the following command:
Get-ItemProperty -Path
"HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name
"SysvolReady"
A3.4 Restart into Normal Mode
Exit DSRM and restart the system into normal mode.
bcdedit /deletevalue safeboot
shutdown /r /t 0
Or use msconfig: Boot tab β Uncheck "Safe boot" β OK β Restart.
A4 Verify and Rejoin
After the restart, confirm that the following four services are operational before continuing.
A4.1 Verify Core Services
Get-Service NTDS, Netlogon, KDC, DNS | Select-Object Name, Status
All four services must show status "Running" before proceeding.
A4.2 Force Replication from Healthy Peers
repadmin /syncall /AdeP
repadmin /replsummary
repadmin /showrepl * /errorsonly
Expected: zero failures in the replication summary and no errors in showrepl output.
A4.3 Verify DNS
nslookup -type=srv _ldap._tcp.<DOMAIN_FQDN>
nslookup -type=srv _gc._tcp.<FOREST_ROOT_FQDN>
If SRV records are missing, restart the Netlogon service to re-register them:
net stop netlogon && net start netlogon
A4.4 Verify DC Health
dcdiag /v /s:<RESTORED_DC_NAME>
dcdiag /test:advertising /v /s:<RESTORED_DC_NAME>
nltest /sc_verify:<DOMAIN_FQDN>
A4.5 Single DC Recovery Validation Checklist
# | Check | Command | Expected Result |
1 | Services running | Get-Service NTDS,Netlogon,KDC,DNS | All Running |
2 | DC advertising | dcdiag /test:advertising /v | Passed |
3 | DNS SRV records | nslookup -type=srv _ldap._tcp.<DOMAIN> | Returns DC records |
4 | Replication clean | repadmin /replsummary | 0 failures |
5 | SYSVOL shared | net share | findstr SYSVOL | SYSVOL entry visible |
6 | Secure channel | nltest /sc_verify:<DOMAIN> | Success |
7 | Authentication | Log on as a domain user from a client machine | Success |
8 | Event log clean | Get-WinEvent -LogName "Directory Service" -MaxEvents 50 | No critical errors |
Section B β Whole Forest Recovery
Scenario: The entire AD forest is down or compromised. All Domain Controllers need to be recovered from Druva backups.
βImportant: Always recover the forest root domain first, followed by child domains (Parent β Child). Child domains at the same level may be recovered concurrently.
Section B is divided into two sub-sections:
B1 β Forest Recovery on the Same Machine
The original DC hardware is available. No additional machine-preparation steps are needed.
Phase 1 β Prepare for Recovery
Verify the DSRM password is known. If unknown, reset it:
ntdsutil
set dsrm password
reset password on server <DC_NAME>
quit
quitIsolate the DC from the network to prevent stale replication. Do one of the following:
Disconnect the network cable
Disable the NIC in Device Manager
Apply firewall rules to block AD replication ports
Confirm you have the pre-disaster baseline documentation (see Pre incident documentation). If available, locate the saved baseline JSON file (e.g.,PRE_DISASTER_BASELINE_DC1.json).
Phase 2 Initiate Restore from Druva (Data Transfer)
Druva copies system state files (NTDS.dit, SYSVOL, registry) from cloud to the Domain Controller (DC). The Active Directory (AD) state remains unchanged at this juncture.
Initiate Forest Recovery -System State Recovery from the Druva management console. See, how to initiate forest recovery from Druva console.
Phase 3 Apply system state in DSRM
3.1 Boot into DSRM
Use one of the following methods:
GUI method: Open
msconfigβ Boot tab β Check "Safe boot" β Select "Active Directory repair" β OK β Restart.Command line method:
bcdedit /set safeboot dsrepair
shutdown /r /t 0
3.2 Apply the System State
Log in with DSRM credentials (.\Administrator with the DSRM password), then run:
wbadmin start systemstaterecovery -backuptarget:<BACKUP_LOCATION>
-machine:<DC_NAME> -quiet
After the reboot, press Enter to continue. (Note: You are still in DSRM Mode after reboot).
3.3 Set Registry Key
Registry Key 1 β Skip initial replication sync. In forest recovery, no healthy replication partner exists. Without this setting, NTDS waits indefinitely for a sync partner that will never respond.
reg add "HKLM\System\CurrentControlSet\Services\NTDS\Parameters" /v "Repl Perform Initial Synchronizations" /t REG_DWORD /d 0 /f
Registry Key 2 β Mark SYSVOL as ready. Netlogon requires SYSVOL to be flagged as ready before it will advertise the DC. Since there is no DFSR partner to sync from, this must be set manually.
Set-ItemProperty -Path
"HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
-Name "SysvolReady" -Value 1
Verify the change:
Get-ItemProperty -Path
"HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
-Name "SysvolReady"
3.4 Stop Services to Prevent Premature Activity
net stop kdc
net stop Netlogon
Stop the Group Policy client to prevent GPO processing before SYSVOL is stable:
Stop-Service gpsvc -Force
3.5 Exit DSRM and Restart to Normal Mode
bcdedit /deletevalue safeboot
shutdown /r /t 0
3.6 Verify Core Services After Normal Boot
Confirm all four services are running before proceeding to Phase 4:
Get-Service NTDS, Netlogon, KDC, DNS | Select-Object Name, Status
All must show the status "Running".
Phase 4 Post-Restore Configuration
Start with the forest root domain and perform these steps on the first recovered Domain Controller (DC) in each domain.
4.1 Verify FSMO Roles
Verify:
netdom query fsmo
4.2 Raise and Invalidate the RID Pool
After a restore, the RID pool may overlap with RIDs that were already issued before the backup was taken. Raising the pool by 100,000 prevents SID duplication for newly created objects.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\RID Values"
$pool = (Get-ItemProperty $key)."RID Available Pool"
$pool = (Get-ItemProperty $key)."RID Available Pool"
$max = [int]($pool -shr 32) + 100000
$next = [int]($pool -band 0xFFFFFFFF)
Set-ItemProperty $key "RID Available Pool" (([long]$max -shl 32) -bor [long]$next)
Invalidate the current pool to force the DC to request a fresh pool from the RID Master:
Remove-ItemProperty $key "RID Allocated Below" -ErrorAction SilentlyContinue
Restart-Service NTDS -Force
Verify the RID pool is healthy:
dcdiag /test:ridmanager /v
4.3 Reset Computer Account Password twice
netdom resetpwd /server:<DCHostname> /userd:<Domain>\<Admin> /passwordd:*
netdom resetpwd /server:<DCHostname> /userd:<Domain>\<Admin> /passwordd:*
Enter the password when prompted for each reset.
4.4 Reset DSRM Password
Security best practice β always change the DSRM password after any recovery.
Reset the DSRN password using the following command.
ntdsutil
set dsrm password
reset password on server <THIS_DC>
quit
quit
Enter the new password when prompted.
4.5 Reset krbtgt Password twice
This invalidates any Kerberos tickets that were issued before the disaster. Two resets are required because AD retains both the current and previous password (N and N-1) for backward compatibility.
Set-ADAccountPassword $krb -Reset -NewPassword
ConvertTo-SecureString "Temp$(Get-Random)!" -AsPlainText
-Force)
Start-Sleep 10
Set-ADAccountPassword $krb -Reset -NewPassword
(ConvertTo-SecureString "Temp$(Get-Random)!" -AsPlainText
-Force)
Wait 10 seconds between resets to allow the first change to propagate
4.6 Sync Time Service
Kerberos authentication requires time to be synchronized within 5 minutes across all DCs. The PDC Emulator is the authoritative time source for the forest.
On the PDC Emulator (forest root DC):
w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:YES /update
w32tm /resync /force
Verify:
w32tm /query /status
Phase 5 Multi-Domain Forest Recovery
This phase applies only if your forest contains multiple domains.
βImportant:
Always recover the parent before the child; trust and DNS delegation rely on this order.
Recovery of child domains at the same level can be performed concurrently.
Example: For a forest with root domain usa.com and child domains california.usa.com, newyork.usa.com, and chicago.usa.com:
Recover usa.com first (Phases 1β4).
Then recover california.usa.com, newyork.usa.com, and chicago.usa.com:
β these can be done in parallel (repeat Phases 2β4 for each).
5.1 Repeat Recovery Phases on Each Child Domain DC
For each child domain DC, repeat Phases 2 through 4 (Restore from Druva β Apply in DSRM β Post-Restore Configuration).
5.2 Validate Trust Relationships
After each child domain is recovered, verify the trust between child and parent:
netdom trust <ChildDomain> /domain:<RootDomain> /verify
nltest /sc_verify:<RootDomain>
If the trust is broken, reset it:
netdom trust <CHILD_DOMAIN> /domain:<PARENT_DOMAIN> /reset
5.3 Verify Cross-Domain DNS Delegation
From the forest root DC, verify that child domain DNS resolves correctly:
nslookup <CHILD_DOMAIN_FQDN>
nslookup -type=srv _ldap._tcp.<CHILD_DOMAIN_FQDN>
Phase 6 Reconnect & Verify Replication
6.1 Re-Enable Network Connectivity
Reconnect the DC to the network by re-enabling the NIC, plugging in the network cable, or removing firewall rules.
6.2 Verify Replication
repadmin /syncall /AdeP
repadmin /replsummary
repadmin /showrepl * /errorsonly
Expected Result: Zero failures in the replication summary. No output from the errors-only command.
Check the event viewer for any warnings or failures:
Get-WinEvent -LogName "Directory Service" -MaxEvents 50 | Where-Object { $_.Level -le 2 } | Select-Object TimeCreated, Id, Message6.3 Verify DNS & DC Advertising
dcdiag /test:advertising /v
nslookup -type=srv _ldap._tcp.<DOMAIN_FQDN>
nslookup -type=srv _gc._tcp.<FOREST_ROOT_FQDN>
If SRV records are missing:
net stop netlogon && net start netlogon
6.4 Verify Global Catalog
In AD Sites and Services: NTDS Settings β Properties β check Global Catalog β OK
Check the Directory Service log for Event ID 1119; this verifies that the Global Catalog (GC) is ready.
Get-WinEvent -LogName "Directory Service" | Where-Object Id -EQ 1119 |
Select-Object -Last 5
Verify GC is advertising:
nltest /dsgetdc:<DOMAIN_FQDN> /gc
Step 7 Final Validation Checklist
Execute this runbook on every recovered Domain Controller (DC). Do not declare the recovery complete until all listed items have passed.
# | Check | Command | Expected |
1 | Services running |
| All Running |
2 | DC advertising |
| Passed test Advertising |
3 | FSMO roles correct |
| All 5 roles on expected DCs |
4 | DNS SRV records |
| Returns DC records |
5 | Replication clean |
| 0 failures |
6 | SYSVOL shared |
| SYSVOL entry visible |
7 | Lingering objects |
| No objects found |
8 | GC advertising |
| Returns GC server |
9 | Authentication | Log on as a domain user from a client machine | Success |
10 | Event log clean |
| No critical errors |
For automated validation, run the project script after_recovery.ps1 with appropriate parameters (see Section 6).
Post-Recovery Actions
Action | Required When |
Reset all admin passwords (Enterprise Admins, Domain Admins, Schema Admins) | If failure was caused by a security breach |
Reset trust passwords with external forests | If failure was caused by a security breach |
Re-enable Windows Update | Always |
Redistribute FSMO roles to intended DCs | Recommended |
Register Domain and initiate immediate Druva backup <Link to doc article for Register and Configure backup> | Always β establishes clean baseline |
Update offline environment documentation | Always |
B2 β Forest Recovery on a Different / New Machine
This section covers the additional prerequisites required when the original DC hardware is unavailable and you are restoring onto a new or different server.
πNote: Follow Phases 1 through 7 in Section B1 after completing the necessary prerequisites mentioned below.
B2 Prerequisite 1 β Match OS Version and Build
The new machine must run the exact same Windows Server version and build number as the original DC. A mismatch can cause the system state restore to fail or produce an unstable configuration.
Check the current OS on the new machine:
[System.Environment]::OSVersion
Get-ComputerInfo | Select-Object OsName, OsVersion, OsBuildNumber
If the build does not match the original DC:
Install the exact same Windows Server version.
Apply the same cumulative updates to match the build number.
Then proceed to Prerequisite 2.
B2 Prerequisite 2 βMatch Hardware and Disk Size
The new machine's disk configuration must be compatible with the original DC.
Get-Disk | Select-Object Number, Size, PartitionStyle
Get-Volume | Select-Object DriveLetter, Size, SizeRemaining
The system drive (C:) must be equal to or larger than the original DC's system drive.
If the original DC had separate drives for the NTDS.dit database or transaction logs, create matching drive letters with sufficient space.
B2 Prerequisite 3 β Stop Windows Update
Windows Update must be disabled on the new machine before restoring the system state. This prevents any configuration changes (patches, feature updates) that could create a mismatch between the restored state and the running OS.
Stop-Service wuauserv -Force
Set-Service wuauserv -StartupType Disabled
Verify it is stopped:
Get-Service wuauserv | Select-Object Name, Status, StartType
Also disable auto-updates via registry:
reg add
"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 1 /f
B2 Prerequisite 5 β Verification Before Proceeding
Complete this checklist before starting Phase 1 from Section B1.
Check | Command | Expected Result |
OS version matches original DC |
| Same version |
Build number matches original DC |
| Same build |
Windows Update stopped and disabled |
| Stopped, Disabled |
Disk space is sufficient |
| Equal or larger than original |
Once all checks pass, proceed to Phase 1 β Prepare for Recovery in Section B1.
Quick Command Cheat Sheet
# FSMO roles
netdom query fsmo
# Replication health
repadmin /replsummary
repadmin /showrepl * /errorsonly
# DNS SRV records
nslookup -type=srv _ldap._tcp.<domain>
# DC health
dcdiag /v /e
# Services
Get-Service NTDS,Netlogon,KDC,DNS,DFSR | Select Name,Status
# GC status
nltest /dsgetdc:<domain> /gc
# Event log errors
Get-WinEvent -LogName "Directory Service" -MaxEvents 100 | Where-Object Level -le 2
# Force replication
repadmin /syncall /AdeP