title: Forest Recovery Procedures
sidebar_label: Recovery Procedures
description: Complete guide to forest recovery using domain controller backups, restore playbooks, and automated recovery processes for disaster scenarios.

Recover a Forest

You can recover a forest using the domain controller backups generated by Recovery for Active Directory. A restore playbook, also called a recovery playbook, is used to restore a forest. Once the desired domain controllers have been added to the restore playbook, the forest recovery process can be initiated and the forest will be restored using the automated process provided by Recovery for Active Directory.

Use Cases for Restoring Domain Controller Backups

Administrators may need to bring a forest backup created by Recovery for Active Directory online in the following scenarios:

  • Stand up a duplicate of a domain controller, for example, stand up a duplicate in a lab environment for testing purposes
  • Restore a server or domain controller to a specific state-in-time image
  • Restore lost or deleted data

Prerequisites

To perform a forest recovery, the following prerequisites must be in place:

  • Configure backups for one or more domain controllers in each domain in a forest.
  • Next, ensure that backups run as scheduled. You can also force-run a backup.

See the Forest Page topic for additional information.

Recover a Forest

Follow the steps to recover a forest.

  • Step 1 – Prepare an isolated environment to restore the forest to.

    See the Target Server Considerations topic to understand the requirements for a target environment and target servers for restoring domain controllers.

  • Step 2 – Add the desired domain controllers to create a recovery playbook, also called a restore playbook.

    For example, if you have a forest with one root domain and four child domains, you can add one domain controller from the root domain and one from each of the child domains to the recovery playbook, and restore your forest.

  • Step 3 – When your playbook is complete, use the "Start" command to start the forest recovery process.

The following restore capabilities are supported:

  • VM DC backup to VM
  • VM DC backup to Physical
  • Physical DC backup to VM
  • Physical DC backup to Physical DC

Create a Recovery Playbook

A recovery playbook is a list of domains and domain controllers for those domains that you want to restore to an isolated environment. Ideally, it should be a physical environment, but a virtual environment can work too. For example, you can choose a Hyper-V or a VMware environment hosted in Azure or AWS, and isolated from the rest of the domain.

Once the desired domain controllers have at least one backup to choose from, you can start the forest recovery playbook by adding the domain controllers to it.

NOTE: You only need one backup of a domain controller for each domain in the forest. Any other domains can then be added via the playbook or you should handle them manually using the "add DC to the domain, let replication happen" model.

Follow the steps to create a recovery playbook.

Step 1 – Click Forest in the left pane to open the Forest page.

Step 2 – On the Forest page, select a forest to view the domain controllers in it. To locate a domain controller in a specific domain, expand the forest in the left pane and select a domain. The adjacent pane displays the domain controllers in that domain.

Step 3 – Click the Add Domain Controller to Restore Playbook icon (+) for a domain controller to add it to the recovery playbook. The Add to Recovery Playbook wizard opens, where you can specify the restore settings for the domain controller.

Add to Recovery Playbook wizard - Domain Controller page

Step 4 – On the Domain Controller page, the Source Domain Controller section displays information for the domain controller that is being added to the playbook. It displays the domain it is deployed to, its name, operating system, and the date and time of the most recent backup.

In the Target Server section:

  • In the Server field, enter the IP address of the target server where you want to restore the domain controller from the backup.
  • Provide the credentials of an account in the Account and Password fields. This must be an administrator account for the target server.

See the Target Server and Operating System Requirements topic for additional information.

Step 5 – Click Next.

Add to Recovery Playbook wizard - Options page

Step 6 – From the Backup drop-down menu, select the backup to use for restoring the domain controller. The drop-down menu lists the backups available for the domain controller.

NOTE: If you do not choose a backup for a domain controller, an attempt will be made to join the domain controller to the existing domain that was restored previously in the playbook using a backup of another domain controller.

Step 7 – If the backup is encrypted, provide the password used for encryption in the Encryption Password field. This allows the recovery process to decrypt the backup.

Step 8 – From the Roles drop-down menu, select the FSMO role(s) the domain controller will acquire when it is restored. You can:

  • Select the Acquire All Roles option to assign all FSMO roles to the domain controller.
  • Select one or more FSMO roles to assign to the domain controller. All five FSMO roles are listed.
  • Select Restore original roles to retain the previously assigned roles that are defined in the backup.
  • Select Do not assign any roles if you do not want to assign any role to the domain controller. This option is selected by default, because the first domain controller in your domain automatically acquires all the FSMO roles.

Step 9 – In the DSRM Password field, set the Directory Services Restore Mode (DSRM) password for the to-be-restored domain controller.

Step 10 – Click Next.

Add to Recovery Playbook wizard - Confirm page

Step 11 – The Confirm page displays a summary of the settings you provided on the pages of the wizard. Use the Back button to return to a previous page and change any setting. Click Complete to finish the wizard.

The playbook has been created with the domain controller added to it.

Repeat this process for all the domain controllers you wish to restore in the target environment. When you add another domain controller, it appears as a new tab added to the playbook. Click the tab representing a domain controller to view its details.

Recovery Playbook created on the Forest Page

The following information is displayed for a domain controller in the playbook:

  • Original Server – The name of the server that you added to the playbook for restore
  • Target Server – The server where the domain should be restored
  • Domain – The domain the domain controller belongs to
  • Operating System – The operating system of the original server (the domain controller to be restored)
  • Version – The operating system of the original server (the domain controller to be restored)
  • Roles – The FSMO role(s) the domain controller will acquire when restored
  • Backup Time – The date and time of the backup that will be restored for the domain controller
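
Before running a playbook, it can help to check the plan against the rules stated above: one backup-restored domain controller per domain, and any domain controller added without a backup placed after one that restores its domain. The following Python sketch is an added example, not part of Recovery for Active Directory; the playbook representation (the keys dc, domain, backup, roles), the role names and the sample data are hypothetical. It also flags an FSMO role assigned to more than one domain controller within the role's scope, since each role has a single holder per forest or per domain.

```python
from collections import defaultdict

# Two FSMO roles have one holder per forest; the other three, one per domain.
FOREST_ROLES = {"SchemaMaster", "DomainNamingMaster"}
DOMAIN_ROLES = {"RIDMaster", "PDCEmulator", "InfrastructureMaster"}

# Constructed sample plan: a root and one child domain. The child DC has no
# backup selected, and PDCEmulator for the root domain is claimed twice.
SAMPLE_DOMAINS = ["corp.example", "eu.corp.example"]
SAMPLE_PLAYBOOK = [
    {"dc": "ROOT-DC1", "domain": "corp.example", "backup": "2024-01-01 02:00",
     "roles": ["SchemaMaster", "PDCEmulator"]},
    {"dc": "EU-DC1", "domain": "eu.corp.example", "backup": None, "roles": []},
    {"dc": "ROOT-DC2", "domain": "corp.example", "backup": None,
     "roles": ["PDCEmulator"]},
]


def check_playbook(forest_domains, entries):
    """Return the problems found in a planned playbook (empty list = none).
    entries is ordered as in the playbook; each dict uses the hypothetical
    keys dc, domain, backup (None = no backup selected) and roles."""
    problems = []
    restored = set()            # domains already restored from a backup
    owners = defaultdict(list)  # (scope, role) -> DCs asked to acquire it
    for e in entries:
        if e["backup"]:
            restored.add(e["domain"])
        elif e["domain"] not in restored:
            # With no backup the DC is joined to a domain restored earlier
            # in the playbook, so that domain must already be in `restored`.
            problems.append(f"{e['dc']}: no backup and {e['domain']} "
                            "is not restored earlier in the playbook")
        for role in e["roles"]:
            if role not in FOREST_ROLES | DOMAIN_ROLES:
                problems.append(f"{e['dc']}: unknown FSMO role {role}")
                continue
            scope = "forest" if role in FOREST_ROLES else e["domain"]
            owners[(scope, role)].append(e["dc"])
    for domain in forest_domains:
        if domain not in restored:
            problems.append(f"{domain}: no domain controller restored from a backup")
    for (scope, role), dcs in owners.items():
        if len(dcs) > 1:
            problems.append(f"{role} ({scope}): assigned to {', '.join(dcs)}")
    return problems
```

Calling check_playbook(SAMPLE_DOMAINS, SAMPLE_PLAYBOOK) reports three problems for the constructed plan; a plan with a backup selected for one domain controller in each domain and no repeated role returns an empty list.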

Run the Recovery Playbook

When your playbook is ready, click Start to initiate the forest recovery process. The machine will reboot once the recovery process is complete.

Your new forest is ready for you to log in using any Administrator credentials from the forest.

Notice that the Forest page displays the operations performed during the restore process.

Forest page showing a restored forest

From here, you can proceed to restore additional domain controllers or promote new ones to the forest.