Detect symptoms of forest-wide failure
This article describes some scenarios that might require forest recovery.
When symptoms of a forest-wide failure appear, such as in event logs or other monitoring solutions, work with Microsoft Support to determine the cause of the failure, and evaluate any possible remedies.
In the meantime, the Cayosoft Guardian recovery process has no dependencies on the production site and doesn't interrupt the investigation. The recovery process can be initiated as soon as some symptoms of a possible forest-wide failure are confirmed.
A recovery site is required to proceed with the forest recovery process.
Creating a recovery site manually can be time-consuming, so it is strongly recommended to have at least one verified recovery site ready for immediate recovery.
- Learn more about how to prepare a recovery site manually: Prepare recovery site manually.
- Learn more about how to automate the creation of the recovery site in Entra ID: .
Examples of forest-wide failures
- All DCs have been logically corrupted or physically damaged to a point that business continuity is impossible; for example, all business applications that depend on AD DS are nonfunctional.
- A rogue administrator has compromised the Active Directory environment.
- An attacker intentionally, or an administrator accidentally, runs a script that spreads data corruption across the forest.
- An attacker intentionally, or an administrator accidentally, extends the Active Directory schema with malicious or conflicting changes.
- An attacker has managed to install malicious software on DCs, and you have been advised by Microsoft Support to recover the forest from backup.
- None of the DCs can replicate with their replication partners.
- Changes cannot be made to AD DS at any domain controller.
- New DCs cannot be installed in any domain.
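The replication symptom in the list above ("None of the DCs can replicate with their replication partners") differs from a localized outage in that every DC has failures on all of its inbound links. The PowerShell below is an added example, not Cayosoft or Microsoft code: it assumes the column layout of `repadmin /showrepl * /csv`, runs over constructed sample rows, and the function name `Get-ForestReplicationVerdict` is hypothetical.

```powershell
# Constructed sample in the column layout of `repadmin /showrepl * /csv`.
# On a live forest, use instead:  $lines = repadmin /showrepl * /csv
$lines = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",HQ,DC02,RPC,14,2024-05-02 09:10:00,2024-05-01 22:41:07,1722
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",Branch,DC03,RPC,14,2024-05-02 09:10:02,2024-05-01 22:40:51,1722
showrepl_INFO,HQ,DC02,"DC=corp,DC=example",HQ,DC01,RPC,13,2024-05-02 09:11:30,2024-05-01 22:41:10,8453
showrepl_INFO,Branch,DC03,"DC=corp,DC=example",HQ,DC01,RPC,15,2024-05-02 09:12:44,2024-05-01 22:39:58,1722
'@ -split "\r?\n"

function Get-ForestReplicationVerdict {
    param([string[]]$CsvLines)

    # Parse the CSV; only showrepl_INFO rows describe an inbound replication link.
    $rows  = @($CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv)
    $links = @($rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' })
    # showrepl_ERROR rows mark DCs repadmin could not query; they are only counted here.
    $unreachable = @($rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_ERROR' }).Count

    # One record per destination DC: inbound links seen, and how many are failing.
    $perDc = @($links | Group-Object -Property 'Destination DSA' | ForEach-Object {
        $failing = @($_.Group | Where-Object { [int]$_.'Number of Failures' -gt 0 })
        [pscustomobject]@{
            DC            = $_.Name
            InboundLinks  = $_.Count
            FailingLinks  = $failing.Count
            FullyIsolated = ($failing.Count -eq $_.Count)
        }
    })

    $isolated   = @($perDc | Where-Object { $_.FullyIsolated })
    $anyFailing = @($perDc | Where-Object { $_.FailingLinks -gt 0 })

    # ForestWide only when every DC has lost all of its inbound partners.
    $verdict = if ($perDc.Count -eq 0) { 'NoData' }
               elseif ($isolated.Count -eq $perDc.Count) { 'ForestWide' }
               elseif ($anyFailing.Count -gt 0) { 'Partial' }
               else { 'Healthy' }

    [pscustomobject]@{ Verdict = $verdict; UnreachableRows = $unreachable; PerDc = $perDc }
}

$result = Get-ForestReplicationVerdict -CsvLines $lines
$result.PerDc | Format-Table -AutoSize
"Verdict: $($result.Verdict) (unreachable DC rows: $($result.UnreachableRows))"
```

A `Partial` verdict points to a site or link problem rather than a forest-wide failure; `ForestWide` matches the symptom in the list and is the case to raise with Microsoft Support.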