Forest Recovery: Create, configure, verify and run forest recovery plan
This article describes how to create, verify, and run Active Directory forest recovery plans using Cayosoft Guardian.
Forest recovery plans enable organizations to design, validate, and regularly test the entire forest recovery process. These plans involve recovering a set of selected domain controllers to a pre-configured recovery site using previously created domain controller backups. Pre-recovery validation ensures the consistency of the recovery plan and the readiness of target machines in the recovery site. The recovery process itself is fully automated, providing a seamless and efficient operation.
Every Active Directory organization should develop a comprehensive recovery plan to address potential outages. Regular testing of these plans is essential to ensure preparedness. Cayosoft Guardian automates the most critical tasks associated with Active Directory forest recovery, simplifying the process and enhancing reliability.
Cayosoft Guardian has the following options:
- Automated Recovery: Cayosoft Guardian automates the forest recovery process, restoring your forest to its state at a selected time. Any modifications to the Active Directory database made after the selected time will be lost.
- Isolated Recovery Site: In the event of a forest-wide failure, diagnosing the cause can take significant time. Learn more about forest-wide failure symptoms in the following article: Detect symptoms of forest-wide failure. Cayosoft Guardian allows you to recover the forest to an isolated recovery site, ensuring that recovery operations do not affect the production environment. This enables immediate execution of the recovery plan without waiting for problem diagnosis.
Preparing a Recovery Site
A recovery site must be prepared in advance to verify the forest recovery plan or to execute it during an actual recovery event.
Components of a Recovery Site
A well-prepared recovery site includes:
- Virtual Machines: These will be used for recovering the domain controllers.
- Storage with Backups: Ensure that backups of the domain controllers are stored and readily accessible.
- Cayosoft Guardian Installation: Install Cayosoft Guardian to manage the recovery process.
- Network Infrastructure: Set up the necessary network infrastructure to support the recovery operations.
Manually creating recovery sites can be time-consuming. It is strongly recommended to have at least one verified recovery site ready for immediate use. This ensures that, in the event of a failure, the recovery process can be initiated without delay, significantly reducing downtime and ensuring business continuity.
Learn more about how to prepare a recovery site manually in the following article: Prepare recovery site manually.
Learn more about how to automate the creation of the recovery site in Azure in the following article: Forest Recovery: Create a cloud recovery site for Forest Recovery plan.
Create a forest recovery plan
Before creating a forest recovery plan, make sure that you have added all backup locations containing backups of the domain controllers to be recovered. You can check that all the necessary backups are registered in the DC Backups node.
Learn more about how to add backup locations in the following article: Forest Recovery: Add backup locations.
To create a recovery plan:
- Open Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Select the Recovery Plans node.
- Click Add button.
- Select the Forest recovery plan option. This is a comprehensive strategy designed to restore the entire Active Directory forest to a functional state after a catastrophic failure. This plan involves recovering all domain controllers across the forest, ensuring that all domains and their respective objects are restored. The process is fully automated, including pre-recovery validation and execution, minimizing manual intervention and ensuring consistency and reliability.
- Select Active Directory forest to be recovered.
- Enabling the Recover One Domain Controller per Domain option in a recovery plan ensures that only one domain controller per domain is recovered initially, which is recommended for speeding up the recovery process. This approach minimizes resource usage and complexity, allowing a quick return to operational status. Additional domain controllers can be promoted manually once the initial recovery is successful. Disabling this option allows the recovery plan to include one domain controller per domain to be recovered from a backup, with the other domain controllers automatically re-promoted, providing a more comprehensive and automated recovery solution.
- Select a recovery date using Recover to this point in time.
- After confirmation, Cayosoft Guardian will discover the latest backups created before the selected date on the connected Backup Locations and automatically assign these backups to each domain controller to be recovered.
Configure a forest recovery plan
The recovery plan consists of a list of domain controllers, domain controller recovery settings, action settings, and general plan settings. The values of some settings are populated from the backup automatically.
When deploying a recovery site in the cloud (Azure or AWS), Cayosoft Guardian automatically populates or modifies settings such as IP addresses, DNS-related settings, new DSRM passwords, credentials to access virtual machines in the cloud, and other settings that are required for successful recovery. Learn more in the following article: Forest Recovery: Create a cloud recovery site for Forest Recovery plan.
With a recovery site created manually, some settings, such as the credentials used to connect to machines in the recovery site, must be specified before launching the verification process or the forest recovery process. You might also need to change other settings that are required for successful verification or recovery. Learn more in the following article: Prepare recovery site manually.
Learn more about recovery plan settings in the following article: Manage forest recovery plan settings.
Verify a forest recovery plan
During the verification process, Cayosoft Guardian checks the recovery plan settings and the settings of each domain controller to be recovered. Learn more in the following article: Manage forest recovery plan settings. If any issue is encountered, an error or warning message is shown on the plan itself or on the domain controller properties page. Some of the verification checks are performed on the target machine in the recovery site.
Before running verification, the recovery site must be ready. Cayosoft Guardian can recover your forest to manually created recovery sites, or it can create an Azure recovery site automatically. Learn more in: Forest Recovery: Create a cloud recovery site for Forest Recovery plan.
To verify the recovery plan:
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Select the Recovery Plans node.
- Select your recovery plan and click Properties.
- To start verification, open the recovery plan and press Deploy recovery site or Verify.
- Once the verification process starts, Cayosoft Guardian opens the execution history.
- Once verification is complete, check the results in the Execution History of the plan. On the Domain Controllers tab, the verification status of each domain controller's settings is displayed with an icon. If verification fails for a specific DC, a message is displayed on the DC properties page.
After the Verify button is pressed an execution history record appears where you can observe execution steps, the current state, and the duration of each step. Each step produces detailed messages during the execution. These messages can be accessed with a click on the execution step. The Errors and warnings tab in the execution history record allows reviewing important issues related to this run.
To find verification history records related to specific Recovery Plans:
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Select the Recovery Plans node.
- Select your recovery plan and press Properties.
- On the plan properties page, switch to the Execution History tab.
- Find a verification history record, select it, and click Properties.
- See execution details on the Execution and the Errors and warnings tabs.
Run a forest recovery plan
You can run a recovery plan as soon as verification has completed successfully. With Cayosoft Guardian, the forest recovery plan is fully automated. Do not perform any manual actions on target machines, storage, or the Guardian Server during the recovery process. If the forest recovery plan fails with an error, the target environment must be reset to its original (pre-recovery) state before recovery can be retried.
To run a forest recovery plan:
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Select the Recovery Plans node.
- Open a recovery plan and press Run.
- Once the recovery process starts, Cayosoft Guardian opens the execution history.
- Wait until recovery is complete.
After the Run button is pressed an execution history record appears where you can observe execution steps, the current state, and the duration of each step. Each step produces detailed messages during the execution. These messages can be accessed with a click on the execution step. The Errors and warnings tab in the execution history record allows reviewing important issues related to this run.
Review forest recovery plan execution results
To review the execution results of a forest recovery plan:
- Open the Cayosoft Guardian web portal.
- Expand the Forest Recovery node.
- Select the Recovery Plans node.
- Select your recovery plan and click Properties.
- On the plan properties page, switch to the Execution History tab.
- Find an execution history record, and click Properties.
- See execution details on the Execution and the Errors and warnings tabs.
Switch existing forest recovery plans to use gMSA
This section provides information on how to move existing forest backup and recovery plans from a standard service account to a group Managed Service Account (gMSA).
Before you begin, make sure the following requirements are met:
- gMSA account for Guardian forest recovery
  - A gMSA created in Active Directory (for example, gmsa-guardian-fr$).
  - The gMSA is configured according to your organization’s policies and has:
    - Permission to log on as a service on domain controllers that run the backup agents.
    - Permission to access the backup storage locations that will be used by the forest backup plan.
- Break glass account for forest recovery
  - A dedicated high-privilege account (for example, Domain Admin / Enterprise Admin) used only for forest recovery operations.
  - The account is not used by automated services (such as Entra Connect) and is stored securely according to your security policy.
- Administrative credentials for agent deployment
  - Credentials with local administrator (or equivalent) permissions on the domain controllers where the Guardian agents will be installed or removed.
  - These credentials are used only during agent installation/uninstallation; the agents will run under the gMSA at runtime.
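The prerequisites above are checked in the Guardian portal, but the gMSA itself and the rights it needs live in Active Directory. The following PowerShell is an example added to this article, not Cayosoft's code: it provisions a gMSA that the Domain Controllers group can use, confirms on each DC that the account is usable and holds the "Log on as a service" right, checks for an ACE on the backup share, and audits the break-glass account against the points listed above. The account names, DNS host name, and share path are placeholders; run it from a domain-joined host with the ActiveDirectory RSAT module as a Domain Admin.

```powershell
# Example added to this article (not Cayosoft's code). All names, host names and paths are placeholders.
Import-Module ActiveDirectory

$GmsaName    = 'gmsa-guardianfr'                          # placeholder; keep the sAMAccountName at 15 characters or fewer
$DnsHostName = "$GmsaName.corp.example.com"               # placeholder DNS host name for the gMSA
$BackupShare = '\\backupsrv.corp.example.com\dcbackups'   # placeholder backup location used by the backup plan
$BreakGlass  = 'svc-fr-breakglass'                        # placeholder break-glass account sAMAccountName

# 1. A KDS root key must exist before any gMSA can be created (one per forest).
#    Even with -EffectiveImmediately, a multi-DC forest needs ~10 hours before the key is usable.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# 2. Create the gMSA and let only the Domain Controllers group (the hosts that run the backup agents)
#    retrieve its managed password.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
        -KerberosEncryptionType AES256 `
        -Description 'Backup agent account for forest recovery (example)'
}

# 3. On every DC: install the account locally, confirm the host can retrieve the password
#    (Test-ADServiceAccount is $true only then), and check the SeServiceLogonRight user right.
$gmsaSid  = (Get-ADServiceAccount -Identity $GmsaName).SID.Value
$dcChecks = foreach ($dc in (Get-ADDomainController -Filter *)) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $GmsaName, $gmsaSid -ScriptBlock {
        param($name, $sid)
        Import-Module ActiveDirectory
        Install-ADServiceAccount -Identity $name -ErrorAction SilentlyContinue

        # secedit exports the effective user-rights policy; SIDs in that file are prefixed with '*'.
        $inf = Join-Path $env:TEMP 'userrights.inf'
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $rightLine = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight' }
        Remove-Item $inf -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Host           = $env:COMPUTERNAME
            GmsaUsable     = (Test-ADServiceAccount -Identity $name)
            LogonAsService = [bool]($rightLine -and $rightLine -match [regex]::Escape("*$sid"))
        }
    }
}
$dcChecks | Format-Table Host, GmsaUsable, LogonAsService -AutoSize

# 4. The gMSA must reach the backup storage location: look for an explicit ACE for DOMAIN\<gmsa>$.
$shareAce = (Get-Acl -Path $BackupShare).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GmsaName`$" }
"Backup share ACE for $GmsaName present: $([bool]$shareAce)"

# 5. Break-glass hygiene: Enterprise Admin membership, no SPN (an SPN suggests a service is using it),
#    and no logon activity outside recovery tests.
$bg = Get-ADUser -Identity $BreakGlass -Properties MemberOf, ServicePrincipalNames, LastLogonDate, PasswordLastSet
[pscustomobject]@{
    Account             = $bg.SamAccountName
    EnterpriseAdmin     = [bool]($bg.MemberOf -match '^CN=Enterprise Admins,')
    HasServicePrincipal = ($bg.ServicePrincipalNames.Count -gt 0)
    LastLogonDate       = $bg.LastLogonDate
    PasswordAgeDays     = if ($bg.PasswordLastSet) { [int]((Get-Date) - $bg.PasswordLastSet).TotalDays } else { $null }
}
```

The "Log on as a service" right is normally granted through Group Policy on the Domain Controllers OU rather than on each DC individually; step 3 only verifies the effective result on each host, which is what matters to the agent at runtime. A `LogonAsService` of `$false` on a DC that Guardian has not yet deployed an agent to is expected until the agent installation or your GPO grants it.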
Steps to switch existing backup and recovery plans
To switch existing backup and recovery plans to use a gMSA:
- Capture the current configuration:
- Open the Cayosoft Guardian web portal.
- Go to Forest Recovery > Backup Plans and open the existing forest backup plan.
- Take screenshots of the backup plan configuration (scope, schedule, backup locations, credentials, etc.).
- Go to Forest Recovery > Recovery Plans, open the corresponding forest recovery plan, and take screenshots of the recovery plan configuration (list of domain controllers, recovery site mapping, credentials, general settings, etc.).
- Delete existing backup and recovery plans (keep recovery sites):
- In Forest Recovery > Recovery Plans, delete the recovery plans that still use the old (non-gMSA) credentials.
- In Forest Recovery > Backup Plans, delete the associated backup plans.
- Do not delete the recovery sites. Keep the recovery sites so that you can reuse them. This ensures you still have a prepared environment in case something unexpected happens while you are rebuilding backups and recovery plans.
- Uninstall legacy agents from Agent management:
- Go to Agent management in the Cayosoft Guardian portal.
- Identify the agents installed on domain controllers for the affected forest recovery plan.
- Uninstall or delete all legacy agents associated with the old service account from Agent management.
- Verify credentials are no longer linked to domain controllers:
- Go to Configuration > Credentials.
- Locate the credential that was previously used by the backup and recovery plans.
- Open the credential and verify that no domain controllers are still linked to this credential.
- If any DCs are still associated, remove those links so the old credential is no longer in active use.
- Update the Entra Connect configuration to use the gMSA (if applicable), that is, if you use Entra Connect in Guardian and it was configured with the old credentials:
- Go to Configuration > Entra Connect.
- Select the Entra Connect configuration that uses the old credential.
- Edit the configuration and change its connection account to the new gMSA.
- Save the changes.
If Entra Connect is not used or is already configured with gMSA, you can skip this step.
- Recreate the forest backup plan using gMSA:
- Go to Forest Recovery > Backup Plans and click Add to create a new forest backup plan.
- Use the screenshots you captured earlier to recreate the previous configuration:
- Select the same forest and scope of domain controllers.
- Reuse the same backup locations (or updated ones, if needed).
- Reapply the desired schedule and retention settings.
- On the Credentials step for the backup plan, select the gMSA account as the credential to be used by the agents.
- Install agents with administrative credentials:
- From the new backup plan, run the Install agents action.
- When prompted, provide the administrative credentials (for example, a domain admin account) that have local admin rights on the domain controllers.
- Confirm that agents are installed on all domain controllers included in the plan. These agents will run under the configured gMSA after installation.
- Run a new forest backup:
- Start the new backup plan manually to create a fresh baseline backup using the gMSA.
- Monitor the backup execution under the plan’s Execution History.
- Confirm that all required domain controllers complete the backup successfully and that no errors remain.
- Recreate the forest recovery plan using a break-glass account:
- Go to Forest Recovery > Recovery Plans and click Add to create a new forest recovery plan.
- Rebuild the recovery plan using the screenshots you captured earlier:
- Select the same forest and domains.
- Map the domain controllers to the existing recovery sites and target VMs.
- Adjust any recovery-specific settings as needed.
- When configuring credentials for the recovery plan, select the break-glass account you prepared in the prerequisites. This account is used to perform recovery actions in the recovered forest, not to run backup agents.
- Verify and run the recovery plan:
- With the new recovery plan selected, click Verify (or Deploy recovery site followed by verification, depending on your configuration).
- Review the verification results and fix any reported issues.
- Once verification succeeds, click Run to execute the recovery plan in the recovery site (for a test run) and confirm that:
- The plan executes successfully.
- Domain controllers are recovered as expected.
- No unexpected dependency on the old credentials remains.
After these steps, your forest backup and recovery plans will be fully switched to use the gMSA for backup agents and a dedicated break-glass account for executing forest recovery.
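The Execution History shows whether each recovery step succeeded, but confirming that "domain controllers are recovered as expected" is easier with an independent check against the recovered forest. The following PowerShell is an example added to this article, not Cayosoft's code: it enumerates every recovered DC in every domain of the forest, reports core service state, inbound replication failures, DC advertising, SYSVOL availability, and FSMO role ownership. It assumes it is run from a domain-joined host inside the isolated recovery site (so that it resolves the recovered forest and never touches production) with the ActiveDirectory RSAT module and the `repadmin` and `dcdiag` tools available.

```powershell
# Example added to this article (not Cayosoft's code). Run inside the isolated recovery site only.
Import-Module ActiveDirectory

$forest = Get-ADForest
$report = foreach ($domainName in $forest.Domains) {
    foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
        $fqdn = $dc.HostName

        # Core DC services; anything not in the Running state is listed by name.
        $stopped = Invoke-Command -ComputerName $fqdn -ScriptBlock {
            Get-Service -Name NTDS, DNS, Netlogon, Kdc, W32Time |
                Where-Object { $_.Status -ne 'Running' } | Select-Object -ExpandProperty Name
        }

        # Inbound replication as seen by this DC. With "Recover One Domain Controller per Domain"
        # there may be no partners yet, in which case the failure count is simply 0.
        $repl = repadmin /showrepl $fqdn /csv | ConvertFrom-Csv

        # dcdiag /q prints only errors, so empty output means the Advertising test passed.
        $adv = dcdiag "/s:$fqdn" /test:Advertising /q

        [pscustomobject]@{
            Domain          = $domainName
            DC              = $fqdn
            GlobalCatalog   = $dc.IsGlobalCatalog
            FsmoRoles       = ($dc.OperationMasterRoles -join ',')
            StoppedServices = ($stopped -join ',')
            ReplFailures    = @($repl | Where-Object { $_.'Number of Failures' -ne '0' }).Count
            AdvertisingOK   = (-not $adv)
            SysvolShared    = (Test-Path "\\$fqdn\SYSVOL")
        }
    }
}
$report | Format-Table -AutoSize

# Every FSMO role should be held by a DC that appears in the report. An owner that is not in the
# list is a DC that was not recovered and must be followed up on before the forest is usable.
$liveDcs    = @($report.DC)
$roleOwners = @($forest.SchemaMaster, $forest.DomainNamingMaster) +
    @($forest.Domains | ForEach-Object {
        $d = Get-ADDomain -Identity $_
        $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster
    })
$roleOwners | Where-Object { $_ -notin $liveDcs } | ForEach-Object { "FSMO role owner not recovered: $_" }
```

A clean result is a table with no `StoppedServices`, `ReplFailures` of 0, `AdvertisingOK` and `SysvolShared` both `True` for every DC, and no "FSMO role owner not recovered" lines; anything else should be cross-checked against the Errors and warnings tab of the plan's execution history record before the test run is counted as successful.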