Cayosoft Guardian standby forest post-recovery steps

NOTE: This document applies only in the event of a complete Active Directory Forest outage. It is not intended for routine recovery testing.

Prerequisites

For Azure:

• A valid license for Cayosoft Guardian Standby Forest Recovery.
• An existing, accessible recovery site in Azure.
• A working ExpressRoute or Azure VPN connection.
• Gather and record the following:
  • ExpressRoute or VPN VNET Name
  • Recovery Site VNET Address Space
  • Recovery Site Subnet
  • Server VM IP addresses

For AWS:

• A valid license for Cayosoft Guardian Standby Forest Recovery.
• A configured AWS-based recovery site.
• Site-to-Site VPN or Direct Connect configured.
• Gather the following:
  • VPC ID and subnet CIDRs
  • VPN/Direct Connect settings
  • Elastic IPs (if used)
  • Private IPs for domain controllers
  • Security Groups and route tables

Azure Recovery Steps

1. Log in to the Azure portal using an account with Contributor access to the recovery site's resource group.
2. Open the Standby Forest recovery site resource group (e.g., RecoverySite-ADDomainFQDN-yymmddtttt).
3. Modify the recovery VNET:
   • Add the address space and subnet documented in prerequisites.
   • Create VNET peering to the production network. See Azure virtual network peering .
4. Configure VM network interfaces:
   • Attach a new NIC to each VM using documented IPs.
   • Remove the original NIC after the new one attaches fully.
   • Refer to Attach/detach network interfaces in Azure .
5. Update DNS on the new interfaces:
   • Set DNS to Custom.
   • Add required AD DNS server IPs.
6. Power on all VMs.
7. (Optional) Remove any unused or detached NICs.

AWS Recovery Steps

1. Log into the AWS Console with EC2/IAM permissions.
2. Navigate to the recovery region.
3. Review VPC settings and verify routing and VPN access.
4. Configure EC2 network:
   • Create and attach ENIs with static IPs.
   • Ensure DNS settings match your configuration.
   • See AWS Elastic Network Interfaces .
5. Power on all EC2 instances.

Checking VM access

Use one of the following methods depending on the deployment:

Deployment Type	Access Method
Public IP	Power on the VM and connect via RDP. Find public IPs here.
Bastion	Requires Azure access. Azure Bastion documentation.
Internal only	Add a temporary VM with a public IP to the recovery VNET, Or, Assign a public IP to one of the restored DCs. Create public IP guide

NOTE: Review and update firewall rules when using public IPs.

IMPORTANT: Do not use outdated steps involving “production network adapters.” Use VNET peering and DNS configuration instead.

Post-recovery testing

1. Log in using recovered domain admin credentials.
2. Open Active Directory Users and Computers (ADUC).
3. Verify directory content (OUs, users, computers).
4. Create a test object (user/group) to check write access.
5. Run nslookup from a recovered domain controller.
6. Check for presence and replication of zone data.
7. From a peer or on-prem network, access the recovered forest via VPN.
8. Deploy a new VM into the recovery subnet and attempt domain join.
9. Check the following logs on each DC:
   • System
   • Directory Services
   • DNS Server
10. Confirm the Cayosoft Guardian portal is accessible and services are running.