How to use a recovered forest in the cloud
Overview
In some recovery scenarios, organizations may need to bring up their Active Directory forest in a cloud environment (such as Microsoft Azure or AWS) to maintain access to critical services while on-premises infrastructure is unavailable. This article provides general guidance on how to operate or connect to a recovered forest hosted in the cloud.
Guardian supports recovery to cloud-based virtual machines (VMs) and can help restore Active Directory functionality quickly. However, additional network and DNS configuration may be required to make the recovered environment accessible to users and services.
Use cloud recovery:
- When physical datacenters are unavailable or compromised.
- When testing disaster recovery scenarios or validating recovery plans.
- When maintaining temporary directory services during large-scale maintenance.
Connectivity options
To access a recovered AD forest running in a cloud environment, establish secure network connectivity between on-premises systems and the cloud-hosted VMs. Common options include:
- Azure ExpressRoute: Provides a dedicated, high-performance connection between your on-premises network and Azure virtual networks.
- Site-to-Site VPN: Creates an IPsec tunnel between your on-premises VPN gateway and the cloud virtual network, so that on-premises subnets can reach the recovered DCs directly.
- Point-to-Site VPN: Connects individual machines to the cloud network; suitable for temporary or small-scale administrative access, not for routing an entire site's clients.
Refer to Microsoft documentation for configuration details of each option.
DNS and DHCP considerations
When recovering domain controllers (DCs) to the cloud, DNS determines whether clients and services can locate the new DCs at all: domain members find DCs through the SRV records under _msdcs, so logons will not work until name resolution does. If your DNS is hosted on DCs that are now offline, you may need to perform the following steps:
- Update DHCP scopes so that the DNS server option (006) hands out the IP addresses of the cloud-based DCs.
- On DNS servers that are not part of the recovered forest, add conditional forwarders for the AD domain (including its _msdcs subdomain) pointing at the recovered DCs, or host secondary copies of those zones populated by zone transfer, so that queries for the domain reach the recovered environment.
- Review internal and external name resolution rules (split-brain zones, public resolvers, forwarders configured on the cloud virtual network) to ensure hybrid connectivity functions in both directions.
Guardian does not automatically modify DHCP or external DNS settings. These changes must be performed manually based on your organization’s networking design.
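The DHCP and DNS steps above, carried out and verified from the on-premises side, as an added example (this is not Guardian's own tooling or code from this article). The domain name corp.example.com, the cloud DC addresses 10.50.0.4 and 10.50.0.5, and the DHCP scope 192.168.10.0 are assumed values; substitute your own.

```powershell
# Added example, not Guardian code. Assumed values: domain corp.example.com,
# recovered cloud DCs at 10.50.0.4 and 10.50.0.5, DHCP scope 192.168.10.0.
# Run on the on-premises DHCP/DNS server with the DhcpServer and DnsServer
# RSAT modules and an account that can administer both.
$Domain     = 'corp.example.com'
$CloudDcIps = @('10.50.0.4', '10.50.0.5')
$ScopeId    = '192.168.10.0'

# 1. Point DHCP clients at the recovered DCs for name resolution (option 006).
#    The existing value is replaced, so list every DNS server clients should use.
#    -Force skips the reachability check, which fails until the VPN/ExpressRoute is up.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $CloudDcIps -Force

# 2. On a DNS server that keeps serving on-premises clients but does not host the
#    AD zones itself, forward the domain and its _msdcs subdomain to the cloud DCs.
#    A server that already hosts the zone is skipped; a conditional forwarder would
#    never be consulted there anyway.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $CloudDcIps -PassThru
    }
}

# 3. Verify the DC locator path before pointing users at the recovered forest:
#    the SRV record must resolve, and the locator must pick a cloud DC.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $CloudDcIps[0] |
    Select-Object Name, NameTarget, Port, Priority
nltest /dsgetdc:$Domain /force
```

Clients renew their lease before they see the new DNS servers, so after changing the scope run `ipconfig /renew` on a test client (or shorten lease times ahead of a planned exercise) and confirm that `nltest /dsgetdc` on that client returns one of the recovered DCs rather than an error.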
Additional considerations
- Verify that firewall rules between the networks allow the ports AD requires in both directions: DNS (53), Kerberos (88 and 464), the RPC endpoint mapper (135) plus the RPC dynamic port range, LDAP and LDAPS (389 and 636), SMB for SYSVOL and NETLOGON (445), and the global catalog (3268 and 3269). Opening LDAP alone is not enough for domain logons or replication.
- Use Azure Bastion or hardened jump hosts for administrative access rather than exposing RDP on the recovered DCs to the internet.
- Monitor replication between the recovered DCs, and between them and on-premises DCs once those return, to ensure the directory stays consistent.
- When production infrastructure is restored, plan for rejoining or demoting the temporary cloud DCs. Demote them cleanly after their changes have replicated back rather than leaving a reachable but unmaintained copy of the directory running in the cloud.
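A check script covering the firewall and replication points above, added here as an example (not Guardian's own tooling or code from this article). The domain corp.example.com, the recovered DC names dc01 and dc02, and the port table are assumptions; the script runs from an on-premises member server with the ActiveDirectory RSAT module installed.

```powershell
# Added example, not Guardian code. Assumed values: an on-premises member server
# running this script, recovered DCs dc01/dc02 in the cloud, domain corp.example.com.
# Requires the ActiveDirectory RSAT module; repadmin ships with the AD DS tools.
$Domain   = 'corp.example.com'
$CloudDcs = @('dc01.corp.example.com', 'dc02.corp.example.com')

# Ports a member or client must reach on a DC. RPC also needs the dynamic range
# (49152-65535 by default); this check only probes the endpoint mapper on 135.
$Ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

# 1. Firewall check from the on-premises side towards each recovered DC.
foreach ($dc in $CloudDcs) {
    foreach ($p in ($Ports.Keys | Sort-Object)) {
        $ok = Test-NetConnection -ComputerName $dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-28} {1,5} {2,-26} {3}' -f $dc, $p, $Ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 2. Replication health across the forest. Any listed failure, or a "largest delta"
#    that keeps growing in the summary, means the DCs are diverging and must be
#    fixed before clients depend on them.
repadmin /replsummary
Get-ADReplicationFailure -Target $CloudDcs -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime

# 3. Per-partner status per naming context, including the last successful sync.
foreach ($dc in $CloudDcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Both |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult
}
```

Run the port check from the same subnet that clients will use, not only from the administrative jump host, since the firewall rules for the two paths are often different; a LastReplicationResult of 0 on every partition is the state to expect before the recovered forest is handed to users.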