Forest Recovery: Create, configure, verify and run forest recovery plan

---

Content: 

Summary

This article describes how to create, verify, and run Active Directory forest Recovery plans using Cayosoft Guardian.  

With forest recovery plans, the whole forest recovery process can be devised, verified, and regularly tested. Recovery plans are jobs that allow recovering a set of selected domain controllers to a pre-configured recovery site using previously created domain controllers backups. Pre-recovery validation ensures recovery plan consistency and readiness of target machines in the recovery site. The recovery process itself is fully automated. 

Every organization using Active Directory should consider developing a general recovery plan for events related to Active Directory outages and regularly test it. Cayosoft Guardian provides automation for the most critical tasks related to Active Directory forest recovery.  

Cayosoft Guardian allows you to restore your forest to its state at the selected time and modifications in the Active Directory database that were made after that time will be lost.  When you detect the symptoms of a forest-wide failure, determining the cause of the failure might take sufficient time and since Cayosoft Guardian allows recovering forest to an isolated recovery site, this means that recovery plan execution doesn't affect your production environment and the recovery plan might be executed immediately.

 

Prepare recovery site 

A recovery site must be prepared in advance to verify the forest recovery plan or to run it.

A recovery site consists of virtual machines to be used for recovering domain controllers, storage with backups, Cayosoft Guardian installation, and related network infrastructure.

Manual creation of recovery sites might be time-consuming and it is strongly recommended to have at least one verified recovery site for immediate recovery.  

Learn more about how to prepare a recovery site manually.

Learn more about how to automate the creation of the recovery site in Azure. 

 

Create a forest recovery plan 

Before creating a forest recovery plan make sure that you added all Backup locations containing backups of the domain controllers to be recovered. You might check that you have all the necessary backups registered in the DC Backups node. 

Learn more about how to add backup locations.

To create a recovery plan: 

1. Open Cayosoft Guardian Web Portal
2. Expand Forest Recovery node
3. Click on the Recovery Plans node
4. Press Add button and select Forest recovery plan option
5. Select Active Directory forest to be recovered
6. With Recover one domain controller per domain enabled a recovery plan will be created with only one domain controller in each domain to be recovered. Recovering only one domain controller in the domain is a recommended option to speed up the recovery. Additional domain controllers might be promoted manually once initial recovery is successful. Disabling Recover one domain controller per domain allows creating a plan where one domain controller is recovered from a backup in each domain and other domain controllers will be automatically repromoted. 
7. Select a recovery date using Recover to this point in time
8. After confirmation, Cayosoft Guardian will discover the latest backups created before the selected date on the connected Backup Locations and automatically assign these backups to each domain controller to be recovered.

 

Configure a forest recovery plan

The recovery plan consists of a list of domain controllers, domain controllers recovery settings, actions settings, and general plan settings. The values of some settings are populated from the backup automatically.

With deploying a recovery site in Azure Cayosoft Guardian automatically populates or modifies settings such as IP addresses, DNS-related settings, new DSRM passwords, credentials to access virtual machines in Azure, and other settings that are required for successful recovery.  

With a recovery site created manually, some settings must be specified before launching the verification process or the forest recovery process such as credentials to connect to machines in the recovery site. You also might need to change other settings that are required for successful verification or recovery.

Learn more about recovery plan settings.

 

Verify a forest recovery plan

With the verification process, Cayosoft Guardian checks recovery plan settings and settings of each domain controller to be recovered. In case any issue is encountered an error or warning message will be shown on the plan itself or on the domain controller properties page. Some of the verification checks are performed on the target machine in the recovery site. 

Before running verification in the environment recovery site must be ready. Cayosoft Guardian can recover your forest to manually created recovery sites or it can create an Azure Recovery site automatically. ​

To verify the recovery plan:  

1. Open Cayosoft Guardian Web Portal
2. Expand Forest Recovery node
3. Click on the Recovery Plans node
4. Select your recovery plan and press Properties
5. To start verification open a recovery plan and press Verify.
6. Once the verification process starts Cayosoft Guardian opens execution history.  
7. Once verification is complete check messages on the plan. Also on the Domain Controllers tab, a status of each domain controller settings verification is displayed with an icon. If verification is failed for a specific DC, on the DC properties page a message is displayed.   

After the Verify button is pressed an execution history record appears where you can observe execution steps, the current state, and the duration of each step. Each step produces detailed messages during the execution. These messages can be accessed with a click on the execution step. The Errors and warnings tab in the execution history record allows reviewing important issues related to this run.

To find verification history records related to specific Recovery Plans:

1. Open Cayosoft Guardian Web Portal
2. Expand Forest Recovery node
3. Click on the Recovery Plans node
4. Select your recovery plan and press Properties
5. On the backup plan properties page switch to an Execution History tab
6. Find a verification history record, select and press Properties
7. See execution details on the Execution and the Errors and warnings tabs  

Run a forest recovery plan 

You can run a recovery plan as soon as verification is complete successfully. With Cayosoft Guardian Forest recovery plan is fully automated. Do not perform any manual actions on target machines, storage, or Guardian Server during the recovery process. In case the forest recovery plan fails with an error, to retry recovery target environment must be reset to its original state before recovery.    

 

To run a forest recovery plan: 

1. Open Cayosoft Guardian Web Portal
2. Expand Forest Recovery node
3. Click on the Recovery Plans node
4. Open a recovery plan and press Run.
5. Once the recovery process starts Cayosoft Guardian opens execution history. 
6. Wait until recovery is complete.    

After the Run button is pressed an execution history record appears where you can observe execution steps, the current state, and the duration of each step. Each step produces detailed messages during the execution. These messages can be accessed with a click on the execution step. The Errors and warnings tab in the execution history record allows reviewing important issues related to this run.

 

Review a forest recovery plan execution results

To review a forest recovery plan execution results:

1. Open Cayosoft Guardian Web Portal
2. Expand Forest Recovery node
3. Click on the Recovery Plans node
4. Select your recovery plan and press Properties
5. On the backup plan properties page switch to an Execution History tab
6. Find a verification execution history record, select and press Properties 
7. See execution details on the Execution and the Errors and warnings tabs