
AD Forest recovery:

Restore of the Forest


When to Perform Forest Recovery
This procedure is the last resort for restoring Active Directory. It applies in cases such as the
following:
- All domain controllers within the forest are corrupted.
- The database has been compromised.
- Corrupted data has spread across the forest.
- Domain controllers are not able to replicate with their partners.
- No changes can be made on any domain controller.
- A new domain controller cannot be added to any domain.
- The schema partition needs to be restored.
Even if the forest is affected by one of the cases listed above, the decision to perform a forest
recovery still has to be taken in conjunction with Microsoft Customer Support Services (CSS).

Consequences of restoring forest


Performing a forest recovery involves restoring it from backup and reinstalling Active Directory
Domain Services on every domain controller in the forest. Recovering the forest restores each
domain in the forest to its state at the time of its latest good backup. So, you may lose data during
the restore:
- All objects added after the latest good backup.
- All updates done after the latest good backup.
The latest good backup is chosen so that the restore point lies before the corruption that caused
the forest recovery scenario; a newer backup would restore the corruption along with the data.

Recovery Road map

- Pre-recovery steps: Collect all data about the structure of the forest (topology), the
function of each domain controller and the priority of the recovery sites.
These documents should be at the disposal of IT and Microsoft CSS to identify a domain
controller eligible for the restore and to define clearly the schedule of the forest recovery.

- Descriptive table of domain controllers: A table of every domain controller in the
domain, with details of which servers are included in the backup, has to be created to
decide which domain controller is eligible for restoration. This table will also be needed
after the restore of the forest to reinstall each remaining domain controller.

- Identify the trusted backup per domain: Identify the trusted backup that can be used for
forest recovery in each domain.

- Shut down, and disconnect if possible, all DCs in the forest: Shut down all the domain
controllers in the forest so that no stale DC can replicate into the recovered one.
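The descriptive table of domain controllers described above can be generated rather than typed by hand. The following PowerShell is an added example and is not part of the original document; it assumes the ActiveDirectory RSAT module, an account that can read every domain in the forest, and that it runs before the DCs are shut down. The output file name `DcInventory.csv` and the empty `BackupSet`/`RestorePriority` columns (filled in by the recovery team) are this example's own choices.

```powershell
# Added example: build the pre-recovery inventory of every DC in the forest.
# Assumes the ActiveDirectory module and read access to all domains.
Import-Module ActiveDirectory

$forest = Get-ADForest

$rows = foreach ($domainName in $forest.Domains) {
    # Query each domain directly; the forest root's view may be stale if
    # replication is already broken, which is exactly the situation here.
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        [pscustomobject]@{
            Domain          = $domainName
            HostName        = $dc.HostName
            IPv4Address     = $dc.IPv4Address
            Site            = $dc.Site
            OperatingSystem = $dc.OperatingSystem
            IsGlobalCatalog = $dc.IsGlobalCatalog
            IsReadOnly      = $dc.IsReadOnly
            # Domain-level FSMO roles held by this DC, comma separated (empty if none)
            FsmoRoles       = ($dc.OperationMasterRoles -join ',')
            # Forest-wide roles are reported on the forest object, so flag them here
            IsSchemaMaster  = ($forest.SchemaMaster -eq $dc.HostName)
            IsDomainNaming  = ($forest.DomainNamingMaster -eq $dc.HostName)
            # Filled in by hand from the backup catalogue: which backup set covers
            # this DC and in what order it is restored (constructed placeholders)
            BackupSet       = ''
            RestorePriority = ''
        }

        # Last backup recorded per naming context on this DC; repadmin prints text,
        # so it is kept as a companion file per host for the recovery team.
        repadmin /showbackup $dc.HostName |
            Out-File -FilePath ".\$($dc.Name)-showbackup.txt"
    }
}

$rows | Sort-Object Domain, HostName | Format-Table -AutoSize
$rows | Export-Csv -Path .\DcInventory.csv -NoTypeInformation
```

The CSV is the artefact handed to IT and Microsoft CSS; the `IsSchemaMaster` and `IsDomainNaming` columns matter later because the schema master must be seized on the forest root DC if it was not the DC restored, and the `repadmin /showbackup` files show which DCs actually have a recent, usable backup.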
High level steps in Forest Recovery:

1. Isolate the domain controller that will be restored by disconnecting it from the network.
Restore the first writeable domain controller in each domain.

Detailed steps can be found at:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-perform-initial-recovery#Restore-the-first-writeable-domain-controller-in-each-domain

2. Verify that the DC was successfully restored after rebooting.

3. Configure DNS

4. Disable Global Catalog (if enabled)

5. Raise RID pool by 100,000

6. Seize FSMO roles

7. Perform metadata cleanup of all other DCs in the forest root domain (also delete the DC
computer objects of DCs in this domain that will not be restored from backup).

8. Reset machine account twice

9. Reset the krbtgt account password twice

10. Reset all trust passwords twice

11. As you restore each DC, you will want to point them to the recovered forest root DC for
DNS.

12. Connect the restored DCs back to the network (before performing this step, ensure
that no old DCs are still online).

13. Perform a full replica set sync of AD.

14. Enable the forest root DC as a GC.

15. Seize the schema master on the forest root DC (if the schema master was not the DC that was
restored).

16. Recover additional DCs in each of the domains using dcpromo.
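Steps 4 to 10 are all performed on the isolated, freshly restored DC, and steps 13 to 15 only after it is reconnected. The following PowerShell script is an added example and is not part of the original document or of Microsoft's own guide; it runs as a Domain Admin on the restored DC once step 2 has been verified. It assumes the ActiveDirectory module plus `repadmin`, `ntdsutil` and `netdom` are available on the DC, that `$env:COMPUTERNAME` is the restored DC, and that `$DcsNotRestored` is filled in from the inventory table. The helper names `New-RandomPassword` and `Complete-RootDcRecovery` are this script's own.

```powershell
# Added example: steps 4-10 on the isolated restored DC, then 13-15 after reconnect.
# Assumes the ActiveDirectory module, repadmin, ntdsutil and netdom on the DC.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$dc             = Get-ADDomainController -Identity $env:COMPUTERNAME
$domain         = Get-ADDomain
$domainDn       = $domain.DistinguishedName
$isForestRoot   = ($domain.DNSRoot -eq (Get-ADForest).RootDomain)
$DcsNotRestored = @()   # e.g. @('DC2','DC3'): DCs that will NOT be rebuilt (placeholder)

function New-RandomPassword {
    # 24 random bytes as base64: throwaway secrets for the krbtgt and trust resets
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

# Step 4: disable the Global Catalog on the restored DC (re-enabled in step 14)
if ($dc.IsGlobalCatalog) { repadmin /options $dc.HostName -IS_GC }

# Step 5: raise the RID pool by 100,000 so RIDs handed out after the backup are
# never reissued. rIDAvailablePool keeps the next RID in its low 32 bits, so adding
# to the 64-bit value raises that part; refuse to continue if it would wrap.
$ridMgr  = Get-ADObject -Identity "CN=RID Manager$,CN=System,$domainDn" -Properties rIDAvailablePool
$pool    = [int64]$ridMgr.rIDAvailablePool
$newPool = $pool + 100000
if (($newPool -band 0xFFFFFFFF) -lt ($pool -band 0xFFFFFFFF)) { throw 'RID pool low part would wrap' }
Set-ADObject -Identity $ridMgr -Replace @{ rIDAvailablePool = $newPool }

# Step 6: seize (-Force) the domain-level FSMO roles; the schema master waits for step 15
$roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
if ($isForestRoot) { $roles += 'DomainNamingMaster' }
Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $roles -Force -Confirm:$false

# Step 7: metadata cleanup of every other DC in this domain (ntdsutil shows one
# confirmation dialog per server). DCs that will not be rebuilt also lose their
# computer object, which is protected from deletion and has child objects.
$others = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $dc.HostName }
foreach ($other in $others) {
    ntdsutil 'metadata cleanup' "remove selected server $($other.ServerObjectDN)" quit quit
    if ($DcsNotRestored -contains $other.Name) {
        Get-ADComputer -Filter "Name -eq '$($other.Name)'" | ForEach-Object {
            Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $false
            Remove-ADObject -Identity $_ -Recursive -Confirm:$false
        }
    }
}

# Step 8: reset this DC's own machine account password twice
1..2 | ForEach-Object { Reset-ComputerMachinePassword -Server $dc.HostName }

# Step 9: reset krbtgt twice so no ticket issued under the old key remains valid
1..2 | ForEach-Object {
    $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $pw
}

# Step 10: reset every trust twice from this side. The partner domain must later
# apply the same /passwordT value, so the generated secrets are returned to the
# operator rather than discarded. netdom prompts for the /passwordO credential.
$trustSecrets = @{}
foreach ($trust in Get-ADTrust -Filter *) {
    $secret = New-RandomPassword
    $trustSecrets[$trust.Name] = $secret
    1..2 | ForEach-Object {
        netdom trust $domain.DNSRoot /domain:$($trust.Name) /resetOneSide /passwordT:$secret /userO:$env:USERNAME /passwordO:*
    }
}
$trustSecrets   # hand over out of band, then clear the variable

# Steps 13-15: call this only after step 12 (reconnected, no old DCs online)
function Complete-RootDcRecovery {
    repadmin /syncall $dc.HostName /AdeP                     # step 13: full sync, all partitions
    repadmin /options $dc.HostName +IS_GC                    # step 14: GC back on
    if ($isForestRoot -and ((Get-ADForest).SchemaMaster -ne $dc.HostName)) {
        Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole SchemaMaster -Force -Confirm:$false   # step 15
    }
}
```

Two design points follow from the page's own ordering: the RID pool is raised and the roles seized while the DC is still isolated, so nothing stale can replicate in before the old RID range and the old role owners are invalidated; and the krbtgt, machine account and trust secrets are each reset twice because a single reset leaves the previous key in the password history, which would still validate tickets and trust traffic created after the backup.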

Post-Recovery:

1. Revert forest back to original DNS configuration


2. Redistribute FSMO roles

3. Enable additional Global catalog servers

4. Get a good system
