 
 
Like most enterprises today, a leading manufacturer in the skyscraper-building sector relies on Active Directory for the vital identity services that keep nearly all its business processes running. “Active Directory is critical for us: It’s essential for everything from enterprise software like SAP to Azure cloud services to our custom applications,” explains the firm’s head of infrastructure. “We have around 8,000 Active Directory objects, including about 3,000 human user accounts along with thousands of service accounts, computer accounts and groups.”
With the relentless attacks on Active Directory today, the IT team recognized the need for fast and reliable AD disaster recovery. “Our concern was that we have only one forest and only one domain, so all our users worldwide rely on the same Active Directory to log on and access IT resources,” says the head of infrastructure. “Cyber criminals often attack Active Directory because they know that it is a single point of failure — if Active Directory is down, almost everything is down.”
Without an enterprise-quality disaster recovery solution, bringing Active Directory back online can take quite a long time, and every minute means lost productivity, lost revenue and frustrated customers. When done manually, the forest recovery process involves restoring domain controllers from backup and then painstakingly configuring each one. In fact, Microsoft’s Active Directory Forest Recovery Guide outlines 12 configuration procedures comprising 40+ steps that must be performed on each DC once it has been restored from backup. Failure to properly complete these steps can cause AD to break or leave lingering security vulnerabilities.
“We were using a traditional backup solution with a plugin for Active Directory,” recalls the head of infrastructure at the manufacturing company. “If we had ever needed to restore Active Directory from a disaster, it would have taken days or even weeks because we have about 30 domain controllers spread across the world.”
While the IT team at the company’s headquarters manages the domain controllers, local IT teams handle many tasks at their own locations, such as creating new user accounts. “Because there are so many administrators that can make changes to Active Directory, errors are bound to happen, such as deleting an account by mistake,” the head of infrastructure says. “Unfortunately, restoring an object could easily take half a day and required taking the domain controller offline. As a result, it was often faster and less disruptive to recreate the account from scratch than to restore it from backup.”
If an object was changed rather than deleted, the recovery process was even more complicated and time-consuming. “First, we had to restore Active Directory on an offline domain controller using yesterday’s backup, search for the object and check the value of the attribute,” the head of infrastructure explains. “If the value is the same as it is now, we know the modification didn’t happen yesterday. So then we need to restore using the backup from two days ago and check it, and so on and so on, until we find the backup we need. This process can easily take an entire day or longer.”
The manufacturing company was already using several Quest solutions with great satisfaction, so they requested a demo of the Quest hybrid AD disaster recovery suite: On Demand Recovery integrated with Recovery Manager for Active Directory Disaster Recovery Edition. A thorough assessment confirmed that it was the right choice for the company. From a central console at the headquarters location, the infrastructure team can control backup and recovery for all 30 domain controllers worldwide.
“Fortunately, we have never needed to restore our Active Directory from a true disaster,” the head of infrastructure reports. “But we are prepared. We were able to create a test environment that is an exact copy of our production Active Directory on virtual machines. That enables us to regularly practice and test the disaster recovery procedure. With the Quest solution, we have peace of mind that we can recover Active Directory — and get the business back on its feet — within hours, rather than the days it would have taken with our previous approach. Plus, we can use the test environment for other purposes, such as testing new scripts.”
The Quest disaster recovery suite also makes granular recovery of specific AD objects or attributes quick and easy. “Before, restoring an accidentally deleted AD object could easily take half a day, but with the Quest solution, it takes just one minute,” notes the head of infrastructure. “Similarly, we used to need a day or more to restore a modified attribute, but now it is quick and easy — we can see exactly when the attribute was changed, know what its previous value was, and restore it, all in a few clicks.”
The manufacturer found that having fast disaster recovery delivered an unexpected additional benefit. “When we renewed our cybersecurity insurance policy, the vendor asked us questions about our backup and recovery capabilities,” recalls the head of infrastructure. “When I told them that we use the Quest hybrid AD disaster recovery solution, they appreciated its ability to minimize business downtime. I think that resulted in the company saving some costs on the insurance policy.”
The company has not had to use the Quest solution to recover from a disaster, and hopes it never has to. Yet both the IT team and senior management recognize that it is a valuable investment. “A recovery tool is like automobile insurance — you hope you never need it, but if you have an accident, you are very glad you have it,” explains the head of infrastructure. “If Active Directory is not working, we cannot use SAP or Azure or other important applications. Before, that downtime could easily have lasted a week or more. With On Demand Recovery and Recovery Manager, we have confidence that we can get Active Directory back up and running quickly so business operations can resume.”