Eight Things to Look for in an Active Directory Disaster Recovery Solution

Active Directory is as mission-critical as it gets. If your AD is down, your business is down. It’s that simple.

With 95 million AD attacks every day — along with natural disasters, hardware failures, faulty scripts and the occasional devastating mistake from a well-meaning admin in a hurry — you need a rock-solid solution that delivers reliable Active Directory backup and flexible Active Directory recovery.

But what features and functionality should you look for as you evaluate the products on the market? Here are the eight key things to look for, and why you can find them all in Quest Recovery Manager for Active Directory Disaster Recovery Edition.

1. Stability and reliability

With some DR solutions, you can expect a high percentage of your backups to fail. That means you have to restore to an older backup — potentially losing a great deal of valuable data that was created or modified in the interim.

Quest has nearly two decades of experience creating AD backups for thousands of customers (we introduced Recovery Manager for Active Directory the year Active Directory went commercial). While no vendor can promise zero backup failures, our products wouldn’t sell so much if they failed all the time. Our customers overwhelmingly report that our backups (and backup management) are solid and reliable. You can check out their feedback on TechValidate; you’ll see phrases like “never given us a problem” and “working great for 10+ years,” along with this succinct summary: “peace of mind.”

That long record of success is because Quest experts have invested a lot of time and effort into backup and restore stability, based on their deep knowledge of Windows internals. In particular, Recovery Manager has multiple retry options for many system calls that can potentially fail — if one method fails, it automatically tries another one, which significantly increases the rate of successful completion.

2. Complete and flexible recovery

Shopping for a DR solution requires digging into the details of exactly which recovery scenarios are supported and exactly how they are supported. For example, when some solutions are asked to recover objects or attributes, they rewrite the changes rather than actually restoring them. This is a crucial difference because rewriting does not restore some critical attributes, including passwords and SID History. These missing attributes in a rewrite are annoying at best (the user must enter a new password) and a major problem at worst (without their SID History restored, the user won’t be able to authenticate properly and access all the resources they need to do their job).

Quest offers several solutions that enable you to control errant changes to objects. Change Auditor can be configured to protect your most important AD objects, such as powerful admin groups, from being changed at all. It also audits all changes happening to AD and makes it quick and easy to reverse most of them.

However, some changes, such as the deletion of an account, require restoration from backup. That’s where Recovery Manager steps up. Recovery Manager includes an object recovery agent that bypasses native Windows APIs to restore passwords and SID History directly to the NTDS.dit. Although Microsoft generally frowns on anyone writing directly to NTDS, the lack of a native API for this forced our hand over 15 years ago, and we’ve never caused a problem with the directory when doing this.

With Recovery Manager for Active Directory Disaster Recovery Edition, you can even restore attributes for a user account that was not deleted. Imagine how helpful that would be if an admin changed the password of a service account — and then discovered that the account is used in dozens of locations you haven’t even identified. By quickly restoring the old password, you can avert massive business disruptions that would have had your phone ringing off the hook.

3. Reports and notifications

With any DR solution, there is a chance that a backup will fail. If that happens, you need to know right away so you can address the underlying issues and stay protected with a current usable backup. It’s hard to fathom, but some DR solutions actually offer no notifications or reports on backup failures. With Recovery Manager, you can easily configure a notification to be sent via email if a backup fails, so you can take action promptly. The solution can even validate that a backup is viable upon creation.

Of course, failed backups aren’t the only thing you need to know about; you need insight into the complete backup and recovery process. Recovery Manager has you covered with a wide range of reports. For example, one predefined report shows all the changes between a particular backup and your current AD, and another details exactly what was restored during a recovery procedure.

For Active Directory forest recovery, Recovery Manager enables you to create a report outlining your Active Directory forest recovery plan, which can be exported to MS Word and customized as you see fit. You can also easily run a report after a recovery completes that shows timelines and any errors encountered during the recovery process. Recovery Manager will even run a forest recovery project verification report on the schedule you choose and email you the results, which include details such as malware scanning results.

All these reports include flexible sorting, filtering and export options. For example, you can limit a report to just the object classes, objects and attributes you care about. You don’t have to print or even email them; you can look at them during recovery, confirm what you want to restore and then discard the report electronically, all in a simple wizard.

Moreover, Recovery Manager writes events to a Windows event log on virtually everything it does. Those events are fully documented in the user guide for you.

Prefer to use your own scripts? No problem. All information is also available via the PowerShell API.

4. Ease of use

IT pros are busier than ever. You don’t have time to waste wrestling with clunky interfaces and remembering to manually check on backup status and forest health. And when a disaster strikes, every second counts — you need to know you can restore Active Directory as quickly as possible.

Quest customers rave about their experience with Recovery Manager. The recovery console delivers a high-level view of a recovery in progress, and also lets you easily dive into the weeds, whether to troubleshoot or just to take a deeper look. The information is clear and concise. Recovery Manager even makes it easy to validate forest health or tweak your AD infrastructure configuration, all right from a single pane of glass.

5. Top-notch support

If a tool is giving you trouble for any reason, the vendor needs to be ready to help, offering experienced support any time, day or night. When you’re looking at DR solutions, be sure to dig into the quality of their support — with some vendors, you can find customers who report that some of their tickets were closed without any solution being provided.

You won’t get that with Quest. Your Recovery Manager license includes a 24/7 support package, and Quest support staff is top rated and global.

6. Accurate auditing

The information provided by some DR solutions is not always accurate, because correctly correlating a user account with all related activities (failed logins, locked accounts, and so on) and producing meaningful, actionable information is a difficult job.

Quest, however, has been doing this for 20 years, since AD and Windows 2000 became commercial. We’ve learned from our experience and built a solution that has proven itself time and time again. Why trust your Active Directory — the cornerstone of your entire IT ecosystem — to a vendor who’s just getting started? Our technology is rock solid, and there’s a reason our competition likes to compare themselves to us: because we are the leader in Active Directory auditing and recovery.

7. Visibility into agent status

If your DR solution’s agents are down, you need to know immediately. With some solutions, the agents are supposed to regularly initiate a connection to the server, but if they fail to do so, no alert is displayed, so you don’t know the agent isn’t working properly.

Recovery Manager agents do not initiate connections. Instead, the server reaches out to the agents during backup and recovery operations, as well as during AD management activity, health checks and other events. The rest of the time, the agents, which run as services, sit idle, listening for an incoming connection. You can easily verify that the forest recovery agent is working by scheduling a verify settings job. You can check on the backup agents from the console, and in any case a failed backup job automatically notifies you if there is an issue.

Also, you can review agent status (installed, outdated, not installed) right from the console, and you can customize each agent’s communication TCP ports. All this information is also available via the PowerShell API.
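Because the agents described above listen for inbound connections rather than calling home, a simple local health check is to confirm that the agent service is running, that it is actually in a LISTEN state on its configured TCP port, and that its event log holds no recent errors (the page notes that Recovery Manager writes events for nearly everything it does). The following PowerShell is an added example, not Quest's code or PowerShell API; the service name `ExampleDrAgent`, the port `12345` and the log name `ExampleDrAgentLog` are placeholders, and you would substitute the names documented for the agent you run.

```powershell
# Added example (not Quest code): health-check a listening-style DR agent on the local host.
# Placeholders (NOT real Recovery Manager identifiers): service 'ExampleDrAgent',
# TCP port 12345, event log 'ExampleDrAgentLog'. Replace with the documented values.
param(
    [string]$ServiceName = 'ExampleDrAgent',    # placeholder service name
    [int]$Port           = 12345,               # placeholder agent TCP port
    [string]$LogName     = 'ExampleDrAgentLog', # placeholder event log name
    [int]$Hours          = 24                   # look-back window for error events
)

function Test-DrAgentHealth {
    param([string]$ServiceName, [int]$Port, [string]$LogName, [int]$Hours)

    $result = [ordered]@{
        ServiceRunning = $false
        Listening      = $false
        RecentErrors   = @()
    }

    # 1. Is the agent service installed and running?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $result.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. The server initiates connections, so the agent must be listening on its port.
    $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    $result.Listening = ($null -ne $listener)

    # 3. Collect error-level events (Level 2) from the agent's log within the window.
    $since = (Get-Date).AddHours(-$Hours)
    $result.RecentErrors = @(Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Level     = 2
        StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message)

    [pscustomobject]$result
}

$health = Test-DrAgentHealth -ServiceName $ServiceName -Port $Port -LogName $LogName -Hours $Hours
$health | Format-List

# Non-zero exit lets a scheduled task or monitoring job raise an alert.
if (-not $health.ServiceRunning -or -not $health.Listening -or $health.RecentErrors.Count -gt 0) {
    exit 1
}
```

Run it under a scheduled task on each domain controller that hosts an agent, and treat a non-zero exit as an alert; that closes the gap the section describes, where an agent that never gets contacted can be down without anyone noticing.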

8. Low resource consumption

The agents of some DR solutions can consume 7GB or more of free space — for no good reason. Yes, that’s gigabytes, not megabytes.

Lab tests show that the Recovery Manager forest recovery agent takes less than 2MB of RAM and less than 50MB of disk space, while the RMAD backup agents take less than 2MB RAM and less than 15MB of disk. These agents need more resources only when they are told to do something, such as when they are actively taking backups or diagnostic logging is enabled. The rest of the time, they just sit and listen, consuming hardly any resources at all.
What you need from your Active Directory disaster recovery plan boils down to this: stability, flexibility and options. With Quest Recovery Manager for Active Directory Disaster Recovery Edition, you’re in control, with recovery options to fit the needs of your business. You can prepare for and recover from any disaster at the object and attribute level, the directory level, and the operating system level across the entire forest. A proven solution backed by first-class support, Recovery Manager is the AD insurance policy that you can’t afford to be without.
