AD Forest Recovery Plan (with 3-2-1 Compliance)

31 August 2025 0 By Rached Chader

Introduction

Active Directory is the core of a Microsoft infrastructure.
A corrupted AD forest means a complete stop of authentication, Group Policy, business applications, and therefore of business operations.

A rollback to a raw hypervisor snapshot (USN rollback), a ransomware attack, or the accidental deletion of an OU can bring your IT system to its knees.

This AD Forest Recovery Plan (with 3-2-1 compliance) details, step by step, best practices:

  • Native System State backup (GUI and PowerShell),

  • VM-aware VSS backup (Hyper-V, VMware, Veeam),

  • Offsite backup with Azure Backup (MARS),

  • Non-authoritative restore (classic),

  • Authoritative restore (objects/OU),

  • SYSVOL (DFSR) checks,

  • Regular monitoring & testing.

Every command, every GUI click, every screenshot is documented.

Prerequisites

  • One or more Windows Server 2019/2022 domain controllers.

  • A Domain Admins account and the local Administrator account of the DC.

  • The DSRM password known and stored in a vault.

Update the DSRM password

This secret is the password of the local Administrator account used to log in to Directory Services Restore Mode (DSRM), the boot mode in which System State restores of a domain controller are performed.

Explanation of ntdsutil commands for the DSRM password

set dsrm password

This ntdsutil subcommand is used to manage the DSRM (Directory Services Restore Mode) password.

It is this password that is used when a domain controller starts in directory services restore mode.

reset password on server null

Here we indicate the action: reset the DSRM password.

The keyword null means the operation applies to the local server.

If you wanted to reset the DSRM password on another remote domain controller, you would replace null with the target server name.

q q

The first q quits the set dsrm password context.

The second q exits the ntdsutil tool completely.
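The same reset run from an elevated PowerShell prompt on the DC, as an added example that is not part of the original post. The scriptable "sync from domain account" variant and the registry check are additions to the walkthrough above; the account name svc-dsrm-sync is an assumption.

```powershell
# Added example, not from the original post. Run elevated on the DC.

# Interactive reset, exactly the command sequence explained above. ntdsutil
# prompts twice for the new password. null = the local DC; put a DC name in its
# place to target another domain controller.
& ntdsutil 'set dsrm password' 'reset password on server null' q q

# Scriptable alternative: copy the password of a dedicated domain account into
# DSRM, so rotation can be driven from the vault. svc-dsrm-sync is an assumption.
Import-Module ActiveDirectory
$acct = 'svc-dsrm-sync'
$pw   = Read-Host -AsSecureString "New password for $acct (store it in the vault first)"
Set-ADAccountPassword -Identity $acct -NewPassword $pw -Reset
& ntdsutil 'set dsrm password' "sync from domain account $acct" q q

# Hardening check: DsrmAdminLogonBehavior=2 lets the DSRM Administrator log on
# over the network while the DC runs normally, a known persistence trick.
# 0 (default, DSRM only) or 1 (also when NTDS is stopped) is what you expect.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$val = (Get-ItemProperty -Path $lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
if ($null -eq $val) { $val = 0 }
if ($val -eq 2) {
    Write-Warning "DsrmAdminLogonBehavior is 2 on $env:COMPUTERNAME: investigate, then reset it to 0."
} else {
    Write-Host "DsrmAdminLogonBehavior = $val (OK)"
}
```

Run the interactive reset on every DC: the DSRM password is local to each domain controller and is not replicated.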

3-2-1 Backup strategy applied to AD

Principle:

  • 3 copies of the backup,

  • 2 different media,

  • 1 offsite copy.

Practical matrix:

Copy  Media             Location                Frequency      Recommended tool                  Purpose
C1    System State      Local disk (E:)         Daily          Windows Server Backup / wbadmin   Fast restore on the same DC
C2    VM backup (VSS)   Backup repo (SAN/NAS)   Daily          Veeam / DPM / Altaro              Rebuild the VM/DC with granularity
C3    Offsite copy      Azure or remote NAS     Daily/Weekly   Azure Backup (MARS)               Disaster/ransomware protection

C1 and C2 only count as two different media if the backup repository is not the same storage array that hosts the DC's virtual disks.

Native System State Backup

Install Windows Server Backup

GUI

  • Open Server Manager → Manage → Add Roles and Features.

  • Choose Feature-based installation.

  • Check Windows Server Backup.

  • Install.

PowerShell

Run an immediate backup

GUI

  • Windows Server Backup → Local Backup → Backup Once.

  • Choose Custom → Add Items → System State.

  • In Advanced Settings, VSS Settings tab, select VSS Full Backup (choose VSS Copy Backup only if another product also backs up this DC, so its backup chain is not reset).

  • Choose a dedicated disk (e.g. E:).

  • Run backup.

PowerShell

If another backup product also protects this DC, use -vssCopy instead of -vssFull so that the copy backup does not truncate that product's log or differential chain.

Schedule the daily backup

GUI

  • Windows Server Backup → Backup Schedule.

  • Add System State.

  • Frequency: Daily 02:00.

  • Destination: dedicated disk or volume E:.

  • Validate.

PowerShell

Scripts provided for download below:

  • Backup-SystemState.ps1 (backup + rotation + logs)

  • Backup-SystemState-Daily-02h.xml (scheduled task)
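One script that covers the three steps above (install the feature, back up once, schedule the daily run), as an added example: it is not the post's Backup-SystemState.ps1. The target volume E:, the log folder C:\Backup\Logs, the 02:00 schedule and the 14 retained versions are assumptions.

```powershell
# Added example, not the post's Backup-SystemState.ps1. Assumptions: dedicated
# backup volume E:, logs under C:\Backup\Logs, 14 retained versions (14 days at
# one backup per day). Save as C:\Backup\Backup-SystemState.ps1 and run elevated.
param(
    [string]$Target = 'E:',
    [int]$KeepVersions = 14,
    [switch]$Register           # register the 02:00 daily task instead of backing up
)
$ScriptPath = $MyInvocation.MyCommand.Path
$LogDir     = 'C:\Backup\Logs'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# 1. Install Windows Server Backup if missing (same as Add Roles and Features above)
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

if ($Register) {
    # 3. Daily 02:00 task running as SYSTEM, which holds the rights wbadmin needs
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Target $Target -KeepVersions $KeepVersions"
    $trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName 'Backup-SystemState-Daily-02h' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Host "Task 'Backup-SystemState-Daily-02h' registered."
    return
}

# 2. Back up now. -vssFull by default; switch to -vssCopy when another backup
#    product also protects this DC, so its differential/log chain is not reset.
$vssMode = '-vssFull'
$log = Join-Path $LogDir ('systemstate-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))
& wbadmin start backup "-backupTarget:$Target" -systemState $vssMode -quiet 2>&1 | Tee-Object -FilePath $log
if ($LASTEXITCODE -ne 0) {
    Write-Error "System State backup failed (exit code $LASTEXITCODE); see $log"
    exit $LASTEXITCODE
}

# Rotation: let wbadmin prune its own catalog; never delete WindowsImageBackup folders by hand.
& wbadmin delete backup "-keepVersions:$KeepVersions" -quiet 2>&1 | Tee-Object -FilePath $log -Append

# Keep the logs on the same horizon as the backups
Get-ChildItem $LogDir -Filter 'systemstate-*.log' |
    Where-Object LastWriteTime -lt (Get-Date).AddDays(-$KeepVersions) |
    Remove-Item -Force
```

Run it once with -Register to create the task, then let the task call it without the switch every night; the exit code of wbadmin is propagated so the task history shows failures.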

VM-aware Backup (Hyper-V, VMware, Veeam)

Check VSS Writers

All writers must report State Stable and Last error No error, notably NTDS and the DFS Replication service writer; a DC backup that runs while one of them is in error is silently inconsistent.
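An added example (not from the original post) that parses the output of vssadmin list writers and fails when any writer is not Stable, or when the NTDS or DFS Replication writer is missing; the writer-name prefixes it matches on are the ones vssadmin prints on a domain controller.

```powershell
# Added example, not from the original post. Run elevated on the DC before a backup.
$required = @('NTDS*', 'DFS Replication*')    # name prefixes of the two writers a DC backup depends on
$text = (& vssadmin list writers) -join "`n"

# One block per writer:
#   Writer name: 'NTDS'
#      ...
#      State: [1] Stable
#      Last error: No error
$pattern = "Writer name: '(?<name>[^']+)'[\s\S]*?State: \[\d+\] (?<state>[^\r\n]+)[\s\S]*?Last error: (?<err>[^\r\n]+)"
$writers = [regex]::Matches($text, $pattern) | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Groups['name'].Value.Trim()
        State     = $_.Groups['state'].Value.Trim()
        LastError = $_.Groups['err'].Value.Trim()
    }
}
$writers | Format-Table -AutoSize

$bad     = $writers | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
$missing = $required | Where-Object { $p = $_; -not ($writers | Where-Object Name -like $p) }

if ($bad -or $missing) {
    $bad     | ForEach-Object { Write-Warning "Writer '$($_.Name)' is $($_.State) ($($_.LastError))" }
    $missing | ForEach-Object { Write-Warning "Required writer matching '$_' is not registered" }
    # Restarting the VSS service re-registers most failed writers; the NTDS writer
    # lives inside the NTDS service, so a failed NTDS writer usually means a DC reboot.
    exit 1
}
Write-Host "All $($writers.Count) VSS writers Stable; NTDS and DFS Replication writers present."
```

Run it from the backup task before wbadmin or the backup agent starts, so a writer in a failed state aborts the job instead of producing a backup you cannot trust.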

Hyper-V — Production Checkpoints

GUI Hyper-V Manager

  • Right-click VM (DC) → Settings → Checkpoints.

  • Check Enable checkpoints + Production checkpoints.

  • Disable “If production checkpoints fail, create standard…”.

  • Ensure Integration Services (Time Sync, VSS) are enabled.

PowerShell
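The same settings applied from the Hyper-V host with the Hyper-V module, as an added example that is not from the original post; the VM name DC01 is an assumption.

```powershell
# Added example, not from the original post. Run elevated on the Hyper-V host.
$VM = 'DC01'    # assumption

# ProductionOnly = VSS-quiesced checkpoints with no fallback to a standard
# (memory-state) checkpoint, i.e. the two checkbox settings described above.
Set-VM -Name $VM -CheckpointType ProductionOnly

# Integration services a quiesced checkpoint or host-based backup needs
Enable-VMIntegrationService -VMName $VM -Name 'Time Synchronization', 'VSS'

# Verify before relying on it
Get-VM -Name $VM | Select-Object Name, State, CheckpointType
Get-VMIntegrationService -VMName $VM |
    Where-Object Name -in 'Time Synchronization', 'VSS' |
    Select-Object Name, Enabled, PrimaryStatusDescription

# Take a production checkpoint. Because fallback is disabled, a failure here
# means the guest's VSS writers are not ready (check vssadmin inside the DC);
# the host will not quietly hand you a standard checkpoint of a DC instead.
Checkpoint-VM -Name $VM -SnapshotName ('pre-change-{0:yyyyMMdd-HHmm}' -f (Get-Date))
Get-VMSnapshot -VMName $VM | Select-Object Name, SnapshotType, CreationTime
```

A production checkpoint is a consistent point in time for a change window, not a backup: it lives on the same storage as the VM and is removed when you merge it.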

VMware vSphere — Quiesced Snapshots

GUI vSphere

  • Right-click VM → Snapshots → Take Snapshot.

  • Uncheck Snapshot the VM’s memory.

  • Check Quiesce guest file system.

  • Validate.

Veeam — Application-aware Processing

GUI Veeam

  • Create a Backup Job.

  • Add the DC.

  • Guest Processing tab → Enable Application-aware processing.

  • Veeam should detect the Domain Controller.

  • Check Require successful processing.

Post-job check: the job report must show Application-aware processing: Success for the DC; a job that completes without it is a crash-consistent image, not a supported DC backup.

Offsite copy with Azure Backup (MARS)

Create the Recovery Services Vault

  • Azure Portal → Create resource → Backup and Site Recovery → Recovery Services Vault.

Install and configure the MARS agent

  • Download the MARS agent and Vault Credentials.

  • Install on the DC.

  • Configure the passphrase (store it offline).

  • Create a Backup Policy including System State.

  • Run a Backup Now.

Monitor:

  • Event Viewer (Microsoft-Windows-Backup, Azure Backup)

  • MARS console (Job Status)
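The MARS steps above driven from the MSOnlineBackup PowerShell module that ships with the agent, as an added example that is not from the original post. The path of the downloaded vault credentials file, the 03:00 offsite window and the 60-day retention are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the DC after the
# MARS agent is installed. Assumptions: vault credentials file path, 03:00 window,
# 60-day retention.
Import-Module MSOnlineBackup

# Register the DC against the Recovery Services Vault
Start-OBRegistration -VaultCredentials 'C:\Install\vault.VaultCredentials' -Confirm:$false

# Encryption passphrase: Microsoft cannot recover it. Generate it, record it
# OFFLINE (the post's "store it offline"), then set it here.
$passphrase = Read-Host -AsSecureString 'MARS encryption passphrase (16+ characters)'
Set-OBMachineSetting -EncryptionPassphrase $passphrase

# Policy: System State, every day at 03:00, kept 60 days
$policy = New-OBPolicy
Add-OBSystemState -Policy $policy
$schedule = New-OBSchedule -DaysOfWeek Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday -TimesOfDay '03:00'
Set-OBSchedule -Policy $policy -Schedule $schedule
$retention = New-OBRetentionPolicy -RetentionDays 60
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention
Set-OBPolicy -Policy $policy -Confirm:$false

# Backup Now, then read the job status the console would show
Start-OBBackup -Policy (Get-OBPolicy)
Get-OBJob -Previous 3 | Format-List
```

Keep the passphrase with the DSRM password in the offline vault: without it the offsite copy (C3 in the matrix) cannot be restored.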

Non-authoritative Restore (classic)

Enter DSRM

Boot the DC into Directory Services Restore Mode (F8 at startup, or set it in advance with bcdedit /set safeboot dsrepair). Log in as the local Administrator (.\Administrator) with the DSRM password: domain accounts are unavailable because the NTDS service is not running.

Restore System State

GUI

  • Windows Server Backup → Recover.

  • Source: This server (or remote backup).

  • Choose date/time.

  • Type: System State.

  • Mode: Original location.

  • Run.

PowerShell
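A phased script for the whole non-authoritative restore (enter DSRM, restore, leave DSRM), as an added example that is not from the original post. The backup target E: and the version identifier format are assumptions; copy the real identifier from wbadmin get versions.

```powershell
# Added example, not from the original post. Save on the DC and run elevated,
# once per phase. Assumptions: backup target E:, version identifier copied from
# "wbadmin get versions" (format MM/DD/YYYY-HH:MM).
param(
    [Parameter(Mandatory)][ValidateSet('EnterDsrm', 'Restore', 'LeaveDsrm')][string]$Phase,
    [string]$Version,            # e.g. '08/30/2025-02:00'
    [string]$Target = 'E:'
)
switch ($Phase) {
    'EnterDsrm' {
        # Boot into DSRM on the next restart instead of racing F8 on a VM console
        & bcdedit /set '{default}' safeboot dsrepair
        Restart-Computer -Force
    }
    'Restore' {
        # Logged on in DSRM as .\Administrator with the DSRM password
        if (-not $Version) {
            & wbadmin get versions "-backupTarget:$Target"
            throw 'Re-run with -Version <identifier> taken from the list above.'
        }
        # Non-authoritative: no -authsysvol, so AD and SYSVOL resync from partners afterwards
        & wbadmin start systemstaterecovery "-version:$Version" "-backupTarget:$Target" -quiet
        if ($LASTEXITCODE -ne 0) { throw "Restore failed with exit code $LASTEXITCODE" }
        Write-Host 'Restore finished. Run -Phase LeaveDsrm to reboot normally, or stay in DSRM for an authoritative restore.'
    }
    'LeaveDsrm' {
        # Without this the DC boots straight back into DSRM
        & bcdedit /deletevalue '{default}' safeboot
        Restart-Computer -Force
    }
}
```

Restore only from a backup younger than the tombstone lifetime of the forest (180 days by default on current forests); wbadmin will not stop you, but replication partners will refuse a DC whose backup is older than that.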

Verify after reboot
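An added post-reboot health check, not from the original post; it is also the checklist behind the "Post-restore checks" and "Useful commands" sections further down, so it is given once here. It assumes it runs elevated on the restored DC with the RSAT AD tools present.

```powershell
# Added example, not from the original post. Run elevated on the restored DC.
$dc = $env:COMPUTERNAME

# 1. Core services a DC needs before it can advertise
Get-Service NTDS, DFSR, Netlogon, KDC, DNS -ErrorAction SilentlyContinue | Select-Object Name, Status

# 2. dcdiag in quiet mode prints only failures: empty output is the good outcome
$dcdiag = & dcdiag /s:$dc /q
if ($dcdiag) { Write-Warning "dcdiag reported failures:`n$($dcdiag -join "`n")" } else { Write-Host 'dcdiag: clean' }
& dcdiag /s:$dc /test:Advertising /q

# 3. Replication: forest-wide summary, then this DC's inbound partners
& repadmin /replsummary
& repadmin /showrepl $dc /csv | ConvertFrom-Csv |
    Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Success Time', 'Last Failure Status' |
    Format-Table -AutoSize

# 4. A restore done through an unsupported path (raw snapshot rollback) shows up
#    as USN rollback: events 2095 and 2103 in the Directory Service log.
$rollback = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } -ErrorAction SilentlyContinue
if ($rollback) {
    Write-Warning "USN rollback indicators: $($rollback.Count) event(s). Do not continue; demote and rebuild this DC."
} else {
    Write-Host 'No USN rollback events (2095/2103) in the Directory Service log.'
}
```

Keep the USN rollback check even when the restore went through wbadmin: it is the fastest way to prove to an auditor that the DC came back through a supported path.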

Authoritative Restore

Correct sequence

  • Restore System State in DSRM.

  • Do not reboot immediately.

  • Run authoritative restore of desired OU/objects.

  • Reboot normally: the restored objects, now carrying higher version numbers, replicate out and overwrite the deletion on the other DCs.

Example ntdsutil

Also possible object by object:
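Both forms (whole OU and single object) driven from PowerShell inside DSRM, as an added example that is not from the original post. The DNs and the working folder C:\Restore are assumptions for a lab domain.

```powershell
# Added example, not from the original post. Run in DSRM, after the System State
# restore and BEFORE the reboot. DNs and C:\Restore are assumptions.
$Subtree = 'OU=Finance,DC=corp,DC=example'               # restore a whole OU
$Object  = 'CN=Jane Doe,OU=Sales,DC=corp,DC=example'      # or a single object
$WorkDir = 'C:\Restore'                                   # ntdsutil writes its link files here
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

# Each argument is one ntdsutil command line. Authoritative restore raises the
# version numbers of the restored objects (100000 per day since the backup by
# default; "restore subtree <DN> verinc <n>" overrides it) so they win against
# the deletion on the other DCs. ntdsutil still shows a confirmation dialog, so
# this is scripted input, not an unattended run.
& ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree `"$Subtree`"" q q

# Object by object, same mechanics:
& ntdsutil 'activate instance ntds' 'authoritative restore' "restore object `"$Object`"" q q

# ntdsutil also writes ar_<timestamp>_links_<domain>.ldf files for back-links
# (group memberships) that live on other DCs. After the reboot, once replication
# has converged, import each one on a DC of the domain named in the file.
Get-ChildItem $WorkDir -Filter 'ar_*_links_*.ldf' | ForEach-Object {
    Write-Host "After reboot: ldifde -i -k -f `"$($_.FullName)`""
}
```

Skip the .ldf import and the restored users come back without the group memberships held in other domains of the forest, which is the most common cause of "restore succeeded but nothing works" tickets the next morning.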

Post-restore checks

SYSVOL (DFSR)

Check backlog:

DFS Replication logs:

Never roll a DC back to a raw (non-VSS) hypervisor snapshot: it causes a USN rollback and the DC is quarantined from replication.
If SYSVOL stays stuck, follow the official DFSR SYSVOL recovery procedure (non-authoritative resync of this DC, or authoritative from a known-good DC) or demote and rebuild the DC.
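The backlog and log checks above as a script, added here as an example that is not from the original post; the partner DC name DC02 is an assumption. The event IDs it filters on are the DFSR events that matter after a restore.

```powershell
# Added example, not from the original post. Run elevated on the restored DC.
$local   = $env:COMPUTERNAME
$partner = 'DC02'    # assumption: a healthy replication partner

# 1. SYSVOL/NETLOGON must be shared again and the DC must be advertising
Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | Select-Object Name, Path
& dcdiag /s:$local /test:SysVolCheck /test:Advertising /q

# 2. Backlog in both directions for the SYSVOL replicated folder
& dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:$partner /rmem:$local
& dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:$local /rmem:$partner

# 3. DFS Replication log, last 24 hours:
#    4602 SYSVOL initialized and ready     4614 waiting for initial replication
#    2213 DFSR database dirty shutdown, replication paused until ResumeReplication is called
#    4012 replication stopped because the member was offline longer than MaxOfflineTimeInDays
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'DFS Replication'; Id = 4602, 4614, 2213, 4012
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, Message | Format-List

if ($events | Where-Object Id -eq 2213) {
    Write-Warning 'Event 2213: DFSR paused after a dirty shutdown. Resume it with the ResumeReplication WMI method the event text quotes, then re-check.'
}
if ($events | Where-Object Id -eq 4012) {
    Write-Warning 'Event 4012: this member has been out of replication too long; a non-authoritative SYSVOL resync is required.'
}
if (($events | Where-Object Id -eq 4602) -and -not ($events | Where-Object Id -in 2213, 4012)) {
    Write-Host 'SYSVOL initialized (4602) and no blocking DFSR events.'
}
```

A backlog that only shrinks in one direction usually means the restored DC is still waiting on initial replication (4614); give it time before escalating to the recovery procedure.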

Monitoring & Tests

  • Logs: Microsoft-Windows-Backup, Azure Backup.

  • Critical EventIDs: 5, 9, 14, 49.

  • Test at least once a year: rehearse a full authoritative restore in an isolated lab, using a real backup and the stored DSRM password.
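A scheduled check of the two logs named above, as an added example that is not from the original post. It flags the event IDs the post lists as critical, the absence of a recent success event, and MARS errors; the 26-hour window and the backup target E: are assumptions matching a 02:00 daily job.

```powershell
# Added example, not from the original post. Run from a daily task after the backup window.
$MaxAgeHours = 26                     # assumption: 02:00 daily job plus slack
$Target      = 'E:'                   # assumption: C1 backup volume
$since       = (Get-Date).AddHours(-$MaxAgeHours)
$problems    = @()

# Windows Server Backup: the event IDs the post lists as critical
$critical = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Backup'; Id = 5, 9, 14, 49; StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $critical) { $problems += "Backup event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])" }

# Event 4 in this log is "The backup operation has finished successfully"
$lastOk = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Backup'; Id = 4 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $lastOk -or $lastOk.TimeCreated -lt $since) {
    $problems += "No successful backup in the last $MaxAgeHours h (last success: $($lastOk.TimeCreated))"
}

# The catalog must agree with the event log
$newest = & wbadmin get versions "-backupTarget:$Target" 2>$null | Select-String 'Backup time:' | Select-Object -Last 1
if (-not $newest) { $problems += "wbadmin get versions lists no backup on $Target" }

# MARS agent log (channel name as installed by the agent; adjust if yours differs)
$mars = Get-WinEvent -FilterHashtable @{ LogName = 'CloudBackup/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object LevelDisplayName -in 'Error', 'Critical'
foreach ($e in $mars) { $problems += "MARS event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1                           # non-zero so the task or monitoring agent raises an alert
}
Write-Host "Backups healthy. Newest catalog entry: $newest"
```

Route the non-zero exit code to whatever already pages you (the scheduled task's last result, or a monitoring agent running the script); a backup that silently stopped months ago is the failure mode this section exists to catch.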

Useful commands

Bonus

Guided restore GUI script available for download below.