Manual Runbook Steps for Active Directory Forest Recovery

Runbooks include manual steps, which are pauses in the runbook for you to validate recovered data and to complete other tasks that are required for restoring business continuity.

If a manual step is not necessary during a forest recovery, you can configure the step to be skipped in the runbook, so it does not interrupt the recovery.

Each manual step is listed below with its description, whether it is mandatory, and the related link to the Active Directory Forest Recovery Guide or other Microsoft content.

Step: Isolate the recovery environment from the original Active Directory
Description: Verify that the isolated recovery network is fully isolated from the production network. If recovered domain controllers can communicate with the original AD, corruption might be reintroduced in the recovered environment. Methods to isolate your network include using virtual network segmentation and physically disconnecting network cables. This manual check is your final opportunity to verify that the recovery network is isolated before proceeding with the recovery.
Mandatory: Mandatory
Link: Perform the initial recovery

Step: Pause for confirmation prior to recovering domain
Description: Verify that the recovery steps in the runbook for the domain are correctly configured and that the recovered AD data from the previous domain matches your expectations. During this pause, you can perform additional verification, such as testing connectivity and applications.
Mandatory: Not mandatory
Link: Perform the initial recovery

Step: Reset all admin passwords
Description: If you suspect that the AD failure is caused by a malicious act, you can reset the passwords of administrative accounts, such as the members of the Enterprise Admins and Domain Admins groups, to prevent further access by malicious actors.
Mandatory: Not mandatory
Link: Perform the initial recovery

Step: Reset all user passwords
Description: If you suspect that the AD failure is caused by a malicious act, you can reset the passwords of all user accounts in the AD domain to prevent further access by malicious actors.
Mandatory: Not mandatory
Link: Perform the initial recovery

Step: Re-connect network cables
Description: After the forest recovery is complete and the recovered AD is fully operational, you can make the recovered AD services available to clients, applications, and users. Verify that no domain controllers from the original AD environment are present, because communication with the original AD can reintroduce corruption.
Mandatory: Mandatory
Link: None
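The isolation check, the domain-controller inventory check before reconnecting, and the two password-reset steps above can all be scripted from a domain controller in the recovered forest. The following PowerShell is an added example and is not code from the runbook product or from the Microsoft guide. It assumes the ActiveDirectory module is available; the original-forest addresses, the expected recovery DC host names and the log path are constructed placeholders, and Test-RecoveryIsolation, New-RandomPassword and Reset-AccountPasswords are hypothetical function names chosen for this example.

```powershell
# Added example: run on a DC in the RECOVERED forest. Every address, host name and path
# below is a constructed placeholder.
Import-Module ActiveDirectory

$OriginalDcAddresses = @('10.10.0.11', '10.10.0.12')               # DCs of the ORIGINAL (suspect) forest
$ExpectedRecoveryDcs = @('rdc01.corp.example', 'rdc02.corp.example')  # DCs that should exist after recovery

function Test-RecoveryIsolation {
    # $true only if no original DC answers on the core AD ports AND the recovered
    # forest advertises no DC other than the expected ones.
    param([string[]]$OriginalDcs, [string[]]$ExpectedDcs, [int[]]$Ports = @(88, 389, 445))
    $leaks = foreach ($addr in $OriginalDcs) {
        foreach ($port in $Ports) {
            if (Test-NetConnection -ComputerName $addr -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue) {
                "$addr`:$port"
            }
        }
    }
    $unexpected = Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty HostName |
        Where-Object { $ExpectedDcs -notcontains $_ }
    foreach ($l in $leaks)      { Write-Warning "Original DC still reachable: $l" }
    foreach ($u in $unexpected) { Write-Warning "Unexpected DC in recovered forest: $u" }
    return (-not $leaks -and -not $unexpected)
}

function New-RandomPassword {
    # CSPRNG-backed password; rejection sampling avoids modulo bias over the alphabet.
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $buf   = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $pw = $sb.ToString()
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')  # satisfy default complexity
    return $pw
}

function Reset-AccountPasswords {
    # Sets a fresh random password on each account and logs WHICH accounts were reset,
    # never the passwords. Supports -WhatIf so the list can be reviewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Accounts,
          [string]$LogPath = '.\password-reset-log.csv')   # hypothetical log location
    $log = foreach ($acct in $Accounts) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Reset password')) {
            $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword $secure
            # Deliver the new credential to the account owner out of band.
            [pscustomobject]@{ Account = $acct.SamAccountName; ResetAt = (Get-Date).ToString('o') }
        }
    }
    if ($log) { $log | Export-Csv -Path $LogPath -NoTypeInformation -Append }
    return $log
}

# Admin accounts: members of the privileged groups, resolved recursively. Enterprise Admins
# lives in the forest root domain; add -Server <root DC> when running from a child domain.
$privileged = foreach ($g in 'Enterprise Admins', 'Domain Admins') {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}
$privileged = $privileged | Sort-Object DistinguishedName -Unique

# All user accounts: every enabled user except krbtgt, which has its own reset procedure.
$allUsers = Get-ADUser -Filter 'Enabled -eq $true' | Where-Object SamAccountName -ne 'krbtgt'

if (Test-RecoveryIsolation -OriginalDcs $OriginalDcAddresses -ExpectedDcs $ExpectedRecoveryDcs) {
    Reset-AccountPasswords -Accounts $privileged -WhatIf   # remove -WhatIf to perform the reset
    Reset-AccountPasswords -Accounts $allUsers -WhatIf
} else {
    Write-Error 'Recovery network is not isolated; resolve that before touching any account.'
}
```

Test-RecoveryIsolation is deliberately the gate for everything else: the page makes the isolation check mandatory, and a password reset performed while the original DCs are still reachable protects nothing if a compromised DC can replicate back in. Running the reset functions with -WhatIf first lets you review the account list (service accounts that sit in Domain Admins, for instance) before any password changes.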

Domain and Forest trusts

If the forest recovery is in response to a security breach, after the runbook completes, you can reset the trust passwords. For information, see Reset a trust password on one side of the trust.

If there is more than one forest in your environment, after the runbook completes, you may have to re-establish the recovered forest’s trust with other forests. For information, see How trust relationships work for forests in Active Directory.

Microsoft documents several DNS configuration requirements to support forest trusts. IP addresses and DNS configuration may have changed during the forest recovery and need to be adjusted to re-establish a forest trust. For example, if conditional forwarding rules were used to route DNS queries between forests, after the runbook completes the conditional forwarding rules may need to be updated to use the recovered IP address of the primary DNS server in the recovered forest.
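The trust and DNS adjustments described in this section, as an added PowerShell example that is not code from the runbook product or from the Microsoft guide. It assumes the DnsServer and DnsClient modules on the DNS server and the netdom tool on a domain controller; the forest names corp.example (the recovered forest) and partner.example (the other forest), the addresses, and the function names Update-ConditionalForwarders and Test-ForestTrustDns are constructed for this example. The netdom syntax follows the Microsoft article on resetting a trust password on one side of the trust that the text links to.

```powershell
# Added example: phase 1 runs on the DNS server of the forest whose conditional forwarder
# must be repointed (here the partner forest); phase 2 runs on a DC in the recovered forest.
# Names and addresses are constructed placeholders.
Import-Module DnsServer

# Conditional forwarder zone -> DNS servers to forward to. The recovered forest's primary DNS
# server received a new address during recovery, so the partner forest's forwarder is stale.
$ForwarderTargets = @{ 'corp.example' = @('10.30.0.53') }

function Update-ConditionalForwarders {
    # Repoints existing conditional forwarder zones whose target list differs; warns about
    # zones that do not exist at all. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Targets)
    $zones = Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder'
    foreach ($name in $Targets.Keys) {
        $zone = $zones | Where-Object ZoneName -eq $name
        if (-not $zone) {
            Write-Warning "No conditional forwarder zone for $name; create one with Add-DnsServerConditionalForwarderZone"
            continue
        }
        $old = ($zone.MasterServers | ForEach-Object { $_.ToString() }) -join ','
        $new = $Targets[$name] -join ','
        if ($old -eq $new) { continue }
        if ($PSCmdlet.ShouldProcess($name, "forwarders $old -> $new")) {
            Set-DnsServerConditionalForwarderZone -Name $name -MasterServers $Targets[$name]
        }
    }
}

function Test-ForestTrustDns {
    # A forest trust cannot be validated unless the other forest's DCs are discoverable,
    # so check that the _msdcs SRV record for the forest resolves through the forwarder.
    param([Parameter(Mandatory)][string]$ForestName)
    $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestName" -Type SRV -ErrorAction SilentlyContinue
    return [bool]($records | Where-Object Type -eq 'SRV')
}

# Phase 1 (partner forest DNS server): repoint the forwarder, then confirm DC discovery works.
Update-ConditionalForwarders -Targets $ForwarderTargets
if (-not (Test-ForestTrustDns -ForestName 'corp.example')) {
    Write-Error 'corp.example DCs are not resolvable; fix DNS before resetting the trust.'
    return
}

# Phase 2 (DC in the recovered forest, after a breach): reset this side of the trust password.
# The partner forest's administrators run the equivalent command on their side with the same
# new password, after which /verify should succeed from either side.
$TrustPassword = Read-Host 'New trust password (share with the partner forest out of band)'
netdom trust corp.example /domain:partner.example /resetOneSide "/passwordT:$TrustPassword" /userO:CORP\admin /passwordO:*
netdom trust corp.example /domain:partner.example /verify
```

Update-ConditionalForwarders compares the current target list with the intended one before changing anything, so running it with -WhatIf on each DNS server that holds a forwarder for the recovered forest gives you a quick inventory of which forwarders still point at pre-recovery addresses.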
