Runbooks organize AD forest recovery into 3 phases: 1) for each domain, restore a single DC from backup; 2) restore additional DCs from backup; 3) promote the other DCs.
Note
In runbooks, steps are color-coded as follows to indicate which phase the steps are in:
-
Phase 1: Dark blue
-
Phase 2: Light blue
-
Phase 3: Gray
Phase 1: Restore a Single DC from Backup in Each Domain
In the first phase of a forest recovery, for each domain, a single DC is restored from backup. This is the minimum required to get a functioning forest back in place, without consideration for users and authentications at volume. After a single DC is restored from each domain, you can check the recovered data and perform forensics to verify that no attack artifacts remain, minimize data loss, and confirm the directory is healthy.
Phase 2: Restore Additional DCs from Backup
In the second phase of a forest recovery, additional DCs are restored from backup. This is a critical phase in enterprise organizations because a single DC can't satisfy the load placed on it by globally distributed authentication requests. Without additional DCs recovered quickly, bringing the AD forest back online in production in larger organizations is impossible.
Phase 3: Promote the Other DCs
In the third phase of a forest recovery, the remaining original domain controllers are rebuilt using DC promotions so they can replicate a fresh copy of the AD database from their partners.
