Active Directory Resiliency Assessment

Question 1 of 11

Active Directory Complexity Single domain forest

Excellent! A single domain forest is the gold standard for simplicity and manageability. You’re minimizing complexity and risk—well done!

Single forest with root and single child

Nice! A manageable structure that still maintains some logical separation. Keep monitoring for unnecessary domain sprawl.

Root domain with multiple child domains

You’ve got structure, but it might be adding complexity. Consider consolidation opportunities to simplify management and reduce replication overhead.

Multiple forests

That’s a complex setup! If possible, review whether all forests are truly needed—consolidation could reduce attack surface and simplify operations.

Number of Domain Controllers 5 or fewer

Nicely balanced! You’ve kept your DC footprint efficient and easier to manage while still maintaining resilience.

6-10

Good coverage. You’ve got a healthy number of DCs for redundancy—just ensure patching and replication remain consistent.

11-50

Growing larger! As environments scale, it’s critical to maintain standardized management and backup practices.

50-100

That’s a lot of DCs—complexity and overhead can add up. Review whether all are necessary or if consolidation could improve efficiency.

Greater than 100

That’s a massive AD footprint! Consider modernizing with consolidation or cloud integration to reduce operational burden.

AD Backup Strategy Daily, full system state backups of all DCs

Fantastic! You’re setting the standard for AD resilience—this is the best practice.

Weekly system state backups of some DCs

Solid start, but increasing frequency or coverage will strengthen your recovery posture.

VM backups of DCs only

Partial protection—remember, VM backups alone don’t always ensure full AD recovery. Consider dedicated system state backups.

No dedicated AD backups

Risk alert! Without system state backups, AD recovery could be painful. Implement a dedicated backup strategy ASAP.

Privileged Access Management (PAM) PAM solution implemented and managing all privileged accounts

Excellent! Most organizations haven’t fully implemented PAM, so you’re ahead of the curve. Keep up the great governance!

PAM solution implemented, managing most accounts

Strong progress! You’re nearly there—close the final gaps to ensure complete privileged account coverage.

Limited PAM implementation

You’re on the right path—consider expanding PAM to cover more accounts and improve auditability.

No PAM solution

Time to act! PAM is critical for stopping lateral movement and credential abuse. Start evaluating PAM options soon.

Domain Controller Patching Monthly patching with formal testing/change management

Excellent hygiene! You’re modeling disciplined patch management—key for AD security.

Regular patching without formal testing

You’re staying current—adding structured testing could take you from good to great.

Inconsistent or manual patching

Some progress, but inconsistent patching leaves windows of vulnerability. Automate where possible.

DCs not patched in 90+ days

Critical risk! Unpatched DCs are prime targets—establish a consistent patch cycle immediately.

Tiered Administration Model Full tiered administration implemented

Excellent! You’ve separated privileges smartly—this is key for containing attacks.

Partial tiering implementation

Strong effort. Expand your model to close privilege escalation paths across all systems.

Admin accounts segregated by some function

Decent start! You’ve reduced some risk but full tiering will give you stronger isolation.

No tiering - same credentials across all systems

High risk! Shared credentials create major exposure—implement tiering soon.

Multi-Factor Authentication Coverage MFA enforced for all users (admin and standard)

Outstanding! You’ve built a robust security culture that goes beyond compliance.

MFA enforced for administrative/high-risk accounts only

Good progress—next step is to extend MFA to all users for complete protection.

MFA available but not consistently enforced

Close, but enforcement is key. Attackers love inconsistent MFA setups.

No MFA implementation

Urgent! MFA is one of the easiest and most effective defenses—get started right away.

Business-Critical Application Identification All business-critical applications identified

Excellent visibility! You know what matters most—a strong foundation for resiliency.

Most business-critical applications identified:

Solid footing. Take it one step further to ensure everything mission-critical is accounted for.

Some business-critical applications identified

You’re making progress. A complete inventory will drive more effective recovery planning.

Business-critical applications not identified

Time to start mapping! You can’t protect what you haven’t identified.

Disaster Recovery Planning Detailed DR plans for all business-critical applications

Excellent! You’re ready to recover quickly and confidently.

DR plans for most business-critical applications

Great progress—expand coverage and practice those plans regularly.

Some DR plans for some applications

You’re thinking about DR, but coverage gaps remain. Build consistency across all critical apps.

No DR plans for business-critical applications

High risk! Without DR plans, downtime could be costly—time to prioritize recovery strategy.

AD Authentication Dependencies Business-critical apps don't depend on AD/Entra ID

Smart architecture! You’ve designed resilience into your stack.

Some business-critical apps require AD/Entra ID

Partial dependency—review alternatives or ensure strong AD recovery plans exist.

All business-critical apps require AD/Entra ID

Heavy dependency—if AD goes down, everything stops. Prioritize AD recovery readiness.

AD Integration in Cyber-Resiliency Plans AD in cyber-resiliency plan with practiced forest recovery

Gold standard! You’ve moved from planning to practiced readiness—impressive!

AD in DR plan with documented procedures (not practiced)

Strong documentation. Add regular testing to truly validate readiness.

AD-specific disaster recovery plan exists

Good start—integrate it into your broader cyber-resiliency strategy for complete coverage.

AD not included in any recovery plans

Major gap—AD is mission-critical. Make it part of your resiliency plan immediately.

You are at risk — see how you compare and get your full report.

Results

RED ZONE: Critical Risk

Your AD infrastructure faces critical security and recovery gaps that could result in extended downtime during an incident.

Minimal to no backup strategy

No privileged access management

Limited or no recovery planning

High vulnerability to ransomware/cyberattacks

You may be at risk — see how you compare and get your full report.

Results

ORANGE ZONE: Moderate Risk

Your AD has foundational protections but lacks comprehensive resiliency measures for business continuity.

Basic security measures in place

Some backup and recovery planning

Room for significant improvement

Moderate resilience to incidents

You are not at risk — see how you compare and get your full report.

Results

GREEN ZONE: Strong Resiliency

Your AD demonstrates strong resiliency practices with minor optimization opportunities.

Comprehensive security posture

Robust backup and recovery plans

Well-prepared for incident response

Strong business continuity capabilities

First Name

Last Name

Business Email

Work Phone

Company

Job Title

Country