Mainstage Keynote Session
Mishaps to Meltdowns: Protecting and Recovering AD and Entra ID
In this SHIFT 2025 session, host Darren Thompson sits down with identity expert Dan Conrad to dive deep into one of the most overlooked yet mission-critical areas of cyber resilience: Active Directory (AD) and Entra ID recovery.
About This Session
Active Directory (AD) and Entra ID remain the backbone of enterprise authentication and access, making them among the most targeted and highest-impact assets in cyberattacks. In this SHIFT 2025 session, Darren Thompson and identity expert Dan Conrad break down how identity failures—whether accidental mishaps or full-blown meltdowns—can cripple an organization in minutes.
Ransomware has fundamentally changed the identity recovery landscape, with attackers prioritizing domain controllers, replication paths, and privileged accounts. Darren and Dan explain why manual AD forest recovery is fragile, slow, and prone to failure—especially during real-time crises when pressure is highest.
The session explores the concept of “minimum viable Active Directory”—identifying the essential components required to get the business operational again. Dan highlights why determining these dependencies and practicing recovery in an isolated Cleanroom environment is essential to cyber readiness and operational resilience.
With capabilities like Clean OS Recovery, real-time AD auditing, and Unity Platform integration, Commvault delivers a unified identity resilience strategy that prepares CISOs, identity architects, and AD admins to withstand identity-driven attacks and restore critical services quickly and reliably.
Key Takeaways
- AD and Entra ID are prime ransomware targets, and compromise can immediately halt authentication, access, and core business operations.
- Manual AD forest recovery is slow and unreliable, especially during real-world cyber pressure.
- Commvault Cloud automates identity recovery steps, reducing rebuild times dramatically and eliminating manual failure points.
- Understanding “minimum viable AD” is essential to restoring critical identity functions quickly and enabling business continuity.
- Cleanroom recovery practice strengthens cyber readiness, allowing teams to rehearse AD forest rebuilds and validate processes safely.
- The Commvault Unity Platform unifies data, identity, and application resilience, delivering end-to-end protection against identity-driven attacks.
Active Directory
Commvault’s Active Directory solution provides automated backup and recovery capabilities for Microsoft Active Directory and Entra ID, enabling rapid recovery of entire AD forests.
Cleanroom Recovery
Cleanroom Recovery combines unique capabilities to identify and ensure a clean recovery, plus the ability to guarantee safe recovery to a cleanroom in the cloud.
Microsoft Entra ID
Stay resilient and recoverable in the face of Entra ID outages, accidental and malicious changes, and corruption.
Frequently Asked Questions
Why are Active Directory (AD) and Entra ID so vulnerable to cyberattacks?
AD and Entra ID manage access and authentication across the enterprise. If compromised, attackers can escalate privileges, deploy ransomware broadly, and shut down business operations—making identity systems the highest-value targets.
What makes AD forest recovery so difficult during a cyber event?
AD recovery involves hundreds of technical steps, dependencies, and domain controller rebuilds. Under pressure, manual processes often break down, creating delays and increasing the risk of reinfection or incomplete restoration.
What is “minimum viable Active Directory”?
Minimum viable AD identifies the essential identity components needed to restart business operations quickly. It enables teams to focus on restoring what matters most first instead of rebuilding the entire identity environment immediately.
Why is Cleanroom testing important for AD and Entra ID recovery?
Cleanroom testing allows teams to practice identity recovery in an isolated, safe environment. This helps uncover gaps, validate automation workflows, and build confidence before facing a real cyber incident.
Transcript
Hello and welcome to the Shift podcast, recovering Active Directory and Entra ID.
I’m Darren Thompson and I’ll be your host today.
Now Active Directory and Entra ID remain the backbone of identity for most organizations and also one of the biggest attack targets.
When AD goes down, everything from business systems to physical access can stop.
Yet many recovery strategies are still manual or non-existent.
In this session, I’m going to be talking to Dan Conrad, global expert in everything identity.
We’re going to talk about the evolving challenges of AD recovery and how Commvault Cloud helps organizations to automate and accelerate that process.
Dan, thanks so much for being with us today.
Good to be here, Darren.
So let’s start with the basics.
Why do Active Directory and Entra ID remain one of the most critical, yet one of the most vulnerable assets in our organizations today?
There are many facets to an answer to that question, but I think one of the reasons it’s most vulnerable is because it’s highly functional.
You know, high functionality creates a lot of possibly open doors, but it’s still vulnerable because it’s been around for 25 plus years.
Organizations depend on it and it hasn’t failed in 25 years, right?
It’s the same Active Directory they stood up 25, you know, maybe 20 years ago.
Sure, it’s been upgraded.
It’s evolved a little bit.
It’s been extended.
But at the core, still the same Active Directory and it’s still running and they haven’t
needed to recover it yet.
It’s sort of like electricity in a data center.
You just assume it’s going to be there and we’ve forgotten about it.
So it’s not part of a recovery plan.
But it’s certainly in recent years, I guess, become a target for criminals.
Talk a little bit about that.
If that wasn’t an issue, we probably wouldn’t be having this conversation today because
the directory services themselves are still fairly vulnerable, but they were less valuable
until things like ransomware came around.
Like you had breaches like Target and you had breaches like the OPM breach, but those
weren’t attacks where they actually compromised the entire organization and shut it down.
They simply stole data, which was bad enough.
Now when you can steal the data and then on the way out shut the organization down from a
factor they weren’t going to realize was going to happen or didn’t consider a possibility,
things change quite a bit.
Interesting.
Now, I know we’ve been working quite hard on a piece of functionality in particular, and I
hear a lot about forest recovery.
Tell us a little bit about that.
What is it and why does forest recovery look more complex to an administrator as opposed
to any other recovery?
Well, right.
We’re not talking about server recovery or even file system recoveries or even simply putting data back where it came from.
There’s a complicated process to recover an Active Directory forest.
And if you’re not familiar with the terminology, Active Directory, one of the
organizations within Active Directory is the forest structure.
So forests contain domains, which contain domain controllers, which is what people relate
to as the servers.
I can recover a server, so I should be able to recover a forest.
And Active Directory is this moving, living, breathing being that interacts with all the
other parts.
And from a security perspective, it’s like you and I are constantly resetting a trust relationship.
We know who we are.
So if you go away for a while and somebody replaces you with a copy of Darren, I’m going
to be very aware and it’s not going to function that way.
And that’s what Active Directory does.
So if an individual domain controller fails, most AD admins know you don’t recover a
domain controller because that will actually corrupt the rest of the directory.
You need to rebuild a new one.
You clean up where the old one was, you rebuild a new one.
When you’re talking forest recovery, you need to do that to all of the domain controllers at the same time.
So there’s operating system recovery, and then there is the 125 orchestration steps you
need to do to make the forest function once it comes back.
And I think I’m starting to see the answer to my next question, but talk to us a little
bit about how organizations who do this very manually suffer as a result of that manually
intensive process.
Right.
It’s not to say it can’t be done.
It is a process that can be done.
Microsoft publishes the forest recovery guide.
Most AD admins are very aware of this guide, but hope they never have to use it.
And the wrong time to figure out how to recover a forest is when you need to recover a
forest.
So unless you’ve planned for that and even built your Active Directory to be recovered,
it’s going to be a very difficult process because all of these, and I say, you know, I’ll
throw out varying number of steps because it depends on how many steps you need and all of
them need to be executed correctly or sometimes you get to start over.
One organization came to us, about 40,000 employees, and they had a single domain forest, which in the Active Directory world is the easiest thing to recover.
What they determined was their minimum viable Active Directory would be eight domain
controllers.
Like that’s pretty lean, but it’s doable.
And they wanted to try to do it themselves.
Like how do we try, you know, great effort, let’s practice this and see what it does.
So they recovered it and it took them 33 hours.
That’s a Herculean effort of many people and they got it done.
They know how to do it.
And they came to us and said, can you beat that?
Right.
Well, of course we can.
Right.
So we did the same process.
Given the opportunity to compete in a race, we cheated.
So we were able to recover the forest in just under two hours.
So, yeah, just because we automated all those steps, you don’t have to, you know,
reference it and gather the right information to apply.
You know, every individual step is going to be different.
Now as a CISO, what I obsess about is recovery times, right?
So I’ve been breached, Active Directory and everything else has gone.
So, you know, those hugely extended periods of time needed for manual process like that is
all going to affect the amount of time it takes me to get my business back online again.
Right.
The recovery time of Active Directory is always a main concern.
I try to move focus away from recovery time into recovery accuracy.
Right.
You know, the knee-jerk reaction when you need to recover a forest is to recover it back to production from the last possible backup.
You know, when you knew it was running.
I would encourage organizations to take a breath, recover to an isolated recovery
environment.
Because, as we’ll probably get into, we’re going to encourage you to practice your forest
recoveries into this isolated recovery environment.
So you can bring up a minimum viable version of your Active Directory, which in a single domain forest is one domain controller, very easy to do; in a multiple domain forest it would be one domain controller per domain, to look at the directory, see what’s there, possibly figure out how it got compromised to make sure that it doesn’t happen again.
Once you’ve got that process nailed down, might take you a couple hours, jump over to
production and do your production recovery.
Right.
And then do all of that under stress and chaos, right?
Right.
That’s what a feels like.
Exactly.
The wrong time to learn to do it is when it’s down.
Yeah, absolutely.
So we’ve touched on quite a few topics already.
Let’s just take a step back and talk a bit in general about how Commvault helps with all
of this.
Just give us the overview to begin with.
So we’re basically automating the Microsoft process.
I’m looking at it from two perspectives.
We’re engaging customers and having them realize that the plans that they think they have in place are probably not going to work.
And I would even say, when I ask customers about their plan and they start to tell me, I
really love gathering these stories because there’s some very creative answers out there.
Anything from designing the forest to be recovered, which is a one-off, to designing or spinning up 49 additional domain controllers was one of them.
Every day they turned seven off and turned seven back on.
Like, that’s not going to do anything.
You know, from our perspective, we’re going to automate that complete process.
So if we can get them to practice this and execute it and, just have that muscle memory on
forest recovery and then realize that it needs to be recovered a certain way, those are
huge steps forward.
Yeah.
And talk to us about the USP.
So other people do that.
You know, why Commvault? What makes us different?
Well, because we’re doing it, we’re a data protection company first off, right?
So we know how to protect data, and we’re doing our forest recovery on the underlying Commvault platform.
And whether that’s software or SaaS, I’m definitely a fan of the SaaS solution in Active Directory Forest Recovery.
But it’s all built into our platform.
So we’re using things like immutable storage, threat scan underneath.
And if you don’t have an isolated recovery environment to practice to, we’ve got
Cleanroom.
We’ll probably have a discussion later on one of these podcasts about Cleanroom Recovery.
And this is an environment that doesn’t exist until you need it.
So if you need to practice a forest recovery once a quarter, Cleanroom’s a great place to
do that.
You’re not going to take that to production, it gives you a great place to learn your
steps, learn your muscle memory.
A customer a few weeks ago asked me, if we do the solution with Commvault, how do we know
it’s going to work?
I was like, well, you’re going to do it every Friday.
Why wouldn’t it work when you need it on Monday?
So it’s not a concept of wait till you need to push the button and push the button.
You know because you’ve done it over and over again.
And it’s a simple process by just simply executing the automated scripts that take everything from, you know, building the operating system out of a clean OS or recovering from a system state backup or a DC promo recovery and then executing those 150 steps along the way.
You know, it’s an oldie but it’s a goodie.
Practice makes perfect.
It does.
That’s true in IT as well as everywhere else.
It does.
And you know, your organization will evolve, situations will change.
So when you practice, you’ll identify those changes.
Maybe you added some structure to your Active Directory that you missed out on your
recovery.
It’s a great place to point that out.
So tell us about, I know this is a really active part of our roadmap at Commvault.
There’s a lot of engineering effort going into this area of our product.
Tell us about the sort of latest and greatest features that we’re applying to your latest
code.
Sure, just between us.
Just between us.
Just between us.
Nobody’s listening.
Yes, the latest and greatest, we’ve just introduced Clean OS Recovery, which is a great step forward in the world of forest recovery because we’re not bringing over any residual OSes, none of that part of the existing operating system.
Now, Commvault had ways to take care of that anyway, but this is going to be a clean OS
with Active Directory on top of it.
So you don’t have to worry about, if you had saved things on the domain controllers, which was a bad idea, but you’re going to bring over just a brand new Active Directory domain controller to do that.
The other side of that is we’re going to bring in, in the very near future, Active Directory assessments.
When your backups run, say it’s daily, it’s going to gather information about your directory and say, you’ve created vulnerabilities in these five areas, and here’s what you need to do to resolve those vulnerabilities.
So it’s going to be right there in your face.
And with that information, the chances of you needing to do a forest recovery are much
less.
And then we’ll have real-time Active Directory auditing in the near future as well.
We’re going to be talking about that later this afternoon in one of the sessions, where if
somebody changes your directory in a certain way, you’re going to have the ability to roll
it back based on either your backups or the existing data.
And we’ve been hearing at the conference this week about Unity, the Unity platform, the
latest release.
And you mentioned the idea that this is compelling because it’s part of a platform, it’s part of the general sort of Commvault approach.
But now we’re bringing security, identity and protection and recovery all together.
Talk a little bit about that and what that means to somebody that worries about Active
Directory every day.
Well, you know, from a Commvault perspective, we’re using the data, the backup and recovery of the data, really just the backup as a choke point for data, whether that’s, you know, file systems, virtual machines, you know, M365, Salesforce, as a point to analyze the data and make decisions based on the information that you have.
Gathering the information is almost pointless if you can’t use it to make decisions,
right?
So, you know, it’s sort of like the pilot telling you you’re going to be flying at 35,000
feet.
Like, I don’t know what I do with that information.
But telling me that, you know, if we’re going to be going to the wrong airport, I might want to get off the plane.
So based on the information we’re gathering in this analysis of the data coming through the backup system, we’re going to be able to analyze and give you real-time insight on your data.
Yeah, that’s incredible.
And I’ve been speaking to actually CISOs and CTOs this week in New York around what this means in context, which is, I’ve got under one pane of glass, I’ve got the ability to think about Active Directory in the way that we’ve described, corporate data, my applications, wherever they might be, cloud, hybrid, on-prem, and so to have a single platform managing all of that plus my governance is pretty compelling.
We focus because I come from this world on AD, but let’s talk a little bit about Entra,
Entra ID.
Just explain where does that fit, how do things extend into that world for us?
So most organizations, everybody has Active Directory, let’s just say that.
I can say probably 95% of the organizations have Active Directory.
Most of those organizations also have Entra ID because they have M365.
So they’re hosting their SharePoint, their mail, their teams, all in M365.
So Entra ID is the directory service behind that.
Again, 95% of those organizations synchronize that data in Entra ID from their on-prem Active Directory.
So on-prem Active Directory is the authoritative source for most of those identities.
So that’s synchronizing into Entra and giving users access to cloud-based applications.
I am seeing a very slow shift of organizations realizing that they don’t need user objects or user entities and identities on-prem and just moving to just an Entra identity.
So for instance, a large retail customer, you know, maybe they have 25,000 employees,
maybe only 5,000 of those working in office where they need to access the printers and the
shares and things like that, old school stuff.
The rest of them just need to authenticate to the cloud-based applications.
It’s a great place to store Entra.
So they can have Entra-only objects.
But with Entra comes some complexities, right?
First off, there’s no forest recovery for Entra.
That’s not a concept.
It’s not possible.
It’s object and attribute level recovery.
The user, since they’re synchronizing from on-prem or maybe another identity provider or
something like that, recovering the objects is good, but it’s not absolutely critical.
But the important parts of the configurations, so conditional access policies, your
enterprise applications that give users access to SaaS applications, that’s what you
really need to focus on recovering there.
Right.
Makes sense.
So let’s change gear, come out a little while.
I want to paint an awful picture for you.
We’ve just been compromised.
The organization’s down.
Clearly, AD is going to be one of the first things I turn to to recover.
Without that, I’ve got no users, I’ve got no identities, no privileges.
Just talk us through, at a high level, what that recovery process would look like.
So what I’ve found is when an organization, when I’m looking at their DR plans or their CR
plans, they’re inadvertently using Active Directory to recover Active Directory.
And it’s a strange concept.
It’s one of those palm to the forehead moments.
So when you go to execute your cyber recovery plan, the first thing you do is you try to log on to your control plane, whether it’s Commvault or something else.
Most of the time, that authenticator into the control plane is an Active Directory
credential.
So you can’t use Active Directory to recover Active Directory.
Or the server you’re doing it on is domain-joined.
Not going to be there.
So you have to take that into account.
Once you get to that point where you’re going to recover your Active Directory, there’s a
lot of work to be done.
If you were in the right mindset ahead of time, that work’s gonna be a little bit simpler
because you’ve designed for recovery.
In a Commvault world, it’s going to be, like I said, most likely you would listen to Dan and you would recover to an isolated recovery environment after you’ve taken a breath and realized, you know, to do this right, I need an extra hour to do this.
Look at my minimum viable Active Directory recovery to see how I’ve been compromised and
analyze that.
Even go so far as to compare backups.
That’s one thing that Commvault offers that other people don’t: we can take a point in time from a backup, say three months ago, of the objects and attributes in Active Directory and compare it to the live environment if it still exists, or to the backup you took yesterday to see what the changes are.
Did somebody gain elevated privileges?
Were group policies changed and things like that?
So in our session this afternoon, we’re going to show the way an attack chain would work
for an Active Directory and rolling back a group policy that was linked to the top that
applied a malware package is really what we’re focused on from that perspective.
And being able to use the data resilience or the recovery process of an object or an attribute to eliminate an attack chain.
So you’ve touched on a couple, but let’s talk about that.
Let’s talk about the features of Commvault specifically that you’re most excited about, as somebody that helps people recover Active Directory all the time.
What are the things in Commvault, the features, the functions, the product differentiators
that really make us different?
I’ve been at Commvault just a little over a year now, and I’m still, granted, I’ve been doing nothing but Active Directory for 25 years, but when I push that button and do a forest recovery, it’s pretty cool.
Things are moving, and it’s not an illusion, things are moving.
Things are running simultaneously.
Domain controllers are being spun up and provisioned in the back end.
For instance, the demo environment that I’ve created, it’ll kick off.
It’s a multi-tree, multi-child forest, fairly complex architecture, but the way it recovers is pretty amazing.
It spins up five domain controllers immediately because there’s five domains in two
different trees.
After that, it circles back and it runs all the forest recovery processes, things like seizing the FSMO roles, raising the RID pool.
But it’s an interactive run book.
You’re watching it happen right in front of you.
So if you want to get involved, you can get involved.
You can pause the process.
You can take a step.
If you really like part of the forest recovery, something very obscure like raising the RID pool, that’s your thing.
You can pause it right there, log on, log on to a domain controller, open up ADSI edit,
find the attribute, open Windows calculator, paste the number in, add 100,000 to it, paste
it back.
If you like that complicated process, you can do that as part of our run book and then
come over and hit continue.
And it’s an interactive run book.
We call it the human in the loop.
You’re watching it happen right in front of you and you can see all of the processes
executing either in series or at the same time because many of them will fire off and it,
you know, parallelization is what we call it.
Amazing.
I know that the demos that we do to prospects out there and with our partners create a lot
of excitement and you can see why, right?
And to their credit, we make it look cool.
So when you do the forest recovery and you take the most elaborate recovery scenario and
it just starts raining domain controllers, it’s a pretty amazing process.
So let’s step back from the technology slightly.
If I think about people, process and technology as they pertain to recovery and clean recovery and recovery that the business can be confident in.
What are the sort of critical success factors there across those three?
Well, from an Active Directory perspective, I like to identify minimum viable.
As I mentioned, the organization that brought that to our attention and they decided that
eight domain controllers was their minimum viable.
It was a great step forward.
Yeah.
Because in the world of Active Directory recovery, the getting to the, you know, discovering minimum viable, identifying it.
And then once you get over that hump, like you’ve recovered your minimum viable, 90% of the pressure is off.
The directory is there, maybe I don’t have all the domain controllers yet, maybe there’s a
user on the other side of the world that’s having trouble authenticating, but for the most
part, you’re in pretty good shape.
That’s identifying the people get involved in that.
Where do I need my domain controllers?
The people that understand their own directory service, the legacy people, like me, the
legacy people in the organization.
And then getting the process in place, and then even the politics that go behind that.
So when you’ve outlined the people and the processes, you need to stick to those plans and
realize they could possibly change based on scenarios.
But for the most part, you’re going to be right on target if you have a plan and you’ve
practiced it.
Yeah.
And let’s close by talking about that practice, right?
Testing.
I love this idea of testing with chaos because I’ve been exposed to a breach.
I know what that feels like.
It’s emotional.
Your brain’s racing.
There’s fingers pointing all over the place.
All the things that you thought you could do suddenly, you know, feel like they’re really more complicated than they should be.
So talk to us about the best practices for testing, for practice.
What are the technologies we can use?
What can we apply in our own organization to practice well?
Well, yeah, at least injecting that level of chaos.
So when you look at a recovery plan or even when you’re practicing a recovery plan, when I hit this button, what if the thing that it connects to doesn’t exist anymore?
You know, just pull the rug out from under it and that’ll get you in the process of
building even redundancy in your own mindset.
Like, how am I going to do this?
And I’ve lived through some major outages in my time in the US military and things like that.
It wasn’t about the technology.
It was about the creativity of the people.
Just the wheels are starting to turn.
And I remember some of the most creative recoveries we went through were not pretty.
But at the end of the day, it came back.
For the most part, the users were unaware anything even happened.
Not saying that’s going to happen with Active Directory, but it’s going to be based on
your flexibility, your knowledge of your own organization,
the recovery plan that you’ve designed as a team and your ability to adjust when chaos
happens.
And I love the idea that the more we practice the better we get, and as we bed down processes, there’s the ability to automate those processes.
Exactly.
Yeah, we see all too often IT things being automated before the process is ready.
So that’s another benefit of a practice.
So Dan, as expected, we’re out of time.
Thank you so much for spending time with us.
So much deep knowledge and content there.
Hopefully the audience can take that away with them.
But thanks very much.
I appreciate it, Darren, thanks.
If today’s conversation has got you thinking about your own Active Directory and its recovery plan, or how quickly you could bounce back from a compromise, please visit commvault.com/ ad exposed.
You’ll find practical guidelines and tools on how to automate, orchestrate and test your AD or Entra ID recovery with Commvault Cloud. It’s everything you need to turn what could be a meltdown into a fast and confident recovery.
Thanks for tuning in.