
Active Directory and Identity Resilience AMA: Ask Commvault's Experts Your Best Questions (December)

  • December 8, 2025
  • 13 replies
  • 169 views
Jennifer Kelley
Vaulter

‘Tis the season to ask the experts your burning or confounding questions about Active Directory and Identity Resilience! We’re excited to announce our first Commvault Community AMA (“Ask Me Anything”), running throughout December. Let’s ring out 2025 with some fun and deep insights!

Do you want to know more about forest-level recovery? Wondering how to recover Active Directory without Active Directory? Have an obscure trivia question related to AD or a serious question about AD and identity security best practices? Put it to Dan and Jerry here.

For those familiar with AMAs and with questions top of mind, you can always go straight to “reply” at the bottom of this post and put your question there. 

 

Meet Dan Conrad and Jerry Carlson

First, meet our resident experts and AMA hosts... ​@Dan Conrad a.k.a. DCPromo, Commvault Principal Technologist and CTO, and ​@Jerry Carlson, Commvault Field CTO. Between them, Dan and Jerry have spent 50+ years pioneering Active Directory environments and identity security best practices. Hear from them directly:

 

Dan has been working with Active Directory since it launched in 2000, after cutting his teeth on NT. He’s supported environments from 12,000 users all the way past the million-user mark and has spent the last 17 years focused on identity security and recovery. He’s seen everything from routine restores to full forest rebuilds and loves helping teams get confident in recovering identity when things go sideways. 

Jerry has recently joined Commvault to expand our depth in AD protection and identity security, and shares, “In the late 90’s I worked for a company called Novell. We had a “directory” called Novell Directory Services (“NDS”); this is similar to Active Directory and built on a similar foundation. I started work at Microsoft in early 2000 when Active Directory was “born,” and I spent my first 2 years implementing AD for one of the largest automotive makers worldwide.”

 

AMA tips and FAQs

Below is a quick overview of how we’ll conduct the AMA and award the prize. If you have general questions about the AMA format or how to participate, send me (Jenn) a direct message here or email here

  • Our AMA is not real-time but will be conducted “almost live” - asynchronously - throughout the month of December 2025. We know our Community membership is global and not everyone is online here at the same time. Two to three times per week, Dan and Jerry will review and reply to questions submitted up to that point.  
  • To ask your question and join the AMA, just reply to this thread at the bottom. If you have multiple topics, we recommend one question per reply for best feedback.
  • The AMA will run during the month of December 2025. Details on the prize award and entry rules are below.
  • Please follow our (common sense) community guidelines and terms of use – bring your most pressing and challenging AD questions, just be respectful and a good human. Admins reserve the right to moderate questions for any objectionable or inappropriate content.
  • We welcome questions about best practices and different environments, but please do not post logs or specific details about your environment in the AMA. Where appropriate, we’ll connect with you offline and summarize guidance in the replies. 
  • Feel free to also vote up (“like”) other participants’ replies as well – that lets us know where there is a lot of interest.
  • General how-tos for posting in the Community can be found here.

 

About the prize and drawing

Entering is simple:

  1. Submit a question (reply) to join the AMA.
  2. That’s it — you’re automatically entered!

You are welcome to submit multiple questions, but entries will be capped at one per person to keep things fair.

One lucky winner will receive a Commvault Recovery Kit, or, for certain international participants, an equivalent eGift card. Prize options are subject to availability and may be substituted with items of equal or greater value at Commvault’s discretion. No purchase necessary. Void where prohibited.

Commvault Recovery Kit (20 oz Yeti tumbler and mini massager)

 

Need inspiration?

Not sure what to ask? We’ve got you! Check out these AD-related demos from SHIFT and our resource page on Identity Recovery and Resilience for some starters. 

We can’t wait to hear your questions and connect. Start thinking of what you’ve always wanted to know about Active Directory and how the industry continues to evolve around identity security and resilience. Good luck in the drawing!

 

13 replies

Erase4ndReuseMedia
Community All Star

Hello Dan and Jerry, 

Not a particularly technical question, but when looking at Commvault's offering in the Active Directory space, what is the single biggest carrot to dangle in front of the Active Directory Team to convince them to let go of their antiquated backup and recovery methods?


Dan Conrad a.k.a DCPromo
Vaulter

Q: Not a particularly technical question, but when looking at Commvault's offering in the Active Directory space, what is the single biggest carrot to dangle in front of the Active Directory Team to convince them to let go of their antiquated backup and recovery methods?


A: It’s important to understand your AD but also understand how complex it is to recover.  I’ve seen some creative plans around AD recovery but the sense I get from organizations with these creative plans is a strong hope they never have to use one of them.

Seeing the complete forest recovery laid out in an organized, step-by-step, automated runbook brings the lightbulb moment.  

And my other catch phrase:  “If you haven’t tried your recovery plan, it doesn’t work.” 


Nikos.Kyrm
Community All Star
  • December 10, 2025

Hi ​@Jennifer Kelley 

In order to join the AMA, we should submit a question here - in this thread?

Best regards,
Nikos


Dan Conrad a.k.a DCPromo
Vaulter

Yes


Craig Heath
Novice
  • December 10, 2025

Good morning from Texas and thank you for this somewhat live Q&A!  How does Commvault orchestrate and automate a full Active Directory forest recovery in the event of a ransomware attack?


Dan Conrad a.k.a DCPromo
Vaulter

Q: How does Commvault orchestrate and automate a full Active Directory forest recovery in the event of a ransomware attack?

 

There are many pieces to the “how” answer.  Here are some highlights.

Using a system state backup, we can recover the DCs to a VM through a “Virtualize Me” process, which restores the entire DC, or you can recover to a clean OS through a template cloning process.  The magic starts after the OS is recovered and where it gets complicated.  We’re using the steps outlined in the MS Forest Recovery Guide:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-guide

Using the Commvault agent on the DCs, we then orchestrate the “magic”.  Steps like:

  • Suspend replication
  • Seize FSMO roles
  • Raise the RID Pool
  • Invalidate the RID Pool

and more steps.

 

This is all built into the runbooks.  In my lab environments I create runbooks for different purposes, such as recovery to an isolated recovery network (practice run) and recovery to production.
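
The four steps named in the reply above, written out as the manual commands from the Microsoft forest recovery guide it links to. This is an added example, not part of Dan's reply and not Commvault's runbook code; it assumes it is run elevated and locally on the first restored writable DC of a domain, and the variable names are illustrative.

```powershell
# Added illustration: run on the restored DC inside the isolated recovery network.
Import-Module ActiveDirectory

$dc       = $env:COMPUTERNAME            # assumption: executed locally on the restored DC
$domain   = Get-ADDomain -Server $dc
$domainDN = $domain.DistinguishedName

# 1. Suspend replication in both directions so the DC neither pulls nor pushes changes.
repadmin /options $dc +DISABLE_INBOUND_REPL +DISABLE_OUTBOUND_REPL

# 2. Seize the FSMO roles (-Force seizes instead of transferring).
#    The two forest-wide roles are seized only in the forest root domain.
$roles = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')
if ($domain.DNSRoot -eq $domain.Forest) {
    $roles += 'SchemaMaster', 'DomainNamingMaster'
}
Move-ADDirectoryServerOperationMasterRole -Identity $dc -OperationMasterRole $roles -Force -Confirm:$false

# 3. Raise the RID pool by 100,000 (the increment the Microsoft guide gives) so that
#    RIDs issued after the backup was taken are never handed out again.
#    rIDAvailablePool is a 64-bit value: low 32 bits = next RID to allocate,
#    high 32 bits = maximum RID for the domain.
$ridManagerDN = 'CN=RID Manager$,CN=System,' + $domainDN
$ridManager   = Get-ADObject -Identity $ridManagerDN -Properties rIDAvailablePool -Server $dc
[int64]$pool  = $ridManager.rIDAvailablePool
$nextRid      = $pool -band 4294967295
$maxRid       = $pool -shr 32
if (($nextRid + 100000) -ge $maxRid) {
    throw "Raising the RID pool would exceed the domain maximum ($maxRid)."
}
Set-ADObject -Identity $ridManagerDN -Replace @{ rIDAvailablePool = ($pool + 100000) } -Server $dc

# 4. Invalidate the local RID pool so this DC requests a fresh block from the raised pool.
$domainEntry = New-Object System.DirectoryServices.DirectoryEntry
$rootDse     = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$rootDse.UsePropertyCache = $false
$rootDse.Put('invalidateRidPool', $domainEntry.objectSid.Value)
$rootDse.SetInfo()

# Confirm the result before moving on to the remaining steps of the guide.
netdom query fsmo
repadmin /options $dc
```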


  • Novice
  • December 11, 2025

Onsite AD and Entra.  I have a process to restore AD, but I have not integrated Entra into a restore process.  We replicate Entra from AD- what’s different in Entra and how do you integrate Entra into the restore process?


  • Novice
  • December 11, 2025

I heard of announcements at the latest Shift related to AD enhancements and Synthetic restores of AD.  Could you elaborate on these enhancements?  Do they require additional licensing?


Dan Conrad a.k.a DCPromo
Vaulter

 

I heard of announcements at the latest Shift related to AD enhancements and Synthetic restores of AD.  Could you elaborate on these enhancements?  

 

Keith,
We will soon be offering a few different types of restores.  One of those is what I’ve always called an “In Place” restore that will restore AD to the existing DCs.  The purpose of this restore is to cover a scenario such as schema corruption.  


Jennifer Kelley
Vaulter

Hi ​@Keith - additionally, there is more info on Synthetic restores in the blog post below, and in the new year we’ll share more via webinars and other content. Synthetic Recovery Recover Clean, Recover Fast | Blogs | Commvault


Nikos.Kyrm
Community All Star
  • December 12, 2025

Hello Team,

We are interested in one of our clients in Active Directory and Entra ID backup/recovery. While the backup process is clear, we have concerns regarding the restore operation, specifically the responsibility for executing and validating the Commvault-managed recovery workflows.

Commvault utilizes workflows to execute the Microsoft recovery scripts, but our question is simple: Who should own the execution and validation of these critical recovery workflows?

  1. The Backup Team?

  2. The Microsoft (AD/Entra ID) Team?

We need clarification on the operational responsibility to define our recovery Runbook.

Thanks for your feedback.

Best regards,
Nikos


Dan Conrad a.k.a DCPromo
Vaulter

We are interested in one of our clients in Active Directory and Entra ID backup/recovery. While the backup process is clear, we have concerns regarding the restore operation, specifically the responsibility for executing and validating the Commvault-managed recovery workflows.

… We need clarification on the operational responsibility to define our recovery Runbook.

 

Nikos,

The runbooks are built based on your recovery options (i.e. CleanOS vs system state recovery).  Are you looking to validate the runbook settings, such as target hypervisors, credentials, etc.?

I recommend creating practice runbook(s) where you can test your settings in an IRE recovery.  

If that’s not what you’re asking please let me know.  Happy to talk 1:1 if that works too.  


Dan Conrad a.k.a DCPromo
Vaulter

Onsite AD and Entra.  I have a process to restore AD, but I have not integrated Entra into a restore process.  We replicate Entra from AD- what’s different in Entra and how do you integrate Entra into the restore process?

Keith,

If a user or group has been replicated to Entra ID, you start the recovery on-prem.  Of course, for Entra-only users or groups, you would recover them in Entra.  Also consider that parts of Entra such as Conditional Access Policies, Roles, Enterprise Apps, etc. may also require recovery.