Identify the problem

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

When symptoms of a forest-wide failure appear, for example in event logs or other monitoring solutions, work with Microsoft Support to determine the cause of the failure and to evaluate any possible remedies.

Examples of forest-wide failures

  • All DCs have been logically corrupted or physically damaged to a point that business continuity is impossible; for example, all business applications that depend on AD DS are nonfunctional.

  • A rogue administrator has compromised the Active Directory environment.

  • An attacker intentionally—or an administrator accidentally—runs a script that spreads data corruption across the forest.

  • An attacker intentionally—or an administrator accidentally—extends the Active Directory schema with malicious or conflicting changes.

  • An attacker has managed to install malicious software on DCs, and you have been advised by Microsoft Support to recover the forest from backup.


    This paper does not cover security recommendations about how to recover a forest that has been hacked or compromised. In general, it is recommended to follow Pass-the-Hash mitigation techniques to harden the environment. For more information, see Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.

  • None of the DCs can replicate with their replication partners.

  • Changes cannot be made to AD DS at any domain controller.

  • New DCs cannot be installed in any domain.
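
The replication symptom in the list above ("None of the DCs can replicate with their replication partners") can be checked across the whole forest before the case is escalated. The following read-only PowerShell sketch is an added example, not part of the original guide or of any Microsoft tooling. It assumes the ActiveDirectory RSAT module is installed, that at least one DC still answers queries, and that the account can read replication metadata.

```powershell
# Added example: read-only triage, changes nothing in the directory.
# Assumes the ActiveDirectory module (RSAT) and rights to read replication metadata.
Import-Module ActiveDirectory

$results = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try {
            # One row per inbound partner and naming context on this DC
            $links   = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server `
                             -Partition * -ErrorAction Stop)
            # LastReplicationResult is a Win32 status code; 0 means the last attempt succeeded
            $failing = @($links | Where-Object { $_.LastReplicationResult -ne 0 })
            $newest  = $links | Sort-Object LastReplicationSuccess | Select-Object -Last 1
            [pscustomobject]@{
                Domain       = $domain
                DC           = $dc.HostName
                Reachable    = $true
                Links        = $links.Count
                FailingLinks = $failing.Count
                LastSuccess  = $newest.LastReplicationSuccess
            }
        }
        catch {
            # A DC that cannot be queried at all is itself a symptom worth recording
            [pscustomobject]@{
                Domain = $domain; DC = $dc.HostName; Reachable = $false
                Links  = 0; FailingLinks = 0; LastSuccess = $null
            }
        }
    }
}

$results | Sort-Object Domain, DC | Format-Table -AutoSize

# A DC counts as "still replicating" if at least one inbound link last succeeded.
# Note: a forest with a single DC has no partners and always reports zero links.
$total   = @($results).Count
$healthy = @($results | Where-Object {
    $_.Reachable -and $_.Links -gt 0 -and $_.FailingLinks -lt $_.Links
}).Count

if ($total -gt 0 -and $healthy -eq 0) {
    Write-Warning "No DC has a working inbound replication link: consistent with a forest-wide failure."
} else {
    Write-Output "$healthy of $total DCs still replicate with at least one partner: the failure looks partial or isolated."
}
```

Keep the table output with the incident record; the per-DC `LastSuccess` timestamps help establish when replication last worked, which is useful when discussing the failure with Microsoft Support.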
