I’m excited to tell you about the results of a new commissioned study conducted by Forrester Consulting on behalf of Quest*. It answers a key question: What potential business impact can an Active Directory backup and recovery solution actually deliver?
When Active Directory is down, your business is down.
When one of your key applications becomes unavailable, the productivity of the teams who rely upon it will suffer. That’s bad enough. But if Microsoft Active Directory (AD) is unavailable, nearly everything shuts down. That’s because AD provides the vital authentication and authorization services required for users and applications to access nearly any IT resource, from on-premises data and applications to cloud-based services like Microsoft 365. Therefore, in the wake of an AD disaster, whether caused by nefarious intent or an innocent mistake, it’s vital to restore Active Directory quickly and safely.
But exactly how much difference does it make which particular AD recovery methods and tools you use? In other words, what actually is the business impact of an Active Directory backup and recovery solution?
To find out how much value Recovery Manager for Active Directory Disaster Recovery Edition (RMAD DRE) delivers, Quest commissioned a study from Forrester Consulting. Forrester interviewed five customers that suffered AD outages both before and after having RMAD DRE in place, aggregated their experiences into a composite organization, and enumerated the savings and other benefits that the organization gained from the RMAD DRE Active Directory backup and recovery solution.
The resulting February 2023 study is now available. Titled “The Total Economic Impact™ of Quest Recovery Manager for Active Directory Disaster Recovery Edition,” it provides a number of eye-opening and actionable results. This article reveals some of the key findings.
RMAD DRE slashed recovery time by two orders of magnitude compared to having no Active Directory backup tool, and by one order of magnitude compared to other third-party Active Directory backup solutions.
The study found that RMAD DRE “consistently reduced recovery time for Active Directory down to 1 to 4 hours for those interviewed….” In contrast, participants reported that when they had no Active Directory backup solution, the average time required to recover from an AD disaster was almost 100 times longer. Moreover, RMAD DRE can significantly reduce the risk of malware reinfection during the recovery process with the option to restore to a clean operating system (OS).
For example, one interviewed vice president of enterprise services from a managed service provider (MSP) recalled that with manual processes, fully restoring one of their client’s AD took 6 days, but with RMAD DRE in place, recovery took just 1 hour and 15 minutes. They also noted that using RMAD DRE reduced AD recovery time by an average of 93% for hundreds of their other clients.
Even using another vendor’s Active Directory backup solution resulted in recovery times that were 10x longer than with RMAD DRE. For instance, one interviewee reported that switching from another Active Directory backup tool to RMAD DRE reduced AD recovery time from 1–2 days to 1–4 hours. And the interviewed vice president of enterprise services for an MSP said, “There are other backup tools out there, but they don’t do the automation or orchestration. They don’t give my business the same level of guarantee. In the end, [RMAD] DRE is best-of-breed.”
RMAD DRE delivered $19.7M in value by speeding AD disaster recovery.
The cost savings from reduced AD downtime can be significant. For example, an interviewed directory services senior lead at a consumer packaged goods company noted, “If we have an issue with Active Directory and 80,000 people can’t work, we’re talking about millions of dollars a day until it is resolved.”
For the composite organization in the Forrester study, one hour of Active Directory downtime was calculated to cost $730,000. Without the RMAD DRE Active Directory backup and recovery solution, the organization could expect 30 hours of AD downtime each year, for a total cost of $21.9M.
However, in the first year after adopting RMAD DRE, the organization would reduce their downtime by 85%, yielding a savings of $18.6M. By year three, the IT team’s familiarity with the tool would increase the time savings to 90%, resulting in a potential savings of $19.7M.
The same directory services senior lead interviewed for the study described the ROI succinctly: “Essentially, the cost of [RMAD] DRE is a rounding error compared to the potential revenue loss from an attack.”
RMAD DRE’s granular recovery delivered an additional $470,284 in value.
RMAD DRE is valuable not only in disaster scenarios, but also in everyday situations in which AD objects, such as user accounts or security groups, are improperly modified or deleted, either accidentally or deliberately. Until the objects are restored, business operations can be disrupted, since users may be unable to authenticate or access the IT resources they need to do their jobs.
RMAD DRE can reduce this downtime from hours to minutes — an admin simply needs to select the particular objects or properties to roll back to a previous state from the Active Directory backup, and the rest of the recovery process is automated. For example, one interviewee reported that about 1,000 employees at their organization were unable to work 3–4 times per year due to errant deletion of AD objects; deploying RMAD DRE shortened recovery time from 6–7 hours to just to 30 minutes.
The associated cost savings add up quickly. Using assumptions such as an average employee salary of $40 per hour and applying a 15% risk adjustment, the study calculated the three-year savings from using RMAD DRE for granular recovery to be $470,284.
The study detailed qualitative benefits as well.
The study also called out several additional benefits that interviewees reported from adopting RMAD DRE:
Saving budget on insurance
At Quest, we know that organizations without an enterprise-quality Active Directory backup and recovery solution may need to spend a good chunk of their budget on business insurance. Moreover, being able to demonstrate that you have proper backup and recovery capabilities for critical systems like Active Directory may be a requirement for even qualifying for cybersecurity insurance policies that cover disaster scenarios like ransomware recovery.
These factors add to the demonstrable value of RMAD DRE, as illustrated by this quote from the Forrester study:
“We created a business case when deciding on [RMAD] DRE. The alternative was to pay millions of Euros every year for insurance to cover the risk to our production in case Active Directory was down for a few days.”
— Global infrastructure and operations manager, manufacturing company, Forrester Consulting Total Economic Impact study
Meeting regulatory and business mandates
Quest also recognizes that recovery is a core pillar of commonly used cybersecurity frameworks like the NIST CSF. Accordingly, this capability is often a requirement of both internal security policies and regulatory mandates like the Health Insurance Portability and Accountability Act (HIPPA) and the Sarbanes-Oxley Act (SOX). RMAD DRE can help you achieve and prove your compliance with these requirements by delivering reliable and secure Active Directory backup and recovery.
Here is one relevant quotation from the study:
“Speed of recovery is a big thing in securing executive trust and ensuring you can meet regulatory standards.”
— Senior Active Directory DevOps engineer, insurance company, Forrester Consulting Total Economic Impact study
Gaining secure and flexible recovery options
Quest has extensive experience with Active Directory recovery, and we know that not every Active Directory disaster recovery scenario is the same. Accordingly, you need the flexibility to choose the best option in a given situation. Less comprehensive solutions might limit you to bare metal recovery (BMR), which imposes requirements on the disk layout and size of the target machine, and provides a lot of places where malware can hide because it restores entire volumes. RMAD DRE, on the other hand, offers a full suite of recovery methods:
- Restore to clean OS — Restore AD onto a new Windows Server while reducing the risk of reinfection by excluding files that are not part of AD.
- Bare metal recovery — Recover all volumes of your DC to the same or different hardware.
- Install Active Directory — Promote new servers to take the place of DCs you did not restore from backup.
- Uninstall Active Directory — Force-demote a DC and remove all metadata for it from the directory.
- Reinstall Active Directory — Force-demote and re-promote DCs where the operating system is still intact.
- Restore AD from backup — Restore AD onto an otherwise healthy server.
- Repromotion — Promote the remaining DCs in a partially recovered forest.
The Forrester study references these capabilities in this quotation:
“The flexibility we get from [RMAD] DRE is its biggest value. We can back up physical, virtual, and cloud-based servers. In case of disaster, we would just create a clean virtual machine and use Quest's Clean OS function to completely restore the Active Directory.”
— Directory services senior lead, consumer packaged goods company, Forrester Consulting Total Economic Impact study
Enabling remote IT operations and protecting hybrid Active Directory environments
At Quest, we know that most organizations have a hybrid IT ecosystem and that it’s essential to empower IT teams to work remotely. Accordingly, RMAD DRE enables you to store your Active Directory backups in secure cloud locations, such as immutable Azure Blob Storage and Amazon Web Services (AWS) S3 storage, and easily recover AD to a Microsoft Azure virtual machine. Moreover, RMAD DRE integrates with On Demand Recovery to cover your hybrid Active Directory and Azure AD environment from a single recovery dashboard.
The Forrester study refers to these capabilities in the following quotation:
“One of the biggest things that we find valuable about [RMAD] DRE is the integration with cloud platforms, which allows us to do a cloud-based restore.”
— Senior Active Directory DevOps engineer, insurance company, Forrester Consulting Total Economic Impact study
Conclusion
At Quest, we know that Active Directory is the lifeblood of most organizations today. It is responsible for the authentication and authorization processes that enable users to access IT resources both on premises and in the cloud. When Active Directory goes down, the losses begin to mount quickly — a single incident can cost the organization millions of dollars. Here is one quotation from the Forrester study on this core topic:
“Executives should understand that at least 90% of their organization is dependent on Active Directory to function, and 90% to 100% of their authentication is dependent on Active Directory to be available. So, the ability to recover Active Directory is paramount for their business to be able to function.”
— Vice president of enterprise services, managed service provider, Forrester Consulting Total Economic Impact study
Accordingly, it’s no wonder that experts recommend investing in a dedicated backup and recovery tool for Active Directory. The new study from Forrester shows that Recovery Manager for Active Directory Disaster Recovery Edition delivered a solid ROI. Indeed, the composite organization in the study would see a value of $19.7 million for faster recovery during a disaster scenario, plus $470,000 over three years from faster and more comprehensive recovery of specific AD objects and attributes.
To learn more about this comprehensive Active Directory backup and recovery solution, please visit https://www.quest.com/products/recovery-manager-for-active-directory-disaster-recovery-edition.
*The Forrester Consulting Total Economic Impact™ study for Quest Recovery Manager for Active Directory Disaster Recovery Edition is a commissioned study conducted by Forrester Consulting on behalf of Quest in February 2023.