Release Notes
Quest® Disaster Recovery for Identity for Active Directory
November 12, 2025
Disaster Recovery for Identity for Active Directory offers off-network abilities to manage on-premises domain controllers, including Active Directory® backups and restore operations, in the case of a disaster. It is essential for any modern business to have uninterrupted network and computer systems, which are essential for business continuity. Unforeseen outages, like directory service failures, can significantly disrupt operations. To mitigate such risks, critical infrastructure must be designed for swift recovery from failures.
Disaster Recovery for Identity for Active Directory leverages advanced technologies to minimize downtime resulting from Active Directory corruption or accidental modifications. This solution automates backups and enables rapid, remote recovery of data stores in Active Directory. Disaster Recovery for Identity for Active Directory dramatically reduces the time required to restore Active Directory.
Disaster Recovery for Identity for Active Directory allows you to perform the following operations:
- Configure and manage backups using Backup Plans.
- Store Active Directory backups in the Quest Azure tenant.
- Configure and manage recovery of an Active Directory forest.
- Restore Active Directory using the Clean OS method, allowing you to restore the entire forest or any of its parts on a freshly installed Windows machine.
- Schedule backups of domain controllers based on business needs.
- Verify recovery configurations to validate your disaster Recovery Plan.
Caution: Microsoft Entra is a dynamic and rapidly evolving platform, which means its APIs may be updated or changed with limited notice. These ongoing changes may occasionally impact features in Disaster Recovery for Identity for Active Directory. When possible, Quest aims to provide timely notification to customers in cases of such impact. For the latest updates on Entra ID APIs, refer to the Microsoft Entra ID documentation and Microsoft Graph Changelog.
These release notes provide information about Disaster Recovery for Identity for Active Directory deployments.
Release History
The following lists the new features, enhancements, and resolved issues by deployment.
Current Deployment
Release: November 12, 2025
| Description | Issue ID |
| --- | --- |
| When using the Restore to Clean OS recovery method, the restore gets stuck at the operation "Restart domain controller in normal mode," resulting in a blue screen and making the target virtual machine non-functional. | ADO-590266 |
Previous Deployments
Release: November 4, 2025
| Description | Issue ID |
| --- | --- |
| Email notifications now display the date and time (in UTC) of events. | ADO-576612 |
| When filtering domain controllers by the In Backup Plans filter, the Topology page crashes. | ADO-587545 |
Release: October 16, 2025
| Description | Issue ID |
| --- | --- |
| Notification templates for email notifications now include completed and failed events for Recovery Plan verification and recovery. | ADO-559555 |
| The domain configuration is now displayed as a full-page view. | ADO-566918 |
| SignalR connection is unstable when switching rapidly between screens and during cross-continent communication. | ADO-584116 |
Release: October 1, 2025
| Description | Issue ID |
| --- | --- |
| You can now configure a Recovery Plan, along with all domains and domain controllers in the forest, in a centralized location. After creating a Recovery Plan on the Recovery tab, select Open on the tile to access the Recovery Plan configuration, where you can edit basic details on the General tab and configure domains and domain controllers on the Domains and Domain Controllers tabs, respectively. Monitor the progress of ongoing or recently completed verification and recovery tasks by selecting View Progress in the toolbar or on the Recovery Plan tile. | ADO-550106 |
| Notification templates for email notifications now include events for Backup Plan, Recovery Plan, and Forest. | ADO-550692 |
| Notification banners for errors in the Recovery Plan configuration now include a link to the relevant tab where the issue needs to be resolved. If multiple issues exist, the banner includes a View Details link that opens the Recovery Plan Validation flyout, where you can review errors and warnings related to domain or domain controller configurations. Additionally, hovering over the warning icon next to a domain controller on the Domain Controller tab displays detailed error information. | ADO-561062 |
| When verification or recovery tasks are in progress, or users do not have the required permission to manage and verify Recovery Plans, Recovery Plan configurations are displayed in read-only mode. | ADO-524082 |
| When creating or editing a forest, the Use Secure LDAP (LDAPS) for Hybrid Agent Queries toggle allows you to choose whether Secure LDAP (LDAPS) is used for the hybrid agent when performing topology discovery queries. By default, this toggle is enabled if Secure LDAP is set during hybrid agent installation. | ADO-554911 |
| If the Domain Controllers tab of the Recovery Plan configuration is open but users navigate away, a connection error message appears and persists even if connection is re-established. | ADO-581459 |
| Changes to domain credentials cannot be saved unless the recovery method for the domain is also updated. | ADO-582724 |
| Incorrect domain controller name is displayed when manually selecting a backup for the Install from Media (IFM) option. | ADO-582834 |
| If the Ignore Healthy Domain recovery method is selected and domain credentials are provided, the Credentials column on the Domains tab displays Not Provided. | ADO-583750 |
Release: September 11, 2025
| Description | Issue ID |
| --- | --- |
| When the plugin version is outdated, a tooltip on the Forest tile under Hybrid Agent displays the latest available version and prompts you to restart the hybrid agent to force the update. | ADO-522966 |
| A new button Manage Notifications in the toolbar on the Forests page navigates you to On Demand global settings, where you can manage email notification templates. | ADO-541863 |
| When enabling a schedule for backups, the time is set using the UTC (Coordinated Universal Time) time zone. The corresponding local time is now displayed below the selected UTC time. | ADO-551456 |
| Validation for the IP address in the Target Server field on the DC Configuration page is enhanced to ensure the IP address is unique. | ADO-574555 |
| If no environment exists, navigating to another tab displays an empty state page with an option to add a new environment. | ADO-566241 |
Release: August 20, 2025
| Description | Issue ID |
| --- | --- |
| Recovery Plans that restore specific domains (i.e., at least one domain is set to Ignore Healthy Domain) now automatically streamline the process of unhosting and rehosting global catalog partitions, speeding up overall recovery. | ADO-571302 |
| The Override domain-level credentials checkbox is removed from the Server Access Credentials section of the domain controller configuration. You can now directly override inherited domain-level credentials by entering one or more credentials for the domain controller. | ADO-574735 |
Release: July 24, 2025
| Description | Issue ID |
| --- | --- |
| Revised UI terminology by renaming the Environments tab to Forests and updating related UI labels from 'environment' to 'forest' to align with Active Directory terminology. | ADO-565083 |
| You can now manage email notifications by configuring notification templates in On Demand Global Settings (Settings \| Notifications). For a list of the available notification templates, see the user guide. | ADO-554178 |
| Failed Backup Plans for scheduled backups generate notification emails even if the environment is offline. | ADO-566989 |
| Upgrade of the JRS Plugin does not complete and requires that the agent service is manually restarted. | ADO-551429 |
Release: July 9, 2025
| Description | Issue ID |
| --- | --- |
| The Forest Summary on the Topology tab includes two new columns: FSMO Role, which displays a badge for each FSMO role assigned to the domain controller, and Type, which shows the domain controller type (GC, DC, or RODC). | ADO-531981 |
| When manually selecting a backup in the Select Backup flyout, you can now specify a date range to filter backups by their creation date. | ADO-444246 |
| Information about agent installation progress is now displayed on the Tasks page. | ADO-522639 |
| The minimum supported version of the DC Agent is updated to 10.3.2.45365 (RMAD 10.3.2 Hotfix 1). | ADO-556035 |
| The action bar on the Topology page is enhanced with an option to edit columns. Additionally, agent-related options can now be accessed through the new DC Agent button. | ADO-562889 |
| The domain recovery method Recover Damaged Domain is renamed to Recover Domain. Descriptions of recovery methods on the user interface are enhanced for clarity. | ADO-565087 |
| Applying a date filter to the Events or Tasks table and refreshing the page causes the application to crash. | ADO-566237 |
| When a Recovery Plan is added and saved with default settings, the summary above the action bar displays the status Ready. | ADO-566677 |
| After starting an installation task on a domain controller, you are able to start another installation task on the same domain controller. | ADO-566882 |
| Actions on the Operations page, such as Skip and Continue or Cancel, can be performed without the required permissions. Permissions are now required for all actions. | ADO-567947 |
Release: June 26, 2025
| Description | Issue ID |
| --- | --- |
| You can now view environments in read-only mode. This allows you to review environment details even when operations are in progress for the environment or if you do not have permission to edit the environment. | ADO-525113 |
| You can now view Backup Plans in read-only mode. This allows you to review Backup Plan details even when a Backup Plan is running or if you do not have permission to edit Backup Plans. | ADO-541869 |
| You can now selectively override one or more domain-level credentials for a domain controller by selecting the Override domain-level credentials checkbox in the configuration and entering the desired credentials. When default domain-level credentials apply, the credential set is marked with a badge labeled Inherited credentials. | ADO-530835 |
| When creating a Recovery Plan, a new column Backup Coverage in the Domains table shows the number of domain controllers (DCs) that have backups matching the selected backup criteria out of the total number of DCs in the domain. | ADO-556720 |
| Domain controller IP addresses are persistently stored during topology discovery. Recovery Plans use these pre-resolved IP addresses to access domain controllers even when they are not reachable by FQDN. | ADO-499767 |
| When using the Ignore Healthy Domain and Adjust to Active Directory Changes recovery methods, only domain credentials (set in the domain or domain controller configuration) are required. | ADO-558580 |
Release: June 11, 2025
| Description | Issue ID |
| --- | --- |
| Added the option to enable Install From Media for the Install Active Directory recovery method, providing the ability to pre-populate Active Directory and Sysvol with data from a selected backup. | ADO-550966 |
| Support for the deletion of domains during recovery. One of the following recovery methods can be specified for each domain: Recover Damaged Domain, Ignore Healthy Domain, or Delete Domain. IMPORTANT: Recovery Plans created before this feature release will become invalid and must be updated. | ADO-519109 |
| Names for Backup Plan and Recovery Plan within an environment must be unique. If a duplicate name is entered for either, an error is displayed. | ADO-510803 |
| Backup plans are now sorted by date created, with the most recent at the top of the list. | ADO-515795 |
| Added validation of backup availability. If no backup exists when starting verification or recovery, the operation does not start and an error is displayed. | ADO-519091 |
| Added Recovery Plan validation. If the IP address for the target server is not specified for the domain controller when starting recovery, the recovery does not start and an error is displayed. | ADO-519906 |
| On the Topology page, enabled searching for domain controllers and filtering by domain, DC agent status, or Backup Plan. | ADO-522453 |
| Added a badge on the Operations page that displays the number of canceled operations for the domain controller. | ADO-531908 |
| When selecting domain controllers to back up, enabled filtering the list of domain controllers by domain, site, DC agent status, or Backup Plan. | ADO-546462 |
| Support of LDAPS queries in topology discovery. Users can enable LDAPS for the hybrid agent during installation or post-installation. | ADO-550094 |
| In the Status column on the Recovery Plan details page, the text length of entries is limited regardless of the cell width. | ADO-561377 |
Release: April 17, 2025
| Description | Issue ID |
| --- | --- |
| Copy button added to Events and Tasks screens to allow copying event and task descriptions to the clipboard. | ADO-550064 |
| Domain controller agent updated to version 10.3.2.44604. | ADO-546342 |
Release: March 26, 2025
| Description | Issue ID |
| --- | --- |
| Improvements to services to support stateless allowing for deployment and updates to Disaster Recovery for Identity for Active Directory to be completed without stopping ongoing backup, verification and recovery operations. | ADO-520301 |
| Updates to Environment tile to improve user onboarding and product understanding, including removal of DC Agent section from tile and updates to About Agents. | ADO-524845 |
| OWASP ASVS V5.5, V5.19, V5.20, V5.21, V18.4: Enhanced server validation of inputs | ADO-525649 |
| Deployment to Australian and Canadian regions. Disaster Recovery for Identity for Active Directory now supports the following regions: Australia, Canada, EU, UK and US. | ADO-530535 |
| Show notification when verification or recovery is running and hybrid agent goes offline. | ADO-535753 |
| Domain controller agent updated to version 10.3.2.44484. | ADO-544324 |
Release: March 13, 2025
| Description | Issue ID |
| --- | --- |
| Limit domain controllers that can be backed up by domain. Limit domain controllers that can be backed up by Backup Plans per domain. A maximum of 10 domain controllers per domain can be included in Backup Plans. | ADO-523055 |
| Display Total Elapsed Time on Tasks. | ADO-531124 |
| Compatibility with Recovery Manager for Active Directory Forest/Disaster Recovery Edition (RMAD FE/DRE): Domain controller agent version checking for installation of DRI AD and RMAD FE/DRE in the same Active Directory environment. RMAD FE/DRE 10.3.2 or later is required. It is recommended to install the DRI AD hybrid agent on the same machine as RMAD Forest Recovery Console. | ADO-540986 |
| New detail panel RMAD Compatibility to view guidance information for usage of DRI for AD and RMAD in the same Active Directory environment. | ADO-541695 |
| Proper handling of ODRAD and RMAD communication certificates and error messages when mismatches are found. (Certificate Handling between Blob Storage and Plugin). Information available by clicking on RMAD Compatibility on the Environment tab. | ADO-546318 |
Release: March 04, 2025
| Description | Issue ID |
| --- | --- |
| Add clarification about DC agent and hybrid agent on the Create/Edit Environment page | ADO-524870 |
| Backup name format in Selected Backup dropdown is the same as on Backups list | ADO-532002 |
| "Hybrid agent is offline or unavailable" notification should disappear | ADO-546318 |
Release: February 12, 2025
| Description | Issue ID |
| --- | --- |
| Support of 'Install Active Directory' method | ADO-379572 |
| Display time of the last discovery on the Topology tab | ADO-504703 |
| Ability to see when the hybrid agent is offline | ADO-517362 |
| Download DC Agent from the Topology tab | ADO-526146 |
| Display the total elapsed time from the Tasks tab | ADO-531124 |
| Increase retention period for backups to 180 days | ADO-535313 |
Release: January 10, 2025
| Description | Issue ID |
| --- | --- |
| First deployment of Disaster Recovery for Identity for Active Directory | N/A |
Incident response management
Quest Operations and Quest Support have procedures in place to monitor the health of the system and ensure any degradation of the service is promptly identified and resolved. On Demand relies on Azure and AWS infrastructure and as such, is subject to the possible disruption of these services.
You can view the following status pages:
System requirements
The following web browsers are supported with On Demand:
- Microsoft Edge
- Google Chrome (latest version)
- Mozilla Firefox (latest version)
Hybrid agent requirements
- A standalone or domain-joined server (standalone server is highly recommended).
- Ensure that the hybrid agent server has a stable internet connection and uses a DNS server that is not affected by a forest failure.
- A service account used to run the hybrid agent must be a local administrator account on the computer where the hybrid agent is installed.
- The domain FQDN\username should at least have forest-wide read permissions.
Domain Controller Agent requirements
- A service account used to run the domain controller agent is always a Local System account.
- An account used to install the domain controller agent remotely must be a member of the Local Administrators group.
- The minimum supported version for the domain controller agent is 10.3.2.44484.
Endpoint requirements
Hybrid agent requirements
The hybrid agent must be able to access the following endpoints associated with the region where your On Demand organization resides.
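| Port | Direction | Endpoint | Description |
| --- | --- | --- | --- |
| 389 | Outbound | Domain Controllers | LDAP port to domain controllers to discover environment. |
| 445 | Outbound | Domain Controllers | SMB port to domain controllers to install domain controller agents. |
| 443 | Outbound | AU: odjrs-auprod-au-iothub.azure-devices.net, https://odjrsauprodaugrssto.blob.core.windows.net, https://odrjsauprodausto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |
| 443 | Outbound | CA: odjrs-caprod-ca-iothub.azure-devices.net, https://odjrscaprodcagrssto.blob.core.windows.net, https://odrjscaprodcasto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |
| 443 | Outbound | EU: odjrs-euprod-eu-iothub.azure-devices.net, https://odjrseuprodeugrssto.blob.core.windows.net, https://odjrseuprodeusto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |
| 443 | Outbound | UK: odjrs-ukprod-uk-iothub.azure-devices.net, https://odjrsukprodukgrssto.blob.core.windows.net, https://odjrsukproduksto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |
| 443 | Outbound | US: odjrs-usprod-us-iothub.azure-devices.net, https://odjrsusprodusgrssto.blob.core.windows.net, https://odjrsusprodussto.blob.core.windows.net | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |
| 80 | Outbound | AU: odjrsauprodauiotinst-odjrsauprodauiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |
| 80 | Outbound | CA: odjrscaprodcaiotinst-odjrscaprodcaiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |
| 80 | Outbound | EU: odjrseuprodeuiotinst--odjrseuprodeuiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |
| 80 | Outbound | UK: odjrsukprodukiotinst--odjrsukprodukiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |
| 80 | Outbound | US: odjrsusprodusiotinst--odjrsusprodusiotacct.b.nlu.dl.adu.microsoft.com | Agent connection to Disaster Recovery for Identity for Active Directory backend services (see On Demand Global Settings User Guide for more) |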
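A pre-flight check for the hybrid agent requirements above, as an added PowerShell example that is not part of Quest's documentation or tooling: it tests DNS resolution and TCP reachability of the US-region endpoints from the table, plus LDAP and SMB to your domain controllers, and warns when the server's DNS resolver is itself a domain controller of the protected forest. The domain controller name and address defaults are constructed placeholders; substitute your own values and the rows for your region.

```powershell
# Added example: pre-flight check for a hybrid agent server (not Quest tooling).
param(
    # Domain controllers the agent must reach on 389/445 (constructed placeholder).
    [string[]]$DomainControllers = @('dc01.corp.example'),
    # IPv4 addresses of DCs in the protected forest (constructed placeholder).
    [string[]]$ForestDcAddresses = @('10.0.0.10')
)

# US-region endpoints copied from the hybrid agent table; swap in your region's rows.
$targets = @(
    @{ Name = 'odjrs-usprod-us-iothub.azure-devices.net'; Port = 443 }
    @{ Name = 'odjrsusprodusgrssto.blob.core.windows.net'; Port = 443 }
    @{ Name = 'odjrsusprodussto.blob.core.windows.net'; Port = 443 }
    @{ Name = 'odjrsusprodusiotinst--odjrsusprodusiotacct.b.nlu.dl.adu.microsoft.com'; Port = 80 }
)
foreach ($dc in $DomainControllers) {
    $targets += @{ Name = $dc; Port = 389 }   # LDAP, topology discovery
    $targets += @{ Name = $dc; Port = 445 }   # SMB, DC agent installation
}

# Resolve each name first so a DNS failure is reported separately from a blocked port.
$results = foreach ($t in $targets) {
    $resolved = [bool](Resolve-DnsName -Name $t.Name -ErrorAction SilentlyContinue)
    $open = $false
    if ($resolved) {
        $probe = Test-NetConnection -ComputerName $t.Name -Port $t.Port -WarningAction SilentlyContinue
        $open = $probe.TcpTestSucceeded
    }
    [pscustomobject]@{ Target = $t.Name; Port = $t.Port; Resolved = $resolved; TcpOpen = $open }
}
$results | Format-Table -AutoSize

# The requirements call for a DNS server that is not affected by a forest failure:
# flag any configured resolver that is one of the forest's own domain controllers.
$resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique
$atRisk = @($resolvers | Where-Object { $_ -in $ForestDcAddresses })
if ($atRisk.Count -gt 0) {
    Write-Warning "DNS resolver(s) $($atRisk -join ', ') are forest DCs; name resolution would be lost with the forest."
}

# Non-zero exit code lets a deployment script stop before installing the agent.
$failed = @($results | Where-Object { -not $_.TcpOpen })
if ($failed.Count -gt 0 -or $atRisk.Count -gt 0) { exit 1 }
```

A successful TCP connect only shows that the firewall path is open; it does not validate TLS or proxy authentication for the agent's traffic.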
Domain controller agent requirements
The domain controller agent must be able to access the following endpoints associated with the region where your On Demand organization resides.
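| Port | Direction | Endpoint | Description |
| --- | --- | --- | --- |
| 445 | Inbound | | SMB port to allow automatic agent installation. |
| 135 | Inbound | | RPC Endpoint Mapper port used by the RPC runtime. |
| 49152-65535 | Inbound | | RPC dynamic port range to accept RPC connection from hybrid agent. |
| 443 or proxy server port | Outbound | AU: https://odradprodausa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |
| 443 or proxy server port | Outbound | CA: https://odradprodcasa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |
| 443 or proxy server port | Outbound | EU: https://odradprodeusa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |
| 443 or proxy server port | Outbound | UK: https://odradproduksa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |
| 443 or proxy server port | Outbound | US: https://odradprodussa.blob.core.windows.net | Download and upload backups from Azure Blob Storage accounts. |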