TL;DR. Regional credit union, 9,150 users protected, three Quest products (RMAD-DRE, Change Auditor, GPOADmin) deployed across two data center sites (Kings Mountain and RTP) in staging and production. Multi-site Secure Storage, forest recovery validated in lab, SentinelOne exclusions resolved, AGPM-to-GPOADmin migration planned.
What was the client environment?
A regional credit union with operations across multiple branch locations needed to establish a comprehensive Active Directory disaster recovery capability, implement real-time AD change auditing, and modernize Group Policy management. As a regulated financial institution subject to NCUA examination requirements, the credit union needed documented, tested, and repeatable processes for AD recovery, not just installed software. The engagement covered three Quest products deployed across both staging and production environments at two data center sites.
What made this engagement challenging?
Financial institutions face regulatory requirements that go beyond simply having backup software installed. Examiners expect documented recovery procedures, tested runbooks, and evidence that the organization can actually restore critical infrastructure within defined RTOs. For Active Directory, which underpins authentication, Group Policy, and access control across every branch, the stakes are especially high:
- Multi-site RMAD-DRE deployment. The credit union operated domain controllers across two geographically separated sites, Kings Mountain (KM) and Research Technology Park (RTP). Each site needed its own RMAD-DRE server with Secure Storage configured to store backups locally, providing site-level recovery independence.
- Backup retention policy design. The credit union needed a tiered backup retention strategy aligned with their RPO requirements: daily backups Monday through Saturday (retain 6), weekly backups every Sunday (retain 5), and monthly backups on the first of every month (retain 3). This configuration had to be validated in staging before production deployment.
- Forest recovery testing requirement. Beyond installation, the credit union required a validated forest recovery process, including Phase 1 and Phase 2 recovery execution, DC rebuild validation, and documented procedures with environment-specific screenshots. This required an isolated lab environment that the network team needed to provision.
- SentinelOne endpoint security conflicts. The credit union's domain controllers ran SentinelOne endpoint protection, which conflicted with Change Auditor agent deployment. SentinelOne's DLL injection on the DCs prevented Change Auditor agents from connecting to the coordinator, requiring coordination with the security team to configure exclusions without compromising the endpoint security posture.
- AGPM to GPOADmin migration. The credit union was already using Microsoft's Advanced Group Policy Management (AGPM) for GPO change control. Migrating to GPOADmin required careful planning to avoid disrupting existing GPO workflows, including understanding how the GPOADmin ownership script would interact with AGPM's own GPO ownership model.
- Staging-first deployment model. Every product and configuration had to be validated in the staging environment before touching production, a requirement that doubled the deployment effort but was non-negotiable for the credit union's change management process.
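As an added illustration that is not part of the engagement deliverables, the tiered retention policy from the backup retention item above can be simulated to see which restore points actually survive and how far back the oldest one reaches. It assumes the monthly tier takes precedence when the 1st of a month falls on a Sunday, which the page does not specify.

```powershell
# Retain counts exactly as described in the engagement: daily Mon-Sat (6),
# weekly on Sunday (5), monthly on the 1st (3).
$Retention = @{ Daily = 6; Weekly = 5; Monthly = 3 }

function Get-BackupTier {
    param([datetime]$Date)
    # Assumption (not stated on the page): monthly wins when the 1st is a Sunday.
    if ($Date.Day -eq 1) { return 'Monthly' }
    if ($Date.DayOfWeek -eq [DayOfWeek]::Sunday) { return 'Weekly' }
    return 'Daily'
}

function Get-RetainedBackups {
    param([datetime]$Start, [int]$Days)
    # One backup per calendar day; each tier keeps only its newest N entries.
    $kept = @{ Daily = @(); Weekly = @(); Monthly = @() }
    for ($i = 0; $i -lt $Days; $i++) {
        $day  = $Start.AddDays($i)
        $tier = Get-BackupTier -Date $day
        # Newest first; anything beyond the tier's retain count is pruned.
        $kept[$tier] = @(@($day) + @($kept[$tier]) | Select-Object -First $Retention[$tier])
    }
    foreach ($tier in 'Daily', 'Weekly', 'Monthly') {
        foreach ($d in @($kept[$tier])) {
            [pscustomobject]@{
                Tier    = $tier
                Date    = $d.ToString('yyyy-MM-dd')
                Weekday = $d.DayOfWeek
            }
        }
    }
}

# Constructed sample run: 100 consecutive daily backups starting Monday 2025-09-01.
$retained = Get-RetainedBackups -Start ([datetime]'2025-09-01') -Days 100
$retained | Sort-Object Date | Format-Table -AutoSize

# The oldest restore point still on disk is the effective recovery window.
($retained | Sort-Object Date | Select-Object -First 1).Date
```

With these counts the oldest surviving restore point is the third-newest monthly (2025-10-01 in the sample run, roughly ten weeks back), so the retain counts, not the schedule, set the recovery window to compare against the RPO.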
How did LeadThem approach the deployment?
Staged multi-product deployment with full knowledge transfer
Day 1: Requirements review and RMAD-DRE staging. Met with the credit union's AD team to review requirements across all three products. Defined RMAD scope: installation and configuration in both staging and production, Secure Storage deployment at both sites, isolated environment for DR testing, training, and full documentation. Began RMAD-DRE installation in the staging environment.
Days 2-3: RMAD-DRE production and Secure Storage. Deployed RMAD agents to staging DCs and configured the tiered backup schedule (daily/weekly/monthly with defined retention). Resolved an agent deployment issue: agents deployed from the RMAD server were being automatically removed, which required service account permission adjustments. Validated Secure Storage functionality in staging. Installed RMAD-DRE servers and Secure Storage at both KM and RTP production sites. Each site received an RMAD server, a Secure Storage server, and backup agents on its local DCs.
Days 4-5: Change Auditor and GPOADmin. Installed Change Auditor coordinator, client, and agents on staging DCs. Discovered SentinelOne was blocking CA agent connections and escalated to the security team for exclusion configuration. Installed GPOADmin in staging with service account configured as "Group Policy Creator Owner." Reviewed the GPOADmin ownership script with the team, explaining its interaction with AGPM and production implications. Ran the script in staging to validate functionality.
Days 6-7: Production deployment and validation. Validated that SentinelOne exclusions resolved CA agent issues post-DC reboot. Installed GPOADmin in production. Configured Change Auditor reporting and walked through Best Practice reports, custom report building (Who/What/Where/When), and alerting. RMAD-DRE was waiting on the network team to prepare the isolated recovery environment.
Days 8-10: Forest recovery testing and knowledge transfer. Because the isolated environment was not ready in time, built a lab environment matching the credit union's DC OS versions for the forest recovery demonstration. Executed the full forest recovery knowledge transfer: registering backups, configuring Secure Server, creating backup criteria, Phase 1 server selection and validation, Phase 1 recovery execution, Phase 2 configuration and recovery, and result validation. Documented the complete process with screenshots. Delivered the final documentation package covering all three products.
What technical challenges did we solve?
- RMAD agent auto-removal. During staging deployment, backup agents deployed from the RMAD server were being automatically removed from domain controllers. Our consultant identified a service account permission issue that was allowing the DC's security software to flag and remove the agent process. After adjusting the service account permissions and validating agent persistence, the issue was resolved and the same fix was applied proactively to production, preventing a repeat during the production rollout.
- SentinelOne blocking Change Auditor agents. Change Auditor agents on domain controllers could not connect to the coordinator due to SentinelOne's DLL injection behavior. Endpoint security products require specific exclusion paths for Quest agents (Quest KB 4369353). Our consultant worked with the credit union's security team to configure SentinelOne exclusions on all DCs in both staging and production. After the security team completed the exclusion changes and DCs were rebooted, the CA agents connected successfully, confirmed through validation testing.
- Forest recovery without isolated lab. The credit union's network team could not provision the isolated recovery environment within the engagement window. Rather than defer the forest recovery validation entirely, our consultant built a lab environment matching the credit union's DC operating system versions and ran the complete Phase 1 and Phase 2 forest recovery process in the lab. Screenshots from the lab were incorporated into the documentation, with clear notation that they should be replaced with environment-specific screenshots when the credit union completes their own recovery test.
- AGPM to GPOADmin coexistence. The credit union's existing AGPM implementation meant that GPOs had AGPM-specific ownership and delegation. The GPOADmin ownership script needed to take ownership of GPOs to manage them, but this could disrupt AGPM workflows if done incorrectly. Our consultant reviewed the script's behavior with the team in detail, explaining exactly what would change (ownership attributes) and what would not (GPO content, links, permissions). The script was run in staging first to validate, and a production migration plan was developed that the credit union could execute on their own timeline.
- Multi-site backup architecture. With DCs at two geographically separated sites, the backup architecture needed to ensure that each site could independently recover its local DCs without depending on cross-site connectivity. Our consultant deployed Secure Storage servers at both KM and RTP, configured each RMAD server to back up its local DCs to the local Secure Storage, and validated backup completion at both sites, creating a recovery architecture that survives site-level network failures.
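As an added staging check that is not part of the engagement deliverables or the GPOADmin ownership script itself, the following PowerShell (GroupPolicy module cmdlets) snapshots each GPO's owner, version numbers, links and permissions before and after the ownership script runs, then reports every attribute that changed. It assumes the script is run on a domain-joined host with the GroupPolicy module available; gpo-before.xml is a placeholder path.

```powershell
Import-Module GroupPolicy

function Get-GpoSnapshot {
    # Version numbers stand in for "GPO content": they increment on any edit.
    foreach ($gpo in Get-GPO -All) {
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $links  = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath } | Sort-Object) -join ';'
        $perms  = @(Get-GPPermission -Guid $gpo.Id -All |
                    ForEach-Object { "$($_.Trustee.Name)=$($_.Permission)" } |
                    Sort-Object) -join ';'
        [pscustomobject]@{
            Name    = $gpo.DisplayName
            Id      = $gpo.Id
            Owner   = $gpo.Owner
            Version = "$($gpo.UserVersion)/$($gpo.ComputerVersion)"
            Links   = $links
            Perms   = $perms
        }
    }
}

function Compare-GpoSnapshot {
    param($Before, $After)
    foreach ($old in $Before) {
        $new = $After | Where-Object Id -eq $old.Id
        if (-not $new) {
            [pscustomobject]@{ Name = $old.Name; Change = 'GPO missing after script' }
            continue
        }
        foreach ($prop in 'Owner', 'Version', 'Links', 'Perms') {
            if ($old.$prop -ne $new.$prop) {
                [pscustomobject]@{ Name = $old.Name; Change = $prop; Before = $old.$prop; After = $new.$prop }
            }
        }
    }
}

# Take the first snapshot, run the GPOADmin ownership script, then compare.
$before = Get-GpoSnapshot
$before | Export-Clixml -Path .\gpo-before.xml   # placeholder path
# ... run the GPOADmin ownership script here ...
$after = Get-GpoSnapshot
Compare-GpoSnapshot -Before $before -After $after | Format-Table -AutoSize
```

Only Owner rows are expected; any Version, Links or Perms row, or a missing GPO, is a finding to resolve in staging before the production migration.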
What were the results?
The credit union now has a fully operational Active Directory disaster recovery capability across both data center sites, with RMAD-DRE providing automated backups with tiered retention (daily/weekly/monthly), Secure Storage at each site for backup isolation, and a documented forest recovery procedure validated through Phase 1 and Phase 2 testing. Change Auditor provides real-time visibility into AD changes with custom reporting and alerting. GPOADmin is installed and configured with a documented migration plan from AGPM. The complete documentation package, including recovery procedures, configuration details, and operational runbooks, supports the credit union's regulatory examination requirements.
Which tools and technologies were used?
- Quest Recovery Manager for Active Directory Disaster Recovery Edition (RMAD-DRE) for AD backup, forest recovery, and Secure Storage
- Quest Change Auditor for Active Directory for real-time AD change auditing and reporting
- Quest GPOADmin for Group Policy management and AGPM migration
- RMAD-DRE Secure Storage for isolated backup storage at each data center site
Why LeadThem Consulting
Installing RMAD-DRE is the easy part. The value is in the architecture decisions, the testing, and the knowledge transfer that makes the product operationally useful. LeadThem Consulting's consultant did not just install three products and hand over a license key. We designed a multi-site backup architecture with site-independent Secure Storage, resolved SentinelOne conflicts that would have left Change Auditor non-functional, navigated the AGPM-to-GPOADmin migration carefully to avoid disrupting existing workflows, and delivered a complete forest recovery knowledge transfer, including building a lab environment when the client's isolated network was not ready. The credit union walked away with tested procedures, documented runbooks, and the confidence to pass their next regulatory examination.
- What is Quest RMAD-DRE Secure Storage and why is it deployed per site?
- Secure Storage is RMAD-DRE's isolated backup repository, hardened against tampering and ransomware encryption. Deploying it at each data center site means each site can recover its local domain controllers independently, without depending on cross-site network connectivity. This protects against scenarios where one site is offline, isolated, or compromised.
- Why does SentinelOne block Quest Change Auditor agents on domain controllers?
- SentinelOne uses DLL injection to monitor process behavior on protected endpoints. Quest Change Auditor agents run their own DLL on each DC to capture AD change events. Without explicit SentinelOne exclusions for the Quest agent paths, SentinelOne can block the CA agent's coordinator connection. Quest publishes exclusion guidance (KB 4369353) covering SentinelOne, CrowdStrike, and other EDR products.
- Can GPOADmin coexist with Microsoft's AGPM during a migration?
- Yes, but the migration sequence matters. GPOADmin's ownership script changes GPO ownership attributes, which can conflict with AGPM's own ownership model if not planned. The safe path is to run the ownership script in staging first, document exactly which AGPM workflows are affected, and execute the production migration on a defined timeline once AGPM operators are trained on GPOADmin equivalents.
- What are Phase 1 and Phase 2 forest recovery in RMAD-DRE?
- Phase 1 is the recovery of one or more domain controllers to a healthy state with replication and authentication restored across a subset of the forest. Phase 2 is the restoration of the full forest to operational status, including all remaining DCs, FSMO roles, trusts, and replication topology. Splitting the recovery into phases lets organizations restore critical authentication faster than a single all-at-once recovery.
- Do regulators require AD disaster recovery testing?
- Yes, for regulated industries. NCUA examiners for credit unions, FFIEC for banks, HIPAA for healthcare, and similar regimes for other regulated sectors expect documented recovery procedures, tested runbooks, and evidence that the organization can restore critical infrastructure within stated RTOs. RMAD-DRE installation alone does not satisfy these requirements. Tested, documented forest recovery procedures do.