Abstract: Technology for analyzing and tracking states of a directory service by correlating changes from multiple different data sources related to the directory service. A first data source may be based on synchronization data of the directory service and a second data source may be based on security data of one or more domain controllers hosting the directory service. The synchronization data and security data may both correspond to changes to the directory service but may include different information. For example, synchronization data may provide the content of a modification to the directory service and the security data may provide an entity that initiated the modification. The multiple sources may be compared to identify inconsistencies (e.g., detect malicious activity).

Abstract: Technology for analyzing and tracking states of a directory service by correlating changes from multiple different data sources related to the directory service. A first data source may be based on synchronization data of the directory service and a second data source may be based on security data of one or more domain controllers hosting the directory service. The synchronization data and security data may both correspond to changes to the directory service but may include different information. For example, synchronization data may provide the content of a modification to the directory service and the security data may provide an entity that initiated the modification. The multiple sources may be used to generate and enrich modification data of the directory service. The modification data may be used to determine a prior state of the directory service, to undue modifications initiated by a particular user, or to detect malicious activity.

Abstract: Technology for backing up and restoring directory services that have a domain hierarchy (e.g., a domain forest). The technology may analyze operating system level backup data of multiple domain controllers and decouple data of the directory service from the backup data. The decoupled data may be absent executable data and may represent the backed up state of the directory service. The decoupled data may be enriched to include additional information about the computing environment and stored in a storage object (e.g., a forest recovery object). The technology may use the storage object to restore the directory service to the same set of computing devices or to a different set of computing device. This may involve configuring one or more of the computing devices to support directory services and coordinating an update to the configured computing devices to restore the backed up state of the directory service.