MicrosoftPlease note that AD Forest Recovery doesn't mention DPAPI backup keys:
"There currently is no officially supported way of changing or rotating these DPAPI backup keys on the domain controllers. In accordance with the document MS-BKRP, 3rd parties have the ability to develop an application or script that creates a new DPAPI Backup key and sets the new key to be the preferred key for the domain. However, these 3rd party solutions would be unsupported by Microsoft.
Should the DPAPI Backup keys for the domain be compromised, the recommendation is to create a new domain and migrate users to that new domain. If a malicious actor is able to gain access to the DPAPI backup keys, it's likely that they have acquired domain administrator-level access to the domain and have full access to its resources. An attacker may also install other backdoor systems in the domain with the level of access that they now have, hence the recommendation to migrate to a new domain."
Source: https://learn.microsoft.com/en-us/windows/win32/seccng/cng-dpapi-backup-keys-on-ad-domain-controllers#:~:text=There%20currently%20is,a%20new%20domain.
