Protecting Active Directory Against Petya and Her Friends

Many companies have struggled to restore their business-critical services like Active Directory or Exchange for weeks after the (Not)Petya malware outbreak. What could they have done better to prevent such catastrophes? And what can be done when all DCs, including their backups, get lost?