Solved

Advice for long term disconnected domain controller

Posted on 2008-06-18
337 Views
Last Modified: 2010-03-17
Hi,
We have a research vessel which can go out to sea for up to 3 or 4 months at a time (sometimes up to 6 months before returning to our broadband connection). We have just implemented group policy and locked down our desktop machines; one of the advantages of this is that we have taken local admin rights from our users. When they used to go on "the ship" they would take their machines out of the domain and put them in the ship's workgroup, but this is no longer an option for them! We are thinking about putting a domain controller on the ship to solve this problem and in turn make our lives easier (i.e. no re-promoting!). How would a Windows 2003 R2 domain controller feel about this? I have read a couple of MS articles that say it should be OK, providing we don't go over 180 days (tombstone lifetime). Any advice or tips welcome.
Thanks

Michael
Question by:michaelsage
16 Comments
 
LVL 14

Expert Comment

by:plug1
ID: 21812388
From experience, mate, the server that leaves port will log plenty of errors in its event logs because it can't see the domain, but it will continue to function correctly locally. When it returns to port it will see the domain and be a happy server. Even going past 180 days it will still work away, although rejoining the domain might be a little more interesting.
 
LVL 70

Expert Comment

by:KCTS
ID: 21812391
You can increase the tombstone period, but is this really necessary?
Why not leave the machines in the domain? Users can log on with cached credentials and connect to a workgroup without the need to remove them from the domain or to have a domain controller on board.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21815112
Keep in mind that unless you created a pristine AD forest using 2K3 SP1 or 2K3 SP2 (but not 2K3 R2, as there was a regression bug), your TSL is 60 days, not 180 days, until you manually change it.

Author Comment

by:michaelsage
ID: 21815154
Laura,
Thanks for that, I didn't realise that! What kind of effect would it have if we upped the time to live to, say, 300 days? This would be a worst case I guess. Would it lead to huge tombstone issues? I guess the other problem we have is people connecting workstations from the ship before the AD has replicated (things like passwords would be way out of sync). That's a general problem anyway.
Thanks guys so far
Michael
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21815183
Increasing the TSL will increase the size of your NTDS.DIT file, which may be of issue to you. There will also be some pain points when the users return to connectivity as it will take some time for the near-offline DC to catch back up and replicate in password changes, etc.
 

Author Comment

by:michaelsage
ID: 21815307
Will have a look at the size of our NTDS.DIT file tomorrow and see what size it is. I understand the point about pain points too. I think we will set the TSL to 180 days (or check it is set at 180 days), and wait until we have satellite broadband on the ship; we are hoping that way we can get it to replicate every week or so. I guess this question moves to: how does AD cope with unreliable / unstable links? With the TSL I guess this shouldn't be a problem; the only issue would be the event log!
Is that correct?
Thanks
Michael
 
LVL 70

Expert Comment

by:KCTS
ID: 21815321
Do you really need to do any of this? Why not leave the machines in the domain? Users can log on with cached credentials and connect to a workgroup server without the need to remove them from the domain or to have a domain controller on board. No issues.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21815370
If a user attempts to access a resource (file server, whatever) while on-ship that they had not attempted to access before going offline, cached creds will fail the auth request. Cached creds will work for the local workstation since they've obviously already auth'd there (otherwise their creds wouldn't be cached), but if they're doing file sharing or whatever, it could fall down.

AD reacts to flapping WAN links just like anything else would - if it tries to replicate and can't because the WAN is down, your DS logs will fill up with red. So long as they're able to replicate within the TSL, it's just a matter of reading your logs within the context of understanding your environment.
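The two checks the thread keeps coming back to (what the forest's TSL actually is, and whether the ship's DC has replicated within it) can be scripted. This is an added example, not something posted in the thread; it assumes it is run on the DC itself with ADSI access and repadmin.exe available, and that the column names in `repadmin /showrepl /csv` are "Source DSA", "Naming Context" and "Last Success Time".

```powershell
# Added example (not from the thread): report the forest tombstone lifetime and how
# many days each inbound replication partner of this DC has been silent.
# Assumptions: run on the DC, ADSI available, repadmin.exe on the path, and the
# /csv column names listed in the lead-in.

function Get-TombstoneLifetimeDays {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $tsl = $dsObject.Properties["tombstoneLifetime"].Value
    # Attribute not set: forest was not created on 2K3 SP1/SP2 media, so AD uses
    # the built-in default of 60 days rather than 180.
    if ($null -eq $tsl) { return 60 }
    return [int]$tsl
}

function Get-ReplicationAge {
    param([int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays))
    $rows = repadmin /showrepl /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $lastOk = [datetime]::MinValue
        $parsed = [datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)
        if ($parsed) {
            $days = ((Get-Date) - $lastOk).TotalDays
        } else {
            $days = [double]::PositiveInfinity   # never replicated from this partner
        }
        # Past the TSL, the partner may have purged tombstones this DC never saw:
        # lingering-object territory, and the DC should not simply be reconnected.
        if ($days -gt $TombstoneLifetimeDays)      { $status = 'CRITICAL: past TSL' }
        elseif ($days -gt $TombstoneLifetimeDays / 2) { $status = 'WARNING: over half TSL' }
        else                                       { $status = 'OK' }
        New-Object PSObject -Property @{
            Partner          = $row.'Source DSA'
            NamingContext    = $row.'Naming Context'
            DaysSinceSuccess = [math]::Round($days, 1)
            TSLDays          = $TombstoneLifetimeDays
            Status           = $status
        }
    }
}

Get-ReplicationAge | Format-Table Partner, NamingContext, DaysSinceSuccess, TSLDays, Status -AutoSize
```

Run it before the vessel sails to confirm the TSL is really 180 and not 60, and again when the satellite link is up to see which partners are closest to the cut-off.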
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 100 total points
ID: 21815412
OK, here is another option. Use NetSetMan (http://www.netsetman.com/) to allow the users to switch between a workgroup and domain setup. This is free and will allow users to use a workgroup server and do away with all the complexity.
 

Author Comment

by:michaelsage
ID: 21815450
The problem with this would come if they tried to access anything on our domain while they were at sea, i.e. OWA (although I believe this is fixed in XP SP2); the bigger problem would be our Citrix remote access, which would also require a password change. Our users are not very technical so we are trying to create a (management speak) "unified environment".
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 300 total points
ID: 21815510
You're simply not going to be able to provide seamless access in a disconnected or near-offline environment like the one you're describing, as a lack of synchronization will create pain no matter how you try to dress it up. Heck, stick a modem in the back of the DC and RRAS into corpnet once a night if that's the best you can do.
 

Author Comment

by:michaelsage
ID: 21815542
Thanks for the software suggestion; unfortunately that would not work for us either as our users don't have local admin rights. I guess we could create a local user with admin rights, but having just removed all local admins it would seem a bit of a step backwards! Our Group Policy is also quite restrictive, which is where the password expiry issues come in.
Perhaps when we upgrade to a Windows 2008 domain we could move client machines into a ship container (no pun intended!) and have a different password policy. Thanks for your help guys, any further tips would be great. I am hoping to have the sat link in and that should give us enough; without it, it looks like it will be trouble at best!
Thanks again
Michael
 

Author Comment

by:michaelsage
ID: 21815599
Thinking about it, I guess another idea might be to buy some new workstations, stick them on the ship and have a separate domain where the users could have local admin rights. This might be the best solution, and install the software they need for each cruise. At least the environment would be familiar...
It's just a lot of work for us!
Michael
 

Author Comment

by:michaelsage
ID: 21815653
Would another solution be to use a trust relationship? The ship could have its own domain that trusts the corp domain and vice versa. Would that work?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21815738
If the point of the exercise is that you don't trust the users in this environment, why are you considering making one (and thus potentially -all-) of them Domain Admins? (Somebody needs to administer the domain while it's disconnected, after all.) You're increasing complexity rather than decreasing it.
 

Author Comment

by:michaelsage
ID: 21815898
I guess we don't trust our users! There is no IT support on the boat when she goes out. We are in the process of the desktop lockdown. I guess it's back to the sync'd domain with the sat connection. It's a difficult situation for us though.