Solved

Advice for long term disconnected domain controller

Posted on 2008-06-18
335 Views
Last Modified: 2010-03-17
Hi,
We have a research vessel which can go out to sea for up to 3 or 4 months at a time (sometimes up to 6 months before returning to our broadband connection). We have just implemented group policy and locked down our desktop machines; one of the advantages with this is that we have taken local admin rights from our users. When they used to go on "the ship" they would take their machines out of the domain and put them in the ship's workgroup; this is no longer an option for them! We are thinking about putting a domain controller on the ship to solve this problem and in turn make our lives easier (i.e. no re-promoting!). How would a Windows 2003 R2 domain controller feel about this? I have read a couple of MS articles that say it should be OK, providing we don't go over 180 days (tombstone life). Any advice or tips welcome.
Thanks

Michael
0
Question by:michaelsage
16 Comments
 
LVL 14

Expert Comment

by:plug1
From experience, mate, the server that leaves port will log plenty of errors in its event logs because it can't see the domain, but it will continue to function correctly locally. When it returns to port it will see the domain and be a happy server. Even going past 180 days it will still work away, although rejoining the domain might be a little more interesting.
0
 
LVL 70

Expert Comment

by:KCTS
You can increase the tombstone period, but is this really necessary?
Why don't you leave the machines in the domain? Users can log on with cached credentials and connect to a workgroup without the need to remove them from the domain or to have a domain controller on-board.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
Keep in mind that unless you created a pristine AD forest using 2K3 SP1 or 2K3 SP2 (but not 2K3 R2, as there was a regression bug), your TSL is 60 days, not 180 days, until you manually change it.

0
 

Author Comment

by:michaelsage
Laura,
Thanks for that, didn't realise that! What kind of effect would it have if we upped the time to live to, say, 300 days? This would be a worst case I guess. Would it lead to huge tombstone issues? I guess the other problem we have is people connecting workstations from the ship before the AD has replicated (things like passwords would be way out of sync). That's a general problem anyway..
Thanks guys so far
Michael
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
Increasing the TSL will increase the size of your NTDS.DIT file, which may be of issue to you.  There will also be some pain points when the users return to connectivity as it will take some time for the near-offline DC to catch back up and replicate in password changes, etc.  
0
 

Author Comment

by:michaelsage
Will have a look at the size of our NTDS.DIT file tomorrow and see what size it is. I understand the point about pain points too. I think we will set the TSL to 180 days (or check it is set at 180 days), and wait until we have satellite broadband on the ship; we are hoping that way we can get it to replicate every week or so. I guess this question moves to "how does AD cope with unreliable / unstable links?" With the TSL I guess this shouldn't be a problem; the only issue would be the event log!
Is that correct?
Thanks
Michael
0
 
LVL 70

Expert Comment

by:KCTS
Do you really need to do any of this? Why don't you leave the machines in the domain? Users can log on with cached credentials and connect to a workgroup server without the need to remove them from the domain or to have a domain controller on-board. No issues.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
If a user attempts to access a resource (file server, whatever) while on-ship that they had not attempted to access before going offline, cached creds will fail the auth request. Cached creds will work for the local workstation since they've obviously already auth'd there (otherwise their creds wouldn't be cached), but if they're doing file sharing or whatever, it could fall down.

AD reacts to flapping WAN links just like anything else would - if it tries to replicate and can't because the WAN is down, your DS logs will fill up with red.  So long as they're able to replicate within the TSL, it's just a matter of reading your logs within the context of understanding your environment.
0
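Two checks come out of this thread: Laura's point that a forest not created with 2003 SP1/SP2 media still runs a 60-day tombstone lifetime until someone changes it, and her later point that the ship DC is fine as long as it replicates within that TSL. The script below is an added example, not code from the thread or from Microsoft; it reads the TSL from the configuration partition, measures how long it has been since the local DC last replicated successfully with each partner, and flags any partition that a planned voyage would push past the TSL. It also reads the workstation's CachedLogonsCount, since the cached-credentials approach KCTS suggests depends on that value being large enough. It assumes a domain-joined Windows machine with LDAP reach to a DC, repadmin.exe on the path (Support Tools on 2003, built in from 2008) and rights to read the configuration partition; the function names and the 120-day voyage in the usage line are mine.

```powershell
# Added example: pre-departure readiness check for a domain controller that will be
# disconnected for months. Not part of the original thread.

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on CN=Directory Service in the configuration partition.
    # If the attribute is absent the forest uses the built-in default of 60 days, which
    # is the pre-SP1 situation described in the thread. ADSI is used rather than the
    # ActiveDirectory module so this also works against a Windows 2003 DC.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties["configurationNamingContext"].Value
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value    = $dsObject.Properties["tombstoneLifetime"].Value
    if ($null -eq $value) { return 60 }   # attribute not set: implicit default
    return [int]$value
}

function Get-ReplicationAge {
    # Parses 'repadmin /showrepl <dc> /csv' and returns, per inbound partner and naming
    # context, the days elapsed since the last successful replication.
    param([string]$Dc = $env:COMPUTERNAME)
    $rows = repadmin /showrepl $Dc /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $last = [datetime]::MinValue               # treat "(never)" as infinitely old
        if ($row.'Last Success Time' -and $row.'Last Success Time' -ne '(never)') {
            $last = [datetime]$row.'Last Success Time'
        }
        [pscustomobject]@{
            NamingContext = $row.'Naming Context'
            Source        = $row.'Source DSA'
            LastSuccess   = $last
            AgeDays       = [math]::Round(((Get-Date) - $last).TotalDays, 1)
            Failures      = [int]$row.'Number of Failures'
        }
    }
}

function Test-VoyageWindow {
    # Adds the planned days at sea to the time already elapsed since the last sync and
    # compares the total with the tombstone lifetime. A DC that passes the TSL without
    # replicating can resurrect deleted objects (lingering objects) when it reconnects.
    param([Parameter(Mandatory)][int]$PlannedDaysAtSea)
    $tsl = Get-TombstoneLifetimeDays
    foreach ($r in Get-ReplicationAge) {
        $projected = $r.AgeDays + $PlannedDaysAtSea
        [pscustomobject]@{
            NamingContext = $r.NamingContext
            Source        = $r.Source
            DaysSinceSync = $r.AgeDays
            ProjectedDays = $projected
            TombstoneLife = $tsl
            Safe          = ($projected -lt $tsl)
        }
    }
}

function Get-CachedLogonsCount {
    # Number of domain logons a workstation caches for use when no DC is reachable
    # (default 10). Relevant to the "just use cached credentials" option: it covers
    # interactive logon on that machine only, not access to new network resources.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $count = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $count) { return 10 }   # value absent: Windows default
    return [int]$count
}

# Usage (run on the ship DC before sailing; 120 days is an assumed voyage length):
#   Test-VoyageWindow -PlannedDaysAtSea 120 | Format-Table -AutoSize
#   Get-CachedLogonsCount
```

Run it a day or two before departure rather than months earlier: the DaysSinceSync term is what turns a 180-day TSL into a much shorter real window once a DC has already sat unreplicated for a while, and any partition reporting Safe = False should be forced to replicate before the link is lost.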
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 100 total points
OK, here is another option. Use NetSetMan (http://www.netsetman.com/) to allow the users to switch between a workgroup and domain setup. This is free and will allow users to use a workgroup server and do away with all the complexity.
0
 

Author Comment

by:michaelsage
The problem with this would come if they tried to access anything on our domain while they were at sea, i.e. OWA (although I believe this is fixed in XP SP2); the bigger problem would be our Citrix remote access, which would also require a password change. Our users are not very technical, so we are trying to create a (management speak) "unified environment".
0
 
LVL 30

Accepted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 300 total points
You're simply not going to be able to provide seamless access in a disconnected or near-offline environment like the one you're describing, as a lack of synchronization will create pain no matter how you try to dress it up. Heck, stick a modem in the back of the DC and RRAS into corpnet once a night if that's the best you can do.
0
 

Author Comment

by:michaelsage
Thanks for the software suggestion; unfortunately that would not work for us either, as our users don't have local admin rights. I guess we could create a local user with admin rights, but having just removed all local admins it would seem a bit of a step backwards! Our Group Policy is also quite restrictive, which is where the password expiry issues come in.
Perhaps when we upgrade to a Windows 2008 domain we could move client machines into a ship container (no pun intended!) and have a different password policy. Thanks for your help guys, any further tips would be great. I am hoping to have the sat link in and that should give us enough; without it, it looks like it will be trouble at best!
Thanks again
Michael
0
 

Author Comment

by:michaelsage
Thinking about it, I guess another idea might be to buy some new workstations, stick them on the ship and have a separate domain where the users could have local admin rights. This might be the best solution, and install the software they need for each cruise. At least the environment would be familiar...
It's just a lot of work for us!
Michael
0
 

Author Comment

by:michaelsage
Would another solution be to use a trust relationship? The ship could have its own domain that trusts the corp domain and vice versa. Would that work?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
If the point of the exercise is that you don't trust the users in this environment, why are you considering making one (and thus potentially -all-) of them Domain Admins?  (Somebody needs to administer the domain while it's disconnected, after all.)  You're increasing complexity rather than decreasing it.
0
 

Author Comment

by:michaelsage
I guess we don't trust our users! There is no IT support on the boat when she goes out. We are in the process of the desktop lockdown. I guess it's back to the sync'd domain with the sat connection. It's a difficult situation for us though.
0