Solved

Will I get the right kind of redundancy from virtualizing a DC off site in case of disaster?

Posted on 2009-07-06
Last Modified: 2012-05-07
Hi All, I currently have a single-tree forest AD on Server 2003 running in 2000 mixed mode. I am working on upgrading functionality to 2003 once the NT4 domain goes away.

Currently the 2003 domain is very simple: about 70 workstations, 10 servers and 2 onsite physical DCs with AD-integrated DNS.

After backing up system state and preparing a test restore of AD on dissimilar hardware, I realized that I can only recover the domain in the event that one of the servers fails and is able to be physically restored. If the building were to, God forbid, burn down, both physical DCs would be gone and the domain would cease to exist, making domain recovery impossible. Yikes!

As far as disaster recovery goes, I'd like us to be better protected, but I do not have it in the budget at present to procure physical hardware for off-site redundancy. I do have preexisting hardware off site and could conceivably run a virtual DC on Virtual Server 2005.

Questions are:

Will having an offsite virtual DC that has no FSMO or GC roles allow me to get the domain back up and running in the event of total onsite disaster?

What happens to AD-integrated DNS zones (almost all of our zones are) if both DCs were to catastrophically fail and I need to rely on the virtual DC to rebuild?

The DNS servers are also onsite and would conceivably go at the same time if an extreme situation were to take out all physical servers here in the building.  

I am learning as I go here so may post more questions as I think of them but that is the gist of it for now.  

Your thoughts and suggestions are appreciated. I read the Microsoft KB on the subject, but it does not talk about a lot.

Thanks!

-Self taught Domain Admin
Question by:MarlinTechSupport
3 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24787238

In the event of a major disaster, you should be able to recover Active Directory from a System State backup.
The procedure you follow can be convoluted, but it can be done.

>> Will having an offsite virtual DC that has no FSMO or GC roles allow me to get the domain back up and running in the event of total onsite disaster?

It is the current industry recommendation that all DCs are also made GCs (even in multi-domain forests), so the new DC should ideally be a GC too.
Without FSMO roles, the off-site DC will still hold a copy of the Active Directory domain information and therefore you are more than capable of using it for disaster recovery. You would simply seize the FSMO roles and run a metadata cleanup of the lost DCs to get yourself running again as quickly as possible.

>> What happens to AD-integrated DNS zones (almost all of our zones are) if both DCs were to catastrophically fail and I need to rely on the virtual DC to rebuild?

Install the DNS role onto the third virtualised DC. Any AD-integrated DNS zones are stored in Active Directory, so would be stored locally on this DC anyway in the domain database. However, having the DNS role installed means you can keep going in the event of a failure in the main site.

>> The DNS servers are also onsite and would conceivably go at the same time if an extreme situation were to take out all physical servers here in the building.  

As mentioned above: Install the DNS role, check the zones replicate, then forget about it.
Make all your zones AD-integrated so they replicate more cleanly between DCs.

-Matt
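The accepted answer's recovery plan depends on the off-site DC holding a complete, current copy of the domain and of the AD-integrated zones before the main site is lost. The following readiness check is an added example written for this thread, not code from either answerer; it assumes the ActiveDirectory and DnsServer PowerShell modules (RSAT or Windows Server 2012 and later, so a more modern toolset than the 2003 DCs in the question) and that it is run on the off-site DC. It only reads state and changes nothing.

```powershell
# Added example: verify the off-site DC is ready to carry the domain on its own.
# Assumes the ActiveDirectory and DnsServer modules are installed (assumption,
# not stated in the thread) and that this runs on the off-site DC itself.
Import-Module ActiveDirectory
Import-Module DnsServer

$local  = $env:COMPUTERNAME
$forest = Get-ADForest
$domain = Get-ADDomain

# 1. FSMO role holders. If all five sit in the main site, a total site loss means
#    every one of them must be seized onto this DC before the domain is usable again.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# 2. Global catalog status of this DC (the accepted answer recommends every DC be a GC).
$me = Get-ADDomainController -Identity $local
"Local DC {0} in site {1}: GlobalCatalog={2}" -f $me.HostName, $me.Site, $me.IsGlobalCatalog

# 3. DNS zones. Only AD-integrated zones live in the directory database on this DC;
#    a file-backed primary zone exists solely on the server that hosts it.
Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    ForEach-Object {
        $state = if ($_.IsDsIntegrated) { "AD-integrated ($($_.ReplicationScope))" }
                 else { 'FILE-BACKED: will not survive loss of the hosting server' }
        "{0,-30} {1}" -f $_.ZoneName, $state
    }

# 4. Inbound replication health. A DC that has not replicated recently holds stale
#    data; repadmin ships with AD DS and its /csv output parses cleanly.
$repl = repadmin /showrepl $local /csv | ConvertFrom-Csv
$bad  = $repl | Where-Object { $_.'Number of Failures' -ne '0' }
if ($bad) {
    $bad | Format-Table 'Source DSA', 'Naming Context', 'Last Failure Status' -AutoSize
} else {
    "Inbound replication to ${local}: no failures reported"
}
```

Run it from an elevated prompt before relying on the DC for recovery; the seizure and metadata-cleanup steps themselves are the ones the answers link to, and are only performed once the original holders are confirmed gone.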
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 500 total points
ID: 24787259
Hi there,

Having any DC off-site replicating is going to give you redundancy for AD and DNS, whether physical or virtual. The principle is the same. You would need to set up a VPN between the two sites to enable replication.

If you lost a server irrecoverably, then on the remaining DC you'd have to seize any FSMOs it held, and clean up AD to remove any trace of the failed DC (metadata cleanup).

Seizing FSMOs : http://www.petri.co.il/seizing_fsmo_roles.htm
Metadata cleanup : http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Your restore would then involve just installing and promoting a new server. This new server will pull a full copy of AD and DNS from the offsite DC. This wouldn't actually be restoring the lost server, just configuring a replacement as far as AD goes. Any other applications/data on the lost server you would have to deal with separately.

In addition to having this DC off-site, you should still make regular backups of your servers' system partitions and system state.

What you also want to bear in mind is the bandwidth of your WAN link and the size of your AD database. Trying to pull (and replicate) a massive db over a 56k dial up isn't going to be pleasant! Nowadays this isn't so much a problem really.

If you're worried about restoring from a disaster, what about some imaging software such as Acronis True Image Echo, which can restore the entire system partition to different hardware? Now, this is usually a big no-no for DCs, as an image restore is not typically AD-aware, but there are ways around this.