Will I get the right kind of redundancy from virtualizing a DC off site in case of disaster?

Posted on 2009-07-06
Last Modified: 2012-05-07
Hi All, I currently have a single-tree forest AD on Server 2003 running in 2000 mixed mode. I am working on upgrading functionality to 2003 once the NT4 domain goes away.

Currently the 2003 domain is very simple: about 70 workstations, 10 servers and 2 onsite physical DCs with AD-integrated DNS.

After backing up system state and preparing a test restore of AD on dissimilar hardware, I realized that I can only recover the domain in the event that one of the servers fails and is able to be physically restored. If the building were to, God forbid, burn down, both physical DCs would be gone and the domain would cease to exist, making domain recovery impossible. Yikes!

As far as disaster recovery goes I'd like us to be better protected, but do not have it in the budget at present to procure physical hardware for off-site redundancy. I do have preexisting hardware off site and could conceivably run a virtual DC on Virtual Server 2005.

Questions are:

Will having an offsite virtual DC that has no FSMO or GC roles allow me to get the domain back up and running in the event of total onsite disaster?

What happens to AD integrated DNS zones (almost all of our zones are) if both DC's were to catastrophically fail and I need to rely on the virtual DC to rebuild?

The DNS servers are also onsite and would conceivably go at the same time if an extreme situation were to take out all physical servers here in the building.  

I am learning as I go here so may post more questions as I think of them but that is the gist of it for now.  

Your thoughts and suggestions are appreciated, I read the Microsoft KB on the subject but it does not talk about a lot.

Thanks!

-Self taught Domain Admin
Question by: MarlinTechSupport
Accepted Solution

by: tigermatt (ID: 24787238)

In the event of a major disaster, you should be able to recover Active Directory from a System State backup.
The procedure you follow can be convoluted, but it can be done.

>> Will having an offsite virtual DC that has no FSMO or GC roles allow me to get the domain back up and running in the event of total onsite disaster?

It is a current industry recommendation that all DCs also be made GCs (even in multi-domain forests), so the new DC should ideally be a GC too.
Without FSMO roles, the off-site DC will still hold a copy of the Active Directory domain information and therefore you are more than capable of using it for disaster recovery. You would simply seize the FSMO roles and run a metadata cleanup of the lost DCs to get yourself running again as quickly as possible.

>> What happens to AD integrated DNS zones (almost all of our zones are) if both DC's were to catastrophically fail and I need to rely on the virtual DC to rebuild?

Install the DNS role onto the third virtualised DC. Any AD-integrated DNS zones are stored in Active Directory, so would be stored locally on this DC anyway in the domain database. However, having the DNS role installed means you can keep going in the event of a failure in the main site.

>> The DNS servers are also onsite and would conceivably go at the same time if an extreme situation were to take out all physical servers here in the building.  

As mentioned above: Install the DNS role, check the zones replicate, then forget about it.
Make all your zones AD-integrated so they replicate more cleanly between DCs.

-Matt
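The checks the accepted answer asks for ("install the DNS role, check the zones replicate, then forget about it", plus making the off-site DC a GC) can be scripted so they are re-run before you rely on the DR plan. The following is an added example, not code from the thread or from either answerer. It assumes a Windows Server 2012 (or newer) admin host with the ActiveDirectory and DnsServer RSAT modules, plus repadmin; the domain corp.example and the DC names DC1 (on site) and DC3 (off-site virtual DC) are hypothetical. On Server 2003 the same facts come from dcdiag, repadmin and the DNS MMC.

```powershell
# Added example: pre-disaster verification of an off-site DC (hypothetical names).
Import-Module ActiveDirectory
Import-Module DnsServer

$OffsiteDc = 'DC3.corp.example'   # hypothetical off-site virtual DC
$OnsiteDc  = 'DC1.corp.example'   # hypothetical on-site DC

# 1. Record who holds the five FSMO roles today. After a site loss these are the
#    roles you will have to seize on the survivor.
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Is the off-site DC a Global Catalog? The answer recommends every DC be a GC;
#    without one reachable, forest-wide logons and UPN lookups fail after the loss.
$dc = Get-ADDomainController -Identity $OffsiteDc
if (-not $dc.IsGlobalCatalog) {
    Write-Warning "$OffsiteDc is not a GC. Enable it by setting options=1 on its NTDS Settings object:"
    Write-Warning "  Set-ADObject -Identity '$($dc.NTDSSettingsObjectDN)' -Replace @{options=1}"
}

# 3. Which primary zones does the off-site DC actually hold, and how are they stored?
#    ReplicationScope 'Legacy' = domain partition (replicates to every DC in the domain,
#    the 2000-compatible storage the question's mixed-mode domain uses).
#    'Domain'/'Forest' = DomainDnsZones/ForestDnsZones application partitions, which
#    only replicate to DCs that run the DNS role, so the role must be installed on DC3.
Get-DnsServerZone -ComputerName $OffsiteDc |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope |
    Format-Table -AutoSize

# 4. Any primary zone on the on-site DC that is NOT AD-integrated lives only in a
#    zone file on that box and will burn with the building. Flag those.
Get-DnsServerZone -ComputerName $OnsiteDc |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated } |
    ForEach-Object { Write-Warning "Zone $($_.ZoneName) on $OnsiteDc is file-backed, not AD-integrated" }

# 5. Is replication to the off-site DC current? A stale copy is what you would be
#    recovering from, so any error here invalidates the plan.
repadmin /showrepl $OffsiteDc /errorsonly
repadmin /replsummary
```

Run it from the main site and again from the off-site host: the point of step 5 is that the VPN link the second answer mentions is actually carrying replication both ways, not merely up.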
 
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 500 total points
ID: 24787259
Hi there,

Having any DC off-site replicating is going to give you redundancy for AD and DNS, whether physical or virtual. The principle is the same. You would need to set up a VPN between the two sites to enable replication.

If you lost a server irrecoverably, then on the remaining DC you'd have to seize any FSMOs it held, and clean up AD to remove any trace of the failed DC (metadata cleanup).

Seizing FSMOs : http://www.petri.co.il/seizing_fsmo_roles.htm
Metadata cleanup : http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Your restore would then involve just installing and promoting a new server. This new server will pull a full copy of AD and DNS from the offsite DC. This wouldn't actually be restoring the lost server, just configuring a replacement as far as AD goes. Any other applications/data on the lost server you would have to deal with separately.

In addition to having this DC off-site, you should still make regular backups of your servers' system partitions and system state.

What you also want to bear in mind is the bandwidth of your WAN link and the size of your AD database. Trying to pull (and replicate) a massive db over a 56k dial up isn't going to be pleasant! Nowadays this isn't so much a problem really.

If you're worried about restoring from a disaster, what about some imaging software such as Acronis True Image Echo, which can restore the entire system partition to different hardware? Now this is usually a big no-no for DCs, as an image restore is not typically AD-aware, but there are ways around this.
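Both answers describe the same recovery sequence for a total site loss: seize the FSMO roles on the surviving off-site DC, run metadata cleanup for the dead DCs, then promote a replacement that pulls AD and DNS from the survivor. The following is an added example of that sequence, not code from the thread or from either answerer. It assumes the survivor runs Windows Server 2008 R2 or newer with the ActiveDirectory module (the replacement-promotion step needs the Server 2012+ ADDSDeployment module); on Server 2003 the same steps are the interactive ntdsutil "roles" and "metadata cleanup" menus that the Petri links walk through. The names DC1, DC2, DC3, corp.example and the site name are hypothetical.

```powershell
# Added example: recover the domain on the surviving off-site DC after DC1 and DC2
# are gone for good (hypothetical names). Run steps 1-3 on the survivor.
Import-Module ActiveDirectory

$Survivor = 'DC3'                      # hypothetical surviving off-site DC
$LostDcs  = @('DC1', 'DC2')            # hypothetical DCs lost with the building
$Site     = 'Default-First-Site-Name'  # hypothetical site that held DC1/DC2
$ConfigNC = (Get-ADRootDSE).configurationNamingContext

# 1. Seize all five FSMO roles. This is a seizure, not a transfer: the old holders
#    cannot be contacted, so -Force tells the cmdlet to take the role anyway.
#    Never bring DC1/DC2 back online afterwards (duplicate RID pools / split PDC);
#    rebuild them instead, which is what step 4 does.
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Metadata cleanup: delete the lost DCs' server and NTDS Settings objects so the
#    survivor stops trying to replicate with them and the names can be reused.
#    (Server 2008+ ntdsutil accepts the server DN directly on one line.)
foreach ($name in $LostDcs) {
    $serverDn = "CN=$name,CN=Servers,CN=$Site,CN=Sites,$ConfigNC"
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}

# 3. Verify: every role must now point at the survivor, the DC list must not contain
#    the dead DCs, and replication must report no partners it cannot reach.
netdom query fsmo
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize
repadmin /showrepl $Survivor
# Also remove stale A/NS records the dead DCs left in DNS, otherwise clients keep
# trying to contact them:
foreach ($name in $LostDcs) {
    Get-DnsServerResourceRecord -ZoneName 'corp.example' -Name $name -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ZoneName 'corp.example' -Force
}

# 4. On the replacement server at the rebuilt main site (run THERE, not on DC3):
#    promote it as an additional DC with DNS, sourcing the directory from the
#    survivor. As the second answer says, this is a fresh DC, not a restore of DC1.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'corp.example' -InstallDns `
    -ReplicationSourceDC "$Survivor.corp.example" -Credential (Get-Credential) -Confirm:$false
```

The order matters: seize first, clean up second. Until the roles are seized, RID allocation and password-chain operations that depend on the PDC emulator stall, and until the metadata is gone the replacement in step 4 cannot reuse the old name and the survivor keeps logging replication failures against servers that no longer exist.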