Solved

Will I get the right kind of redundancy from virtualizing a DC off site in case of disaster?

Posted on 2009-07-06
Last Modified: 2012-05-07
Hi All, I currently have a single-tree forest AD on Server 2003 running in 2000 mixed mode. I am working on upgrading functionality to 2003 once the NT4 domain goes away.

Currently the 2003 domain is very simple: about 70 workstations, 10 servers and 2 on-site physical DCs with AD-integrated DNS.

After backing up system state and preparing a test restore of AD on dissimilar hardware, I realized that I can only recover the domain in the event that one of the servers fails and can be physically restored. If the building were to, God forbid, burn down, both physical DCs would be gone and the domain would cease to exist, making domain recovery impossible. Yikes!

As far as disaster recovery goes I'd like us to be better protected, but I do not have it in the budget at present to procure physical hardware for off-site redundancy. I do have pre-existing hardware off site and could conceivably run a virtual DC on Virtual Server 2005.

Questions are:

Will having an off-site virtual DC that has no FSMO or GC roles allow me to get the domain back up and running in the event of total on-site disaster?

What happens to AD-integrated DNS zones (almost all of our zones are) if both DCs were to catastrophically fail and I need to rely on the virtual DC to rebuild?

The DNS servers are also on site and would conceivably go at the same time if an extreme situation were to take out all physical servers here in the building.

I am learning as I go here, so I may post more questions as I think of them, but that is the gist of it for now.

Your thoughts and suggestions are appreciated. I read the Microsoft KB on the subject, but it does not talk about a lot.

Thanks!

-Self taught Domain Admin
Question by MarlinTechSupport
Accepted Solution by tigermatt (ID: 24787238)

In the event of a major disaster, you should be able to recover Active Directory from a System State backup.
The procedure you follow can be convoluted, but it can be done.

>> Will having an off-site virtual DC that has no FSMO or GC roles allow me to get the domain back up and running in the event of total on-site disaster?

It is the current industry recommendation that all DCs also be made GCs (even in multi-domain forests), so the new DC should ideally be a GC too.
Without FSMO roles, the off-site DC will still hold a copy of the Active Directory domain information, and therefore you are more than capable of using it for disaster recovery. You would simply seize the FSMO roles and run a metadata cleanup of the lost DCs to get yourself running again as quickly as possible.

>> What happens to AD-integrated DNS zones (almost all of our zones are) if both DCs were to catastrophically fail and I need to rely on the virtual DC to rebuild?

Install the DNS role onto the third, virtualised DC. Any AD-integrated DNS zones are stored in Active Directory, so they would be stored locally on this DC anyway in the domain database. However, having the DNS role installed means you can keep going in the event of a failure in the main site.

>> The DNS servers are also on site and would conceivably go at the same time if an extreme situation were to take out all physical servers here in the building.

As mentioned above: Install the DNS role, check the zones replicate, then forget about it.
Make all your zones AD-integrated so they replicate more cleanly between DCs.

-Matt
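The "install the DNS role, check the zones replicate" step from the answer above, written out as an added example (this is not code from the thread or from either expert). It assumes the on-site DC is named DC1, the off-site virtual DC is DC3, and both run Windows Server 2012 or later with the DnsServer module available; on Server 2003 the equivalent tools are dnscmd and repadmin. Every name below is a placeholder for this example.

```powershell
# Added example, not from the original thread. Assumed names: DC1 (on-site DC),
# DC3 (off-site virtual DC). Requires Server 2012+ with the DnsServer module and
# RSAT; run from an elevated PowerShell session as a Domain Admin.
$OnsiteDc  = 'DC1'
$OffsiteDc = 'DC3'

# 1. Put the DNS role on the off-site DC. Installing DNS is what enlists a DC in the
#    DomainDnsZones/ForestDnsZones application partitions, so zones stored at
#    "Domain" or "Forest" replication scope only ever reach DCs that run DNS.
Install-WindowsFeature -Name DNS -IncludeManagementTools -ComputerName $OffsiteDc | Out-Null

# 2. Inventory the zones on the on-site DC. A file-backed primary lives only in
#    %SystemRoot%\System32\dns on that one box and dies with it.
$zones = Get-DnsServerZone -ComputerName $OnsiteDc |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

foreach ($z in $zones) {
    if ($z.IsDsIntegrated) {
        '{0,-30} AD-integrated, scope {1}' -f $z.ZoneName, $z.ReplicationScope
    } else {
        Write-Warning "$($z.ZoneName) is file-backed on $OnsiteDc; converting it to AD-integrated"
        # "Domain" scope = DomainDnsZones partition, replicated to every DNS-enabled DC in the domain.
        ConvertTo-DnsServerPrimaryZone -ComputerName $OnsiteDc -Name $z.ZoneName `
            -ReplicationScope Domain -Force
    }
}

# 3. Do not wait for the site link schedule: push every partition to the off-site DC now.
repadmin /syncall $OffsiteDc /AdeP | Out-Null

# 4. Prove the copy arrived: each zone must exist on DC3, and its SOA serial should
#    match DC1. A missing zone means the partition is not replicating; a serial that
#    stays behind after the syncall means replication is not converging. Either way
#    the off-site DC would be useless in a real loss.
$allOk = $true
foreach ($z in $zones) {
    $src = (Get-DnsServerResourceRecord -ComputerName $OnsiteDc  -ZoneName $z.ZoneName -RRType Soa).RecordData.SerialNumber
    $dst = (Get-DnsServerResourceRecord -ComputerName $OffsiteDc -ZoneName $z.ZoneName -RRType Soa -ErrorAction SilentlyContinue).RecordData.SerialNumber
    if ($null -eq $dst) {
        Write-Warning "$($z.ZoneName): not present on $OffsiteDc"; $allOk = $false
    } elseif ($dst -ne $src) {
        Write-Warning "$($z.ZoneName): serial $dst on $OffsiteDc vs $src on $OnsiteDc"; $allOk = $false
    } else {
        '{0,-30} replicated, serial {1}' -f $z.ZoneName, $dst
    }
}

# 5. Holding the data is not enough: clients must be able to *ask* DC3. Check it is
#    listed as a name server at each zone apex (normally added when the role goes in),
#    and remember to hand it out as an alternate DNS server to clients and the VPN.
foreach ($z in $zones) {
    $ns = Get-DnsServerResourceRecord -ComputerName $OffsiteDc -ZoneName $z.ZoneName -RRType Ns -Name '@' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.RecordData.NameServer }
    if (-not ($ns | Where-Object { $_ -like "$OffsiteDc.*" })) {
        Write-Warning "$($z.ZoneName): $OffsiteDc is not listed as an NS"; $allOk = $false
    }
}
if ($allOk) { 'All zones are AD-integrated and replicated to the off-site DC.' }
```

Run it once after promoting the off-site DC and again on a schedule; the point of step 4 is that "AD-integrated" only protects you if the zone's partition is actually replicating to the surviving DC, which is exactly the thing a single successful dcpromo does not prove.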
Assisted Solution by bluntTony (ID: 24787259)
Hi there,

Having any DC off site replicating is going to give you redundancy for AD and DNS, whether physical or virtual. The principle is the same. You would need to set up a VPN between the two sites to enable replication.

If you lost a server irrecoverably, then on the remaining DC you'd have to seize any FSMOs it held and clean up AD to remove any trace of the failed DC (metadata cleanup).

Seizing FSMOs: http://www.petri.co.il/seizing_fsmo_roles.htm
Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Your restore would then involve just installing and promoting a new server. This new server will pull a full copy of AD and DNS from the off-site DC. This wouldn't actually be restoring the lost server, just configuring a replacement as far as AD goes. Any other applications/data on the lost server you would have to deal with separately.

In addition to having this DC off-site, you should still make regular backups of your servers' system partitions and system state.

What you also want to bear in mind is the bandwidth of your WAN link and the size of your AD database. Trying to pull (and replicate) a massive DB over 56k dial-up isn't going to be pleasant! Nowadays this isn't so much of a problem, really.

If you're worried about restoring from a disaster, what about some imaging software such as Acronis True Image Echo, which can restore the entire system partition to different hardware? Now, this is usually a big no-no for DCs, as an image restore is not typically AD-aware, but there are ways around this.
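The recovery sequence both answers describe (seize the FSMO roles on the surviving DC, metadata cleanup of the lost DCs, then promote a replacement that pulls from the off-site DC) as an added, worked example; this is not code from the thread or from either expert. It assumes the two lost on-site DCs are DC1 and DC2, the surviving off-site DC is DC3, the domain is corp.example, and DC3 runs Windows Server 2012 or later with the ActiveDirectory, DnsServer and ADDSDeployment modules. On Server 2003 the seizure and cleanup steps are the interactive ntdsutil "roles" and "metadata cleanup" menus linked above; everything else is the same idea. All names are placeholders.

```powershell
# Added example, not from the original thread. Assumed names: DC1/DC2 (on-site,
# destroyed), DC3 (surviving off-site DC), domain corp.example. Run on DC3 as an
# Enterprise Admin. SEIZE ONLY when the old holders are gone for good: a seized role
# holder that is later powered back on produces two DCs claiming the same role.
$Survivor = 'DC3'
$DeadDcs  = 'DC1', 'DC2'
$Domain   = 'corp.example'

# 1. Seize all five roles onto the survivor. -Force is what turns a transfer into a
#    seizure (no attempt is made to contact the current holder).
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor -Force -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Metadata cleanup: remove the dead DCs' server objects so the KCC, replication
#    and the DC locator stop referring to them. ntdsutil accepts its commands as
#    arguments and still pops a Yes/No confirmation per server.
$config = (Get-ADRootDSE).configurationNamingContext
foreach ($dc in $DeadDcs) {
    $server = Get-ADObject -SearchBase "CN=Sites,$config" -LDAPFilter "(&(objectClass=server)(cn=$dc))"
    if ($server) {
        ntdsutil 'metadata cleanup' "remove selected server $($server.DistinguishedName)" q q
    }
    # Older builds leave the computer account in OU=Domain Controllers; remove it and its children.
    Get-ADComputer -Filter "Name -eq '$dc'" -ErrorAction SilentlyContinue |
        Remove-ADObject -Recursive -Confirm:$false
}

# 3. DNS still advertises the dead DCs: NS records at each zone apex, their A records,
#    and the _ldap/_kerberos SRV records they registered. Metadata cleanup does not
#    touch DNS, so strip them here or clients keep trying the dead IPs.
foreach ($zone in Get-DnsServerZone | Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }) {
    foreach ($dc in $DeadDcs) {
        $fqdn = "$dc.$Domain."
        Remove-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType Ns -Name '@' `
            -RecordData $fqdn -Force -ErrorAction SilentlyContinue
        Remove-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType A -Name $dc `
            -Force -ErrorAction SilentlyContinue
        Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -RRType Srv |
            Where-Object { $_.RecordData.DomainName -eq $fqdn } |
            Remove-DnsServerResourceRecord -ZoneName $zone.ZoneName -Force
    }
}

# 4. Verify before letting anyone log on: who holds the roles, which DCs remain, and
#    that the domain locator and dcdiag are happy with the survivor.
$forest = Get-ADForest; $dom = Get-ADDomain
[pscustomobject]@{
    SchemaMaster   = $forest.SchemaMaster
    DomainNaming   = $forest.DomainNamingMaster
    PDC            = $dom.PDCEmulator
    RID            = $dom.RIDMaster
    Infrastructure = $dom.InfrastructureMaster
    RemainingDCs   = (Get-ADDomainController -Filter *).HostName -join ', '
} | Format-List
nltest /dsgetdc:$Domain /force
dcdiag /test:FsmoCheck /test:Replications /test:DNS

# 5. Rebuild on site. This last step runs on the replacement server itself: it is a
#    fresh promotion that replicates from DC3, not a restore of the old box, so any
#    applications or data that lived on DC1/DC2 are a separate recovery job.
Install-ADDSDomainController -DomainName $Domain -InstallDns -ReplicationSourceDC "$Survivor.$Domain" `
    -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
```

Two things worth rehearsing on a test copy before you need them for real: step 1 is irreversible in the sense that the old role holders must never come back online afterwards (wipe them if the hardware is ever recovered), and step 3 is the part most people forget, which shows up as clients timing out on the dead DCs' addresses even though the domain is technically back.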
