Solved

Domain Controller - DR design best practices

Posted on 2010-08-25
Last Modified: 2012-05-10
Hello there,

OK, so we are setting up a new environment for a client and we want to make the best design plan possible.

DR_Project
Site 1 (left): Production environment (2 DCs)

AD1: DHCP, DNS, GC & holds all 5 FSMO roles

AD2: DHCP, DNS, GC

Site 2 (right): DR site (1 DC)

AD: DHCP, DNS, GC

Required:

Best design plan for DHCP, DNS, GC, FSMO, domain design (i.e. child domain)

After hours of reading I reached the conclusion that we don't really need to make any changes to the FSMO roles & we don't need to have a child domain on the DR site.

- Both sites (production and DR) can be on the same domain in one single forest.
- The first domain controller will be hosting all five FSMO roles and there is no need to transfer or seize them.

If AD1 goes offline and there is no hope of getting it back online:

- seize FSMO roles to AD2

If the whole production site goes offline and there is no hope of getting it back online:

- seize FSMO roles to the DR AD

- Split the DHCP pool between 3 servers

- Make DNS available on the 1st DC and the DR DC

My question is: what do you think about this setup?

Thanks
0
Question by:atigris
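The two failure scenarios in the question (AD1 lost, or the whole production site lost) both end in a FSMO seizure. The following is an added example, not part of the original post or any answer, showing how that seizure and the checks around it look in PowerShell. It assumes the DC names AD1 (current role holder), AD2 (second production DC) and AD-DR (the DR-site DC the post just calls "AD"), a domain named example.com with the production site named Production, and the ActiveDirectory module from Windows Server 2008 R2 or later (RSAT) run with Enterprise Admin rights. The practitioner's caveat: use a plain transfer whenever the old holder can still be contacted, seize only when it is gone for good, and never let a seized-from DC back onto the network without rebuilding it, because it will still believe it owns the roles.

```powershell
# Added example (not from the original post). Assumed names: AD1, AD2, AD-DR,
# domain example.com, site Production. Requires the ActiveDirectory module
# (Windows Server 2008 R2+ / RSAT) and Enterprise Admin rights.
Import-Module ActiveDirectory

# 1. Where are the roles right now? Forest-wide roles hang off the forest object,
#    domain-wide roles off the domain object.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# 2. Planned move while AD1 is still reachable: a transfer, no -Force.
#    Always prefer this path when the current holder is online.
# Move-ADDirectoryServerOperationMasterRole -Identity AD2 -OperationMasterRole $AllRoles

# 3. Scenario "AD1 is gone for good": seize onto AD2. -Force makes the cmdlet fall back
#    to a seizure when the current holder cannot be contacted. Do this only once the
#    decision has been taken that AD1 will never be restored or reconnected.
Move-ADDirectoryServerOperationMasterRole -Identity AD2 -OperationMasterRole $AllRoles -Force

# 4. Scenario "whole production site is gone": same command, target the DR DC instead.
# Move-ADDirectoryServerOperationMasterRole -Identity AD-DR -OperationMasterRole $AllRoles -Force

# 5. Verify from AD's point of view and with the classic tool; both must agree.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
netdom query fsmo

# 6. Metadata cleanup for the dead DC, so the remaining DCs stop trying to replicate with
#    it and the KCC rebuilds the topology without it. On 2008 R2+ deleting the DC's
#    computer object in the AD tools does this automatically; the ntdsutil form is
#    shown for environments where that is the standard runbook.
#    ntdsutil "metadata cleanup" "remove selected server CN=AD1,CN=Servers,CN=Production,CN=Sites,CN=Configuration,DC=example,DC=com" quit quit

# 7. Final state: every remaining DC, its site, GC status and the roles it now holds.
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles
```

Order matters in step 3: seize all five roles onto one DC first so the domain is whole again, and only then spread them out if the design calls for it. After a RID master seizure, also check that the new holder has started issuing from a fresh RID pool before creating large numbers of accounts.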
8 Comments
 
LVL 10

Accepted Solution

by:
dhruvarajp earned 334 total points
ID: 33523296
I would say a GOOD design. Let us have different Active Directory sites for both physical sites,
configure the replication interval as low as 15 minutes,

and have different subnets and configure the DHCP servers for the 80-20 rule.
http://technet.microsoft.com/en-us/library/cc958936.aspx 

Dhruv
0
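The accepted answer's first two points, one AD site per physical location and a 15-minute replication interval, map directly onto a handful of cmdlets. The block below is an added example, not code from the thread or from either expert. It assumes the ActiveDirectory module from Windows Server 2012 or later (the site and site-link cmdlets do not exist in the 2008 R2 module), site names Production and DR, DC names AD1, AD2 and AD-DR, and two constructed subnets, 10.1.0.0/24 for production and 10.2.0.0/24 for DR.

```powershell
# Added example (not from the thread). Assumes Windows Server 2012+ ActiveDirectory
# module, assumed site names Production / DR, DC names AD1, AD2, AD-DR, and the
# constructed subnets 10.1.0.0/24 (production) and 10.2.0.0/24 (DR).
Import-Module ActiveDirectory

# 1. One AD site per physical location. (Renaming Default-First-Site-Name to
#    Production is the usual alternative for the first site.)
New-ADReplicationSite -Name 'Production'
New-ADReplicationSite -Name 'DR'

# 2. Map each location's subnet to its site. This is what lets the DC locator hand
#    clients a local DC; an unmapped subnet makes clients authenticate across the WAN
#    and shows up as "no site" entries in the netlogon log.
New-ADReplicationSubnet -Name '10.1.0.0/24' -Site 'Production'
New-ADReplicationSubnet -Name '10.2.0.0/24' -Site 'DR'

# 3. Move the DCs into their sites (new DCs land in Default-First-Site-Name).
Move-ADDirectoryServer -Identity 'AD1'   -Site 'Production'
Move-ADDirectoryServer -Identity 'AD2'   -Site 'Production'
Move-ADDirectoryServer -Identity 'AD-DR' -Site 'DR'

# 4. Site link between the two sites. 15 minutes is the minimum schedule-based
#    interval the KCC accepts; the default is 180.
New-ADReplicationSiteLink -Name 'Production-DR' -SitesIncluded 'Production', 'DR' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# 5. Optional: change notification on the link (bit 0x1 of the options attribute)
#    makes changes replicate within seconds instead of waiting for the next
#    15-minute window. Sensible only on a reliable WAN to the DR site.
Set-ADReplicationSiteLink -Identity 'Production-DR' -Replace @{ options = 1 }

# 6. Make the KCC recompute the topology now, then check that every DC sees a
#    healthy inbound partner and that the DR DC is actually pulling changes.
repadmin /kcc
repadmin /replsummary
repadmin /showrepl AD-DR
```

If the production site was created by renaming Default-First-Site-Name it is still a member of DEFAULTIPSITELINK; remove it from there (Set-ADReplicationSiteLink -Identity DEFAULTIPSITELINK -SitesIncluded @{Remove='Production'}) so the KCC does not build a second, unintended path.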
 
LVL 2

Author Comment

by:atigris
ID: 33524332
OK very good, How about DNS ? what is your though on that ? Thanks
0
 
LVL 10

Assisted Solution

by:Dextertronic
Dextertronic earned 332 total points
ID: 33527956
I use the same setup between our core prod site and our remote DR site.
I'm assuming you have two different subnets with associated AD sites.
Tested successfully including Exchange failover using Doubletake.
Straightforward and simple to support.
AD replication is pretty good for what it does.
 
 
0
 
LVL 1

Assisted Solution

by:perplexd
perplexd earned 334 total points
ID: 33539277
Child domains just add extra complexity. If you need different domain password policies, or you want completely separate administrators to be delegated control of a child company, then that might be of value, but otherwise it is complexity that doesn't buy any value.

I think your design looks good - KISS.
0
 
LVL 2

Author Comment

by:atigris
ID: 33567468
Well,
- I could create 2 sites; this way the replication does not have to be over the whole domain.
- Each site on its own subnet.
- No need to use child domains.
- DHCP: use the 80-20 rule & use a superscope to simplify DHCP administration.
- Primary and secondary DNS server on the production site and one DNS on the DR site.
- No need to change FSMO roles; all roles can be on the first created machine.
- All machines can be Global Catalog servers.
 
0
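The author's summary above covers the 80-20 DHCP split across the three servers and DNS on both sites. The following is an added example, not code from the thread, that builds exactly that: the same scope defined on two servers with complementary exclusion ranges, and the per-site DNS server option ordered so clients try a local DC first. It assumes the DhcpServer module (Windows Server 2012 or later), DHCP running on AD1 and AD2 in production and on AD-DR in the DR site, a domain named corp.example, and the constructed addressing 10.1.0.0/24 (router 10.1.0.1, AD1=10.1.0.11, AD2=10.1.0.12) and 10.2.0.0/24 (router 10.2.0.1, AD-DR=10.2.0.11). The function Add-SplitScope is a helper written for this example, not a Microsoft cmdlet.

```powershell
# Added example (not from the thread). Assumes the DhcpServer module (Windows Server
# 2012+), DHCP on AD1, AD2 (production) and AD-DR (DR), domain corp.example, and the
# constructed subnets/addresses given in the comments below. Run with rights on all
# three servers; -ComputerName targets each one remotely.

function Add-SplitScope {
    # Helper written for this example (not a built-in cmdlet). Defines the same scope on
    # two servers and uses complementary exclusion ranges so the primary answers ~80% of
    # the pool and the secondary ~20%. Both servers carry the full range in their
    # configuration, which is what makes a lease from either one valid on the subnet.
    param(
        [string]$Name, [string]$ScopeId, [string]$Mask,
        [string]$Start, [string]$End,
        [int]$SplitAt,                      # last host octet served by the primary
        [string]$Primary, [string]$Secondary,
        [string]$Router, [string[]]$Dns, [string]$Domain
    )
    $prefix = $ScopeId -replace '\.\d+$', ''
    foreach ($srv in $Primary, $Secondary) {
        Add-DhcpServerv4Scope -ComputerName $srv -Name $Name -StartRange $Start -EndRange $End `
            -SubnetMask $Mask -State Active
        Set-DhcpServerv4OptionValue -ComputerName $srv -ScopeId $ScopeId `
            -Router $Router -DnsServer $Dns -DnsDomain $Domain
    }
    # Primary keeps the low ~80%: exclude the top slice. Secondary keeps the top ~20%:
    # exclude the bottom slice. Every address is excluded on exactly one of the pair.
    Add-DhcpServerv4ExclusionRange -ComputerName $Primary   -ScopeId $ScopeId `
        -StartRange "$prefix.$($SplitAt + 1)" -EndRange $End
    Add-DhcpServerv4ExclusionRange -ComputerName $Secondary -ScopeId $ScopeId `
        -StartRange $Start -EndRange "$prefix.$SplitAt"
}

# Production: 10.1.0.50-.250 = 201 addresses. .50-.210 (161, ~80%) on AD1,
# .211-.250 (40, ~20%) on AD2. DNS order: local DCs first, cross-site DC last, so
# name resolution survives the loss of the production site.
Add-SplitScope -Name 'Production LAN' -ScopeId 10.1.0.0 -Mask 255.255.255.0 `
    -Start 10.1.0.50 -End 10.1.0.250 -SplitAt 210 -Primary AD1 -Secondary AD2 `
    -Router 10.1.0.1 -Dns 10.1.0.11, 10.1.0.12, 10.2.0.11 -Domain corp.example

# DR: AD-DR serves ~80% locally, AD2 holds the ~20% backup slice across the WAN. The DR
# router must relay DHCP (ip helper-address) to AD2 for that backup slice to be usable.
Add-SplitScope -Name 'DR LAN' -ScopeId 10.2.0.0 -Mask 255.255.255.0 `
    -Start 10.2.0.50 -End 10.2.0.250 -SplitAt 210 -Primary AD-DR -Secondary AD2 `
    -Router 10.2.0.1 -Dns 10.2.0.11, 10.1.0.11, 10.1.0.12 -Domain corp.example

# Authorize the servers in AD (an unauthorized Windows DHCP server will not lease), then
# check the split: the two exclusion lists for a scope must be disjoint and together
# cover the whole range.
foreach ($srv in 'AD1', 'AD2', 'AD-DR') { Add-DhcpServerInDC -DnsName "$srv.corp.example" }
Get-DhcpServerv4ExclusionRange -ComputerName AD1 -ScopeId 10.1.0.0
Get-DhcpServerv4ExclusionRange -ComputerName AD2 -ScopeId 10.1.0.0
Get-DhcpServerv4ScopeStatistics -ComputerName AD1 -ScopeId 10.1.0.0
```

With one subnet per site there is one scope per site per server and no superscope is needed; a superscope only becomes necessary when several logical subnets share one physical segment. On Windows Server 2012 and later, DHCP failover (Add-DhcpServerv4Failover) replaces the manual 80-20 split and keeps the lease database synchronized between the pair, which is the better choice when both servers are on the same LAN; the split shown here is still the simplest option when the backup server sits across a WAN, as it does for the DR scope.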
 
LVL 2

Author Closing Comment

by:atigris
ID: 33567478
no complete answer was provided.
0
 
LVL 10

Expert Comment

by:dhruvarajp
ID: 33567494
About DNS:
you have already included that in the ADC on the DR site.
0
 
LVL 1

Expert Comment

by:perplexd
ID: 33583853
You only need superscopes if you have a multi-net.
http://technet.microsoft.com/en-us/library/cc757614(WS.10).aspx

Otherwise your plan looks good to me.

0
