LWDud

AD Domain Resilience

Hi all, I have a 2 site, single domain Active Directory Forest. The Domain and Forest functional levels are both Windows Server 2003.

The "Main" site has the bulk of our servers including our new Exchange 2010 server, workstations and 2 physical DCs running 2008 R2. For the most part these DCs really only provide the following services: AD and related services/DNS/DHCP.

Our "Secondary" site has 2 VMware virtual servers hosted by a 3rd party. One is an RODC for our domain and the other an IIS server that is also joined to the domain. At this location the RODC provides AD and related services/DNS.

All 3 DCs are Global Catalogs but all 5 FSMO roles are held by the beefier of the 2 physical DCs.

I have been doing manual weekly backups of AD using a command prompt and typing

> wbadmin start systemstatebackup -backuptarget:Z:

When the operation is complete on both servers I copy the backup files created in the WindowsImageBackup folder to the opposite server so each server has a backup of itself and the other physical DC. In my mind this way if I lost one of the physical servers I had a good backup still remaining on its physical counterpart. I don't bother backing up the RODC as it is very slow and if it were to go down unrecoverably, I would simply abandon the old RODC, have the 3rd party hosting company reinstall a fresh OS on an uncorrupted or newly created VM and make it a new RODC rather than attempt to restore.

Question 1: Am I backing up the servers correctly from an active directory standpoint? Is there a better way?

Question 2: Is it wise to only do a system state backup? I don't want to lose the DNS info or the DHCP configuration and certainly nothing AD related.

Question 3: Since both physical DCs are located in the same server room, if something were to happen to the room and both servers were a loss, is there enough of the AD environment at my secondary site to keep the domain alive and eventually recover?

Question 4: Is the FSMO/GC configuration sound?

Question 5: We recently added a new server running VMware, hosting 1 Windows Server 2008 R2 Std VM which is running Exchange 2010 r3. Should the AD backup strategy change at all due to this new service? I know Exchange changed our AD environment around a little.

Thanks
LWDud (ASKER)

Thanks for the responses...

Glad to know nothing with this config is horribly wrong just a few possible tweaks!

I get that having both DCs go down for whatever reason at the main site would result in an interruption of AD services for the main site but, couldn't I in a pinch make the RODC a regular DC and seize all FSMO roles, point servers' and critical workstations' DNS statically at that secondary site DC and limp along until I build new DCs at the main site?

This would be miserable but acceptable; the reality is that if something bad happens to that room it probably happens to all my 20+ servers and I'm looking to bring up operations at the 3rd party site which would have the RODC sitting there already...

Also it's my understanding if you lose all DCs irrecoverably your domain ceases to exist. Even if you created a new domain with the same name it is not your old one and you are starting from scratch! PAIN PAIN PAIN possibly even Out of business from the interruption!

This was the reason for the RODC at my offsite location. (But perhaps this isn't worth the effort now? Not sure, perhaps it should just be a full fledged DC but this site exists for that one IIS server which by design is a public facing web server so I didn't want a full DC sitting there)

Also I wasn't aware I couldn't use these system state backups to restore AD unless all DCs went down irrecoverably. That makes me want to move that info offsite every so often! Am I properly understanding that?

I would love to schedule the backups but the command prompt won't let me and I think I read somewhere that the systemstatebackup that is grabbed in the GUI version of the backup feature in Windows isn't supported by Microsoft for AD Disaster Recovery so I've been doing them manually once a week. The environment really isn't that dynamic. I'm the only one here with my hands on AD systems so I'm rather aware of what's going on with this change-wise.
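The weekly routine described in the question (wbadmin system state backup, then a copy of the WindowsImageBackup set to the counterpart physical DC) and the scheduling the asker wants, written as one unattended PowerShell script; this is an added example, not code from the thread or from Microsoft. The backup volume Z:, the share \\PARTNER-DC\ADBackup$, the service account and the script path are placeholders.

```powershell
<#
  Added example (not part of the original thread): the asker's weekly routine
  "wbadmin start systemstatebackup -backuptarget:Z:" followed by copying the
  WindowsImageBackup set to the other physical DC, run unattended on 2008 R2.
  Assumed placeholders: Z: is a dedicated local backup volume, the partner DC
  exposes \\PARTNER-DC\ADBackup$, and the task account is a Backup Operator on both.
  Register once from an elevated prompt (weekly, Sunday 02:00):
    schtasks /Create /TN "AD System State Backup" /SC WEEKLY /D SUN /ST 02:00 ^
      /RU "CONTOSO\svc-adbackup" /RP * /RL HIGHEST ^
      /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-ADSystemState.ps1"
#>
param(
    [string]$Target       = 'Z:',
    [string]$PartnerShare = '\\PARTNER-DC\ADBackup$',
    [string]$LogFile      = 'C:\Logs\ad-systemstate.log'
)

function Write-Log([string]$Message) {
    New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
    Add-Content -Path $LogFile -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

# 1. Run the system state backup. -quiet suppresses the Y/N prompt that blocks an
#    unattended run; wbadmin returns a non-zero exit code when the backup fails.
Write-Log "Starting system state backup of $env:COMPUTERNAME to $Target"
$proc = Start-Process -FilePath 'wbadmin.exe' -Wait -PassThru -NoNewWindow `
    -ArgumentList "start systemstatebackup -backuptarget:$Target -quiet"
if ($proc.ExitCode -ne 0) {
    Write-Log "wbadmin failed with exit code $($proc.ExitCode); skipping the copy"
    exit $proc.ExitCode
}

# 2. Confirm the catalog on the target volume actually lists a new version.
$versions = wbadmin get versions "-backuptarget:$Target" | Select-String 'Backup time'
Write-Log "Catalog now reports: $($versions | Select-Object -Last 1)"

# 3. Mirror only this host's backup folder to its own folder on the partner DC,
#    so each physical DC holds a copy of the other without /MIR touching the
#    partner's own set. robocopy exit codes below 8 mean success.
$src  = Join-Path $Target "WindowsImageBackup\$env:COMPUTERNAME"
$dest = Join-Path $PartnerShare $env:COMPUTERNAME
robocopy $src $dest /MIR /R:2 /W:10 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) {
    Write-Log "robocopy to $dest failed with exit code $LASTEXITCODE"
    exit 1
}
Write-Log "Backup copied to $dest"

# A system state backup older than the forest's tombstone lifetime cannot be
# used to restore a DC into a domain that still has live DCs, so rotate copies.
```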
the RODC is at a secondary site, not a DMZ