AD Domain Resilience

Hi all, I have a 2-site, single-domain Active Directory forest. The domain and forest functional levels are both Windows Server 2003.

The "Main" site has the bulk of our servers, including our new Exchange 2010 server, workstations, and 2 physical DCs running 2008 R2. For the most part these DCs really only provide the following services: AD and related services, DNS, and DHCP.

Our "Secondary" site has 2 VMware virtual servers hosted by a 3rd party. One is an RODC for our domain and the other an IIS server that is also joined to the domain. At this location the RODC provides AD and related services and DNS.

All 3 DCs are Global Catalogs, but all 5 FSMO roles are held by the beefier of the 2 physical DCs.

I have been doing manual weekly backups of AD using a command prompt and typing

> wbadmin start systemstatebackup -backuptarget:Z:

When the operation is complete on both servers, I copy the backup files created in the WindowsImageBackup folder to the opposite server, so each server has a backup of itself and the other physical DC. In my mind, this way if I lost one of the physical servers I would still have a good backup remaining on its physical counterpart. I don't bother backing up the RODC as it is very slow, and if it were to go down unrecoverably I would simply abandon the old RODC, have the 3rd-party hosting company reinstall a fresh OS on an uncorrupted or newly created VM, and make it a new RODC rather than attempt to restore.

Question 1: Am I backing up the servers correctly from an active directory standpoint? Is there a better way?

Question 2: Is it wise to only do a system state backup? I don't want to lose the DNS info or the DHCP configuration and certainly nothing AD related.

Question 3: Since both physical DCs are located in the same server room, if something were to happen to the room and both servers were a loss, is there enough of the AD environment at my secondary site to keep the domain alive and inevitably recover?

Question 4: Is the FSMO/GC configuration sound?

Question 5: We recently added a new server running VMware, hosting 1 Windows Server 2008 R2 Std VM which is running Exchange 2010 r3. Should the AD backup strategy change at all due to this new service? I know Exchange changed our AD environment around a little.

Thanks
Asked by LWDud

Amit, IT Architect, commented:
You have a lot of questions; however, the answers for all of them are below:

1) If the server which holds the 5 FSMO roles crashes, then you need to seize the FSMO roles first and transfer them to another healthy server. http://www.petri.co.il/seizing_fsmo_roles.htm
2) A system state backup is enough for AD. However, it is not recommended to do an AD restore until you have lost all DCs.
3) Multiple DCs provide both high availability and resilience. So no further action is required.
alicain commented:
Hello!

Question 1: Am I backing up the servers correctly from an active directory standpoint? Is there a better way?
Question 2: Is it wise to only do a system state backup? I don't want to lose the DNS info or the DHCP configuration and certainly nothing AD related.

From a pure Active Directory perspective, the system state backup is adequate, for example to recover objects accidentally deleted. I would think about doing them more regularly; if an event occurs, you have the potential for losing 6 days' worth of changes to AD.
Also, there may be other scenarios where a full backup of the server would be useful, e.g. due to loss of the hard disk, so you could do a weekly full and daily system states, for example.

You have DHCP/DNS backup covered with system state, but if you want to read more on DHCP: http://technet.microsoft.com/en-us/library/dd759235.aspx

Question 3: Since both physical DCs are located in the same server room, if something were to happen to the room and both servers were a loss, is there enough of the AD environment at my secondary site to keep the domain alive and inevitably recover?

No.  You have a single point of failure with that location.

Question 4: Is the FSMO/GC configuration sound?

Yes - All DCs are GCs, so having the FSMO/Operations Masters on the same DC is OK.

Question 5: We recently added a new server running VMware, hosting 1 Windows Server 2008 R2 Std VM which is running Exchange 2010 r3. Should the AD backup strategy change at all due to this new service? I know Exchange changed our AD environment around a little.

I suspect that it was your site topology that changed to cater for Exchange 2010; there is no need to change your AD backup strategy to cater for this, as it is in the system state.

Regards,
Alastair.

Gary Coltharp, Sr. Systems Engineer, commented:
I think the experts agree that there is little wrong with your config. I would only suggest that you automate your systemstate backup, replication to the other DC and perhaps even add replication to a target of some sort on the remote network to eliminate the single point of failure.

HTH

Gary

LWDud (author) commented:
Thanks for the responses...

Glad to know nothing with this config is horribly wrong just a few possible tweaks!

I get that having both DCs go down for whatever reason at the main site would result in an interruption of AD services for the main site, but couldn't I, in a pinch, make the RODC a regular DC and seize all FSMO roles, point servers' and critical workstations' DNS statically at that secondary site DC, and limp along until I build new DCs at the main site..?

This would be miserable but acceptable; the reality is that if something bad happens to that room it probably happens to all my 20+ servers, and I'm looking to bring up operations at the 3rd-party site, which would have the RODC sitting there already...

Also, it's my understanding that if you lose all DCs irrecoverably your domain ceases to exist.. Even if you created a new domain with the same name it is not your old one and you are starting from scratch! PAIN PAIN PAIN, possibly even out of business from the interruption!

This was the reason for the RODC at my offsite location. (But perhaps this isn't worth the effort now? Not sure; perhaps it should just be a full-fledged DC, but this site exists for that one IIS server which by design is a public-facing web server, so I didn't want a full DC sitting there.)

Also, I wasn't aware I couldn't use these system state backups to restore AD unless all DCs went down irrecoverably. That makes me want to move that info offsite every so often! Am I properly understanding that?

I would love to schedule the backups, but the command prompt won't let me, and I think I read somewhere that the system state backup that is grabbed in the GUI version of the backup feature in Windows isn't supported by Microsoft for AD disaster recovery, so I've been doing them manually once a week. The environment really isn't that dynamic. I'm the only one here with my hands on AD systems, so I'm rather aware of what's going on with this change-wise.
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
One additional thing I could suggest is to use NETSH and dump your DHCP configuration. This way, if you need to restore it, you have it.
alicain commented:
It is not possible to convert an RODC to a full DC. This is documented here: http://technet.microsoft.com/en-us/library/cc731970(WS.10).aspx#BKMK_Vir
So, that is not an option in the event of losing both the other DCs.

Yes, losing all DCs would mean a forest recovery from your backups, and if no backups are available it would be a rebuild of the forest, which even for a small production environment would be significant effort, to say the least.

If the RODC is in your DMZ then no, you probably do not want to make that into a full DC.

It is not that you cannot use the system state as mentioned; I think amitkulshrestha was indicating that recovering AD from a system state backup is a significant piece of work, and it is very important to understand the appropriate scenarios where an authoritative restore / non-authoritative restore / restore of a leaf object should be embarked upon.

Scheduling the backup will be useful. It'll take some effort to set up but in the long term might save some time; more details here:
Configure Automatic Backups with Task Scheduler: http://technet.microsoft.com/en-us/library/dd834883.aspx

Regards,
Alastair.
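The routine LWDud describes (wbadmin system state to Z:, copy of the WindowsImageBackup folder to the other DC), with Mohammed's NETSH DHCP dump and the scheduled task Alastair points to folded in, as an added PowerShell example that is not from the thread or from any of the linked articles. The host names, share paths and script location are assumptions; because the task runs as SYSTEM, the destination shares must grant each DC's computer account write access.

```powershell
# Added example, not from the thread. Weekly system state backup of a writable DC,
# DHCP configuration export, and a mirror of the backup set to the peer DC and to
# an offsite share at the secondary site. Host names and share paths are assumptions.
param([switch]$Register)                      # run once with -Register to create the weekly task

$BackupTarget = 'Z:'                          # local backup volume, as in the question
$PeerShare    = '\\DC2\DCBackups'             # assumption: share on the other physical DC
$OffsiteShare = '\\OFFSITE-FS\DCBackups'      # assumption: a target at the secondary site
$ScriptPath   = 'C:\Scripts\Backup-DC.ps1'    # assumption: where this script is saved
$Stamp        = Get-Date -Format 'yyyyMMdd-HHmm'
$Log          = "$BackupTarget\ad-backup-$Stamp.log"

if ($Register) {
    # 0. Weekly task via schtasks (auditable, unlike clicking through the GUI).
    schtasks /Create /F /TN "AD System State Backup" /SC WEEKLY /D SUN /ST 02:00 `
        /RU "SYSTEM" /RL HIGHEST `
        /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath"
    return
}

# 1. System state: AD database, SYSVOL and registry (DNS/DHCP server settings included).
#    -quiet suppresses the confirmation prompt so the task can run unattended.
wbadmin start systemstatebackup "-backuptarget:$BackupTarget" -quiet |
    Out-File -FilePath $Log -Append
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE; see $Log" }

# 2. Plain-text DHCP dump, restorable with: netsh dhcp server import <file> all
$DhcpDump = "$BackupTarget\dhcp-$env:COMPUTERNAME-$Stamp.txt"
if (Get-Service -Name DHCPServer -ErrorAction SilentlyContinue) {
    netsh dhcp server export $DhcpDump all | Out-File -FilePath $Log -Append
}

# 3. Mirror the WindowsImageBackup set (plus the DHCP dump) to the peer DC and offsite.
#    A per-DC folder that itself contains WindowsImageBackup can be passed directly
#    as -backupTarget to 'wbadmin get versions' during a recovery.
$Source = "$BackupTarget\WindowsImageBackup"
foreach ($Share in @($PeerShare, $OffsiteShare)) {
    $Dest = "$Share\$env:COMPUTERNAME"
    robocopy $Source "$Dest\WindowsImageBackup" /MIR /R:2 /W:10 /NP "/LOG+:$Log" | Out-Null
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy to $Dest reported errors (code $LASTEXITCODE)" }
    if (Test-Path $DhcpDump) { Copy-Item -Path $DhcpDump -Destination $Dest -Force }
}
```

Running the same script on both physical DCs gives each one a copy of the other's backup set, as in the original routine, while the offsite mirror removes the single server room as the only place the backups live.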
Will Szymkowski, Senior Solution Architect, commented:
Answers are below; some may overlap with others as mentioned above...

Q1: System state is a minimum requirement for backing up. If you want to back up DHCP and DNS you can do so, but you will have to run manual commands to accomplish this..

Backup DHCP - http://technet.microsoft.com/en-us/magazine/ff621490.aspx
Backup DNS - http://johndelizo.wordpress.com/2009/08/12/backing-up-windows-server-2008-dns-zone-files/

I would also recommend backing up your FSMO role holder (1 DC) using an image-based utility (Acronis). You can then easily restore this domain controller in the event you lose "ALL" of your DCs in your environment. "It is not recommended to restore a DC using an image unless you lose your entire forest."

Q2: See question 1

Q3: If you were to lose both writable DCs in your main site you would be in trouble. You only have an RODC in your secondary site, which gets its updates from the writable DCs in the main site. Your RODC would work for anyone at the second site whose password is cached using the "PRP", and also for any object(s) that are using GMC (group membership caching).

Aside from that you would be out of luck, because you are not able to promote your RODC to a writable DC (you have to demote it, then re-promote it as a writable DC). Also, if both writable DCs in the main site are completely down, you will not be able to promote a new DC into the domain because the RODC is not authoritative and does not hold the complete AD database.

Q4: In an AD environment all of the servers should be acting as DC/GC; in your second site your RODC will act as a read-only GC as well. This has a limitation from an Exchange perspective. If you wanted to put Exchange server(s) in your secondary site you would have to add a writable DC to this site, because Exchange only talks to writable DCs/GCs, not RODCs.

Q5: Having Exchange 2010 in your environment is fine, but Exchange is a totally different animal and will require different backup/DR procedures. As stated above, if you want to have Exchange hosted in your secondary site you will need a writable DC/GC in that site as well.

I read a comment about the RODC in your DMZ? If this is true, it is definitely not recommended. Just because your RODC is "read-only", it still has enough information for someone to hack into your system when you are exposing your RODC to the internet. An RODC is read-only for "physical" security concerns. I would consider moving it back inside your firewall. If you have apps that need to function with it in the DMZ I guess you have no choice, but I would look into the possibilities..

Hope this helps!
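A check of the FSMO/GC/site layout that Alastair (Q4) and Will (Q3, Q4) reason about, as an added PowerShell example that is not from the thread. It assumes the ActiveDirectory module is available (a 2008 R2 DC with Active Directory Web Services, or RSAT) and an account that can query the domain.

```powershell
# Added example, not from the thread: list the FSMO holders and every DC's
# site / GC / read-only status, then flag the two risks discussed in the answers.
Import-Module ActiveDirectory

$Forest = Get-ADForest
$Domain = Get-ADDomain
$DCs    = @(Get-ADDomainController -Filter *)   # writable DCs and RODCs alike

"Schema Master         : $($Forest.SchemaMaster)"
"Domain Naming Master  : $($Forest.DomainNamingMaster)"
"PDC Emulator          : $($Domain.PDCEmulator)"
"RID Master            : $($Domain.RIDMaster)"
"Infrastructure Master : $($Domain.InfrastructureMaster)"
$DCs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# Risk 1 (Q3): every writable DC sits in one site. Losing that site leaves only the
# RODC, which cannot be promoted in place or serve as a source for new DCs, so the
# domain would have to come back from the system state backups.
$Writable = @($DCs | Where-Object { -not $_.IsReadOnly })
$Sites    = @($Writable | ForEach-Object { $_.Site } | Sort-Object -Unique)
if ($Sites.Count -lt 2) {
    Write-Warning "All $($Writable.Count) writable DC(s) are in site '$($Sites -join ', ')'; keep a copy of the system state backups outside that site."
}

# Risk 2 (Q4): holding the Infrastructure Master on a GC is fine while every DC is a
# GC (as here) or the forest has a single domain. It becomes a problem only if a
# non-GC DC is added to a multi-domain forest, so flag that combination.
$NonGC = @($DCs | Where-Object { -not $_.IsGlobalCatalog })
$IM    = $DCs | Where-Object { $_.HostName -eq $Domain.InfrastructureMaster }
if (@($Forest.Domains).Count -gt 1 -and $NonGC.Count -gt 0 -and $IM.IsGlobalCatalog) {
    Write-Warning "Infrastructure Master $($IM.HostName) is a GC while $($NonGC.Count) DC(s) are not; move the role to a non-GC DC."
}
```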
Gary Coltharp, Sr. Systems Engineer, commented:
The RODC is at a secondary site, not a DMZ.