Active Directory - Disaster Recovery Testing

Hello,

I'm having some issues testing our backups/replicas for disaster recovery purposes when it comes to Active Directory on our domain controllers.

We are currently running Windows 2003 servers for active directory.
We have two forest level controllers, one physical and one virtual.
We have 10 domain level controllers, one physical and the rest virtual.
All virtual controllers are on VMware ESXi 5.1.

I setup an isolated "test" network within VCenter in order to test this disaster recovery.
I made replicas of one virtual forest controller and one domain controller using Veeam 7 and made sure to enable application-aware image processing.
After I boot these VMs in the test environment Active Directory is not working properly.
The error logs show both servers are unable to find the domains they are a part of.

What are some best practices/methods for disaster recovery/testing that could be employed within the environment we have?
We are obviously missing something to cause these replica servers not to work right.

Thanks.
Asked by asantia (IT Engineer)
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
I was at a discussion last week at Microsoft Research, because for the last few months we have been testing DR scenarios of Active Directory 2003, 2008 and 2012, and we have found that, unless "ALL" Domain Controllers are restored from the same backup (time) at the same time, if a single DC that is part of the AD DC/Forest is not correct, AD would have issues.

So the question put to Microsoft was "why have more than a single DC" if we can now restore a DC so fast because it's virtual!

and they agreed, just have a single DC!

Now this works, if you do not have Remote Offices, or need more than one because of loading....

but it's food for thought!

Why have you got so many? Because we have found the more DCs, the worse DR gets..... I can only assume you have so many because of loading, users, and Remote Offices?

We are now working on: if a DC goes BAD, do not restore; remove it from AD and seize the roles.
asantia (IT Engineer, author) commented:
Correct. The main reason for the number is remote offices, so no way past keeping at least one at each location.
The physical servers are the originals before the virtual environment was setup, so they are here for now.
We do have two domain controllers in our corporate center because of load.
All the other offices only have one.

The initial test (as described above):
Trying to go almost worst-case scenario...
If all but one forest and one domain controller were gone, how could we get up and running?

The second test:
Our corporate data center is lost...
How can we recover from just our remote offices' domain controllers?
(The forest controllers are only in our corporate office, so assume they are both unavailable.)
compdigit44 commented:
At work we have 6 DCs and all FSMO roles on one DC. We then use vRanger backup to restore full images of our FSMO role holder DC to our lab environment, which does not connect to our production network, regularly, all the time, without issue.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
@compdigit44 2008 or 2012? As part of our head-scratching exercise....

This DC with the FSMO roles, how is DNS configured?

e.g. does it refer to itself as first DNS in TCP/IP settings?

as 127.0.0.1 or IP Address, or is it using a different DNS server ?

and are the other 6 DCs, also DNS ?
asantia (IT Engineer, author) commented:
All DCs reference themselves as the primary DNS by their actual internal IP address.
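The thread narrows the problem down to name resolution and replication partners inside the isolated lab: every DC points at its own internal IP for DNS, and the restored VMs report they cannot find their domain. The script below is an added example for this page, not code posted by any participant. It gathers the checks a practitioner would run on a restored DC in the test network to see whether the DNS client settings survived the restore, whether the domain's SRV records resolve to DCs that actually exist in the lab, and which FSMO holders and replication partners the restored DC is still waiting for. It assumes PowerShell 2.0 and the Windows Server 2003 Support Tools (dcdiag, nltest, repadmin, netdom) are installed on the restored DC; `$DomainFqdn` is a placeholder for your own domain name.

```powershell
# Lab-side diagnostics for a DC restored into an isolated test network.
# Added example; assumptions: PowerShell 2.0 plus the 2003 Support Tools
# (dcdiag, nltest, repadmin, netdom) are present on the restored DC.
param(
    [string]$DomainFqdn = "corp.example.invalid"   # placeholder, replace with your domain
)

function Get-DcDnsClientConfig {
    # Which DNS servers does this DC's NIC point at after the restore?
    # The thread says each DC uses its own internal IP as primary DNS;
    # confirm that is still the case and that the IP matches the lab NIC.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        Select-Object Description, IPAddress, DNSServerSearchOrder
}

function Test-DomainSrvRecords {
    # "Cannot find the domain" almost always means the DC locator SRV
    # records do not resolve, or resolve to DCs that are not in the lab.
    $records = @(
        "_ldap._tcp.dc._msdcs.$DomainFqdn",
        "_kerberos._tcp.dc._msdcs.$DomainFqdn",
        "_ldap._tcp.pdc._msdcs.$DomainFqdn"
    )
    foreach ($r in $records) {
        Write-Host "== SRV lookup: $r"
        nslookup -type=SRV $r 2>&1
    }
}

function Test-DcLocator {
    # Ask the locator directly, bypassing its cache, and list the DCs
    # it believes exist for this domain (should only be the lab VMs).
    Write-Host "== DC locator (nltest)"
    nltest /dsgetdc:$DomainFqdn /force
    Write-Host "== DCs the locator knows about"
    nltest /dclist:$DomainFqdn
}

function Test-FsmoAndReplication {
    # Every FSMO holder and replication partner listed here must be a VM
    # restored into the lab; anything still pointing at production-only
    # DCs explains why AD never settles in the isolated network.
    Write-Host "== FSMO role holders"
    netdom query fsmo
    Write-Host "== Replication partners and status"
    repadmin /showrepl
}

function Invoke-LabDcDiagnostics {
    Get-DcDnsClientConfig | Format-List
    Test-DomainSrvRecords
    Test-DcLocator
    Test-FsmoAndReplication
    Write-Host "== dcdiag DNS and advertising tests"
    dcdiag /test:DNS /test:Advertising /v
}

Invoke-LabDcDiagnostics
```

Run it on each restored DC in the isolated network and compare the output between the forest-level and domain-level VM. If the SRV lookups or `nltest /dclist` return DCs that were not restored into the lab, the replicas are trying to reach partners that only exist in production, which matches the symptom described in the question.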
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.