

Active Directory DR Failover help

Posted on 2014-10-01
Medium Priority
Last Modified: 2014-10-02
I am working on performing a DR exercise for an Active Directory server. We have multiple sites globally, but I am working on performing the failover exercise for a specific site due to a data center move.

I have 2 AD servers in the IND site: one server, ADDC1, in the data center and another server, ADDC2, in DR. Both servers are in different locations, but they are in the same AD site group, and their IP addresses are different.

My plan is to shut down the data center ADDC1 server; after a few minutes, AD requests will automatically be redirected to the DR ADDC2 server.

- Need help to perform the DR exercise in a better way.
- How can I validate that failover has happened after shutting down the server ADDC1?
- Are there any logs where I can get the details, or any commands?

FYI - We manage DNS/DHCP using third-party tools; the AD servers handle only AD-related tasks.
Question by:Sekar Chinnakannu
LVL 80

Expert Comment

ID: 40356193
The security event log on each DC records the requests it receives.

What DNS setup is on the site where the DCs are not present?

Your failover will be twofold if your DCs are the only DNS servers and, presumably, both DCs are configured as GCs.

Each system initially uses DNS to locate a DC; the DNS timeout will need to be reached before the request is sent to the DNS server at the DR location.
The traffic and available bandwidth will dictate how much delay you might experience.

Often, DR planning that reduces overhead uses TS/Remote Desktop servers at the DR site that the local users will be connecting to.

Enabling auditing on workstations/systems to include logon/logoff events will record those events in the local security log, which also reflects which system authenticated the user.

One option you can use: IP routing on a local system to make ADDC1 inaccessible.
This way only this system is impacted. Then log out/log in and ..........
LVL 26

Expert Comment

by:Leon Fester
ID: 40356527
- My plan is to shut down the data center ADDC1 server; after a few minutes AD requests automatically redirect the AD requests to the DR ADDC2 server.
This is the correct way to simulate a disaster. The most important part of DR exercises is the planning for the DR event and most especially your rollback plan for restoring services when you're done with your exercise.

Remember; everything you do to simulate DR needs to be undone in the same order.
This could include: isolating network traffic/switching off multiple systems/restoring AD integrated applications.
In some instances the best recovery of your DR site DC is to rebuild it after the DR exercise.
Note: I didn't say restore, as I prefer to rebuild a DC if there is already an existing DC. Restores can give more headaches than rebuilds. However, if you are the kind of engineer who wants to be able to troubleshoot lost DCs, then go for it and restore a DC. You'll learn about all the AD tools and authoritative and non-authoritative restores.

- Need help to perform the DR exercise in a better way.
What you've achieved thus far is the DR simulation, i.e. "I lost my main site!"
While authentication requests can be serviced by the next available DC, you still need to do the recovery of server roles to the new DC or your AD will be running in 'limp mode'.

It also depends how far you're going with your DR scenario.
In a full DR scenario you would seize roles on the new DC and delete the 'dead' DC from AD.
Also consider how you're going to restore the site after your DR exercise; if you have seized the roles and then bring the other server back online again, you'd have to re-seize the roles.

- How can I validate that failover has happened after shutting down the server ADDC1?
The easiest way to check this from the workstation is to check the environment variable named "logonserver".
Use 'set' in a command prompt and check the value. It reports the name of the DC that authenticated the user session.

You can also check the security logs of your DR DC for authentication requests.

- Are there any logs where I can get the details, or any commands?
See above
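The two checks described in this answer (the "logonserver" variable and the DR DC's security log), scripted together as an added example that is not part of this thread; the domain name is a placeholder, and it assumes PowerShell remoting to ADDC2 is allowed from the workstation:

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a
# domain-joined workstation in the IND site after ADDC1 has been shut down.
# $Domain is a placeholder; ADDC2 is the DR domain controller named in the question.
$Domain = 'corp.example'
$DrDc   = 'ADDC2'

# 1. Force the DC locator to re-run discovery instead of answering from its cache.
#    The "DC:" line in the output should now name \\ADDC2.
nltest /dsgetdc:$Domain /force

# 2. LOGONSERVER is fixed when the session is created, so it only changes after
#    a fresh log off / log on (this is the 'set' check from the answer above).
"Session was authenticated by: $env:LOGONSERVER"

# 3. On the DR DC, list recent authentication events that came from this workstation.
#    4624 = logon (carries Workstation Name), 4776 = NTLM validation (Source Workstation),
#    4768 = Kerberos TGT issued (carries the client IP address rather than the name).
$Since = (Get-Date).AddMinutes(-30)
$Name  = $env:COMPUTERNAME
$Ip    = (Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.IPAddress -notlike '127.*' } |
          Select-Object -First 1).IPAddress
$Pattern = "$Name|$([regex]::Escape($Ip))"

Invoke-Command -ComputerName $DrDc -ScriptBlock {
    param($Since, $Pattern)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4768, 4776; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
} -ArgumentList $Since, $Pattern
```

If step 3 returns nothing while step 1 already names ADDC2, the session is still using tickets obtained before the shutdown; log off and on again, then rerun the script.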
LVL 25

Author Comment

by:Sekar Chinnakannu
ID: 40356539
@Leon, we are going to perform only the AD DR exercise; no other devices are going to be involved. When I am done with the DR exercise I am planning to power on ADDC1 to restore the connection. Why are you mentioning rebuilding the server in the DR site? We are going to keep the same for the long term for failover.

LVL 26

Expert Comment

by:Leon Fester
ID: 40356598
If that is all you're doing then the power-off/power-on scenario will work.
The rebuild of the server at DR is only required if you're doing the role transfer and testing for an extended period.

In my company we do annual DR testing in a few scenarios:
1. Full DR simulation with HO failing over to DR including full server recovery and remote sites logins to DR.
In this case we typically rebuild the DR server after the exercise.
2. Simulated DR: where our HO in another country fails over to their DR site and then connects to HO Prod servers.
In this case we simulate all the tasks so that we can roll-back the forced changes through manual tasks.

Quick question: Do you currently have more than 1 DC at your IND SITE?
If yes, then you've probably performed this failover exercise every time you do patching or server restarts, as you'd be powering down one of the DCs during each operation.

NB. It is recommended that you have at least 2x DCs per site.
LVL 25

Author Comment

by:Sekar Chinnakannu
ID: 40356668
We have only one DC in the data center and one in the DR data center, and both are in the IND AD site for failover. Also we have a few other AD sites which are near the IND site; they are all in different AD sites.
LVL 26

Accepted Solution

Leon Fester earned 2000 total points
ID: 40356751
In that configuration, then, you'd be simulating this failover process each time you patch your DC in the data center.

But yeah, do the exercise as you've suggested with the power down of the main DC and then restore it later.

Have a read through the following links to get a better understanding of how a Domain Controller is found (DC locator process) and how DNS affects AD.


It will be helpful in increasing your understanding of the impact of the main DC going down and how Windows manages to find another DC. So when somebody asks you if you're sure, you can point them to the Microsoft answer. :)
