Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Active Directory DR Failover help

Posted on 2014-10-01
6
386 Views
Last Modified: 2014-10-02
I am working on performing DR exercise for Active Directory server. We have multiple sites globally, but I am working on performing the fail over exercise for specific site due to data center move.

I have 2 AD servers in IND SITE, One server ADDC1 in data center and another ADDC2 server in DR. Both the servers are in different location but its in same AD SITE GROUP and IP address is different.

My plan is to shutdown the data center ADDC1 server, after few min AD requests automatically redirect the AD requests to DR ADDC2 server.

- Need help to perform the DR exercise in better way.
- How can I validate that fail over is happened after shutdown the server ADDC1
- Is there any logs where I can get the details or any commands.

FYI - We manage DNS\DHCP using third party tools, AD servers handling only AD related task.
0
Comment
Question by:Sekar Chinnakannu
  • 3
  • 2
6 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 40356193
The security event log on each DC records the requests it receives.

What DNS a setup is on the site where the DCs are not present.

Your Failover will be two fold if your DCs are the only DNS servers and presumably, both DCs are vonfigured as GCs.

Each system initially uses DNS a to locate a DC, the DNS timeout will need to be reached before the request is sent to the DNS a server at the DR location.
The traffic and available bandwidth will dictate how much delay you might experience.

Often, DR planing that reduce overhead use TS/Remote desktop servers at the DR that the local users will be connecting to.

Enabling auditing workstation/systems to include login/logout events will record those events in the local security log which also reflects which system authenticated the user.

One option you can use. Ip routing on a local system to make ADDC1 inaccessible
This way only this system is impacted. Then logout/login and ..........
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 40356527
My plan is to shutdown the data center ADDC1 server, after few min AD requests automatically redirect the AD requests to DR ADDC2 server
.  -  This is the correct way to simulate a disaster. The most important part of DR exercises is the planning for the DR event and most especially your rollback plan for restoring services when you're done with your exercise.

Remember; everything you do to simulate DR needs to be undone in the same order.
This could include: isolating network traffic/switching off multiple systems/restoring AD integrated applications.
In some instances the best recovery of your DR site DC is to rebuild it after the DR exercise.
Note: I didn't say restore, as I prefer to rebuild a DC if these is already an existing DC. Restores can give more headaches than rebuilds. However, if you are the kind of Engineer who wants to be able to troubleshoot lost DC's then go for it and restore a DC. You'll learn about all the AD Tools and authoritative and non-authoritative restores.

- Need help to perform the DR exercise in better way.
What you've achieved thus far is the DR simulation. i.e. I lost my main site!
While authentication requests can be serviced by the next available DC you still need to do the recovery of Server Roles to the new DC or your AD will be running in 'limp mode'.

It also depends how far you're going with your DR scenario.
In a full DR scenario you would seize roles on the new DC and delete the 'dead' DC from AD.
Also consider how you're going to restore the site after your DR exercise; if you have seized the roles and bring the other server back online again you'd have to re-seize the roles.

 - How can I validate that fail over is happened after shutdown the server ADDC1
The easiest way to check this from the workstation is to check the environment variable named "logonserver".
Use 'set' in a command prompt and check the value. It reports the name of the DC that authenticated the user session.

You can also check the security logs of your DR DC for authentication requests.

 - Is there any logs where I can get the details or any commands.
See above
0
 
LVL 25

Author Comment

by:Sekar Chinnakannu
ID: 40356539
@ Leon, We are going to perform only AD DR exercise no other devices going to involve.When I am done with the DR exercise I am planning to power on the ADDC1 to restore the connection.  Why you mentioning to rebuild the server in DR site? we are going to keep the same for long term for fail over.
0
NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

 
LVL 26

Expert Comment

by:Leon Fester
ID: 40356598
If that is all you're doing then the power-off/power-on scenario will work.
The rebuild of server at DR is only required if you're doing the role transfer and testing for an extended period.

In my Company we do annual DR testing in a few scenario's:
1. Full DR simulation with HO failing over to DR including full server recovery and remote sites logins to DR.
In this case we typically rebuild the DR server after the exercise.
2. Simulated DR: were our HO in another Country fails to their DR site and then connects to HO Prod servers.
In this case we simulate all the tasks so that we can roll-back the forced changes through manual tasks.

Quick question: Do you currently have more than 1 DC at your IND SITE?
If yes, then you've probably perform this failover exercise every time you do patching or server restarts as you'd be powering down one of the DC's during each operation.

NB. It is recommended that you have at a least 2x DC's per site.
0
 
LVL 25

Author Comment

by:Sekar Chinnakannu
ID: 40356668
We have only one DC in data center and one in dr data center and both are in IND AD site for failover. Also we have few other AD sites which is near to IND site they are all in different AD sites.
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 40356751
In that configuration then you be simulating this failover process each time you patch your DC in the data center.

But yeah, do the exercise as you've suggested with the power down of the main DC and the restore it later.

Have a read through the following links to get a better understanding of how a Domain Controller is found (DC locator process) and how DNS affects AD.

http://support2.microsoft.com/kb/247811
http://technet.microsoft.com/en-us/library/cc978011.aspx
http://technet.microsoft.com/en-us/library/cc759550(v=ws.10).aspx

It will be helpful in increasing your understanding of the impact of the main DC going down and how windows manages to find another DC. So when somebody asks you if you're sure you can point them to the Microsoft answer. :)
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question