Active Directory DR Failover help

Posted on 2014-10-01
Last Modified: 2014-10-02
I am working on performing DR exercise for Active Directory server. We have multiple sites globally, but I am working on performing the fail over exercise for specific site due to data center move.

I have 2 AD servers in IND SITE, One server ADDC1 in data center and another ADDC2 server in DR. Both the servers are in different location but its in same AD SITE GROUP and IP address is different.

My plan is to shutdown the data center ADDC1 server, after few min AD requests automatically redirect the AD requests to DR ADDC2 server.

- Need help to perform the DR exercise in better way.
- How can I validate that fail over is happened after shutdown the server ADDC1
- Is there any logs where I can get the details or any commands.

FYI - We manage DNS\DHCP using third party tools, AD servers handling only AD related task.
Question by:Sekar Chinnakannu
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 79

Expert Comment

ID: 40356193
The security event log on each DC records the requests it receives.

What DNS a setup is on the site where the DCs are not present.

Your Failover will be two fold if your DCs are the only DNS servers and presumably, both DCs are vonfigured as GCs.

Each system initially uses DNS a to locate a DC, the DNS timeout will need to be reached before the request is sent to the DNS a server at the DR location.
The traffic and available bandwidth will dictate how much delay you might experience.

Often, DR planing that reduce overhead use TS/Remote desktop servers at the DR that the local users will be connecting to.

Enabling auditing workstation/systems to include login/logout events will record those events in the local security log which also reflects which system authenticated the user.

One option you can use. Ip routing on a local system to make ADDC1 inaccessible
This way only this system is impacted. Then logout/login and ..........
LVL 26

Expert Comment

by:Leon Fester
ID: 40356527
My plan is to shutdown the data center ADDC1 server, after few min AD requests automatically redirect the AD requests to DR ADDC2 server
.  -  This is the correct way to simulate a disaster. The most important part of DR exercises is the planning for the DR event and most especially your rollback plan for restoring services when you're done with your exercise.

Remember; everything you do to simulate DR needs to be undone in the same order.
This could include: isolating network traffic/switching off multiple systems/restoring AD integrated applications.
In some instances the best recovery of your DR site DC is to rebuild it after the DR exercise.
Note: I didn't say restore, as I prefer to rebuild a DC if these is already an existing DC. Restores can give more headaches than rebuilds. However, if you are the kind of Engineer who wants to be able to troubleshoot lost DC's then go for it and restore a DC. You'll learn about all the AD Tools and authoritative and non-authoritative restores.

- Need help to perform the DR exercise in better way.
What you've achieved thus far is the DR simulation. i.e. I lost my main site!
While authentication requests can be serviced by the next available DC you still need to do the recovery of Server Roles to the new DC or your AD will be running in 'limp mode'.

It also depends how far you're going with your DR scenario.
In a full DR scenario you would seize roles on the new DC and delete the 'dead' DC from AD.
Also consider how you're going to restore the site after your DR exercise; if you have seized the roles and bring the other server back online again you'd have to re-seize the roles.

 - How can I validate that fail over is happened after shutdown the server ADDC1
The easiest way to check this from the workstation is to check the environment variable named "logonserver".
Use 'set' in a command prompt and check the value. It reports the name of the DC that authenticated the user session.

You can also check the security logs of your DR DC for authentication requests.

 - Is there any logs where I can get the details or any commands.
See above
LVL 25

Author Comment

by:Sekar Chinnakannu
ID: 40356539
@ Leon, We are going to perform only AD DR exercise no other devices going to involve.When I am done with the DR exercise I am planning to power on the ADDC1 to restore the connection.  Why you mentioning to rebuild the server in DR site? we are going to keep the same for long term for fail over.
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

LVL 26

Expert Comment

by:Leon Fester
ID: 40356598
If that is all you're doing then the power-off/power-on scenario will work.
The rebuild of server at DR is only required if you're doing the role transfer and testing for an extended period.

In my Company we do annual DR testing in a few scenario's:
1. Full DR simulation with HO failing over to DR including full server recovery and remote sites logins to DR.
In this case we typically rebuild the DR server after the exercise.
2. Simulated DR: were our HO in another Country fails to their DR site and then connects to HO Prod servers.
In this case we simulate all the tasks so that we can roll-back the forced changes through manual tasks.

Quick question: Do you currently have more than 1 DC at your IND SITE?
If yes, then you've probably perform this failover exercise every time you do patching or server restarts as you'd be powering down one of the DC's during each operation.

NB. It is recommended that you have at a least 2x DC's per site.
LVL 25

Author Comment

by:Sekar Chinnakannu
ID: 40356668
We have only one DC in data center and one in dr data center and both are in IND AD site for failover. Also we have few other AD sites which is near to IND site they are all in different AD sites.
LVL 26

Accepted Solution

Leon Fester earned 500 total points
ID: 40356751
In that configuration then you be simulating this failover process each time you patch your DC in the data center.

But yeah, do the exercise as you've suggested with the power down of the main DC and the restore it later.

Have a read through the following links to get a better understanding of how a Domain Controller is found (DC locator process) and how DNS affects AD.

It will be helpful in increasing your understanding of the impact of the main DC going down and how windows manages to find another DC. So when somebody asks you if you're sure you can point them to the Microsoft answer. :)

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question