Active Directory DR Failover help

Posted on 2014-10-01
Medium Priority
Last Modified: 2014-10-02
I am working on performing a DR exercise for an Active Directory server. We have multiple sites globally, but I am working on performing the failover exercise for a specific site due to a data center move.

I have 2 AD servers in IND SITE: one server, ADDC1, in the data center and another server, ADDC2, in DR. Both servers are in different locations, but they are in the same AD SITE GROUP and the IP addresses are different.

My plan is to shut down the data center ADDC1 server; after a few minutes, AD requests automatically redirect to the DR ADDC2 server.

- Need help to perform the DR exercise in a better way.
- How can I validate that failover has happened after shutting down the server ADDC1?
- Are there any logs where I can get the details, or any commands?

FYI - We manage DNS\DHCP using third-party tools; the AD servers handle only AD-related tasks.
Question by: Sekar Chinnakannu
LVL 79

Expert Comment

ID: 40356193
The security event log on each DC records the requests it receives.

What DNS setup is on the site where the DCs are not present?

Your failover will be twofold if your DCs are the only DNS servers and, presumably, both DCs are configured as GCs.

Each system initially uses DNS to locate a DC; the DNS timeout will need to be reached before the request is sent to the DNS server at the DR location.
The traffic and available bandwidth will dictate how much delay you might experience.

Often, DR planning that reduces overhead uses TS/Remote Desktop servers at the DR site that the local users will be connecting to.

Enabling auditing on workstations/systems to include logon/logoff events will record those events in the local security log, which also reflects which system authenticated the user.

One option you can use: IP routing on a local system to make ADDC1 inaccessible.
This way only this system is impacted. Then log out/log in and ..........
LVL 26

Expert Comment

by:Leon Fester
ID: 40356527
"My plan is to shut down the data center ADDC1 server; after a few minutes, AD requests automatically redirect to the DR ADDC2 server."
 - This is the correct way to simulate a disaster. The most important part of DR exercises is the planning for the DR event and most especially your rollback plan for restoring services when you're done with your exercise.

Remember; everything you do to simulate DR needs to be undone in the same order.
This could include: isolating network traffic/switching off multiple systems/restoring AD integrated applications.
In some instances the best recovery of your DR site DC is to rebuild it after the DR exercise.
Note: I didn't say restore, as I prefer to rebuild a DC if there is already an existing DC. Restores can give more headaches than rebuilds. However, if you are the kind of engineer who wants to be able to troubleshoot lost DCs, then go for it and restore a DC. You'll learn about all the AD tools and authoritative and non-authoritative restores.

- Need help to perform the DR exercise in a better way.
What you've achieved thus far is the DR simulation, i.e. "I lost my main site!"
While authentication requests can be serviced by the next available DC, you still need to do the recovery of server roles to the new DC or your AD will be running in 'limp mode'.

It also depends how far you're going with your DR scenario.
In a full DR scenario you would seize roles on the new DC and delete the 'dead' DC from AD.
Also consider how you're going to restore the site after your DR exercise; if you have seized the roles and bring the other server back online again you'd have to re-seize the roles.

- How can I validate that failover has happened after shutting down the server ADDC1?
The easiest way to check this from the workstation is to check the environment variable named "logonserver".
Use 'set' in a command prompt and check the value. It reports the name of the DC that authenticated the user session.

You can also check the security logs of your DR DC for authentication requests.

- Are there any logs where I can get the details, or any commands?
See above
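The two checks this answer describes (the workstation's "logonserver" value and the DR DC's Security log) can be scripted so the result of the exercise is recorded rather than eyeballed. The following PowerShell is an added example, not code from the thread or from any of the participants; the domain name, the lookback window and the event IDs chosen are assumptions, and `ADDC2` is the DR controller named in the question.

```powershell
# Added example (not from the thread): confirm which DC serviced this workstation's
# logon after ADDC1 is powered off, then confirm from the DR DC's own Security log.
# Assumptions: $Domain is a placeholder; ADDC2 is the DR DC named in the question.
param(
    [string]$Domain  = 'corp.example',   # placeholder: replace with your AD DNS domain
    [string]$DrDc    = 'ADDC2',          # DR domain controller from the question
    [int]   $Minutes = 15                # how far back to search the DR DC's Security log
)

# 1. What this session believes authenticated it (the 'set logonserver' check from the answer).
"LOGONSERVER for this session : $env:LOGONSERVER"

# 2. Which DC currently holds this machine's secure channel. nltest ships with Windows.
#    A cached channel to a DC that is already down persists until it times out, so
#    this can still name ADDC1 for a while after the power-off.
nltest /sc_query:$Domain

# 3. Re-run the DC locator and show which DC it now returns.
nltest /dsgetdc:$Domain /force

# 4. On the DR DC: count authentication events in the lookback window.
#    4768 = Kerberos TGT requested, 4769 = service ticket requested,
#    4776 = NTLM credential validation, 4624 = successful logon.
$since  = (Get-Date).AddMinutes(-$Minutes)
$filter = @{ LogName = 'Security'; Id = 4768, 4769, 4776, 4624; StartTime = $since }
$events = Get-WinEvent -ComputerName $DrDc -FilterHashtable $filter -ErrorAction Stop

$events | Group-Object Id | Sort-Object Name |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 5. Which accounts the DR DC issued TGTs to, from the 4768 events' EventData fields.
$events | Where-Object Id -eq 4768 | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Account  = $data['TargetUserName']
        ClientIp = $data['IpAddress']
    }
} | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Steps 1 to 3 run on a workstation in the IND site; step 4 onward reads the DR DC's Security log remotely, which needs the remote event log RPC path open and an account in the Event Log Readers group (or local administrators) on ADDC2. If the DC is not auditing logon events at all, the 4768/4769/4776 counts will be zero regardless of whether failover worked, so check the audit policy before the exercise rather than during it.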
LVL 25

Author Comment

by:Sekar Chinnakannu
ID: 40356539
@Leon, we are going to perform only the AD DR exercise; no other devices are going to be involved. When I am done with the DR exercise I am planning to power on ADDC1 to restore the connection. Why are you mentioning rebuilding the server in the DR site? We are going to keep the same for the long term for failover.
LVL 26

Expert Comment

by:Leon Fester
ID: 40356598
If that is all you're doing then the power-off/power-on scenario will work.
The rebuild of the server at DR is only required if you're doing the role transfer and testing for an extended period.

In my company we do annual DR testing in a few scenarios:
1. Full DR simulation with HO failing over to DR, including full server recovery and remote sites logging in to DR.
In this case we typically rebuild the DR server after the exercise.
2. Simulated DR: where our HO in another country fails over to their DR site and then connects to HO Prod servers.
In this case we simulate all the tasks so that we can roll back the forced changes through manual tasks.

Quick question: Do you currently have more than 1 DC at your IND SITE?
If yes, then you've probably performed this failover exercise every time you do patching or server restarts, as you'd be powering down one of the DCs during each operation.

NB. It is recommended that you have at least 2 DCs per site.
LVL 25

Author Comment

by:Sekar Chinnakannu
ID: 40356668
We have only one DC in the data center and one in the DR data center, and both are in the IND AD site for failover. Also, we have a few other AD sites which are near the IND site; they are all in different AD sites.
LVL 26

Accepted Solution

Leon Fester earned 2000 total points
ID: 40356751
In that configuration, then, you'd be simulating this failover process each time you patch your DC in the data center.

But yeah, do the exercise as you've suggested, with the power down of the main DC, and then restore it later.

Have a read through the following links to get a better understanding of how a Domain Controller is found (DC locator process) and how DNS affects AD.

It will be helpful in increasing your understanding of the impact of the main DC going down and how Windows manages to find another DC. So when somebody asks you if you're sure, you can point them to the Microsoft answer. :)
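The DC locator process the accepted answer points to is driven by the SRV records each DC registers in DNS, first the site-specific ones and then the domain-wide ones. The PowerShell below is an added example, not code from the thread or from Microsoft's documentation; it shows those records for the IND site of the question and tests which advertised DCs actually answer on LDAP. The domain name is a placeholder, and the site name `IND` is taken from the question but may differ from the real AD site object name.

```powershell
# Added example (not from the thread): show the DNS SRV records the DC locator consults,
# so the effect of ADDC1 being absent is visible. $Domain is a placeholder; $Site is
# the site named in the question and should match the real AD site object name.
param(
    [string]$Domain = 'corp.example',   # placeholder AD DNS domain
    [string]$Site   = 'IND'             # AD site from the question
)

# The client's idea of its own site; the locator prefers DCs registered for this site.
nltest /dsgetsite

# Site-specific records are tried first, domain-wide records are the fallback.
$siteRecord   = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
$domainRecord = "_ldap._tcp.dc._msdcs.$Domain"

foreach ($name in $siteRecord, $domainRecord) {
    "`n== $name =="
    try {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight |
            Format-Table -AutoSize
    } catch {
        "lookup failed: $($_.Exception.Message)"
    }
}

# A DC that loses power never gets to deregister its SRV records, so the locator may
# still be handed its name and only falls back after the LDAP ping to it times out.
# Probe each advertised DC on LDAP/389 to see which ones will actually answer.
$targets = Resolve-DnsName -Name $domainRecord -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget

foreach ($dc in $targets) {
    $ok = Test-NetConnection -ComputerName $dc -Port 389 `
            -WarningAction SilentlyContinue -InformationLevel Quiet
    "{0,-40} LDAP/389 reachable: {1}" -f $dc, $ok
}
```

Run it once before the exercise and once after ADDC1 is powered off: the SRV output should be unchanged (the records are still there), while the reachability check flips for ADDC1. That difference is the delay the first expert comment describes, since a client that is handed ADDC1 by DNS has to wait for its LDAP ping to time out before it moves on to ADDC2. If the third-party DNS in use here does not host the `_msdcs` zone at all, the first lookups will fail outright, which is worth knowing before the exercise rather than during it.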

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question