DR for AD

Hi folks,

I work for a huge company and am just curious and would like to ask for some advice: how do you all effectively manage/create your disaster recovery management for Active Directory? I just wanted to know what the best/most effective way is, other than relying on a third-party tool such as Recovery Manager from Dell.
IT_Admin XXXX asked:
Peter Hutchison, Senior Network Systems Specialist, commented:
There are two ways:
1. Have multiple Domain Controllers, preferably some in different locations.
2. Have regular backups of the DCs so you can restore to revert back in certain situations.
3. Also, enable the Recycle bin feature, so that you can easily undelete objects in AD.
Will Szymkowski, Senior Solution Architect, commented:
This is kind of a loaded question to be completely honest.

There are several types of failures that can take place in Active Directory. You need to have the proper knowledge/tools/backups available if any of these happens...
- DC failure at a single site
- NTDS.dit database corrupt
- Deleted objects from Active Directory
- Failed DNS
- Corrupt Sysvol Share
- Corrupt GPO's (individual ones)

You also have to look at your infrastructure as well and place DC's according to where applications require authentication.

For something like Exchange hosted in a site you require a DC/GC/DNS in order for this to operate properly. So in the event that you lose a DC in a site where you host Exchange you will not be able to leverage another site's DC to keep Exchange online. It requires at least one read/write DC/GC in a site.

So something like this where you have Exchange should have n+1 (2 or more) DC/GC's in the site.

For a small site that does not have many users or any dependent application for authentication you can simply point these users to multiple DC/DNS servers in different sites that are geographically close.

As for sites that have multiple DC's, what I like to do is, if you have a site that has 2 DC's, I configure all of my clients and servers to point to these 2 DC's (primary and secondary DNS). I then add a 3rd DNS server (advanced settings on the NIC properties DNS tab) from another site, so that in the event that both DC's are unresponsive users will still be able to authenticate and query DNS from another geographically close site.

You have to also be cognizant of where your FSMO role holder is placed and in what site. Typically for best practices I like to put the FSMO role holder in the site that is MOST geographically central to all other AD sites. I also make sure that this DC has the most resources as well, to ensure that it can handle all of the extra processing that is required.

Best practices for recovering Domain Controllers are below...
- Always keep up-to-date System State backups of ALL DC's
- Only restore from a System State backup if all DC's are compromised (authoritative restore)
- If you have a single failed DC, do not try to restore from System State; it is better to remove it gracefully if you can, then perform metadata cleanup
- If you have more than 2 DC's in a site make sure that you have a 3rd DNS server in the NIC properties as 3rd in the list; this will allow clients to authenticate if both DC's in the same site fail
- Always allow Sites and Services to create automatic connections (this will allow automatic re-creation of new site connections)
- If you have deleted objects from Active Directory YOU DO NOT HAVE TO use the Recycle Bin feature or restore from backup; you can use LDP.exe to recover deleted objects from the "IsDeleted" hidden folder
- Another good idea is to have a "DR" type site where you have a DC present that has a longer (inter-site) replication period. I say this because if you ever delete something from AD or your entire domain gets compromised you have a DR DC that has not had these changes replicated yet, so it is still in a healthy state. I have used this approach before and it has saved me HOURS of rebuilding an entire domain

Another note is to make sure that you have redundant networks in place as well. Active Directory redundancy is useless if you do not have redundant networks.

Will.
IT_Admin XXXX (author) commented:
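The checks in the answer above (n+1 writable DC/GCs per site, where the FSMO holders sit, a third DNS server from another site on the NIC, and what LDP.exe would show as deleted objects) can be scripted. The following is an added example, not code from the thread or from any vendor product; it assumes a domain-joined host with RSAT (the ActiveDirectory and DnsClient modules) and an account with read access to AD, and it is read-only.

```powershell
# Added example (not from the thread): read-only checks for the practices in the answer.
# Assumes RSAT (ActiveDirectory + DnsClient modules), a domain-joined host and an
# account with read access to AD. The "two writable GCs per site" threshold and the
# "third DNS server from another site" rule come from the answer above.
Import-Module ActiveDirectory
Import-Module DnsClient

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# 1. Writable DC/GC count per site (n+1 for sites hosting Exchange-style dependencies).
$dcs | Group-Object -Property Site | ForEach-Object {
    $writableGcs = @($_.Group | Where-Object { $_.IsGlobalCatalog -and -not $_.IsReadOnly })
    [pscustomobject]@{
        Site        = $_.Name
        DCs         = $_.Count
        WritableGCs = $writableGcs.Count
        Redundant   = ($writableGcs.Count -ge 2)   # $false = single point of failure
    }
} | Format-Table -AutoSize

# 2. FSMO role holders and the site each one sits in (the answer wants them central and well-resourced).
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    $holder = $dcs | Where-Object { $_.HostName -eq $fsmo[$role] }
    '{0,-22} {1,-35} site={2}' -f $role, $fsmo[$role], $holder.Site
}

# 3. This host's NIC DNS list: is the third entry a DC in a *different* site than ours?
$localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $addrs     = $_.ServerAddresses
        $third     = if ($addrs.Count -ge 3) { $addrs[2] } else { $null }
        $thirdSite = ($dcs | Where-Object { $_.IPv4Address -eq $third }).Site
        [pscustomobject]@{
            Interface      = $_.InterfaceAlias
            DnsServers     = ($addrs -join ', ')
            ThirdIsOffSite = ($null -ne $third -and $thirdSite -and $thirdSite -ne $localSite)
        }
    } | Format-Table -AutoSize

# 4. Tombstones LDP.exe would show under the Deleted Objects container. With the Recycle Bin
#    enabled, Restore-ADObject brings one back with its attributes intact; without it, tombstone
#    reanimation (the LDP route in the answer) recovers only a handful of attributes.
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
    Sort-Object -Property whenChanged -Descending |
    Select-Object -First 10 -Property Name, whenChanged, lastKnownParent
```

Run it from an ordinary domain member in the site you are checking; step 3 reads that machine's own NIC settings, so the "third DNS server" result is per host, not forest-wide. Step 4 lists recent deletions only; the decision between Restore-ADObject, tombstone reanimation and a backup restore still depends on whether the Recycle Bin was enabled before the deletion.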
Hi Will, thank you for the input! Appreciate all the info. Just curious... the "DR" type site you have, how often is that updated/managed as far as the AD/DCs part?

I am just curious how that "DR" type scenario will best work for an environment like we have (we have close to 300 DCs that are placed globally).
Will Szymkowski, Senior Solution Architect, commented:
The DR site is a site on its own and is not used for day-to-day authentication. It is strictly there as a DR backup server. I leave replication to this server 1 day out (1440 minutes). You can set it to whatever you want, but make sure that the interval is something higher than the normal replication interval.

300 DC's seems like a lot of management. Do you really need that many? Can't you have hub sites?

Will.
IT_Admin XXXX (author) commented:
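The lagged DR site Will describes (its own site, a single site link with a 1440-minute replication interval, and no other path into it) is a few Sites and Services settings. The block below is an added example, not the thread author's script or any product's code; the site, site-link and cost values are assumptions to be replaced, and the only hard number taken from the answer is the 1440-minute interval.

```powershell
# Added example (not from the thread): build or verify the lagged "DR" site link
# from the answer above. Site and link names and the cost are assumptions.
Import-Module ActiveDirectory

$drSite     = 'DR-Site'     # assumed name of the isolated DR site
$hubSite    = 'Hub-Site'    # assumed hub site the DR DC replicates from
$linkName   = "$hubSite-$drSite"
$lagMinutes = 1440          # once a day, as in the answer (valid range is 15..10080)

# Create the site and its single link only if missing, so the script is idempotent.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$drSite'")) {
    New-ADReplicationSite -Name $drSite
}
$link = Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'"
if (-not $link) {
    $link = New-ADReplicationSiteLink -Name $linkName -SitesIncluded $hubSite, $drSite `
        -Cost 500 -ReplicationFrequencyInMinutes $lagMinutes -PassThru
} else {
    Set-ADReplicationSiteLink -Identity $link -ReplicationFrequencyInMinutes $lagMinutes
}

# The lag only holds if the DR site has no faster link and the link does not use change
# notification (options bit 0x1 makes inter-site replication ignore the schedule).
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, options |
    Where-Object { $_.SitesIncluded -match "^CN=$drSite," } |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'ChangeNotification'; e = { (($_.options -band 1) -ne 0) } }

# How far behind the DR DC actually is, per naming context. A value close to the
# configured lag is the expected state; a value near zero means the lag is not in effect.
$drDc = (Get-ADDomainController -Filter "Site -eq '$drSite'").HostName
Get-ADReplicationPartnerMetadata -Target $drDc -Scope Server -PartnerType Inbound |
    Select-Object Partition, Partner, LastReplicationSuccess,
        @{ n = 'HoursBehind'; e = { [math]::Round(((Get-Date) - $_.LastReplicationSuccess).TotalHours, 1) } }
```

Two points a practitioner will want alongside this: the lagged DC is still a writable domain controller holding the same secrets as every other DC, so it needs the same patching, monitoring and access control as the hub DCs rather than less; and the lag only buys anything if a bad deletion or change is detected within the interval, which argues for alerting on bulk deletions rather than relying on someone noticing in time.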
Yep, we have 300 DCs situated all over the world. And yes, it is a lot of management. We are currently dependent on Forest Recovery for DR but just wondering what the best approach for DR is, just in case the product becomes faulty (which has happened when we did some exercises in lower environments).