AD Sites/AD Replication

Asked by tbs_mnp

Question, I have Site A (Master) and Site B (Affiliate) linked via a T1 line. Site A has two domain controllers. Site B only has DNS/DHCP, so it was no wonder that when the line went down for two days, users at site B could log into their computers but NOT access data on the servers.

My question is this. While the line was down between Site A and Site B, what would be the issue in creating an additional DC at site A, shutting it down and bringing it to Site B, turning it on, changing the IP to its respective subnet and moving the server to its respective site in AD on that same machine? Wouldn't this server pick up as a DC in this site without the connection to site A? I know the replication link for WAN sites is around 3 hours. Wouldn't this newly created additional DC take over at this site on this subnet once plugged in, given an IP and moved to the correct site?

Users would then be able to authenticate. Once the line between the buildings came back up, the DCs at site A would replicate the changes I made with this new DC at site B.

Does that make sense?
ASKER CERTIFIED SOLUTION
Mahesh

SOLUTION
What you propose, specifically as you propose it, would not work. Domain controllers do a health check and check in with other DCs when they boot, and in most circumstances won't begin taking active connections until they've checked in with other DCs and health checks pass. So rebooting a DC is fine. But unplugging it and moving it to a new location *without* immediate connectivity back to other DCs is problematic.

So the specific order of things you proposed would fail. You'd want a DC in place before the link failed. Not try to move one there and wait for the link to come up.
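The answer above comes down to "have a DC in the branch site, correctly placed, before the link fails." As an added example (not code from this thread or from Microsoft), the PowerShell script below checks the things that decide whether a site can ride out a WAN outage: whether its subnets map to the site, whether it has its own DC and Global Catalog, where the PDC Emulator lives, the site-link replication interval, and whether each DC passes the advertising health check the answer describes. The site name "SiteB" and domain "corp.example" are placeholders, and the RSAT ActiveDirectory module plus the dcdiag, repadmin and nltest tools are assumed to be installed.

```powershell
# Added example, not code from the thread or from Microsoft: readiness check for a branch site.
# Assumptions (placeholders, not from the thread): site "SiteB", domain "corp.example".
# Run from an elevated PowerShell with the ActiveDirectory RSAT module while the WAN link is up.
Import-Module ActiveDirectory

$Site   = 'SiteB'         # placeholder: the affiliate site
$Domain = 'corp.example'  # placeholder: the AD DNS domain name

# 1. Subnet-to-site mapping. The DC locator chooses a site by the client's subnet; a subnet missing
#    here means clients in it are handed any DC in the domain, including one across the WAN.
Write-Host "== Subnets mapped to $Site =="
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$Site,*" } |
    Select-Object Name, Location

# 2. DCs in the site: is at least one a Global Catalog, and which FSMO roles live here?
#    The PDC Emulator exists only once per domain, so it will normally stay in the hub site.
Write-Host "== Domain controllers in $Site =="
$dcs = Get-ADDomainController -Filter "Site -eq '$Site'"
$dcs | Select-Object Name, IPv4Address, IsGlobalCatalog, IsReadOnly,
    @{ n = 'FSMO'; e = { $_.OperationMasterRoles -join ',' } }
if (-not $dcs) {
    Write-Warning "No DC in ${Site}: users there depend on the WAN link for logon and Kerberos tickets."
}
Write-Host "PDC Emulator for ${Domain}: $((Get-ADDomain -Identity $Domain).PDCEmulator)"

# 3. Site-link schedule. The thread's "around 3 hours" is the 180-minute default interval.
Write-Host "== Site links =="
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { $_.SitesIncluded -join ';' } }

# 4. Per-DC advertising test. A DC that cannot reach a replication partner after a cold move is
#    exactly the case that fails here, which is the health check the answer refers to.
foreach ($dc in $dcs) {
    Write-Host "== dcdiag Advertising on $($dc.HostName) =="
    dcdiag /s:$($dc.HostName) /test:Advertising
}

# 5. Replication summary: failure counts and largest delta per partner across the forest.
repadmin /replsummary

# 6. Which DC the locator actually returns for a client sitting in this site.
nltest /dsgetdc:$Domain /site:$Site /force

# If a DC's server object still shows its old site after a physical move, move it once the DC can
# replicate again (the move itself has to replicate to its partners):
#   Move-ADDirectoryServer -Identity <DCName> -Site $Site
```

Run it while the link is healthy and keep the output; the same commands after an outage show whether the branch DC is still advertising and how far behind its replication partners it is.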
tbs_mnp (ASKER)
Another quick question. Our Forest level is Windows Server 2012 functionality level. Is there an easy way to downgrade the functionality level so we could add a 2008 server as a domain controller?
tbs_mnp (ASKER)
Cliff, if we were able to establish a wide open VPN connection back home to our two other DCs, and it could communicate with these DCs over the VPN connection, would it check in with the others and start working?
If your site to site VPN is configured and routing traffic properly, yes.
You can do that from 2012 to 2008 R2:
https://social.technet.microsoft.com/wiki/contents/articles/26377.downgrade-domain-functional-level-from-2012-r22012-to-2008r22008.aspx

The approach you are thinking of would not work the 1st time you connect to the relocated DC;
however, once the link is established, the relocated DC will sync its new IP, site etc. to the other DCs and next time it will be ready for servicing.
After changing the IP, and once the link comes online, you need to boot the DC once and it should take care of it.
The issue happens only the 1st time, hence your approach would work; however, since a straightforward way is available, there is no need to take your route.

Mahesh.
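Lowering a functional level is a PowerShell-only operation, so here is an added example (not code from this thread or from the linked article) of the checks to run before attempting the "2012 to 2008 R2" change Mahesh mentions, ending with a -WhatIf preview that modifies nothing. It assumes it is run as Enterprise Admin on a Windows Server 2012 or later DC with the ActiveDirectory module; the forest and domain are read from the environment rather than hard-coded.

```powershell
# Added example, not code from the thread or the linked article: prerequisites for lowering the
# forest/domain functional level, then a -WhatIf preview. Assumes Enterprise Admin rights on a
# Windows Server 2012 or later DC (the downgrade cmdlets are not exposed in the GUI).
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
Write-Host "Current forest mode: $($forest.ForestMode); domain mode: $($domain.DomainMode)"

# Every DC's OS. The target level decides which OS can still be promoted: a Windows Server 2008
# (non-R2) DC needs the domain at Windows2008Domain, 2008 R2 needs Windows2008R2Domain or lower.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperatingSystem |
    Format-Table -AutoSize

# AD Recycle Bin is irreversible and requires Windows2008R2Forest, so if it is enabled the forest
# level can be lowered to 2008 R2 but not below it.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($rb -and $rb.EnabledScopes.Count -gt 0) {
    Write-Warning ("Recycle Bin enabled in: " + ($rb.EnabledScopes -join ', ') +
                   ". Lowest reachable forest level is Windows2008R2Forest.")
}

# Lower the forest first: the forest level can never exceed any domain's level, so a domain cannot
# be taken below the current forest level. Remove -WhatIf to apply; the cmdlets prompt for
# confirmation because they are marked high impact.
Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -WhatIf
Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -WhatIf
```

Keep the -WhatIf run in your change record: it confirms the cmdlets resolve the forest and domain correctly before anything is lowered, and the DC listing shows what the level change is actually buying you.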
tbs_mnp (ASKER)
Also Cliff, what would happen in this scenario. We establish a link from one DC to another DC and AD syncs. We shut off the DC, move it and turn it on in a place that cannot communicate with another DC.

Authentication would still fail in this scenario? Even if this was setup as a Global Catalog server and all roles etc.
Cached credentials on local machines would work, just as they did in your last situation. But the relocated DC would not issue Kerberos tickets so network resources would largely be unavailable until it could report as healthy.
tbs_mnp (ASKER)
Cliff, you don't think that even though the DC had all objects/credentials on the machine that it would allow clients to authenticate? Just because of the health check not communicating with another DC?

We once had another site with a DC on-site go down, and at the time it happened the line between our main location and the affiliate location was down as well. We did not see any authentication issues when the DC came back up even though the line to see another DC was down.
It will work for a little while. DCs aren't meant to be permanently incommunicado. A lot of AD functionality can only be provided by the PDC Emulator role (lockout verification, password expiration checks, etc), and only one PDC Emulator can exist in a domain, so having two DCs in two sites that don't communicate with one another is a recipe for huge headaches.

If your secondary site is not likely to be in communication with the primary site for long periods of time, you'd be better off setting up a new domain and establishing a trust between the domains for when the two sites can talk to one another.