Laszlo Denes asked:

2008 R2 Domain Controllers Not Connected for a few hours due to move

Need some help understanding the risks (if any) for doing the following.
We have an AD Forest/Domain (2008 R2 both) with about 30 servers (about 50% physical and virtual VMware 6.0 on 3 ESXi hosts) and 150 desktops/laptops. The two Domain Controllers (both 2008 R2) are physical systems in an off-site Data Centre.
We currently have a main office and a Data Centre (link direct to it for current office) off-site, but will be moving to a new office location and we will move the Data Centre from the off-site to the new office (in-house), which means both offices have to be functional for a day or so while we transition. There is no metro LAN extension possible so that it becomes one giant network between the 3 locations, which would be the easy way to do this of course. We will move all servers the same day from the Data Centre to the new office, but as some are more critical than others, we thought we could move one domain controller (secondary, as it contains DHCP for a specific subnet that we will need to service certain desktops) early in the morning with 1 physical application server (critical for charting information) that relies on AD being up and get that running. Then about 5-6 hours later we would move over the other domain controller (the primary) and it would then join the other one. Of course I will move all FSMO roles (they are split right now) to Domain Controller 2 as it is the one being moved over to run AD alone for a few hours. Clearly a few hours will not cause any tombstone issues for the servers.
Replication will be affected as Domain Controller 2 will be live and Domain Controller 1 will be off for about 6 hours, but will it break anything or will it merely catch up?
Domain Controller 1 is the NTP server; will that be an issue when the two Domain Controllers see each other again or will it merely adjust?
Of course nothing new (accounts, systems) will be added to AD during this time and the only functional purpose of Domain Controller 2 will be to authenticate W7 clients so they can log into a few desktops and then use the application client software to connect to the charting server.
If we could have extended the LAN to cover all 3 sites then we would have done it already, but it was not possible for various technical and $ reasons.
Thoughts? Please and thank you very much in advance.
SOLUTION
Seth Simmons
ASKER CERTIFIED SOLUTION

ASKER

Thanks to both of you for your feedback. Greatly appreciated!
So just to reiterate... the two DCs can exist on their own (without connection to each other for a few hours, 6-12 or so) and it should be okay...
Yes, they can. 6-12 hours is an acceptable no-communication window, and back in the days before broadband, it wasn't uncommon for DCs in AD to only sync once every 6-12 hours.
Thanks, appreciate confirming that... do I even have to move all the FSMO roles to 1 server... because both will provide some AD logon ability to a few localized users and servers at either site (the two offices that won't have connectivity)... so they can keep doing what they do... both domain controllers will need to be able to authenticate limited users... kind of like two field offices with 1 DC each...
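
An added example, not part of the original thread: read-only checks that could be run before the first DC is unplugged and again once both DCs are reconnected, covering the concerns raised in the question (FSMO role placement, tombstone lifetime versus the outage window, replication catch-up and time source). `DC1` and `DC2` are hypothetical host names, and the 12-hour figure is the upper bound mentioned in the thread.

```powershell
# Added example: read-only health checks around a planned DC isolation window.
# Assumptions: ActiveDirectory module plus repadmin/w32tm are available
# (all ship with the 2008 R2 AD DS role); DC1/DC2 are hypothetical names.
Import-Module ActiveDirectory

$PlannedOutageHours = 12             # upper bound discussed in the thread
$DomainControllers  = 'DC1', 'DC2'   # hypothetical host names

# 1. Record which DC holds each FSMO role before anything is moved.
$forest = Get-ADForest
$domain = Get-ADDomain
New-Object PSObject -Property @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Compare the planned outage with the forest's tombstone lifetime.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                -Properties tombstoneLifetime
$tombstoneDays = $dsObject.tombstoneLifetime
if (-not $tombstoneDays) { $tombstoneDays = 60 }   # unset attribute = 60-day default

$outageDays = $PlannedOutageHours / 24
if ($outageDays -ge $tombstoneDays) {
    Write-Warning "Outage ($outageDays d) reaches tombstone lifetime ($tombstoneDays d)."
} else {
    Write-Output "Outage of $outageDays d is within the $tombstoneDays-day tombstone lifetime."
}

# 3. After both DCs are back on the same network: replication and time.
repadmin /replsummary                        # per-DC failure counts and largest delta
foreach ($dc in $DomainControllers) {
    repadmin /showrepl $dc /errorsonly       # only partners reporting errors
    w32tm /query /source /computer:$dc       # which time source this DC is using
}
# Offsets between the DCs; Kerberos tolerates 5 minutes of skew by default.
w32tm /monitor /computers:$($DomainControllers -join ',')
```

Steps 1 and 2 can be run at any time before the move; step 3 is only meaningful once the two DCs can reach each other again.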