Recover Orphaned DC at DR
mikearama
Member Posts: 749
Hey techies.
Got a good one for ya... hoping some of you AD uber-geeks have come across this before. By the way, I'm the network admin, not the AD admin, though I do have my MCSE 2000, so I'm not totally unfamiliar with what I describe. The AD admin and I are a little at odds as to the outcome of this scenerio.
We are trying to set up a hot DR site, and have added a DC there which can communicate across an MPLS connection with us here at HO. At DR, we have set up exact duplicate subnets and vlans as here at HO. By the way, as we are an affiliate of a much larger organization, we are not the AD root... we connect to the root via a T1 connection to corporate head office in Kentucky. We have also set up a mirror T1 at DR so that the DR-DC will be able to see the root in the event of a disaster. So, here's the delemna:
If, whether via test or an actual disaster, the link between us and the DR site is severed, I can manually bring up the vpn tunnel over the T1 backup link. This will allow the now orphaned DC to connect to corporate and see the AD root. I suppose at that point, in the case of a real disaster, the DC could operate for a while solo, and if necessary, assume the FSMO roles.
Now, the obvious tricky one... a DR test. Picture this: I manually sever the link to HO. At DR, I bring up the T1 so the DC can be pointed to the root. The root now sees HO across the prime T1, and the orphaned DC at DR. Even worse, part of the test will be to snapshot recover a mess of servers into a vlan/subnet that is the mirror of the one here at HO. Is it possible that since the DC cannot see the domain master here at HO, it will allow domain accounts to login from the servers and Bob's your uncle?
Or, since the root can still see the HO networks and knows that the server subnet is alive and kicking back here at HO, will the root cause the orphaned DC to not authenticate the rebuilt servers and domain accounts?
Any insights and/or links greatly appreciated.
Mike
Got a good one for ya... hoping some of you AD uber-geeks have come across this before. By the way, I'm the network admin, not the AD admin, though I do have my MCSE 2000, so I'm not totally unfamiliar with what I describe. The AD admin and I are a little at odds as to the outcome of this scenerio.
We are trying to set up a hot DR site, and have added a DC there which can communicate across an MPLS connection with us here at HO. At DR, we have set up exact duplicate subnets and vlans as here at HO. By the way, as we are an affiliate of a much larger organization, we are not the AD root... we connect to the root via a T1 connection to corporate head office in Kentucky. We have also set up a mirror T1 at DR so that the DR-DC will be able to see the root in the event of a disaster. So, here's the delemna:
If, whether via test or an actual disaster, the link between us and the DR site is severed, I can manually bring up the vpn tunnel over the T1 backup link. This will allow the now orphaned DC to connect to corporate and see the AD root. I suppose at that point, in the case of a real disaster, the DC could operate for a while solo, and if necessary, assume the FSMO roles.
Now, the obvious tricky one... a DR test. Picture this: I manually sever the link to HO. At DR, I bring up the T1 so the DC can be pointed to the root. The root now sees HO across the prime T1, and the orphaned DC at DR. Even worse, part of the test will be to snapshot recover a mess of servers into a vlan/subnet that is the mirror of the one here at HO. Is it possible that since the DC cannot see the domain master here at HO, it will allow domain accounts to login from the servers and Bob's your uncle?
Or, since the root can still see the HO networks and knows that the server subnet is alive and kicking back here at HO, will the root cause the orphaned DC to not authenticate the rebuilt servers and domain accounts?
Any insights and/or links greatly appreciated.
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
-
Hyper-Me
Banned Posts: 2,059
is it a subdomain or in the root domain?
If its a subdomain then authentication would be done via the DCs for that domain, not another parent domain.
The problem I think you will have is suddenly 2 of everything phoning home. Id imagine at replication implosion or something of the sorts. -
mikearama
Member Posts: 749
is it a subdomain or in the root domain?
We control our domain, which is a child domain in the forest. At HO, we have three DC's, and DC2 is our master... it takes the lead in communicating with the root. The DR-DC is the fourth domain controller.
Yeah, I think you're right... the root would see HO up, except that it will generate an alert when it fails to reach the DR-DC. Then, when the DR-DC manages to find the root via the backup T1, it will have two entrances into our child domain. So yes, when servers start coming up with identical names and IP's, all hell could break loose.
That is the question, though. Perhaps AD is smarter than I think and it'll leave it to the local DC is authenticate local servers/accounts. This is what I need verified.
Someone's got to have run into this before.There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project. -
Hyper-Me
Banned Posts: 2,059
Unless the local machines will route to the other location via some sort of vpn then you should be ok.
-
mikearama
Member Posts: 749
Once I yank the plug connecting the MPLS routers, there will be no direct connectivity between HO and DR. So I don't fear bringing up mirror subnets and vlans at DR... there won't be any overlap.
It's just the root that I fear. I just can't find any documentation on what to expect the root to do when it sees our child domain polling from two different paths. Hmmmm....There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.