AD controllers in DR

  • Last Post 10 November 2016
kebabfest posted this 03 November 2016

I am setting up Site Recovery in Azure with a DC always on there, even if the links between production Azure and DR Azure will be disabled until DR is invoked.
My question is: after I fail my servers over and update their IP addresses, how can I make sure that the DR AD server never replicates information back to production?
An RODC will be no good (or will it?) as I may have to re-add the failed-over servers to the domain again after their IP change.
I am not using a stretched VLAN or the same IP addressing due to network requirements.
The DR AD has its own site and only replicates to production Azure and not on-premises.
Anybody else used the Site Recovery module in Azure? Any horror stories?
Cheers,
Eoin

daemonr00t posted this 08 November 2016

Hi!
Just to make things clear, having your Domain Controllers on Azure or any other cloud solution makes no difference for Active Directory; that is just another site.
Now if you have a Primary site and a Disaster Recovery site there must be a way you replicate stuff from one place to the other, and this must be the native AD replication engine. I've seen scenarios using third-party tools which I must admit in some cases work but are not supported by Microsoft.
Here you might want to explore stuff like Change Notification on your topology; it's common to find that among the PR and DR sites.
Now my question is... why don't you want to replicate stuff from DR to PR site? An outage could go on for an extended period of time, and during that time sensitive stuff like user and machine passwords and/or Trust secrets could change... On top of that you mention you have a determined IP assignment on the cloud site, which makes me assume you also have DDNS in place.
The DDNS part kills the RODC; besides that you need to consider other AD-aware products like Exchange, Skype, etcetera... how do they interact with AD?
I guess you should look at how other things are being replicated, what their fail-over / resiliency mechanisms are.
Cheers,
~danny

eccoleman posted this 09 November 2016

We are doing a similar model to this, but without the "DR" philosophy. We use site boundaries to create separation, and some network access controls with our cloud subnets. We're also doing this in AWS, not Azure, but the concepts are parallel. Initially, we are making our cloud instances available only for raw LDAP (389/636) or Kerberos (88) access, and not opening the traditional Windows RPC ports. How has anyone dealt with the fact that a Windows-joined machine prefers to be able to talk to all DCs in the domain? It would seem that a cloud VM joined to this hybrid AD would essentially require backchannel access back to our premises in order to reach other DCs (such as the FSMO role holders, etc.)

--
Erik Coleman
University of Illinois at Urbana-Champaign

kebabfest posted this 09 November 2016

Hi Erik,
Thanks for this. It will be interesting to hear what people say about the back-channel communication. I had assumed that after the initial DC promotion, where it needs to talk specifically to the RID master, having it set up on a different site to another Azure site and DC would mean it only needs to talk to the DC which I make its replication partner. I will follow your example and only open the 3 ports and RDP (I need this for this particular environment) on the peer-to-peer link and see how that goes.
I am still not sure, if I implement a full DR test, whether I should disable outbound replication on the DC in DR, as there is a potential that the production server (off in a full DR test) will get its AD record screwed up when I fail back the servers in DR.
Definitely a better way of going than trying to fail over a domain controller. You always hear about USN and replication problems when this happens.
Overall though, I have to say Site Recovery in Azure looks good.


kebabfest posted this 09 November 2016

Does the Donald use Azure or AWS?

eccoleman posted this 10 November 2016

Apparently neither, he uses Windows Server 2003:

http://fortune.com/2016/10/18/donald-trump-email-server-security/

But I digress...

eccoleman posted this 10 November 2016
You may also want to consider manually configuring your replication topology using a site bridgehead. That lowers the resiliency of replication by relying on a single replication path and not letting the KCC decide the topology, but you achieve some control.

Our choice of AWS over Azure came down to feature maturity and our procurement process. I think we will add Azure down the line too, but we have already adopted Azure AD for basic authN/authZ needs so far.

-Erik
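The three questions raised above (which DC the DR DC actually replicates with once the topology is hand-built, whether only 88/389/636 are open on the link, and whether outbound replication can be switched off for a DR test) can all be checked from one console. The following PowerShell is an added example and is not code from any poster in this thread. It assumes the RSAT ActiveDirectory module and repadmin.exe are installed, and the hostnames DR-DC01 and AZ-DC01 are placeholders for the DR DC and its intended replication partner.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module + repadmin.exe.
# DR-DC01 / AZ-DC01 are placeholder names for the DR DC and its chosen replication partner.
Import-Module ActiveDirectory

$DrDc   = 'DR-DC01.corp.example'   # placeholder: the DC living in the DR site
$PeerDc = 'AZ-DC01.corp.example'   # placeholder: the only DC it should replicate with

# 1. Inventory the inbound connection objects on the DR DC.
#    Anything other than $PeerDc means the KCC built a path you did not intend
#    (e.g. straight to on-premises). AutoGenerated=False marks a hand-made connection.
Get-ADReplicationConnection -Server $DrDc -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, AutoGenerated

# 2. Confirm the link carries only the ports you chose to open.
#    88 (Kerberos), 389/636 (LDAP/LDAPS) should be open; 135 (RPC endpoint mapper)
#    is probed so you can see whether the traditional RPC path is still reachable too.
foreach ($port in 88, 389, 636, 135) {
    $r = Test-NetConnection -ComputerName $PeerDc -Port $port -WarningAction SilentlyContinue
    '{0,4}: {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'closed' })
}

# 3. Before a full DR test: stop the DR DC from pushing changes towards production.
#    Inbound replication stays enabled, so the DR DC keeps receiving updates.
repadmin /options $DrDc +DISABLE_OUTBOUND_REPL

# 4. After the test: re-enable outbound replication and confirm partner status.
repadmin /options $DrDc -DISABLE_OUTBOUND_REPL
repadmin /showrepl $DrDc
```

Run it from a management host on the DR side. The DISABLE_OUTBOUND_REPL flag is per-DC, so it is the same knob you would use to isolate any single DC; do not leave it set past the tombstone lifetime, and after the test let the DR DC replicate normally rather than reverting it from a VM snapshot, since restoring a DC from a snapshot is what produces the USN rollback problems mentioned earlier in the thread.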

kebabfest posted this 10 November 2016

Thanks Erik. I manually configured a site bridgehead as the automatic topology wanted to replicate directly to on-premises.
I must have a look and set up AWS, so I can compare the 2 properly.
