Course 6425A Module 9: Implementing an Active Directory Domain Services Maintenance Plan (presentation transcript)

1 Course 6425A, Module 9: Implementing an Active Directory® Domain Services Maintenance Plan

Presentation: 55 minutes
Lab: 75 minutes

This module helps students implement an Active Directory® Domain Services (AD DS) maintenance plan.

After completing this module, students will be able to:
• Maintain the AD DS domain controllers
• Back up Active Directory Domain Services
• Restore Active Directory Domain Services

Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 6425A_09.ppt.
Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.

This section contains information that will help you to teach this module. For some topics in this module, references to additional information appear in notes at the end of the topics. Read the additional information so that you can prepare to teach the module. During class, ensure that students are aware of the additional information.
2 Module Overview
• Maintaining the AD DS Domain Controllers
• Backing Up Active Directory Domain Services
• Restoring Active Directory Domain Services
3 Lesson 1: Maintaining the AD DS Domain Controllers
• The Active Directory Domain Services Database and Log Files
• How the AD DS Database Is Modified
• Managing the Active Directory Database Using NTDSUtil Tool
• What Is an AD DS Database Defragmentation?
• What Are Restartable Active Directory Domain Services?
• Demonstration: Performing AD DS Database Maintenance Tasks
• Locking Down Services on an AD DS Domain Controller
4 The Active Directory Domain Services Database and Log Files
File | Description
Ntds.dit | Is the Active Directory database file; stores all Active Directory objects on the domain controller; uses the default location systemroot\NTDS folder
Edb*.log | Is a transaction log file; uses the default transaction log file Edb.log
Edb.chk | Is a checkpoint file; tracks data not yet written to the Active Directory database file
Edbres00001.jrs, Edbres00002.jrs | Are the reserved transaction log files

Open Windows Explorer and browse to the C:\Windows\NTDS folder. Point out the files in the folder as you discuss each of the files. Stress that log files will always be exactly 10 megabytes (MB) in size.

Discuss the role of the reserve log files. If students are familiar with previous Active Directory versions, mention that the edbres00001.jrs and edbres00002.jrs files were called res1.log and res2.log in previous versions.

Reference: How the Data Store Works
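As an added example (not part of the course materials), the following PowerShell script does what the instructor note describes by hand: it locates the database and log files through the NTDS service parameters and checks each log file against the fixed 10 MB size mentioned above. The registry value names DSA Database file and Database log files path are assumed from the NTDS service's documented parameters; the script only reads the registry and file metadata and works with PowerShell 2.0 on Windows Server 2008.

```powershell
# Added example (not from the course materials): locate the AD DS database and
# log files through the NTDS service parameters and check them against the
# description on the slide. Run in an elevated PowerShell session on a domain
# controller; it only reads the registry and file metadata.

# Registry value names used by the NTDS service (assumed from the documented
# parameter names; defaults are C:\Windows\NTDS\ntds.dit and C:\Windows\NTDS).
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params     = Get-ItemProperty -Path $ntdsParams
$dbFile     = $params.'DSA Database file'
$logPath    = $params.'Database log files path'

function Get-NtdsFileReport {
    param([string]$DatabaseFile, [string]$LogDirectory)

    $expectedLogSize = 10MB   # transaction logs and reserved logs are fixed 10 MB files

    # The database itself. Offline defragmentation only pays off when this file
    # is large compared with the objects it still holds.
    $dit = Get-Item -Path $DatabaseFile
    New-Object PSObject -Property @{ Name = $dit.Name; Bytes = $dit.Length; Status = 'database' }

    # Transaction logs (edb*.log), checkpoint (edb.chk) and reserved logs (edbres*.jrs).
    Get-ChildItem -Path $LogDirectory |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '^(edb.*\.log|edb\.chk|edbres\d+\.jrs)$' } |
        ForEach-Object {
            $status = 'checkpoint'
            if ($_.Extension -eq '.log' -or $_.Extension -eq '.jrs') {
                if ($_.Length -eq $expectedLogSize) { $status = 'OK (10 MB)' }
                else { $status = 'UNEXPECTED SIZE - investigate' }
            }
            New-Object PSObject -Property @{ Name = $_.Name; Bytes = $_.Length; Status = $status }
        }
}

Get-NtdsFileReport -DatabaseFile $dbFile -LogDirectory $logPath |
    Format-Table Name, Bytes, Status -AutoSize
```

A log or reserved log file that is not exactly 10485760 bytes is worth a closer look, because the engine never produces one of a different size; the database file's own size is the figure to watch when deciding whether an offline defragmentation (next topics) is worthwhile.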
5 How the AD DS Database Is Modified
Slide diagram (flow between the write request, the transaction buffer, EDB.log, Ntds.dit on disk and Edb.chk): Transaction is initiated -> Write to the transaction buffer -> Write to the transaction log file -> Write to the database on disk -> Commit the transaction -> Update the checkpoint.

Describe how the files that the slide lists are used when data is committed to the database. The basic data modification process consists of six steps:
• The write request initiates a transaction.
• Active Directory writes the transaction to the transaction buffer in memory.
• Active Directory secures the transaction in the transaction log.
• Active Directory writes the transaction from the buffer to the database.
• Active Directory compares the database and log files to ensure that the transaction was committed to the database.
• Active Directory updates the checkpoint file.

Question: What other Microsoft services use a transactional model for making database changes? How does the AD DS model compare to these other services?
Answer: Both Microsoft Exchange Server and Microsoft SQL Server™ use the transaction model. The model is very similar in all cases, although some details, such as the size of the transaction logs, vary. For example, in Exchange Server 2007, the transaction logs are only 1 MB in size.

Reference: How the Data Store Works
6 Managing the Active Directory Database Using NTDSUtil Tool
Ntdsutil.exe is a command-line tool used to manage some Active Directory components. Use Ntdsutil.exe to:
• Perform Active Directory database maintenance
• Manage and control single master operations
• Move the Active Directory database files
• Remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled
Type HELP at any NTDSUtil prompt for context-sensitive help.

Describe what NTDSUtil is and describe some of the scenarios where you can use it. Consider opening a command prompt and starting the NTDSUtil tool. Show how to access help and how to move between different contexts within NTDSUtil. Review the NTDSUtil commands.

Question: You have forgotten the directory services restore-mode password for your domain controller. How can you recover the password?
Answer: You cannot recover the password, but by using the Set DSRM password command in NTDSUtil, you can configure a new password for this account.

Reference: NTDSUtil Help; Data Store Tools and Settings
7 What Is an AD DS Database Defragmentation?
• Active Directory performs online database defragmentation automatically every 12 hours
• Online defragmentation optimizes data storage in the database and reclaims space in the directory for new objects, but does not reduce the size of the database file
• Offline defragmentation creates a new, compacted version of the database file
• The new file may be considerably smaller, depending on how fragmented the original database file was
• Use the NTDSUtil command-line tool to perform offline defragmentation on a dismounted database

Describe the difference between online and offline defragmentation. Highlight that online defragmentation happens automatically and does not disrupt normal access to Active Directory. Offline defragmentation requires that the administrator take the database offline and run the NTDSUtil tool.

Mention that offline defragmentation does not normally need to be performed. The scenarios where students may choose to run an offline defragmentation include:
• After removing the global catalog from a server
• After removing a large number of objects from the domain
• After converting from Active Directory-integrated Domain Name System (DNS) to standard DNS

Question: How often will you need to perform an offline defragmentation of your AD DS databases in your environment?
Answer: Most organizations will have to perform an offline defragmentation only when they need to optimize the database usage. In general, you will do this only when the amount of data that you are storing in the AD DS database on a domain controller decreases significantly.

Reference: Data Store Tools and Settings
8 What Are Restartable Active Directory Domain Services?
Restartable AD DS allows administrators to stop Active Directory Domain Services without stopping any other services.
Use restartable AD DS when:
• Applying updates that modify Active Directory service files on a domain controller
• Performing tasks such as offline defragmentation of the Active Directory database
Directory Services Restore Mode must still be used to restore the Active Directory database.

There are three possible states for a domain controller running Windows Server® 2008:
• AD DS Started. In this state, AD DS is started. For clients and other services running on the server, a Windows Server “Longhorn” domain controller running in this state is the same as a domain controller running Windows 2000 Server or Windows Server 2003.
• AD DS Stopped. In this state, AD DS is stopped. Although this mode is unique, the server has some characteristics of both a domain controller in Directory Services Restore Mode and a domain-joined member server.
  As with Directory Services Restore Mode, the Active Directory database (Ntds.dit) is offline. Also, you can use the Directory Services Restore Mode password to log on locally if another domain controller cannot be contacted.
  As with a member server, the server is joined to the domain. Also, users can log on interactively or over the network by using another domain controller for domain logon. However, a domain controller should not remain in this state for an extended time because in this state, it cannot service logon requests or replicate with other domain controllers.
• Directory Services Restore Mode. This mode (or state) is unchanged from Windows Server 2003.

Reference: Windows Server 2008 Technical Library
9 Demonstration: Performing AD DS Database Maintenance Tasks
In this demonstration, you will see how to:
• Start and stop AD DS services
• Move the AD database to a different drive using NTDSUtil
• Use NTDSUtil and AD DS Stopped mode for offline defragmentation

To complete this demonstration, you must have the NYC-DC1 virtual machine running.

Demonstration steps

To stop or start the AD DS service:
1. Click Start, click Admin Tools, and then click Services.
2. Right-click Active Directory Domain Services and then select Stop from the context menu.
3. In the Also stop the following services dialog, click Yes.

To perform an offline defrag of the AD database while in the AD DS Stopped state:
1. Click Start, click Run, type CMD, and then press ENTER.
2. In the command window that appears, type ntdsutil and then press ENTER.
3. At the ntdsutil: prompt, type Activate Instance NTDS and then press ENTER.
4. At the ntdsutil: prompt, type files and then press ENTER.
5. At the file maintenance: prompt, type compact to drive:\LocalDirectoryPath (where drive:\LocalDirectoryPath is the path to a location on the local computer) and then press ENTER.
6. Once complete, copy the ntds.dit file in the compact directory to C:\Windows\NTDS\ntds.dit and delete the old log files by typing del C:\Windows\NTDS\*.log in a command window.
7. In the file maintenance command window, type integrity to check the integrity of the new compacted database.

Once complete, if you want to specify a new location in which to store the database, such as a different spindle:
1. In the file maintenance command window, type move db to pathname and press ENTER. The ntds.dit file is moved to the new location and permissions are set accordingly.
2. In the Services MMC, right-click Active Directory Domain Services and then click Start.

Questions
Why is it necessary to stop AD DS before defragmenting?
Answer: The database needs to be closed completely before it can be overwritten. An online database may have locked records that are being written to, preventing file modification.
Why is it necessary to compact the database to a temporary directory first?
Answer: Compacting the database actually creates a contiguous copy, which will be used to overwrite the fragmented original.

Reference: Data Store Tools and Settings
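The demonstration above is a manual, multi-prompt procedure. As an added example that is not the course's own demonstration script, the following PowerShell script performs the same offline defragmentation end to end using restartable AD DS (the previous topic): it stops the NTDS service, compacts to a scratch directory, replaces the database and logs, runs the integrity check, and rolls back to the saved copy if that check fails. The scratch directories, the service names NTDS, Kdc, DNS and NtFrs, and the word "successful" matched in ntdsutil's output are assumptions; use local paths without spaces so the ntdsutil arguments need no extra quoting, and have a verified backup before running it.

```powershell
# Added example, not the course's own demonstration script: the same offline
# defragmentation the demonstration walks through, driven from PowerShell with
# a rollback if the integrity check fails. The scratch directories, the service
# names and the 'successful' text matched in ntdsutil's output are assumptions.

$ntdsDir    = 'C:\Windows\NTDS'
$dbFile     = Join-Path $ntdsDir 'ntds.dit'
$compactDir = 'C:\Temp\NtdsCompact'   # target for the compacted copy (local disk, no spaces)
$keepDir    = 'C:\Temp\NtdsBefore'    # original database and logs, kept until integrity passes

New-Item -ItemType Directory -Path $compactDir -Force | Out-Null
New-Item -ItemType Directory -Path $keepDir -Force | Out-Null

# 1. Stop AD DS (restartable AD DS). -Force also stops the dependent services
#    that the Services console asks about (KDC, DNS Server, DFS, FRS).
Stop-Service -Name NTDS -Force
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop' }

# 2. Compact into the scratch directory. ntdsutil takes its interactive commands
#    as arguments, so no prompts are needed.
$out = & ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit
$out
if (-not ($out -match 'successful')) { throw 'ntdsutil compact did not report success' }

# 3. Keep the original database and logs, then replace them with the compacted copy
#    and delete the old logs, exactly as the demonstration does by hand.
Copy-Item -Path $dbFile -Destination $keepDir -Force
Copy-Item -Path (Join-Path $ntdsDir '*.log') -Destination $keepDir -Force
Copy-Item -Path (Join-Path $compactDir 'ntds.dit') -Destination $dbFile -Force
Remove-Item -Path (Join-Path $ntdsDir '*.log') -Force

# 4. Integrity check of the new file; roll back to the saved copy if it fails.
$out = & ntdsutil "activate instance ntds" files integrity quit quit
$out
if (-not ($out -match 'successful')) {
    Copy-Item -Path (Join-Path $keepDir '*') -Destination $ntdsDir -Force
    throw 'Integrity check failed; original database and logs restored'
}

# 5. Start AD DS and the services that were stopped with it, then confirm.
Start-Service -Name NTDS
foreach ($svc in 'Kdc', 'DNS', 'NtFrs') { Start-Service -Name $svc -ErrorAction SilentlyContinue }
Get-Service -Name NTDS, Kdc, DNS | Format-Table Name, Status -AutoSize
```

Keeping the pre-compaction copy until the integrity check passes is the one step the manual demonstration does not include; a compacted file that fails the integrity check would otherwise leave the domain controller with no usable database and nothing to fall back on short of a restore.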
10 Locking Down Services on AD DS Domain Controllers
Services required for AD DS to function correctly:
• Distributed File System
• DNS Server
• File Replication Service
• Kerberos Key Distribution Center
• Intersite Messaging
• Remote Procedure Call (RPC) Locator

• Minimize the number of server roles and applications installed on domain controllers
• Use the Security Configuration Wizard to lock down the services on a domain controller

Stress that one of the critical components when securing domain controllers is to minimize the number of services and applications running on the domain controller. One option for ensuring that only the required services are running is to use the Security Configuration Wizard (SCW). If students are not familiar with the SCW, spend some time explaining how it works. Consider starting the wizard and showing the Security Configuration Wizard configuration database, pointing out the services that the Active Directory Domain Services role requires.

Reference: MS HELP: Security Configuration Database
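As an added example (not from the course), the following read-only PowerShell audit checks a domain controller against the service list on this slide: every required service must exist and be running, and any other automatically started service that is not on an allow list is reported for review. The short service names (Dfs, DNS, NtFrs, Kdc, IsmServ, RpcLocator, plus NTDS and Netlogon, which the domain controller itself needs) are my mapping from the display names, and the baseline list is an assumed starting point to be aligned with the SCW policy in use.

```powershell
# Added example, not from the course: audit the services on a domain controller
# against the list the slide gives. Short service names are assumptions mapped
# from the display names. Read-only; run as an administrator.

$requiredServices = @{
    'NTDS'       = 'Active Directory Domain Services'
    'Netlogon'   = 'Netlogon'
    'Dfs'        = 'Distributed File System'
    'DNS'        = 'DNS Server'
    'NtFrs'      = 'File Replication Service'
    'Kdc'        = 'Kerberos Key Distribution Center'
    'IsmServ'    = 'Intersite Messaging'
    'RpcLocator' = 'Remote Procedure Call (RPC) Locator'
}

# Other auto-start services expected on a locked-down DC (assumed baseline; trim
# or extend it to match the SCW policy for the environment). Anything that
# auto-starts outside the required set and this list is reported for review.
$baseline = 'W32Time', 'EventLog', 'RpcSs', 'Dhcp', 'LanmanServer', 'LanmanWorkstation',
            'Dnscache', 'PlugPlay', 'TermService', 'WinRM', 'wuauserv', 'Schedule'

function Test-DcServiceLockdown {
    $findings = @()

    # Required services must exist and be running.
    foreach ($name in $requiredServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            $findings += "MISSING  $name ($($requiredServices[$name]))"
        } elseif ($svc.Status -ne 'Running') {
            $findings += "STOPPED  $name ($($requiredServices[$name])) is $($svc.Status)"
        }
    }

    # Auto-start services outside the required set and the baseline.
    $allowed = @($requiredServices.Keys) + $baseline
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto'" |
        Where-Object { $allowed -notcontains $_.Name } |
        ForEach-Object {
            $findings += "REVIEW   $($_.Name) ($($_.DisplayName)) auto-starts but is not on the allow list"
        }

    if ($findings.Count -eq 0) {
        'No findings: required services running, no unexpected auto-start services'
    } else {
        $findings
    }
}

Test-DcServiceLockdown
```

Each REVIEW line is a candidate for the SCW to disable or for an explicit entry in the baseline; either way the decision gets recorded, which is what a maintenance plan needs.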
11 Lesson 2: Backing Up Active Directory Domain Services
• Introduction to Backing Up AD DS
• Windows Backup Features
• Demonstration: Backing Up AD DS
12 Introduction to Backing Up AD DS
To back up Active Directory, you must back up all critical volumes. Critical volumes include:
• The system volume: the volume that hosts the boot files
• The boot volume: the volume that hosts the Windows operating system and the Registry
• The volume that hosts the SYSVOL tree
• The volume that hosts the Active Directory database (Ntds.dit)
• The volume that hosts the Active Directory database log files
All of these files may be stored in a single volume or distributed across multiple volumes.

Mention that backing up Active Directory Domain Services in Windows Server 2008 is different than it was in previous Active Directory versions, in which you could back up just the system state information. In Windows Server 2008, you must back up all of the files on the critical volumes.

In Windows Server 2008, the system components that make up system state data depend on the server roles that are installed on the computer, and which volumes host the critical files that the operating system and the installed roles use. System state data includes at least the following, plus additional data depending on the server roles that are installed:
• Registry
• COM+ Class Registration database
• Boot files, as described earlier in this topic
• Active Directory Certificate Services database
• Active Directory Domain Services database
• SYSVOL directory
• Cluster service information
• Microsoft Internet Information Services (IIS) metadirectory
• System files that are under Windows Resource Protection

Mention that because you have to back up entire volumes to back up AD DS, it is a best practice to dedicate disk volumes to the critical volumes. For example, data should not be stored on the system volume, as this will increase the backup's size and increase the time it takes to restore the server.

Question: What other process could you use to back up the system state data on a domain controller?
Answer: You could do a full server backup.

Reference: Active Directory Domain Services Help: Help prepare for disaster recovery by performing routine backups of the Active Directory database; Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
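To turn the list of critical volumes above into a check for a specific domain controller, here is an added PowerShell example (not part of the course) that looks up where each critical component actually lives, reduces that to the set of distinct volumes the backup must include, and reports used space on each as a lower bound on the backup size. The registry value names (DSA Database file, Database log files path, SysVol) are assumed from the NTDS and Netlogon service parameters, and the script assumes a default installation where the boot files are on the system drive; it is read-only.

```powershell
# Added example, not part of the course: derive the critical volumes of this
# domain controller from where Windows keeps each critical component, so the
# backup selection can be checked against the slide's list and the backup size
# estimated. Registry value names are assumptions based on the NTDS and Netlogon
# service parameters; on a default install the boot files sit on the system drive.

function Get-CriticalVolumeMap {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nlog = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    $components = @(
        @{ Component = 'Boot files (system volume)';          Path = "$env:SystemDrive\" },
        @{ Component = 'Windows and Registry (boot volume)';  Path = $env:SystemRoot },
        @{ Component = 'SYSVOL tree';                         Path = $nlog.SysVol },
        @{ Component = 'AD DS database (Ntds.dit)';           Path = $ntds.'DSA Database file' },
        @{ Component = 'AD DS log files';                     Path = $ntds.'Database log files path' }
    )

    foreach ($c in $components) {
        New-Object PSObject -Property @{
            Component = $c.Component
            Path      = $c.Path
            Volume    = [System.IO.Path]::GetPathRoot($c.Path).TrimEnd('\')
        }
    }
}

$map = Get-CriticalVolumeMap
$map | Format-Table Component, Volume, Path -AutoSize

# The distinct volumes are what the backup must include to capture AD DS.
$critical = $map | ForEach-Object { $_.Volume } | Sort-Object -Unique
"Critical volumes to back up: $($critical -join ', ')"

# Used space on each critical volume is a lower bound on the backup size; data
# that does not belong on these volumes shows up here as avoidable bulk.
foreach ($vol in $critical) {
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$vol'"
    '{0} uses {1:N1} GB of {2:N1} GB' -f $vol, (($disk.Size - $disk.FreeSpace) / 1GB), ($disk.Size / 1GB)
}
```

If the database or its logs have been moved to a separate volume (the move db step in the earlier demonstration), that volume appears in the list automatically, which is exactly the case a hand-maintained backup selection tends to miss.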
13 Windows Backup Features
Windows Server Backup is a Windows Server 2008 feature used to back up and recover the operating system and data. With Windows Server Backup, you can:
• Recover the server without using third-party backup and recovery tools
• Perform manual or automatic backups
• Back up an entire server or selected volumes
• Recover items or entire volumes
• Use DVDs or CDs as backup media
Windows Server Backup does not support backing up individual files or directories, only entire volumes.

Mention that Windows Server Backup is not installed by default. You must install it by using Add Features in Server Manager before you can use the Wbadmin.exe command-line tool or Backup in Administrative Tools.

Windows Server 2008 supports the following backup types:
• Manual backup. A member of the Administrators group or the Backup Operators group can initiate a manual backup at any time. If the target volume is not included in the backup set, you can make manual backups on a remote network share or on a volume on a local hard drive.
• Scheduled backup. A member of the Administrators group can use Windows Server Backup or the Wbadmin.exe command-line tool to schedule backups. The scheduled backups must be made on a local, physical drive that does not host any critical volumes. Because scheduled backups reformat the target drive that hosts the backup files, you should have a dedicated backup volume.

Windows Server Backup supports DVDs or CDs as backup media. You cannot use magnetic tape cartridges or a dynamic volume as a backup target.

Reference: Windows Technical Library
14 Demonstration: Backing Up AD DS
In this demonstration, you will see how to back up AD DS.
To complete this demonstration, you must have the NYC-DC1 virtual machine running.

Demonstration steps
1. From the Start menu, select Admin Tools, and then select Backup.
2. In the Backup console, under the Actions pane, click Backup Schedule to create a scheduled backup.
3. Follow the wizard's prompts to specify the type (Full or Custom; by default the system volume is always backed up with scheduled backups), backup time (once per day or multiple times per day), and target disk, then view the summary and confirm.
4. The Backup Once option beneath the Actions pane offers manual backup capabilities. You can deselect the system volume from the Backup Items or specify that you want to be able to perform a system recovery using this backup. The location type screen shows that you can select local disks, DVD, or a remote shared folder (network backup). Select the location for the backup, view the summary, and proceed with the backup.

Questions
Why should backups be scheduled?
Answer: To help automate tasks as much as possible.
How often should a full backup be performed? How often should an incremental or differential backup be performed?
Answer: Answers will vary. It depends on how much work an organization can afford to lose, though this must be balanced against the practical limits of trying to back up too often. Many organizations perform a full backup once a week, with either incremental or differential backups daily.

Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
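The console demonstration has a command-line equivalent in Wbadmin.exe, which the previous slide mentions; the following added example (not the course's own demonstration) performs the same manual and scheduled critical-volume backups from PowerShell so they can be scripted and verified. The E: volume, the target disk identifier placeholder and the 21:00 schedule are assumptions, and the feature is installed with ServerManagerCmd.exe because Windows Server 2008 has no ServerManager PowerShell module.

```powershell
# Added example, not the course's demonstration: the same backups as the console
# demonstration, done with Wbadmin.exe so they can be scripted and verified.
# The E: volume, the target disk identifier and the schedule time are assumptions.
# Run elevated on the domain controller.

# Windows Server Backup is not installed by default. On Windows Server 2008 the
# feature is added with ServerManagerCmd.exe.
& ServerManagerCmd.exe -install Backup-Features

# Manual backup of all critical volumes to a dedicated local volume. -allCritical
# selects exactly the volumes listed on the previous slide without naming them,
# so a database moved to another volume is still included.
& wbadmin start backup "-backupTarget:E:" -allCritical -quiet

# Scheduled daily backup at 21:00. wbadmin reformats the target disk when the
# schedule is created, so it must be a dedicated physical disk that holds no
# critical volume. The identifier comes from 'wbadmin get disks'.
$targetDisk = '{DISK-IDENTIFIER-FROM-WBADMIN-GET-DISKS}'   # placeholder
& wbadmin enable backup "-addtarget:$targetDisk" "-schedule:21:00" -allCritical -quiet

# Verify that a backup version now exists and note its version identifier; the
# restore lesson needs it (wbadmin start systemstaterecovery -version:...).
& wbadmin get versions
```

Checking wbadmin get versions after the first run is the cheapest test of the plan: a schedule that was created but never produced a version is the failure mode that is only noticed when a restore is needed.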
15 Lesson 3: Restoring Active Directory Domain Services
• Overview of Restoring AD DS
• What Is a Nonauthoritative AD DS Restore?
• What Is an Authoritative AD DS Restore?
• What Is the Database Mounting Tool?
• Demonstration: Using the Database Mounting Tool
• Reanimating Tombstoned AD DS Objects
16 Overview of Restoring AD DS
Options for restoring Active Directory Domain Services include:
• Normal Restore
• Authoritative Restore
• Full Server Restore
• Alternate Location Restore

Discuss the following options for restoring AD DS:
Normal restore. Use this method to reinstate the Active Directory data to the state before the backup and then update the data through the normal replication process. Perform a normal restore only when you want to restore a single domain controller to a previously known good state.
Authoritative restore. Use this method in conjunction with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated throughout the domain. Perform an authoritative restore to restore individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup.
Full server restore. Use this method to restore a failed domain controller. Full server restore performs a bare metal restoration of the system and data volumes to a point in time prior to failure. A full server recovery recovers every server volume. Backup reformats and repartitions all disks that are attached to the server. Use this scenario if you want to recover onto new hardware or if all other attempts to recover the server on the existing hardware have failed.
Alternate location restore. Use this method to install new domain controllers. For more information about Alternate Location Restore, see 6429A: Configuring Windows Server 2008 Active Directory Domain Services, Module 1: Installing Active Directory® Domain Services.

Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
17 What Is a Nonauthoritative AD DS Restore?
A nonauthoritative or normal AD DS restore returns the directory service to its state at the time that the backup was created. AD DS replication then updates the domain controller with changes that have occurred since the backup was created.
Restart the domain controller in Directory Services Restore Mode to perform a nonauthoritative restore:
1. Press F8 when restarting the server and choose Directory Services Restore Mode, or type the command bcdedit /set safeboot dsrepair and restart the server
2. Provide the Directory Services Restore Mode password

Stress that the nonauthoritative restore does not restore deleted Active Directory information unless the domain controller is the only domain controller in the domain. When performing a nonauthoritative restore, AD DS replication replicates changes (including the deletion) to the domain controller when it reboots after the restore is complete.

To restart the domain controller in disaster-recovery mode, you can:
1. After the boot option menu appears, press F8, and then select the option for DSRM.
-or-
2. Open a command prompt, type the following command, and press ENTER:
   bcdedit /set safeboot dsrepair
   Then, type the following command and press ENTER:
   shutdown -t 0 -r
To restart the server normally after you perform the restore operation, type the following command and then press ENTER:
   bcdedit /deletevalue safeboot dsrepair

Administrative credentials
You can log on to the domain controller that you are restoring by using the DSRM password, either locally or remotely. You specify the DSRM password when you install AD DS.

Question: What would happen if you did not enter the second bcdedit command after restoring the AD DS database?
Answer: The domain controller would restart in DSRM again. You must remove this switch in order to boot into normal mode.

Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery
18 What Is an Authoritative AD DS Restore?
Authoritative restore provides a method to recover objects and containers that have been deleted from AD DS. Authoritative restore is a four-step process:
1. Start the domain controller in DSRM
2. Restore the desired backup, which is typically the most recent backup
3. Use Ntdsutil.exe to mark desired objects, containers, or partitions as authoritative
4. Restart the domain controller in normal mode to replicate the changes
To mark an object as authoritative, use a command like:
   restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"

To perform an authoritative restore of Active Directory objects, you must first perform a nonauthoritative restore. However, you must not restart the domain controller normally following the nonauthoritative restore procedure.

When an object is marked for authoritative restore, its version number is changed so that it is higher than the (deleted) object's existing version number in the Active Directory replication system. This change ensures that any data that you restore authoritatively is replicated from the restored domain controller to other domain controllers in the forest.

To mark a subtree or individual object authoritative:
1. In Directory Services Restore Mode, click Start, click Run, type ntdsutil, and then press ENTER.
2. At the ntdsutil: prompt, type authoritative restore, and then press ENTER.
3. To restore a subtree or individual object, type one of the following commands, as appropriate, and then press ENTER:
   To restore a subtree (for example, an organizational unit and all child objects): restore subtree DistinguishedName
   To restore a single object: restore object DistinguishedName
4. Click Yes in the message box to confirm the command.

For example, if you want to restore a deleted organizational unit named Marketing NorthAm in the corp.contoso.com domain, type:
   restore subtree "OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com"
(Always enclose the distinguished name in quotes when there is a space or other special characters within the distinguished name.)

Reference: Step-by-Step Guide for Windows Server 2008 Beta 3 Active Directory Domain Services Backup and Recovery; Performing an Authoritative Restore of Active Directory Objects
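The nonauthoritative restore on the previous slide and the authoritative restore on this one are two halves of one procedure. As an added example (not the course's own steps), the functions below wrap that procedure in PowerShell, with a check of the safeboot value before and after so the question above (forgetting the second bcdedit command) is caught rather than discovered at the next reboot. The backup version and distinguished name are placeholders, and ntdsutil reading its commands from standard input is an assumption; each function is meant to be run from an elevated prompt on the domain controller being restored, in the order shown.

```powershell
# Added example, not the course's own steps: nonauthoritative restore followed by
# an authoritative restore of one subtree, as functions, with the safeboot check
# the question above is about. Backup version and DN are placeholders.

function Get-SafeBootMode {
    # safeboot value of the current boot entry, or '' when it is not set.
    foreach ($line in (& bcdedit /enum '{current}')) {
        if ($line -match '^safeboot\s+(\S+)') { return $matches[1] }
    }
    return ''
}

function Enter-Dsrm {
    # Step 1: mark the next boot as DSRM (same effect as choosing it from F8) and restart.
    & bcdedit /set safeboot dsrepair
    & shutdown -r -t 0
}

function Restore-AdDsNonauthoritative {
    param([string]$BackupVersion)   # from 'wbadmin get versions', e.g. 02/28/2008-21:00
    if ((Get-SafeBootMode) -ne 'dsrepair') { throw 'Run this in Directory Services Restore Mode' }
    # Step 2: system state restore; brings back Ntds.dit, the logs and SYSVOL as they
    # were at backup time. After the reboot, replication would overwrite the restored
    # data again unless objects are marked authoritative first.
    & wbadmin start systemstaterecovery "-version:$BackupVersion" -quiet
}

function Restore-AdDsAuthoritative {
    param([string]$SubtreeDN)       # e.g. 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com'
    if ((Get-SafeBootMode) -ne 'dsrepair') { throw 'Run this in Directory Services Restore Mode' }
    # Step 3: raise the version numbers of the subtree so it wins replication. The DN
    # is always quoted for ntdsutil, as the slide advises; commands are fed on stdin
    # (assumed) to avoid nested-quote problems in PowerShell argument passing.
    $commands = @('authoritative restore', ('restore subtree "{0}"' -f $SubtreeDN), 'quit', 'quit')
    $commands | & ntdsutil
}

function Exit-Dsrm {
    # Step 4: clear the flag. Without this the DC boots into DSRM again, which is
    # the answer to the question above; refuse to restart while it is still set.
    & bcdedit /deletevalue safeboot
    if ((Get-SafeBootMode) -ne '') { throw 'safeboot is still set; not restarting' }
    & shutdown -r -t 0
}
```

Get-SafeBootMode is also a useful standalone check in an incident: a domain controller that keeps coming up in DSRM after a restore almost always has this value left behind.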
19 What Is the Database Mounting Tool?
The Database Mounting Tool can be used to:
• Create and view snapshots of data that is stored in AD DS
• Improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times
• Eliminate the need to restore multiple backups to compare the Active Directory data that they contain
• View, but not restore, deleted objects and containers

Describe a scenario where the Database Mounting Tool may be useful. For example, if a user account was deleted several weeks ago, but you are not sure which backup of Active Directory has the most recent information about it, you can view the snapshots of Active Directory to see when the account was last available in Active Directory. Then you can restore the backup of Active Directory from that date.

In another example, if a Group Policy object is modified accidentally, you can use the Database Mounting Tool to examine the changes and help you better decide how to correct them if necessary.

The Database Mounting Tool does not actually recover the deleted objects and containers. The administrator must perform data recovery as a subsequent step.

You can use a Lightweight Directory Access Protocol (LDAP) tool such as Ldp.exe, which is a tool that is built into Windows Server 2008, to view the data that the snapshots expose. This data is read-only, and by default, only members of the Domain Admins and Enterprise Admins groups are allowed to view the snapshots because they contain sensitive AD DS data.

To create a snapshot, you must be a member of the Enterprise Admins group or the Domain Admins group, or you must have been delegated the appropriate permissions.

Mention that, as a best practice, administrators should schedule a task that regularly runs Ntdsutil.exe to take snapshots of the volume that contains the AD DS or AD LDS database.

Reference: AD DS: Database Mounting Tool; Step-by-Step Guide for Using the Active Directory Database Mounting Tool in Windows Server 2008 Beta 3
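The slide describes the snapshot workflow at a high level; the following added example (not from the course) carries it through in PowerShell: take a snapshot with Ntdsutil.exe, mount it, serve its copy of ntds.dit read-only on an alternate LDAP port with Dsamain.exe, export one OU from the snapshot and from the live directory with Ldifde.exe, compare the two, clean up, and finally create the scheduled snapshot task the notes recommend. The GUID and mount-point parsing of ntdsutil's output, port 10389, the C:\Temp and C:\Scripts paths and the OU are assumptions; run it elevated as a Domain Admin on the domain controller.

```powershell
# Added example, not from the course: snapshot, mount, expose with dsamain,
# compare with ldifde, clean up, and schedule a daily snapshot. GUID/mount-point
# parsing, port 10389, paths and the OU are assumptions.

New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null

# 1. Create a snapshot and list what exists. Each snapshot set and the volume it
#    covers are listed with a GUID; the set GUID is the first of each pair.
& ntdsutil snapshot "activate instance ntds" create quit quit
$listing = & ntdsutil snapshot "list all" quit quit
$listing
$guids = $listing | Select-String -Pattern '\{[0-9a-fA-F-]{36}\}' -AllMatches |
         ForEach-Object { $_.Matches } | ForEach-Object { $_.Value }
$guid = $guids | Select-Object -Last 2 | Select-Object -First 1   # newest set (assumed order)

# 2. Mount it. ntdsutil reports the mount point, e.g. C:\$SNAP_200802282100_VOLUMEC$\.
$mountOut = & ntdsutil snapshot "mount $guid" quit quit
$mountOut
$mountMatch = $mountOut | Select-String -Pattern 'C:\\\$SNAP_[^\\\s]+\\' | Select-Object -First 1
if (-not $mountMatch) { throw 'Could not find the mount point in ntdsutil output' }
$mountPoint = $mountMatch.Matches[0].Value

# 3. Serve the snapshot copy of ntds.dit read-only on LDAP port 10389.
$ditPath = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath $ditPath -ldapport 10389" -PassThru
Start-Sleep -Seconds 10   # give dsamain time to open the database

# 4. Export the OU from the snapshot and from the live directory, then diff.
$dn = 'OU=Marketing,DC=EMEA,DC=WoodgroveBank,DC=com'
& ldifde -f C:\Temp\snapshot.ldf -s localhost -t 10389 -d $dn -p subtree
& ldifde -f C:\Temp\live.ldf -s localhost -t 389 -d $dn -p subtree
Compare-Object -ReferenceObject (Get-Content C:\Temp\snapshot.ldf) -DifferenceObject (Get-Content C:\Temp\live.ldf)

# 5. Stop dsamain and unmount the snapshot.
Stop-Process -Id $dsamain.Id
& ntdsutil snapshot "unmount $guid" quit quit

# Scheduled daily snapshot, as the notes recommend. A batch file avoids nested
# quoting in the schtasks /tr argument.
$script = 'C:\Scripts\AdSnapshot.cmd'
New-Item -ItemType Directory -Path (Split-Path $script) -Force | Out-Null
Set-Content -Path $script -Value 'ntdsutil snapshot "activate instance ntds" create quit quit'
& schtasks /create /tn "AD DS snapshot" /sc daily /st 02:00 /ru SYSTEM /tr $script
```

The Compare-Object output lists attributes that differ between the snapshot and the live directory, which answers the "what changed, and since when" question without restoring anything; the actual recovery is still a separate authoritative restore, as the slide says. Because the mounted snapshot contains the full directory, including password hashes, the mount point and the exported LDIF files deserve the same handling as a backup.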
Michael here again, and this time I would like to talk a little bit about Active Directory replication and Disaster Recovery sites.
Since the not so recent events (taking place on 9/11), many companies have started to invest time and money in designing and implementing Disaster Recovery solutions located at a different physical location, in order to give the organization the option to seamlessly (saying seamlessly after a disaster strikes is kind of a bad choice of words, but hey… don't shoot the messenger) fail over to that site and keep the business and the organization working.
One of the aspects which needs to be considered is the oh so important but often overlooked feature of client logon. In the first part of this post we will discuss how clients logging on to the network are affected by this.
In the second part of the post we'll review how to fail over clients when we have multiple sites with Domain Controllers and we want the client to fail over to the best site possible, and in the third part we'll see the effect it may have on Domain Controller replication in the organization, and how to properly configure and test the failover scenarios.
Client logon scenario:
In our sample organization we have a hub site and a DR site both of which contain Domain Controllers. In addition we have several branch sites which don't contain any DCs and rely on the Automatic Site Coverage feature to provide the closest DC for authentication to clients. (More information on the Automatic Site Coverage can be found here - http://technet.microsoft.com/en-us/library/cc978016.aspx)
In this scenario the required behavior (and please note I say the required behavior and not expected behavior – that will be explained later) is for clients to authenticate to the Domain Controllers in the DR site in case the Domain Controllers in the Hub site have failed (or the site link from a specific Branch to the Hub site has failed).
So, we have clients located at a branch site relying on the Automatic Site Coverage feature of the Domain Controllers in order to find the closest DC.
In reality this would look similar to this:
Child-DC01 (located in the HUB site) is performing Automatic Site Coverage for the Branch and Branch2 sites, while Child-DC02, which is located in the DR site, does not.
(Note: More information on the Automatic Site Coverage may be found here - http://technet.microsoft.com/en-us/library/cc978016.aspx)
Now comes the interesting part…
What happens when Child-DC01 fails?
So based on this http://support.microsoft.com/kb/314861 (and this http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx) the client would then fall back to the generic list of all Domain Controllers in the domain:
So in our "simple" scenario (and I say simple because there's more to it in a second) the client would fail over to that list and will successfully find a Domain Controller in the domain. Now since the only option left available is the DC in the DR site, Child-DC02, we're good!
Now, you remember (well, it's just in the line above, if you don't then you have more serious things to worry about than this post… ) me saying there's more??
So here's more:
How do I make a domain controller failover to that DR site if I have a 3rd DC in another site?
So in this scenario we would have a Branch site, just as with the previous example – getting Auto site covered by the DC in the HUB site, but we also have a second Branch site, called Branch2 which does contain a DC (child-dc03) and the DRP site which contains child-dc02:
So in this scenario we need to consider costs. Considering that BASL (Bridge All Site Links) is enabled, meaning all site links are transitive, the following is the list of costs from the perspective of the Branch site:
Branch –> Hub = 100
Branch –> DRP = 110. This is because the site links are transitive and we combine the cost of Branch –> Hub and Hub –> DRP (100 + 10).
Branch –> Branch2 = 200 (Branch –> Hub and Hub –> Branch2 = 100 + 100).
So obviously we would prefer to go where it's cheaper (which eventually translates to WAN link bandwidth, latency and other decisions affecting cost selection).
But, based on what we have experienced previously, the client would get all DCs from the DNS query, including child-dc03, to which we don't want the client to go.
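To make the cost arithmetic above reproducible for any topology, here is an added PowerShell example (not from the post) that computes the transitive cost from a client site to every site holding a domain controller and picks the cheapest surviving DC. The site link costs and the site each DC sits in are the values the post gives; the functions are mine and generalize the three hand-computed sums to a shortest-path search over the site links, which is what Bridge All Site Links implies.

```powershell
# Added example, not from the blog post: transitive (BASL) site costs from a
# client site to every site with a DC, and the cheapest surviving DC. Topology
# values are the ones given in the post.

$siteLinks = @(
    @{ Sites = 'Branch', 'Hub';  Cost = 100 },
    @{ Sites = 'Hub', 'DRP';     Cost = 10  },
    @{ Sites = 'Hub', 'Branch2'; Cost = 100 }
)
$dcSites = @{ 'child-dc01' = 'Hub'; 'child-dc02' = 'DRP'; 'child-dc03' = 'Branch2' }

function Get-SiteCosts {
    # Dijkstra over the site links: with BASL every path through intermediate
    # sites is allowed and the link costs add up.
    param([string]$From, [object[]]$Links)
    $dist = @{ $From = 0 }
    $done = @{}
    while ($true) {
        $current = $null
        foreach ($s in $dist.Keys) {
            if (-not $done[$s] -and ($current -eq $null -or $dist[$s] -lt $dist[$current])) { $current = $s }
        }
        if ($current -eq $null) { break }
        $done[$current] = $true
        foreach ($l in $Links) {
            if ($l.Sites -contains $current) {
                $other = @($l.Sites | Where-Object { $_ -ne $current })[0]
                $cand  = $dist[$current] + $l.Cost
                if (-not $dist.ContainsKey($other) -or $cand -lt $dist[$other]) { $dist[$other] = $cand }
            }
        }
    }
    $dist
}

function Get-PreferredDc {
    # Cheapest reachable DC from $ClientSite, ignoring the DCs listed in $Failed.
    param([string]$ClientSite, [string[]]$Failed = @())
    $costs = Get-SiteCosts -From $ClientSite -Links $siteLinks
    $dcSites.Keys |
        Where-Object { $Failed -notcontains $_ } |
        ForEach-Object { New-Object PSObject -Property @{ DC = $_; Site = $dcSites[$_]; Cost = $costs[$dcSites[$_]] } } |
        Sort-Object Cost |
        Select-Object -First 1
}

Get-SiteCosts -From 'Branch' -Links $siteLinks             # Hub 100, DRP 110, Branch2 200
Get-PreferredDc -ClientSite 'Branch'                        # child-dc01 in Hub
Get-PreferredDc -ClientSite 'Branch' -Failed 'child-dc01'   # child-dc02 in DRP (110)
```

This is the answer the cost table gives; the post's point, which the next paragraphs make, is that the DC locator's fallback to the generic DC list does not consult these costs at all, so the preferred answer has to be enforced another way.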
Looking at a netmon trace the DNS result would be similar to:
This is the default Netlogon DC locator behavior. If the DC in my client site (and DCs which Auto Site Cover are considered to be in my site) fails, then we fall back to querying the generic list of DCs for the domain (_ldap._tcp.dc._msdcs.domain.name).
So in order to resolve this situation we have the long ago mentioned solutions:
As explained in the Branch Offices Guide (http://technet.microsoft.com/en-us/library/cc749944.aspx) we can prevent the domain controllers at the branch site from registering the generic SRV records.
The recommended configuration in a branch office deployment is as follows:
On all branch office domain controllers, add all entries that do not have "AtSite" as part of the mnemonic to the value of the registry key, except the DsaCname.
On hub domain controllers, do not use the registry key. This allows the domain controller to register all records.
Creating the registry key on the branch DC (child-dc03) with the value of:
Would result in having only the Hub and DR DCs (child-dc01 and child-dc02) listed in the generic list of Domain Controllers for the domain:
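As an added example that is not part of the post, the following PowerShell script applies the Branch Office Guide setting described above on a branch domain controller and then checks the generic SRV record before and after, using the same query the client makes. The registry value is DnsAvoidRegisterRecords (REG_MULTI_SZ) under the Netlogon Parameters key, which the post refers to without naming; the mnemonic list is the DC locator mnemonics without the AtSite variants and without DsaCname, written from my understanding of the locator record list and to be checked against the guide before use. The domain name is a placeholder.

```powershell
# Added example, not from the blog post: stop a branch DC from registering the
# generic (non-site) locator records, restart Netlogon, and confirm with nslookup
# that the DC has left the generic list. Mnemonic names are assumed from the DC
# locator record list; verify against the Branch Office Guide.

$mnemonicsToSkip = @(
    'Ldap', 'LdapIpAddress', 'Pdc', 'Gc', 'GcIpAddress', 'GenericGc',
    'Kdc', 'Dc', 'DcByGuid',
    'Rfc1510Kdc', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)
$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-BranchDcSrvRegistration {
    # REG_MULTI_SZ value read by Netlogon; it re-registers its records on restart
    # and stops registering the listed ones.
    Set-ItemProperty -Path $netlogonParams -Name DnsAvoidRegisterRecords `
        -Value $mnemonicsToSkip -Type MultiString
    Restart-Service -Name Netlogon -Force
    # Force an immediate DNS registration refresh rather than waiting for the
    # periodic one. If the old generic record lingers, remove it in DNS by hand.
    & nltest /dsregdns | Out-Null
}

function Get-GenericDcList {
    param([string]$DomainDnsName)
    # Same query the client makes when the site-level lookup fails.
    $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainDnsName" 2>$null
    $out | ForEach-Object { if ($_ -match 'svr hostname\s*=\s*(\S+)') { $matches[1] } }
}

# Before the change all three DCs appear; afterwards only the hub and DR DCs
# (child-dc01 and child-dc02) remain, so a client whose hub DC fails has only
# the DR site left.
Get-GenericDcList -DomainDnsName 'child.contoso.local'   # placeholder domain name
Set-BranchDcSrvRegistration
Get-GenericDcList -DomainDnsName 'child.contoso.local'
```

Running Get-GenericDcList from a branch client after the change is the test that matters: it shows exactly the list the client will fall back to, which should now contain only the DCs you want clients to reach when their covering DC is gone.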
Which leaves the client with only one option if the Hub site DCs fail… the DR site DCs.
That's it for Part 1. In Part 2 we'll talk about failover scenarios for client sites which DO contain Domain Controllers, but those have failed.
Part 2 - http://blogs.technet.com/b/isrpfeplat/archive/2011/12/04/disaster-recovery-site-and-active-directory-part-2-of-3.aspx