Active Directory recovery using a secondary offsite DC


The basics of this require that we set up a second computer to take offsite. This system would have AD loaded, GC set, DNS, and everything else needed to run AD separately from the network. Here’s the catch, though: we can’t have it running offsite and keep it current at the same time. In a disaster it would work great to be up and running, but it wouldn’t stay current.

So what do we do? We use a cheap PC, do all the DC setup on it, and make sure it’s syncing properly and working on the network (with the GC, DNS, WINS and so on). IT SHOULD NOT have any FSMO roles. It’s purely a secondary.

BEFORE running dcpromo on that system, make an image, and make sure we can recover it quickly. Save that image of the server in “stand-alone server” install mode (not a DC or even a member server yet), because this is what we’ll use to run this process over and over quickly.

AFTER we run dcpromo and set up all the DC stuff, make another image. We’ll use this to drop back onto the system for offsite recovery of AD.

Here are the steps to set it up (in general).

  1. Set up a stand-alone server, not a member of the domain (include all needed SPs and patches).
  2. Make an image (PRELOAD image, save this!).
  3. Run dcpromo, set up everything AD needs, and make sure NTFRS and replication work perfectly.
  4. Make an image (OFFSITE-DC image, save this!).
  5. Demote the server to a member server again and then remove it from the domain (this removes it from AD as a DC, so AD stays clean with no NTFRS errors).
  6. Restore the OFFSITE-DC image onto the system again, BUT DO NOT CONNECT IT TO THE NETWORK.
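Step 3 says to make sure NTFRS and replication work perfectly before the OFFSITE-DC image is taken, and the post insists the secondary must hold no FSMO roles. The following PowerShell script is an added example, not code from the original post; it runs on the secondary DC itself just before step 4 and refuses to bless the box for imaging if any of those conditions fail. It assumes the Windows Support Tools (dcdiag, repadmin, netdom) are installed and only reads from AD; it changes nothing.

```powershell
# Added example (not from the original post): pre-image health check for the
# secondary DC. Run it on that DC just before taking the OFFSITE-DC image
# (step 4) so the image only ever captures a DC that replicates cleanly and
# holds no FSMO roles. Assumes the Windows Support Tools (dcdiag, repadmin,
# netdom) are installed; nothing here changes AD, it only reads.

$dc        = $env:COMPUTERNAME
$problems  = @()
$dcPattern = '\s' + [regex]::Escape($dc) + '(\.|\s|$)'   # matches "dc" or "dc.domain"

# 1. FSMO roles. "netdom query fsmo" prints one line per role holder, e.g.
#    "PDC role                    dc1.example.com". Any line naming this
#    server means it owns a role, which the offsite copy must never do.
$roleLines = netdom query fsmo 2>&1 | Where-Object { "$_" -match $dcPattern }
if ($roleLines) {
    $problems += "This DC holds FSMO role(s):`n" + ($roleLines -join "`n")
}

# 2. dcdiag. Replications covers inbound replication, FrsSysVol checks the
#    NTFRS-replicated SYSVOL (this is the Windows 2000/2003 test name; newer
#    dcdiag calls it FrsEvent), NetLogons checks the SYSVOL/NETLOGON shares,
#    Advertising checks the DC is advertising itself (including as a GC).
$diag = dcdiag "/s:$dc" /test:Replications /test:FrsSysVol /test:NetLogons /test:Advertising 2>&1
$failedTests = $diag | Where-Object { "$_" -match 'failed test' }
if ($failedTests) {
    $problems += "dcdiag failures:`n" + ($failedTests -join "`n")
}

# 3. repadmin. /showrepl lists every inbound partner; a partner whose last
#    attempt failed prints "Last attempt @ <time> failed, result <code>".
$repl = repadmin /showrepl $dc 2>&1
$failedPartners = $repl | Where-Object { "$_" -match 'Last attempt .* failed' }
if ($failedPartners) {
    $problems += "Replication failures:`n" + ($failedPartners -join "`n")
}

# Report. A non-zero exit code lets a scripted imaging job stop on a bad DC.
if ($problems.Count -gt 0) {
    Write-Host "DO NOT IMAGE $dc yet:"
    $problems | ForEach-Object { Write-Host $_; Write-Host "" }
    exit 1
}
Write-Host "$dc holds no FSMO roles and replicates cleanly. OK to take the OFFSITE-DC image."
exit 0
```

Run it once replication has had time to settle after dcpromo; a brand-new DC will show transient failures for its first few minutes. One thing the post does not spell out about the OFFSITE-DC image: it contains the full AD database (ntds.dit), i.e. every account’s password hash, so the image files deserve the same protection as the DC itself (encrypted media, locked storage, a short list of people who can restore it).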

Here are the steps to run regularly to keep it up to date.

  1. Take that offsite PC and re-image it with the PRELOAD image.
  2. Join it to the domain and do the DC setup.
  3. Make your OFFSITE-DC image again.
  4. Demote the server and remove it from the domain.
  5. Load the OFFSITE-DC image again, BUT DO NOT CONNECT IT TO THE NETWORK.
  6. Take it offsite and seize the FSMO roles. You now have a DC ready to run in an emergency.
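Step 6 seizes the FSMO roles onto the offsite DC. The script below is an added example, not the post’s own procedure: it does the seize with ntdsutil, but only after checking that none of the production role holders can be reached, so it cannot be run by mistake on a machine that is still cabled to the live network. It runs on the offsite DC itself and assumes the Support Tools (netdom, ntdsutil) and PowerShell 2.0 or later (for Test-Connection).

```powershell
# Added example (not from the original post): seizes the five FSMO roles onto
# the isolated offsite DC (step 6 of the regular process). Before touching
# anything it confirms that none of the production role holders answers, so
# the script refuses to run on a box still connected to the live network.
# Run it on the offsite DC itself; assumes the Support Tools (netdom,
# ntdsutil) and PowerShell 2.0 or later.

$offsiteDc = $env:COMPUTERNAME

# Collect the current role holders from "netdom query fsmo". The offsite DC
# still believes the production DCs hold the roles, because its AD copy was
# imaged while they did.
$roleRegex = '^(Schema owner|Domain role owner|PDC role|RID pool manager|Infrastructure owner)\s+(\S+)'
$holders = @()
foreach ($line in (netdom query fsmo 2>&1)) {
    if ("$line" -match $roleRegex) { $holders += $Matches[2] }
}
$holders = $holders | Sort-Object -Unique

# Safety guard: a holder that answers a ping means we are on the production
# network, and seizing here would leave two holders for every role.
$reachable = $holders | Where-Object {
    (($_ -split '\.')[0] -ne $offsiteDc) -and
    (Test-Connection -ComputerName $_ -Count 1 -Quiet -ErrorAction SilentlyContinue)
}
if ($reachable) {
    throw "Production role holder(s) reachable: $($reachable -join ', '). Refusing to seize; disconnect from the network first."
}

# Seize. ntdsutil first tries a graceful transfer and falls back to a seize
# when the current holder cannot be reached (the case here). Each seize pops
# up a confirmation dialog that has to be acknowledged.
ntdsutil "roles" "connections" "connect to server $offsiteDc" "quit" `
    "seize schema master" "seize domain naming master" "seize pdc" `
    "seize rid master" "seize infrastructure master" "quit" "quit"

# Verify every role now names this DC.
$pattern   = '\s' + [regex]::Escape($offsiteDc) + '(\.|\s|$)'
$after     = netdom query fsmo 2>&1 | Where-Object { "$_" -match $roleRegex }
$elsewhere = $after | Where-Object { "$_" -notmatch $pattern }
if ($elsewhere) {
    Write-Warning ("Roles still held elsewhere:`n" + ($elsewhere -join "`n"))
    exit 1
}
Write-Host "All five FSMO roles are now held by $offsiteDc. Keep this machine off the production network for good."
```

Once the roles have been seized, this DC’s copy of AD has diverged from the original forest; it is now the forest, and it must never be plugged back into the production network alongside the old DCs. Point its DNS client at itself before running the script so the local DC can be found.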

This process might take a day with all the imaging, but if you keep the drive loaded with ONLY the DC, it should be pretty quick. And consider that you won’t sit and watch it; you really should only spend 2 or 3 hours running the process. Also consider that if you run this every month, or even every couple of weeks, you’d get really fast at it. And that is what we want in a disaster recovery situation: fast recovery!

Why do all this? Couldn’t we just do an NTBackup recovery? Well, first of all, the last I saw in a Microsoft KB article, recovering a DC to alternative hardware was not supported. So there’s one obstacle. Though they do provide a good “how to” KB article, they say it’s not supported. (Now I need to find that article again.) Second of all, I tried all of the Microsoft suggestions, and I was never able to recover my DC, whether it was the PDC or a backup, to alternative hardware. Of course, I was using Windows 2000 and recovering to hardware 5 years newer; maybe that had something to do with it. But you know what, I have a lot of clients that would be in that boat. I’ll have more to say on this later.