USN rollback is a real issue. Both Brian and I can verify that for you, he even more authoritatively than I – he wrote The Book on AD.
Why don’t you just stand up another DC in the remote site? You are going through a hassle that isn’t necessary.

From: [email protected] [mailto:[email protected]] On Behalf Of Charles F Sullivan
Sent: Friday, February 5, 2016 3:00 PM
To: [email protected]
Subject: RE: [NTSysADM] Replicating AD VMs

I’ve tested recovering AD for DR many times. For testing I have a clone of one DC in the other site, in a closed-off subnet. On it I have to seize roles, get DNS cleaned up, clean up metadata, etc. I have it scripted and it takes about 45 minutes, which isn’t bad, but I’m afraid of what that one DC handling everything would be like until I can stand up additional DCs. I also know from experience that I have to perform an authoritative synchronization of SYSVOL after adding other DCs, which takes even more time, besides the (relatively small) amount of time it takes to stand up the additional DCs.

It seems to me that my proposed plan can’t be more dangerous than this, but again if someone has something concrete to show that it’s a bad idea I want to hear it, especially if someone has experienced it. Thanks.

From: [email protected] [mailto:[email protected]] On Behalf Of Brian Desmond
Sent: Friday, February 5, 2016 2:19 PM
To: [email protected]
Subject: RE: [NTSysADM] Replicating AD VMs

Essentially you’re circumventing AD’s replication engine with something that isn’t going to enforce consistency, which has the potential to turn out very poorly. Newer (Windows Server 2012++) DCs, on uplevel versions of VMware, should realize they come up on a new host and handle many (but not all) possible scenarios where this could break AD replication. My suggestion is not to replicate any of your DCs with VMware and just stand up additional VMs in the remote site.
Thanks,
Brian Desmond
w – 312.625.1438 | c – 312.731.3132

From: [email protected] [mailto:[email protected]] On Behalf Of Charles F Sullivan
Sent: Friday, February 5, 2016 12:42 PM
To: [email protected]
Subject: [NTSysADM] Replicating AD VMs

Is there any reason I should be afraid to use VMware replication to make copies of our DCs in the event of a data center-wide disaster? We have 5 DCs, all VMs, in a Windows 2012 R2 Forest/Domain functional AD. We have one forest, one domain. One of these DCs is running at a backup site about a mile away. I would like to use VMware Replication to keep copies of the other four DCs at the same location. The replication would be set with an RPO of 15 minutes.

In a disaster scenario for our data center, the DC at the other site would be the only one standing, but I would bring up the replicated DCs, one at a time, starting with the PDCe. The only other thing I would need would be to confirm that the IP configuration holds or set it correctly if needed. Everything else is taken care of, such as physical network, DNS, etc. We already know we can recover services such as this at the other site because we have tested it. Also, VMware replication would not be used as a replacement for backups, and we have other AD DR plans which have been tested using conventional backups.

I simply want to know, from an AD perspective, if this is a bad idea. The platform is irrelevant. We could just as well be using Hyper-V, but I will also check on the VMware Forums in case there’s something I should know related to VMware’s solution. Thanks in advance for any feedback.
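The following is an added example, not code from the thread and not Charles's own DR script. It sketches, in PowerShell run as a Domain Admin on the surviving DC, the two things the thread turns on: first, the check a practitioner would run on a replicated DC copy after booting it, to see whether it came up in USN rollback (the "DSA Not Writable" quarantine value, Directory Service events 2095 and 2103) and whether the Windows Server 2012 VM-Generation ID safeguard Brian mentions was present and fired (msDS-GenerationId on the DC's computer object, event 2170); second, the recovery steps Charles lists for his tested clone-based DR: seize the FSMO roles, clean up the dead DCs' metadata and DNS NS records, and run an authoritative DFSR SYSVOL synchronization once other DCs are back. The DC names (DC5 surviving, DC1 dead), domain contoso.com and site name "Primary" are hypothetical; the msDS-GenerationId lookup assumes the attribute is readable on the DC itself, which is an assumption, and the thread does not establish whether a VMware replication failover changes the generation ID at all, so the check only reports what the DC recorded.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example (not from the thread). Hypothetical names: DC5 = surviving DC, DC1 = dead DC,
# domain contoso.com, site "Primary". Run on the surviving DC as a Domain Admin.

# 1. Post-boot check for a replicated/restored DC copy: USN rollback and VM-Generation ID status.
function Test-DcRollbackState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # 'DSA Not Writable' = 4 is set when the DC detects USN rollback and quarantines itself.
    $notWritable = (Get-ItemProperty -Path $ntds -Name 'DSA Not Writable' -ErrorAction SilentlyContinue).'DSA Not Writable'
    # 2095 = USN rollback detected, 2103 = unsupported restore, 2170 = VM-Generation ID change handled.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 2170 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue
    # msDS-GenerationId is present only when the hypervisor exposes a VM-Generation ID (assumption: readable here).
    $genId = (Get-ADComputer -Identity $ComputerName -Server $ComputerName -Properties 'msDS-GenerationId').'msDS-GenerationId'
    [pscustomobject]@{
        Computer        = $ComputerName
        DsaNotWritable  = $notWritable
        UsnRollback     = ($notWritable -eq 4) -or ($events.Id -contains 2095) -or ($events.Id -contains 2103)
        GenIdChangeSeen = ($events.Id -contains 2170)
        HasGenerationId = [bool]$genId
    }
}

# 2. Seize all five FSMO roles onto the surviving DC (-Force seizes when the current holder is unreachable).
function Invoke-FsmoSeizure {
    param([Parameter(Mandatory)][string]$Target)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -Force -Confirm:$false `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
}

# 3. Metadata cleanup for a dead DC plus removal of its NS records from the domain and _msdcs zones.
function Remove-DeadDcMetadata {
    param([Parameter(Mandatory)][string]$DeadDc, [Parameter(Mandatory)][string]$Site, [Parameter(Mandatory)][string]$Zone)
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$configNc"
    # Documented one-liner form of ntdsutil metadata cleanup.
    & ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit
    foreach ($z in @($Zone, "_msdcs.$Zone")) {
        Get-DnsServerResourceRecord -ZoneName $z -RRType NS -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.NameServer -like "$DeadDc.*" } |
            Remove-DnsServerResourceRecord -ZoneName $z -Force
    }
}

# Poll the DFS Replication log for an event ID logged after the call (used by step 4).
function Wait-DfsrEvent {
    param([Parameter(Mandatory)][int]$Id, [int]$TimeoutSec = 600)
    $start = Get-Date
    do {
        $e = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $start } `
            -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($e) { return $e }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $start.AddSeconds($TimeoutSec))
    throw "Timed out waiting for DFS Replication event $Id"
}

# 4. Authoritative DFSR SYSVOL sync: the named DC's SYSVOL wins, every other DC re-seeds from it.
#    Attribute steps follow the documented D4/D2 procedure on the msDFSR-Subscription objects; order matters.
function Start-AuthoritativeSysvolRestore {
    param([Parameter(Mandatory)][string]$Authoritative)
    $domainDn = (Get-ADDomain).DistinguishedName
    $subs = Get-ADObject -LDAPFilter '(objectClass=msDFSR-Subscription)' -SearchBase "OU=Domain Controllers,$domainDn" `
        -Properties 'msDFSR-Enabled', 'msDFSR-Options'
    $auth   = $subs | Where-Object { $_.DistinguishedName -like "*,CN=$Authoritative,OU=Domain Controllers,*" }
    $others = $subs | Where-Object { $_.DistinguishedName -ne $auth.DistinguishedName }
    # Stop replication everywhere and mark the authoritative member (msDFSR-Options = 1).
    Set-ADObject -Identity $auth -Replace @{ 'msDFSR-Enabled' = $false; 'msDFSR-Options' = 1 }
    $others | ForEach-Object { Set-ADObject -Identity $_ -Replace @{ 'msDFSR-Enabled' = $false } }
    & repadmin.exe /syncall /AdP
    & dfsrdiag.exe pollad
    Wait-DfsrEvent -Id 4114 | Out-Null      # replication stopped on the authoritative DC
    Set-ADObject -Identity $auth -Replace @{ 'msDFSR-Enabled' = $true }
    & repadmin.exe /syncall /AdP
    & dfsrdiag.exe pollad
    Wait-DfsrEvent -Id 4602 | Out-Null      # authoritative member initialized SYSVOL
    $others | ForEach-Object { Set-ADObject -Identity $_ -Replace @{ 'msDFSR-Enabled' = $true } }
    & repadmin.exe /syncall /AdP
    # Each remaining DC must now run 'dfsrdiag pollad' and log 4614 then 4604 before it shares SYSVOL again.
}

# Usage sketch (hypothetical names):
# Test-DcRollbackState                       # run on each replicated copy as it is brought up
# Invoke-FsmoSeizure -Target 'DC5'
# Remove-DeadDcMetadata -DeadDc 'DC1' -Site 'Primary' -Zone 'contoso.com'
# Start-AuthoritativeSysvolRestore -Authoritative 'DC5'   # after the additional DCs are promoted
```

The rollback check comes first on purpose: if a replicated copy reports DsaNotWritable = 4 or a 2095/2103 event, it has already quarantined itself and the documented path is to demote and rebuild it rather than seize roles onto it. The metadata cleanup and SYSVOL steps correspond to the roughly 45-minute scripted procedure and the "authoritative synchronization of SYSVOL" Charles describes for his clone-based test; they assume a DFSR-replicated SYSVOL, which is the default for a 2012 R2 functional level domain.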
