The lack of a seamless cutover is within our SLA, but I agree that’s one of
the reasons it’s a bad idea. I certainly will bring this up as a point.
They may tell me that when AWS is ready to be an official DR solution, the
firewall can be set to allow the connections.



I would love to be able to tell you why the director wants nothing to talk
to AWS ever, outside of a real disaster, but I’m basically being told
“that’s just the way it is” by the people that report to him directly.



*From:* [email protected] [mailto:
[email protected]] *On Behalf Of *Kennedy, Jim
*Sent:* Tuesday, February 7, 2017 12:51 PM
*To:* [email protected]
*Subject:* RE: [NTSysADM] Blocking AD Client Traffic to a Certain Site



It seems like a bad idea because in the event of a disaster you won’t have
a seamless cut over. Gotta find the firewall guy and they are usually hard
to find in my experience, get the firewall modified…then notify lots of
people to reboot and retry…..



I would want to know more about why the director thinks a one in a million
cross site connection is so bad. Maybe I am missing something.



*From:* [email protected] [mailto:
[email protected]] *On Behalf Of *Charles F Sullivan
*Sent:* Tuesday, February 7, 2017 11:46 AM
*To:* [email protected]
*Subject:* [NTSysADM] Blocking AD Client Traffic to a Certain Site



I’d like to get some ideas and opinions regarding this, especially if
anyone has had a similar need…..



Our AD topology to this point has been as simple as can be. Since just
about everything on our extended network is connected at high speeds, we
have never had to have more than one AD site. We are about to put a couple
of DCs at AWS, which of course will require a second site to be defined.
This will still be pretty straightforward. Everything but AWS will be on
the one existing site and a second site will be added for the one subnet at
AWS.



I know that even with the two sites defined, some clients may at times use
the remote site. This is what I have seen in testing, for whatever reason,
but I don’t consider it to be a real problem because I assume it would not
happen often. The problem is that our director wants absolutely no
cross-site traffic except in the case of a disaster.



It is being proposed that the firewall between the sites allow only AD
traffic between the DCs themselves. AD clients would be stopped at the
firewall. I’m not comfortable with that as a solution because I’m concerned
that when clients do try to use DCs at the remote site, it will cause
slowness if not failure. Does this seem like a bad idea for that or any
other reason?



I was thinking that maybe I could use weight and priority within SRV
records so that the DCs at AWS would be weight=0 and priority=65535. If I
did that, would the clients at AWS honor the site rules over the SRV
records weight and priority? I’m guessing that would be unpredictable, thus
also not a good solution.



Thanks in advance for any help.





Charlie Sullivan

Sr. Windows Systems Administrator
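An added diagnostic (not from the thread or its authors) for checking a proposed firewall rule against the DC locator records clients actually resolve: it lists the site-specific SRV records each site's clients query first, then the domain-wide set they fall back to, with the weight and priority of every advertised DC. It assumes a domain-joined Windows host with the DnsClient module; the domain and site names are placeholders.

```powershell
# Added example, not code from the original thread.
# Assumptions: domain-joined Windows host, DnsClient module available,
# $Domain and $Sites replaced with the real AD domain and site names.
param(
    [string]$Domain = 'corp.example',                        # placeholder domain
    [string[]]$Sites = @('Default-First-Site-Name', 'AWS')   # placeholder site names
)

function Get-LocatorSrvRecords {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object {
                [pscustomobject]@{
                    Query    = $Name
                    Target   = $_.NameTarget
                    Port     = $_.Port
                    Priority = $_.Priority
                    Weight   = $_.Weight
                }
            }
    } catch {
        Write-Warning "No SRV records for $Name ($($_.Exception.Message))"
    }
}

# Site-specific records: what a client that knows its own site asks for first.
$queries = @($Sites | ForEach-Object { "_ldap._tcp.$($_)._sites.dc._msdcs.$($Domain)" })
# Domain-wide records: the fallback set any client can receive when the
# site-specific answer has no usable DC.
$queries += "_ldap._tcp.dc._msdcs.$($Domain)"

$results = $queries | ForEach-Object { Get-LocatorSrvRecords $_ }

# Lowest Priority is preferred; Weight spreads load within one priority.
$results |
    Sort-Object Query, Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table Query, Target, Port, Priority, Weight -AutoSize

# A DC published with Weight=0 / Priority=65535 still appears in these answers:
# it is deprioritised, not removed, so it stays a candidate whenever the
# higher-priority DCs cannot be reached.
```

Any DC target that appears in a site's answer set, or in the domain-wide set, is one that clients in that site can attempt to contact, so a firewall rule that drops those client connections should be reviewed against this list rather than against the site definition alone.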