Active Directory "lazy domain controller", backup, DRS etc
- From: "David Chadwick" <david@xxxxxxxxxxxxxxx>
- Date: Fri, 21 Jul 2006 17:32:37 +1000
Hi,
My company has a "lazy domain controller" setup and there has recently been
some lively debate about it. I don't have a strong opinion myself but
instead have attempted to search Microsoft documentation on the subject and
see if I can find a best practice. I haven't been able to find much.
We have a domain controller in its own AD site. This site has no subnets
assigned to it, and therefore no client should use this DC directly. The
replication schedule for the site link between this site and our main site
is set so that it only happens for two hours on a Saturday night.
This is all fine and pretty normal I think. It seems to work.
Our AD enterprise architect believes that this DC should have one-way
replication FROM our DCs, but the connection object that replicates the lazy
DC's changes BACK to our normal DCs should be deleted. He also wants to run
"repadmin /options -DISABLE_OUTBOUND_REPL" on that DC so that the KCC
doesn't recreate an outbound connection object for it.
I have searched for references to other people doing this on the internet
and can't find anything. I can find a few things on creating lazy domain
controllers, but none of them mention disabling outbound replication. They
refer to having a delayed replication schedule, but not a one-way
replication path only.
I am asking this question to find out what other people do. Is it "ok" or
valid to disable outbound replication on a domain controller? The only
references I can find for doing this are in situations where you disable
outbound replication on the schema master before making a schema update in
case something goes wrong. Once the update has succeeded outbound
replication is enabled again. I can't find any references to disabling
outbound replication on a DC permanently. This would essentially "hack" it
into being a read-only DC (but not really, as the DC would still accept
changes if they were done on it directly, it just wouldn't be able to
replicate these changes back).
Is it valid to do this? Supported? Ok? What would happen if something did
get updated on that DC (for example, an administrator could connect to this
DC directly from AD Users and Computers and make changes accidentally)?
These would never be replicated back, but I suspect they would sit there
waiting to be replicated forever? If we then ever had a disaster situation
where we did use the lazy DC (to restore an accidentally deleted OU, for
example), then I suspect all these "queued" changes would come back at that
time. These queued changes which could be years old may be more damaging
than the accidentally deleted OU in the first place.
I worry that the act of permanently disabling outbound replication from the
lazy DC may invalidate it as a DC that we can use in an emergency anyway.
Am I right to be concerned?
Any thoughts and ideas would be greatly appreciated!
Regards,
David
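An audit for the setup discussed in this post, added here as an example (it is not code from the thread or from Microsoft): it reads the same DSA option bits that `repadmin /options` toggles from every DC's NTDS Settings object and flags any connection object whose source DC has outbound replication disabled. It assumes the ActiveDirectory PowerShell module and read access to the Configuration partition.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (Windows Server 2008 R2 RSAT or later) and rights to read the
# Configuration naming context.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# Bit values of the nTDSDSA 'options' attribute; these are the flags that
# 'repadmin /options <DC> +FLAG' / '-FLAG' sets and clears.
$IS_GC                 = 1
$DISABLE_INBOUND_REPL  = 2
$DISABLE_OUTBOUND_REPL = 4

# Collect every DC's NTDS Settings object, keyed by its DN.
$dsa = @{}
Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=nTDSDSA)' -Properties options |
    ForEach-Object { $dsa[$_.DistinguishedName] = $_ }

# Report the replication state of each DC. A DC with OutboundDisabled = True
# will accept direct writes but never ship them to any partner.
foreach ($d in $dsa.Values) {
    $opt = [int]($d.options)   # $null (no flags) becomes 0
    [pscustomobject]@{
        # DN is CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<site>,...
        Server           = ($d.DistinguishedName -split ',')[1] -replace '^CN='
        IsGC             = [bool]($opt -band $IS_GC)
        InboundDisabled  = [bool]($opt -band $DISABLE_INBOUND_REPL)
        OutboundDisabled = [bool]($opt -band $DISABLE_OUTBOUND_REPL)
    }
}

# Connection objects live under the DESTINATION DC's NTDS Settings and name
# the source in fromServer. A connection whose source has outbound
# replication disabled can never succeed, which is exactly the object the
# post's architect wants deleted; if the KCC keeps recreating it, the
# DISABLE_OUTBOUND_REPL flag above is what it will be reacting to.
Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
    ForEach-Object {
        $src = $dsa[$_.fromServer]
        if (-not $src) { return }               # dangling fromServer, skip
        if ([int]($src.options) -band $DISABLE_OUTBOUND_REPL) {
            # DN is CN=<conn>,CN=NTDS Settings,CN=<DC>,CN=Servers,...
            $dest = ($_.DistinguishedName -split ',')[2] -replace '^CN='
            Write-Warning "$dest pulls from $($_.fromServer), whose outbound replication is disabled"
        }
    }
```

Run it from a normal DC rather than the lazy one, so the configuration data you read has not itself been held back by the weekend-only schedule.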