Hey techies.
Let me describe our scenario, and see if my fears are solid.
Toyota Canada connects to Toyota North America, which is in the States, and is the root of our forest. We connect via a T1, purely for AD replication.
We've opted to add a hot DR site about an hour from our HO, and though I'm the network engineer, I also hold an MCSE 2000, so I'm not unfamiliar with the AD side of the equation. The DR site has been added to our MPLS network for connectivity and replication.
We've added a DC at DR, and via MPLS, it plays nice with our DCs at HO. We also have a backup T1 at DR to allow the DR-DC to connect to the root in the event of a true disaster at HO.
We are largely a virtual shop, and the plan is to take snapshots of our web/app servers at HO and recreate our environment at DR, in a perfect mirror fashion... same subnets and VLANs as at HO. Currently, an ASA prevents the two identical subnets from seeing each other.
So, here's the deal. In the event of a real disaster, HO disappears, the T1 to the root is brought up, we steal the FSMO roles for the DR-DC, and we start bringing up servers. Done.
We need to test this in a couple of weeks, and here's the uncertainty. Let's assume I unplug the MPLS, so DR and HO cannot see each other. I bring up the T1, and the DR-DC can now authenticate itself to the root.
WHAT'S THE ROOT'S RESPONSE TO SEEING OUR CHILD DOMAIN POLLING FROM TWO DIFFERENT PATHS?
I can't find documentation on this anywhere. Will the root allow multiple paths to a child domain to exist? Will the root authenticate a member DC that doesn't hold any roles? Do I run the risk of alienating our three DCs at HO by using the DR-DC to authenticate servers/users at DR?
One more concern... let's assume the root can tolerate the DR-DC polling from a different path. The next step is to restore servers that are exact duplicates of servers at HO... I mean, same name and same IP. The DR-DC should have no issue with this, as it will have had the computer accounts replicated to it. However, back to the root. Let's say our server subnet is in vlan 200 (10.10.200.0). That means that from the root's perspective, vlan 200 has become discontiguous, and worse, the same server accounts are appearing again from another path.
Am I overreacting? Is AD smart enough to allow the above? Might the root trust our child domain to do all of this without breaking authentication to our DCs? I would sure appreciate any links that might support any theories.
Mike
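As an added example (not part of Mike's post), here are the checks I would script before and after a DR test like the one described above, using the RSAT ActiveDirectory module: record the FSMO holders, watch the DR DC's replication partners once the MPLS is pulled, and confirm which site the duplicated server subnet is mapped to. The DC name and site name are placeholders; the 10.10.200.0/24 subnet is taken from the post.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module is installed; $DrDc and $DrSite are hypothetical names to replace.
Import-Module ActiveDirectory

$DrDc       = 'DR-DC01.child.example.com'   # hypothetical DR domain controller
$DrSite     = 'DR-Site'                     # hypothetical AD site for the DR location
$ServerCidr = '10.10.200.0/24'              # the VLAN 200 server subnet from the post

# 1. FSMO role holders right now. Capture this before the test so you can
#    confirm afterwards that the seizure landed on the DR-DC as intended.
$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

# 2. Inbound replication partners of the DR DC with their last successful sync.
#    After the MPLS is unplugged, only partners reachable over the backup T1
#    should keep succeeding; HO partners will show rising failure counts.
Get-ADReplicationPartnerMetadata -Target $DrDc -PartnerType Inbound |
    Select-Object Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# 3. Subnet-to-site mapping. A subnet object belongs to exactly one site, so the
#    mirrored 10.10.200.0/24 steers DC Locator to whichever site it is assigned
#    to. Warn if it is missing or still points at the HO site during the test.
$subnet = Get-ADReplicationSubnet -Filter "Name -eq '$ServerCidr'" -ErrorAction SilentlyContinue
if (-not $subnet) {
    Write-Warning "Subnet $ServerCidr is not defined in Sites and Services; clients there will pick any DC."
} elseif ($subnet.Site -notlike "CN=$DrSite,*") {
    Write-Warning "Subnet $ServerCidr maps to '$($subnet.Site)', not $DrSite; DR clients will locate HO DCs first."
}
```

Run it from a management host that can reach the DR DC; the warnings in step 3 are the concrete form of the "discontiguous VLAN 200" worry in the post, since AD keys DC location on the subnet-to-site map rather than on the physical path the traffic took.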