Article number
000004307
Affected Versions
All
Source Hypervisor
All
Target Hypervisor
All

Best practices for Active Directory Domain Controller availability


Summary

In some topologies there is no domain available on the isolated DR network to authenticate the replicated VMs after they boot.
If the protected VM's OS has no additional local administrator account, it may be necessary to have an AD DC connected at the DR site for these VMs to authenticate to AD; otherwise it is not possible to log in to the VMs after a Test Failover or Live Failover.

Steps

From a Zerto replication perspective, a Domain Controller machine can be replicated like any other machine. However, failing over a Domain Controller is not a common action, and we have seen past cases where there were issues with replicated Domain Controllers
(not Zerto-related issues, but Microsoft issues that derive from cloning a Domain Controller machine).

The SID (Security Identifier) is retained when performing a failover, which can cause issues or even conflict with the source AD.
Please note that Zerto can protect a Microsoft Active Directory machine; however, Microsoft does not recommend replicating or restoring an AD domain controller, as described in the following Microsoft article:
http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv

Things to consider when failing over an Active Directory Domain Controller, and why Zerto does not recommend failing over Domain Controllers:
- An AD DC that has been created after a failover task would still need a PDC to validate against for the domain controller safe-restore process to complete successfully.
- If a DR event occurs and the primary site is unavailable, the PDC will not be available.
- AD DCs can take some time to boot up and become available.
- If VMs created at the recovery site need to authenticate against an AD DC and are waiting for a DC to become available, this wait will drive up your Recovery Time Objective (RTO).

To overcome the above environmental limitations:
Usually, sites will have a Domain Controller at their recovery site, and if directories need to be shared between sites, a trust can be set up.
Customers can create a Forest Trust between the domains, or make a dedicated domain available on the DR recovery site.
For more information, see the following link:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770907(v=ws.11)
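The following PowerShell readiness check is an added example, not part of this Zerto article or any Zerto tooling. It is meant to be run from an elevated prompt inside a domain-joined VM on the isolated DR / test-failover network, before relying on AD logons, and it walks the dependencies the points above describe: the DC locator (DNS SRV records), a reachable writable DC, the PDC emulator role holder, the VM's own machine-account secure channel, and any trusts exposed by the DR-site domain. It assumes the RSAT ActiveDirectory module is installed and that the DR network's DNS points at the DR-site Domain Controller; the port list and the result field names are the example's own choices.

```powershell
<#
  Added example (not from the Zerto KB): AD logon readiness check for the DR network.
  Assumptions: RSAT ActiveDirectory module present, run elevated on a domain-joined VM,
  DR-network DNS resolves the DR-site Domain Controller.
#>
param(
    # Domain the VMs authenticate against; defaults to this VM's own domain.
    [string]$Domain = $env:USERDNSDOMAIN
)

Import-Module ActiveDirectory -ErrorAction Stop

$result = [ordered]@{ Domain = $Domain }

# 1. DC locator: clients find DCs through DNS SRV records, so this record must
#    resolve on the DR network or no DC will ever be found by domain members.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    $result.DcSrvRecords = @($srv | ForEach-Object { $_.NameTarget })
} catch {
    $result.DcSrvRecords = @()
    $result.DcSrvError   = $_.Exception.Message
}

# 2. Discover a writable DC for the domain and confirm the logon-relevant ports answer.
try {
    $dc     = Get-ADDomainController -Discover -Domain $Domain -Writable -ForceDiscover -ErrorAction Stop
    $dcHost = [string]($dc.HostName | Select-Object -First 1)
    $result.DiscoveredDc = $dcHost
    $result.DcSite       = [string]$dc.Site
    foreach ($port in 88, 389, 445) {   # Kerberos, LDAP, SMB (SYSVOL / Group Policy)
        $t = Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue
        $result["Port$port"] = $t.TcpTestSucceeded
    }
} catch {
    $result.DiscoveredDc = $null
    $result.DcError      = $_.Exception.Message
}

# 3. PDC emulator: a DC restored from replication needs the PDC for its safe-restore
#    process, so record whether that role holder is reachable from this network.
try {
    $pdc = (Get-ADDomain -Identity $Domain -ErrorAction Stop).PDCEmulator
    $result.PdcEmulator          = $pdc
    $result.PdcEmulatorReachable = (Test-NetConnection -ComputerName $pdc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
} catch {
    $result.PdcEmulator          = $null
    $result.PdcEmulatorReachable = $false
}

# 4. This VM's machine-account secure channel, which an interactive domain logon depends on.
$result.SecureChannelOk = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 5. Trusts: when the DR site runs a dedicated domain, list the trusts it exposes.
try {
    $result.Trusts = @(Get-ADTrust -Filter * -Server $Domain -ErrorAction Stop |
                       ForEach-Object { "$($_.Name) ($($_.Direction), forestTransitive=$($_.ForestTransitive))" })
} catch {
    $result.Trusts = @()
}

# Overall verdict: a DC was found, Kerberos and LDAP answer, and this VM's secure channel is valid.
$result.ReadyForFailoverLogon = ($null -ne $result.DiscoveredDc) -and
                                [bool]$result.Port88 -and [bool]$result.Port389 -and
                                $result.SecureChannelOk

[pscustomobject]$result | Format-List
```

A VM that reports `ReadyForFailoverLogon = False` with an empty `DcSrvRecords` list is the situation the article describes: the replicated VM booted on an isolated network with no DC (or no DNS path to one), and domain logons will fail until a DR-site DC or dedicated domain is in place. If `PdcEmulatorReachable` is `False` while the primary site is down, that is the PDC dependency the list above warns about for any DC restored by failover.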

To summarize the two available options:
Replicating a domain to the test failover network and dealing with the Microsoft limitations mentioned above is not recommended.
Instead, the best practice is to have an additional dedicated domain available on the DR site network before performing a Test Failover / Live Failover.