DR Domain Controller

[acl03]

I was thinking of adding a DC to our domain that only syncronizes once every few weeks, so if someone accidentally deletes an OU, we could restore it from the DR one (because hopefully the delete hasnt replicated to that server yet).

2 questions:

1) is this a good idea?

2) what if a new user is created, and it is not yet replicated to the new dc. If that user tries to log in, and hits the DR DC for authentication, will it prevent him/her from logging in because the account does not exist yet on that DC, or will it look on another DC for the account?



Thanks,
Andrew

 

[Roadki11]

I dont think its a good idea, even if you could get it to work as you are thinking which i dont think you can it will cause more problems than it will solve. The 2nd DC with a 3 or 4 week old replica is going to have old user passwords if any have changed and old computer passwords if any have changed which they will at some point. you could end up spending a lot of time resetting user and computer accounts. Not to mention any changes to GP, DNS, and what ever else im not thinking of.

RoadKi11

 

[acl03]

is there any way to add this DR Domain Controller and prevent users from authenticating to it?



Thanks,
Andrew

 

[Roadki11]

i guess you could put the 2nd DC in a 2nd site and setup a subnet pointing to the 1st DC. That should make everyone look to the 1st DC to authenticate but if the 1st DC fails to answer for what ever reason they would look for the 2nd DC for authentication.

RoadKi11