Relocating branch office, replication question

  • Last Post 07 June 2017
Syberchip posted this 14 March 2017

Need some advice. I have a situation that has come up that I haven't run into before. We have an office in Canada (our headquarters is in the U.S.) and due to unforeseen circumstances that office may have to relocate rather quickly. The offices are currently connected by an MPLS private line. Our DCs (2) over there are 2008 R2, still on 2003 functional level (I know, not great). My question is, after they move, would it be best for them to not turn on the DCs until connectivity has been established to headquarters? Or will it be okay? (My mind wants to say it will be fine?) It may take a bit to move the private line (may be over a month), so I'm thinking we may be forced into a site-to-site VPN temporarily. I know it's not good to not have replication for over a month. Usually we have time to plan these things better; this just came up all of a sudden. Usually when we have a branch office outage it's not for an extended period of time, or there's no power so the DCs are down anyway. I'm not used to deliberately using DCs with replication not being able to function due to no connectivity, or to having an office relocate so quickly.

Suggestions? -Marcus

bdesmond posted this 14 March 2017

Marcus-

There's no harm really in having the DCs be up while the WAN is down (they're designed to be able to do this). Just keep in mind that if the outage lasts longer than your tombstone lifetime, you're going to have to force demote those DCs and re-promote them. That will mean you'll lose all the changes they've processed (namely user and computer account password changes), which probably means you'll have a bunch of broken machine account trusts, etc. If your tombstone lifetime is set to 60 days, you may want to proactively bump this to 180, which is the default for newer forests, so you have some wiggle room.

Thanks,

Brian Desmond

w – 312.625.1438 | c – 312.731.3132

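The two numbers Brian's answer turns on are the forest's tombstone lifetime and how long each DC has gone without a successful inbound replication. The script below is an added example, not something from the thread or from Brian; it reads the tombstone lifetime from the configuration partition, raises it to 180 days if it is still at the old 60-day value, and then lists the days since each replication partner last succeeded. It assumes the ActiveDirectory module from Windows Server 2012 or newer RSAT and a DC you can reach; the 50% warning threshold is an assumed policy, not anything the page states. Run it on both sides of the outage, since each DC only knows about its own partners.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module
# (RSAT, Windows Server 2012 or newer) and a DC reachable from where you run it.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

# tombstoneLifetime is forest-wide. If the attribute is not set (forests created before
# Windows Server 2003 SP1), the effective value is 60 days.
$tsl = (Get-ADObject $dsConfig -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }
"Tombstone lifetime: $tsl days"

# Raising it is safe and replicates like any other configuration write (needs Enterprise Admins).
# It does NOT rescue a DC that has already been isolated longer than the old value.
if ($tsl -lt 180) {
    Set-ADObject $dsConfig -Replace @{ tombstoneLifetime = 180 }
    $tsl = 180
}

# Days since each inbound partner last replicated successfully, per naming context,
# as seen from the DC you are connected to. Warn at half the window (assumed policy).
$threshold = [int]($tsl / 2)
$me = (Get-ADDomainController).HostName

Get-ADReplicationPartnerMetadata -Target $me -Scope Server -PartnerType Inbound |
    Select-Object Partition, PartnerAddress, LastReplicationResult,
        @{ n = 'DaysSinceSuccess'; e = { [int]((Get-Date) - $_.LastReplicationSuccess).TotalDays } } |
    Sort-Object DaysSinceSuccess -Descending |
    ForEach-Object {
        $flag = if ($_.DaysSinceSuccess -ge $threshold) { 'WARN' } else { 'ok' }
        '{0,-4} {1,4}d  result={2}  {3}  <- {4}' -f $flag, $_.DaysSinceSuccess,
            $_.LastReplicationResult, $_.Partition, $_.PartnerAddress
    }
```

A partner whose DaysSinceSuccess is creeping toward the tombstone lifetime is the one that will need the force demote and re-promote Brian describes; the point of checking early is to have the VPN up well before that, not to find out afterwards.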

Syberchip posted this 14 March 2017

That’s what I thought, but it’s good to hear it from others, thanks.  Our tombstone lifetime is set to 180 days already so we’re good there.

-Marcus

Syberchip posted this 11 May 2017

Remember my post before on this? We're going on over a month now not being connected, but we're OK as tombstone was 180 days. However, I'm now being told they probably won't be reconnecting the offices and that the branch office will be an entirely separate entity. Which means not integrated at all with us, and they start over with a new AD setup. (I'll probably suggest they export their accounts to a .csv so at least they have that.)

 

They are currently on very bad DSL for Internet connectivity, but should be up on fiber in the next few weeks.

 

I now have a decision to make. Do I wait until they get fiber and set up a point-to-point VPN so I can demote both DCs there, or should I not bother and just remove both DCs manually from our AD?

-Marcus

bdesmond posted this 11 May 2017

I’d just wait. You want to make sure that DC gets demoted or wiped so the DIT isn’t left behind.

Thanks,

Brian Desmond

Syberchip posted this 11 May 2017

That's ideal, though I know the admin fairly well there so I'm not worried about that. I'd have him force demote if I have to, and then have him wipe them.

I'll wait a bit, but is there any harm in manually removing those DCs (if we can't get them reconnected)? They don't hold any master roles or anything.

-M

bdesmond posted this 11 May 2017

There’s no harm as long as the DC is wiped (ideally first) as well.

Thanks,

Brian Desmond
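Brian's two replies above (demote or wipe so the DIT isn't left behind; no harm in manual removal as long as the box is wiped) describe the same procedure from both ends. The following is an added example, not code from the thread or from Brian, of what that looks like when the DCs can never be demoted gracefully: the branch side runs a force removal and reimages, and the HQ side cleans up the metadata and DNS the orphaned DCs left behind. The names BR-DC01, BR-DC02, the site Branch and the domain corp.example.com are placeholders. It assumes a Windows Server 2012 or newer admin host for the DnsServer cmdlets; ntdsutil and dcpromo are the tools that exist on the 2008 R2 DCs in the thread. The reason the wipe matters is that ntds.dit holds the password hashes of every account in the domain, including krbtgt, so a "demoted" server whose disk survives still carries the whole domain's secrets.

```powershell
# Added example, not from the original thread. Placeholders: BR-DC01, BR-DC02, site 'Branch',
# domain corp.example.com. Run part (1) on the branch box, part (2) from HQ.

# ---------- (1) on each branch DC (2008 R2), as a local administrator ----------
# Force removal does not need to reach any other DC. It prompts for a new local Administrator
# password and reboots the machine as a standalone server.
#     dcpromo /forceremoval
# Afterwards reimage or securely wipe the disks: a forcibly demoted DC still has an ntds.dit
# (and its backups/snapshots) containing every account's password hashes, including krbtgt.

# ---------- (2) on an HQ DC or admin host, as Enterprise Admin, once the boxes are gone ----------
Import-Module ActiveDirectory
Import-Module DnsServer

$domain  = 'corp.example.com'
$site    = 'Branch'
$dcNames = 'BR-DC01', 'BR-DC02'
$configNc = (Get-ADRootDSE).configurationNamingContext

foreach ($dc in $dcNames) {
    # Metadata cleanup removes the NTDS Settings object, the server object and the DC-specific
    # state on the computer account. It does not touch DNS, which is handled below.
    $serverDn = "CN=$dc,CN=Servers,CN=$site,CN=Sites,$configNc"
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}

# Nothing in that site should still be listed as a DC.
Get-ADDomainController -Filter { Site -eq $site } | Select-Object Name, HostName, Site

# SRV records that point at the dead DCs keep clients trying to use them until scavenging
# (if it is even enabled) catches up. Remove them from both the domain zone and _msdcs.
foreach ($dc in $dcNames) {
    $fqdn = "$dc.$domain."           # RecordData.DomainName carries the trailing dot
    foreach ($zone in $domain, "_msdcs.$domain") {
        Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv |
            Where-Object { $_.RecordData.DomainName -eq $fqdn } |
            Remove-DnsServerResourceRecord -ZoneName $zone -Force
    }
    # The host's own A record and its GUID CNAME under _msdcs are removed the same way
    # with -RRType A / -RRType CName and a filter on HostName or RecordData.HostNameAlias.
}

# Verify: no SRV record in _msdcs should still resolve to a branch DC.
Get-DnsServerResourceRecord -ZoneName "_msdcs.$domain" -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like 'BR-DC0?.*' } |
    Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.DomainName } }
```

Do part (2) only after part (1) has actually happened, or after you are certain the machines are never coming back: a DC that is removed from the forest metadata but later powered on still believes it is a DC and still holds the DIT.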

Syberchip posted this 11 May 2017

Thanks, much appreciated!

-Marcus

Syberchip posted this 18 May 2017

With regards to having DCs separated temporarily, our admin at the other office wants to create two new users. We recently had to create those users on our end for Office 365 account sync, no choice in the matter. So what happens if he creates the same account on his end and we bring replication back up down the road? I would think there'd be a conflict and we'd run into issues? Sorry for all the questions, but this is a rather odd situation (which I've never been in before). Thanks for all your help!

-Marcus

bdesmond posted this 18 May 2017

You'll end up with conflict objects (assuming the RDNs match in the same OU), and the O365 identity will be separate from the on-prem one. You can fix the latter with a bit of extra work, but ultimately they'll have two IDs, two SIDs, etc.

Thanks,

Brian Desmond

GuyTe posted this 18 May 2017

To add to the below, AD resolves collisions using a simple “last writer wins” rule. More on the conflict resolution logic here:

https://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx

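Brian's and GuyTe's replies above describe what replication does once the two sides meet: a same-RDN, same-OU collision produces a CNF conflict object, and the two accounts stay separate identities with separate SIDs. The script below is an added example, not code from the thread, with two checks around that: before reconnecting, compare account exports from both sides so one side can rename or delete its copy first; after reconnecting, list any CNF objects replication has already created. It assumes each side exported users with the same Get-ADUser command to a CSV, and the paths are placeholders. It also goes one step beyond the post: a same-sAMAccountName collision in different OUs does not yield a CNF object, but AD keeps sAMAccountName unique by rewriting one side's value to a $DUPLICATE- prefixed string, so the report flags that case too.

```powershell
# Added example, not from the original thread. CSV paths and column names are assumptions;
# both exports are taken the same way on each side:
#   Get-ADUser -Filter * -Properties userPrincipalName |
#       Select-Object SamAccountName, UserPrincipalName, DistinguishedName |
#       Export-Csv users.csv -NoTypeInformation
Import-Module ActiveDirectory

# ---- (a) before reconnection: who collides, and how ----
$hq     = Import-Csv 'C:\isolation\hq-users.csv'
$branch = Import-Csv 'C:\isolation\branch-users.csv'

# Index HQ by the three things that can collide.
$bySam = @{}; $byUpn = @{}; $byDn = @{}
foreach ($u in $hq) {
    $bySam[$u.SamAccountName.ToLower()]    = $u
    if ($u.UserPrincipalName) { $byUpn[$u.UserPrincipalName.ToLower()] = $u }
    $byDn[$u.DistinguishedName.ToLower()]  = $u
}

$report = foreach ($b in $branch) {
    $kind = @()
    if ($byDn.ContainsKey($b.DistinguishedName.ToLower()))  { $kind += 'SameRdnAndOU -> CNF object' }
    if ($bySam.ContainsKey($b.SamAccountName.ToLower()))    { $kind += 'sAMAccountName -> one side renamed $DUPLICATE-...' }
    if ($b.UserPrincipalName -and $byUpn.ContainsKey($b.UserPrincipalName.ToLower())) { $kind += 'UPN duplicate' }
    if ($kind) {
        [pscustomobject]@{
            SamAccountName = $b.SamAccountName
            BranchDN       = $b.DistinguishedName
            Collision      = ($kind -join '; ')
        }
    }
}
$report | Format-Table -AutoSize

# ---- (b) after reconnection: objects replication already renamed ----
# The mangled RDN is "<name>\nCNF:<objectGUID>"; in an LDAP filter the line feed is \0A.
Get-ADObject -LDAPFilter '(name=*\0ACNF:*)' -Properties whenChanged |
    Select-Object Name, ObjectClass, whenChanged, DistinguishedName
```

Whichever copy loses the name collision keeps its own objectGUID and SID, so group memberships, profiles and the Office 365 match all follow that object; deciding in advance which side's account survives is far less work than untangling a CNF object later.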

Syberchip posted this 07 June 2017

So we're looking at reconnecting offices soon via VPN (fiber at both sites). It's been just over two months of having this location isolated from our main office. As I've stated before, tombstone time is 180 days so we are OK there. I checked the time sync and it looks good, only seconds off. I'm worried about DNS scavenging though? I'm assuming that should work itself out when the sites are reconnected? Thankfully the admin there has hardly made any changes to AD on his end.

Thanks,

-Marcus
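Marcus's last post names the two things worth measuring before the VPN comes up: clock offset and DNS aging/scavenging. What follows is an added example, not from the thread, that checks both and then kicks replication after the link is up. It assumes a Windows Server 2012 or newer admin host for the DnsServer cmdlets (on the 2008 R2 DCs in the thread the equivalent information comes from dnscmd /Info, /ZoneInfo and /EnumRecords); HQ-DC01, BR-DC01 and corp.example.com are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: HQ-DC01, BR-DC01, corp.example.com.
# Assumes the DnsServer module (Windows Server 2012 or newer) on the host you run this from.
Import-Module DnsServer

$hqDc   = 'HQ-DC01.corp.example.com'
$dnsSrv = 'BR-DC01'                        # the DNS server whose view you are inspecting
$zones  = 'corp.example.com', '_msdcs.corp.example.com'

# 1. Clock offset against the other site, measured without changing anything. Kerberos
#    allows 5 minutes of skew by default; "seconds off" is fine, minutes is not.
w32tm /stripchart /computer:$hqDc /samples:5 /dataonly

# 2. Scavenging as configured on this server and on each AD-integrated zone. Only the servers
#    listed in ScavengeServers (or any server, if that list is empty) will delete aged records.
Get-DnsServerScavenging -ComputerName $dnsSrv |
    Select-Object ScavengingState, ScavengingInterval, NoRefreshInterval, RefreshInterval, LastScavengeTime
foreach ($z in $zones) {
    Get-DnsServerZoneAging -ComputerName $dnsSrv -Name $z |
        Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers, AvailForScavengeTime
}

# 3. Dynamic records that are already past NoRefresh+Refresh from THIS server's point of view.
#    Static records have no Timestamp and are never scavenged. After two months apart, a record
#    the branch clients kept refreshing locally can look stale on the HQ copy of the zone,
#    and HQ's scavenger may delete it before the refreshed timestamp replicates in.
foreach ($z in $zones) {
    $aging  = Get-DnsServerZoneAging -ComputerName $dnsSrv -Name $z
    $cutoff = (Get-Date) - $aging.NoRefreshInterval - $aging.RefreshInterval
    Get-DnsServerResourceRecord -ComputerName $dnsSrv -ZoneName $z |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object @{ n = 'Zone'; e = { $z } }, HostName, RecordType, Timestamp
}

# 4. Once the VPN is up, do not wait for the schedule: push a full sync and read the summary.
#    (repadmin is present on the 2008 R2 DCs as well.)
#     repadmin /syncall /AdeP
#     repadmin /replsummary
```

Running step 3 on a DC in each site and comparing the two lists tells you which records are actually at risk; if HQ's list contains live branch hosts, the low-effort option is to pause scavenging on the HQ servers until the first full replication cycle has completed and the timestamps have caught up.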