Disastery recovery of DCs

[frigomiam]

Hi all,

I wonder what folks do today regarding DR of domain controllers.

For example I have a DRSite where Veeam B&R9.5 replicates prod VMs and it has 2 running DCs, and for real DR scenario ( whole prod site is off ) I seize the roles manually on one of the DC. So this operation is quite manual, and last time required to restart both DCs after seizing and cleanup metadata ( DFS service wouldn't work ).
I also use surebackup ( with authoritative restore) after each replication to DR that works great every day consistently.

Is there a way to automate DR scenario like surebackup do ? can I script or is to not supported by microsoft ?
I wonder what people in general for their DR regarding the failover of their DCs ?

many thanks
frigo

[wishr]

Hi Frigo,

I'd recommend taking a look at Veeam Availability Orchestrator.

Thanks

[Vitaliy S.]

I wonder what people in general for their DR regarding the failover of their DCs ?

To the best of my knowledge, most of the customers either have a secondary DC in the DR site (seems like you have that too?) or recover it manually. Here is an existing topic that can be useful.

[frigomiam]

thanks Vitaly,
Yes I have 2 DCs running in DR. Right so it looks as if everybody has to go the manual way. I still wonder why that's the case in a world of automation.
Maybe I have to look at scripting it myself. I wonder what the best it, script the seizure of roles but it sounds not easy, or script a non authoritative restore with a replica like surebackup does. I wonder why Microsoft doesn't support both scenarios ?

[veremin]

DC is restored in non-authoritative mode by default, so, you don't have to script anything in this case.

It's authoritative mode that requires coding or manual work. Check this blog post for more information. Thanks!

[frigomiam]

Veremin thank you, why doesn't veeam support an authoritative mode failover for DCs ?

[frigomiam]

I meant, why doesn't it have a feature to failover a DC replica in authoritative mode ( like what Surebackup do ) ?

[frigomiam]

I'm trying to answer my own question. I suppose microsoft doesn't support it ?
And the preferred solution is to have a running DC in DR that would have the latest sysvol replicated compared to an offline replica. But then it takes ages to seize the roles. I guess I have to look at how to automate seizing of roles
It would still be nice to have the feature..

[mcz]

To be honest I also do not really understand why veeam doesn't provide the functionality of using authoritative restore when SureBackup already does... The original request has been created some time ago: veeam-backup-replication-f2/feature-req ... ve#p339438

[YouGotServered]

I am a huge proponent of this. I posted on the feature request linked above nearly two years ago now. I'm clearly not a software developer (for good reason I'm sure), but compared to the other things Veeam has accomplished, this seems like a relatively easy thing to port over from SureBackup to actual restores.

[wishr]

Hi guys,

Thank you for the feedback - appreciate it.

To clarify, there is a procedure for performing an authoritative DC restore in the aforementioned blog post.

How regularly do you need to perform a restore in authoritative mode?
What kind of foolproof protection you think could be implemented to prevent occasional authoritative restores? We know the aftermath, right?

Thanks

[YouGotServered]

Pretty often actually if you're dealing with a lot of mom and pop shops that have one DC and an ESXi host from 2007 I'm exaggerating a little bit, but still, it can be frequently if you're the backup admin to a crappy sysadmin. As far as foolproof protection, lots and lots of big, bolded, warning boxes that detail the consequences. You guys have warnings in place about IP conflicts when restoring a server and telling Veeam to power it on, I don't know why something similar, but a bit louder, wouldn't be appropriate. Make the default option non-authoritative as well. Make people actually have to intentionally select Authoritative and spell out the consequences in a dialog box with a box they have to check saying that they understand the risks.

If they screw it up after that, I don't think Veeam is to blame.