unsichtbarre
Service Provider
Posts: 226
Liked: 39 times
Joined: Mar 08, 2010 4:05 pm
Full Name: John Borhek

Domain Controllers at DR site - no logon servers available

Post by unsichtbarre »

Hi all-
I have a production site (192.168.10.0/24) with 2 DCs and a DR site (102.168.20.0/24) with a RODC (server 2012). The replication job has re-ip configured and working.
  • The RODC has its first DNS server set to its own IP, and I have also tried 127.0.0.1 as the first DNS Server
When I take the VPN down between the sites, it immediately becomes impossible to log on to the RODC (no logon servers available), much less any of the replicated VMs. I thought the point of a RODC was precisely to service such requests? I have Googled MSFT resources and found a few posts indicating to enable Group Membership Caching, but that has been done to no effect.
  • Can a RODC serve as a standalone logon server during DR testing and/or actual disasters, and if so how?
  • What is a more elegant solution for dealing with replicated DCs - or is manual exit from safe mode (https://www.veeam.com/kb1277) the only way?
THX
John Borhek, Solutions Architect
https://vmsources.com
bdufour
Expert
Posts: 206
Liked: 41 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour

Re: Domain Controllers at DR site - no logon servers available

Post by bdufour »

Have you tried to log in with .\administrator? I didn't see you mention that.
unsichtbarre
Service Provider
Posts: 226
Liked: 39 times
Joined: Mar 08, 2010 4:05 pm
Full Name: John Borhek

Re: Domain Controllers at DR site - no logon servers available

Post by unsichtbarre »

.\administrator works, but doesn't solve the problem of a graceful AD solution for DR testing and actual disasters.
John Borhek, Solutions Architect
https://vmsources.com
bdufour
Expert
Posts: 206
Liked: 41 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour

Re: Domain Controllers at DR site - no logon servers available

Post by bdufour »

Yeah, but once you log in (which you were saying you couldn't from the post) - you need to run the cmd in the KB to take the DC out of safe mode. Is that not working?
unsichtbarre
Service Provider
Posts: 226
Liked: 39 times
Joined: Mar 08, 2010 4:05 pm
Full Name: John Borhek

Re: Domain Controllers at DR site - no logon servers available

Post by unsichtbarre »

The point is NOT using replicated Domain Controllers and using a RODC to prevent having to log on as .\administrator and exit Safe Mode - besides, the RODC is not in safe mode in the first place.

I am trying to deploy AD in a more elegant fashion that will speed up failover and DR testing, therefore I have placed a RODC at the DR site. The problem is that the RODC stops authenticating users as soon as the VPN is down!
John Borhek, Solutions Architect
https://vmsources.com
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm

Re: Domain Controllers at DR site - no logon servers available

Post by nmdange »

The RODC can cache passwords, but the users must be in the "Allowed RODC Password Replication Group" and you must have authenticated to the RODC at least once for the password to get cached. RODCs are intended for either branch offices that are actively used, or in Perimeter/DMZ networks. RODCs aren't appropriate for a DR Site. You should have a full DC live and running in your DR Site.
bdufour
Expert
Posts: 206
Liked: 41 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour

Re: Domain Controllers at DR site - no logon servers available

Post by bdufour »

You can also add computer objects to be replicated as well through the policy, and I agree on having a fully functioning domain controller at the DR site as well; that's how our environment is designed.
unsichtbarre
Service Provider
Posts: 226
Liked: 39 times
Joined: Mar 08, 2010 4:05 pm
Full Name: John Borhek

Re: Domain Controllers at DR site - no logon servers available

Post by unsichtbarre »

Thanks for replies!

nmdange says: "You should have a full DC live and running in your DR Site." bdufour says: "you can also add computer objects to be replicated as well through the policy"
  • exactly, so I am trying to get the policies just right
My current challenge is, after adding the "Allowed RODC Password Replication Group," can I automatically prepopulate the users, or do I have to do it manually through the advanced settings dialog?
John Borhek, Solutions Architect
https://vmsources.com
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm

Re: Domain Controllers at DR site - no logon servers available

Post by nmdange »

After adding users and computers to that group, that only allows the password to be cached, but it won't pre-populate the cache. You still have to manually pre-populate accounts. You can do it through PowerShell https://blogs.technet.microsoft.com/pos ... owershell/

Keep in mind though, as new users and computers are created, they won't be in the cache unless you re-run the prepopulate script.

That Veeam blog is talking about branch offices, not a dedicated DR site. An RODC wouldn't be a best practice in a DR site. You might be able to get it to work for short-term testing but you can't rely on the RODC long term in a DR situation.
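The question above (can the "Allowed RODC Password Replication Group" be pre-populated automatically?) and this answer (membership only permits caching; pre-population is a separate, repeatable step that must also cover computer accounts) can be combined into one re-runnable script. The following is an added example, not the script linked in the thread and not Veeam's or Microsoft's code. It assumes hypothetical names DR-RODC01 (the RODC at the DR site) and PROD-DC01 (a writable DC at production), the RSAT ActiveDirectory module, and repadmin.exe on the path; it reads the RODC's Allowed list, diffs it against the accounts the RODC has already cached, pre-populates only the missing ones, and reports any gap that would surface as "no logon servers available" once the VPN drops.

```powershell
# Added example (not from the thread): pre-populate an RODC's password cache for every
# user and computer its Password Replication Policy allows, skipping accounts that are
# already cached, so the script can be re-run (e.g. as a scheduled task) after new
# accounts are created.
# Assumed names: DR-RODC01 (read-only DC at DR), PROD-DC01 (writable hub DC).
# Requires the ActiveDirectory module (RSAT), repadmin.exe, and Domain Admin rights,
# run from a host that can reach both DCs while the VPN is up.
Import-Module ActiveDirectory

$Rodc   = 'DR-RODC01'   # hypothetical RODC name
$HubDc  = 'PROD-DC01'   # hypothetical writable DC name
$WhatIf = $false        # $true = report what would be pre-populated, call nothing

# 1. Resolve the PRP "Allowed" list. Entries are usually groups (e.g. the default
#    "Allowed RODC Password Replication Group"), so expand them recursively and keep
#    only users and computers: repadmin pre-populates one principal at a time.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    ForEach-Object {
        if ($_.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $_.DistinguishedName -Recursive
        } else { $_ }
    } |
    Where-Object { $_.ObjectClass -in 'user', 'computer' } |
    Sort-Object -Property DistinguishedName -Unique

# 2. Accounts whose secrets the RODC already holds ("revealed" accounts).
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object -ExpandProperty DistinguishedName

# 3. Pre-populate only the accounts that are allowed but not yet cached.
$missing = $allowed | Where-Object { $revealed -notcontains $_.DistinguishedName }

foreach ($acct in $missing) {
    if ($WhatIf) {
        Write-Output "Would pre-populate $($acct.SamAccountName) ($($acct.ObjectClass))"
        continue
    }
    # repadmin /rodcpwdrepl <RODC> <writable DC> <account DN> makes the RODC pull that
    # single account's secrets from the hub DC. Accounts on the Denied list (Domain
    # Admins and the other default denials) fail here by design; the warning makes
    # that visible instead of silently leaving them uncached.
    $result = & repadmin.exe /rodcpwdrepl $Rodc $HubDc $acct.DistinguishedName 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin failed for $($acct.DistinguishedName): $result"
    } else {
        Write-Output "Pre-populated $($acct.SamAccountName) ($($acct.ObjectClass))"
    }
}

# 4. Verify after the run: anything still allowed but not revealed is an account that
#    will not be able to log on at the DR site once the VPN is down.
$cachedNow = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object -ExpandProperty DistinguishedName
$gap = $allowed | Where-Object { $cachedNow -notcontains $_.DistinguishedName }
Write-Output ("Allowed: {0}  Cached: {1}  Not cached: {2}" -f
    $allowed.Count, ($allowed.Count - $gap.Count), $gap.Count)
$gap | Select-Object SamAccountName, ObjectClass
```

Running it once with `$WhatIf = $true` shows which users and computers are in the Allowed list but not yet cached, which is also a quick way to confirm before a DR test that the accounts you expect to log on (and the machine accounts of the replicated servers) are actually revealed on the RODC. Because the Denied list takes precedence over the Allowed list, highly privileged accounts will never be cached this way, which is exactly why a full writable DC at the DR site remains the recommendation in this thread.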
bdufour
Expert
Posts: 206
Liked: 41 times
Joined: Nov 01, 2017 8:52 pm
Full Name: blake dufour

Re: Domain Controllers at DR site - no logon servers available

Post by bdufour »

Keep in mind, you won't be able to join machines to a RODC. In a long term situation that will not be very good. There may be some workaround, but it will be a giant PIA.
unsichtbarre
Service Provider
Posts: 226
Liked: 39 times
Joined: Mar 08, 2010 4:05 pm
Full Name: John Borhek

Re: Domain Controllers at DR site - no logon servers available

Post by unsichtbarre »

nmdange - appreciate the link to the PowerShell script.

bdufour - good point about joining machines

Sometimes we are forced to work with more complicated solutions for security reasons. I am convinced this can work elegantly and be a stop-gap until the replicated DCs can be brought out of 'Safe Mode'.

One of the reasons I started down this path was to speed the process. Even when you run the commands to boot replicated DCs out of 'Safe Mode,' there's still 20-30 minutes until GC starts.

If I can make RODC work, servers will be live immediately for users with cached credentials.
John Borhek, Solutions Architect
https://vmsources.com