Domain controller failure

    Question

  • All,

    In deploying domains/servers over the last few years I've been following the guidelines and always building out at least two domain controllers. My environments are usually of the SOBO variety and rarely have Internet/WAN connections to larger setups so complete stand alone ability is essential.

    Lately I've been asked exactly what would happen if only one domain controller was built and it died for whatever reason. I've been digging around the usual online sources but I've yet to see a definitive list of likely failures when the domain controller feature fails entirely.

    Does such a list exist?

    Thanks for reading.

    Monday, November 28, 2016 5:54 PM

Answers

  • Hi

    With a single domain controller, all FSMO roles are held on one DC, so check these articles for the effects:

    https://jorgequestforknowledge.wordpress.com/2011/07/11/the-impact-of-fsmo-roles-not-being-available/

    http://rickardnobel.se/all-pdc-emulator-functions/

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/8910af3d-fc10-48d2-8505-a4d415f99494/impact-if-pdc-server-is-down-in-windows-2003-and-windows-2008?forum=winserverDS

    Plus all services and roles that need to work with the GC role also become unavailable, e.g. Exchange, Lync, etc. Also, other services that work with AD authentication will not work, like SQL, DBs, applications, etc.

    That's why at least 2 domain controllers (with DS, DNS, GC roles) are always recommended in a domain environment.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Best regards, Burak Uğur

    • Marked as answer by mlwest Wednesday, November 30, 2016 6:15 PM
    Monday, November 28, 2016 7:35 PM
  • Hi,
    In general, you would lose:
    1. Logins. Cached credentials would work, if the user had logged on before, but new domain logins would fail.
    2. Network shares. Your Kerberos ticket duration and enforcement are set by domain policy, but accessing network shares would begin to fail across your network.
    3. DNS. You and/or your service desk would begin to receive "no internet" calls. They'd still have connectivity, but they won't be able to resolve things, inside or out. This could also have the effect of people calling you and/or your service desk to tell you your various servers are down.
    4. Your VPN, if any, if it uses AD credentials.
    5. Any other service that uses AD credentials (Network Access Control, websites with integrated security, etc.).
    This is amongst the reasons that we don't suggest having a single DC in any AD domain.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by mlwest Wednesday, November 30, 2016 6:15 PM
    Wednesday, November 30, 2016 6:11 AM
    Moderator
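    As an added example, not code from either answer above, the following PowerShell script turns the two replies into a concrete check: it inventories the domain's DCs, the five FSMO role holders, the Global Catalog count and which DCs run the DNS service, and reports each place where only one server carries the load. It assumes the ActiveDirectory RSAT module is installed, that the caller is a domain user with rights to query services remotely via CIM, and that DNS is the AD-integrated service on the DCs (all of which are assumptions, not facts from the thread).

    ```powershell
    # Added example (not from the thread): flag single points of failure in an AD domain.
    # Assumes the ActiveDirectory module (RSAT) and remote CIM access to each DC.
    Import-Module ActiveDirectory -ErrorAction Stop

    $domain = Get-ADDomain
    $forest = Get-ADForest
    $dcs    = @(Get-ADDomainController -Filter *)

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Writable DCs: with only one, logons, Kerberos, shares and AD-integrated apps have no failover.
    $writable = @($dcs | Where-Object { -not $_.IsReadOnly })
    if ($writable.Count -lt 2) {
        $findings.Add("Domain $($domain.DNSRoot) has $($writable.Count) writable DC(s): no failover for logons, Kerberos, shares or AD-integrated apps.")
    }

    # 2. Global Catalog: GC-dependent services (Exchange, Lync and similar) need a reachable GC.
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
    if ($gcs.Count -lt 2) {
        $findings.Add("Only $($gcs.Count) Global Catalog server(s): GC-dependent services lose redundancy.")
    }

    # 3. FSMO roles: record the holders so you know which operations masters a failure takes with it.
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $holders = @($fsmo.Values | Select-Object -Unique)
    if ($holders.Count -eq 1) {
        $findings.Add("All five FSMO roles sit on $($holders[0]); losing it removes every operations master at once.")
    }

    # 4. DNS: count DCs actually running the DNS Server service (assumed AD-integrated DNS).
    $dnsHosts = @()
    foreach ($dc in $dcs) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'" `
                               -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        if ($svc -and $svc.State -eq 'Running') { $dnsHosts += $dc.HostName }
    }
    if ($dnsHosts.Count -lt 2) {
        $findings.Add("DNS Server runs on $($dnsHosts.Count) DC(s): internal and external name resolution fails with it.")
    }

    # Report
    "Domain controllers:"
    $dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles | Format-Table -AutoSize
    "FSMO role holders:"
    $fsmo.GetEnumerator() | ForEach-Object { "  {0,-22} {1}" -f $_.Key, $_.Value }
    if ($findings.Count -eq 0) {
        "No single-point-of-failure findings."
    } else {
        "Single points of failure:"
        $findings | ForEach-Object { "  - $_" }
    }
    ```

    Run it from a domain-joined admin workstation; in a one-DC domain every check fires, which is the situation the original question describes. The DNS step is the one most worth adapting: if your clients point at a DNS server that is not a DC, replace that check with one against whatever hosts your zones.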

All replies

  • Thanks Burak and Wendy for your replies.

    I was hoping there was an exhaustive list somewhere but it appears there are so many dependencies and individual circumstances that drive the likely symptoms of complete DC failure that there is no simple list of failures that all environments would see.

    On top of that I'm forced to work with software technologies that have yet to update their internals to use AD or other more modern approaches which makes it even more difficult to nail down a specific list of issues that would occur if a complete DC failure were to occur.

    I'll just keep building out at least two DCs and call it good.

    Wednesday, November 30, 2016 6:31 PM
  • Hi,
    Great choice, and thank you for marking the answers. If you have any questions later, please feel free to contact us or post the problem in the TechNet forum.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, December 1, 2016 1:50 AM
    Moderator