Multiple Domain Controllers, one fails what should happen?

    Question

  • Hi,

    I have a data centre environment where we have two sites, two DCs in each site. Site A has the DNS entries of the two DCs in site A on their NICs, and site B has the DNS entries for its two DCs.

    We have recently had a problem with site A domain controllers. We are not 100% sure if it's the DNS or the AD DS causing the problem, but we do see the lsass.exe process crashing and from then on it's all downhill for an hour.

    So we are building two new DCs to replace the two older DCs, but I wanted to verify what "should" happen in a multi-DC environment when one or more DCs crash.

    It is my understanding and experience in smaller environments that when there is more than one DC, if one goes down (whether or not it's the FSMO role holder) all services and clients should re-authenticate and do name resolution against the surviving DC. I have been able to reboot DCs during business hours for patching, for example, with no side effects. Can someone verify or provide some more information around this? I can't imagine that it would bring down services if one failed. Azure is massive and they use domain controllers as part of their directory services as I understand it; they must have DC failures from time to time.

    Just a side question also: given I have two sites, should I list my opposite site's DNS servers later in the NICs' DNS entries, or should I only have the local site's DNS entries? I would assume I should list the local site first, then add the second site later just in case something happened to those two DCs at the same time?

    Thanks for any info

    Steve

    Sunday, January 29, 2017 2:12 PM

Answers


  • So we are building two new DCs to replace the two older DCs, but I wanted to verify what "should" happen in a multi-DC environment when one or more DCs crash.

    They should work with no problem as long as you have one healthy DC in their site. Just one thing I can mention: if they are using DHCP for assigning IP addresses, it would be good if you could change the order of their DNS servers in the scope options so clients won't point to the faulty DC first. Other than that there should be no problem with regard to authentication and GPO.

    Also it is not good to have a single DC in a site if that site is serving so many requests and so much load. Best is to bring back the faulty DC and re-promote ASAP. I personally do not go for adding DNS servers of a remote site in the NICs of the local site because, first of all, if your only DC goes down, your clients still won't be able to query the remote DNS because they don't have the remote site in their NIC properties, and secondly because the amount of time it takes to bring back the new DCs should be low, so I think it is not worth it. That is just my opinion. If there was a root server above, that would be a different story, but here, since there is a single domain I suppose, I do not apply that.


    Mahdi Tehrani   |     |   www.mahditehrani.ir

    • Marked as answer by Milkientia Monday, January 30, 2017 6:44 PM
    Sunday, January 29, 2017 3:34 PM
    Moderator

All replies

  • Hi thanks for the response.

    We don't use DHCP in the data centre; we assign all IPs statically. We have a PowerShell script that can go through all the NICs and change the DNS IP.

    We didn't think about demoting and re-promoting the faulty DC; that could have been an option, but they are running 2008 32-bit anyway, so we're looking at bringing 2012 R2 in to replace them.

    I am a little confused over your last paragraph about the remote site, though. Why wouldn't our clients be able to query the remote site's domain controllers and DNS if we added the remote site's DNS to their NICs? Each site has its own subnet and they are configured in Sites and Services. Let's assume there is a router to route all traffic between each site.

    As a side note, I'm sure if we lost both DCs in the local site we'd probably have more to worry about, but it's more of a technical question about resiliency and best practice.

    Thanks

    Sunday, January 29, 2017 4:28 PM

  • I am a little confused over your last paragraph about the remote site, though. Why wouldn't our clients be able to query the remote site's domain controllers and DNS if we added the remote site's DNS to their NICs?

    If you can change the DNS settings on all clients there would be no problem.

    Mahdi Tehrani   |     |   www.mahditehrani.ir

    Monday, January 30, 2017 4:33 AM
    Moderator
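Steve mentions a PowerShell script that rewrites the DNS servers on all the NICs, and the thread settles on listing the local site's DCs first with the remote site's DCs after them, to be used only if both local DCs are gone. The following is an added example of such a script, not code from the thread or from either poster. The domain name, site names, addresses and host names are made up; it assumes the targets run Windows Server 2012 or later (DnsClient cmdlets and `$using:` are available) and accept PowerShell remoting from the machine running it.

```powershell
# Added example, not code from the original thread. Pushes a site-aware DNS server
# order (local site's DCs first, remote site's DCs last) to statically addressed
# servers and then reports which DC each server actually locates afterwards.
# Assumptions: the domain, site names, addresses and host names below are made up;
# targets run Windows Server 2012 or later and accept PowerShell remoting.

$Domain  = 'corp.example'                   # assumed AD DNS domain name
$SiteDns = @{
    'SiteA' = @('10.10.0.11', '10.10.0.12')   # assumed site A DC / DNS addresses
    'SiteB' = @('10.20.0.11', '10.20.0.12')   # assumed site B DC / DNS addresses
}

# Build the resolver list for a site: local DCs first, every other site's DCs
# appended so name resolution survives the loss of both local DCs.
function Get-SiteDnsOrder {
    param([Parameter(Mandatory)][string]$LocalSite)
    if (-not $SiteDns.ContainsKey($LocalSite)) { throw "Unknown site '$LocalSite'" }
    $order = @($SiteDns[$LocalSite])
    foreach ($site in ($SiteDns.Keys | Where-Object { $_ -ne $LocalSite } | Sort-Object)) {
        $order += $SiteDns[$site]
    }
    return $order
}

# Apply the order to every connected adapter that already has IPv4 DNS servers
# configured; adapters with no DNS settings (heartbeat, iSCSI) are left alone.
function Set-SiteDnsServers {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$LocalSite,
        [switch]$DryRun
    )
    $servers = Get-SiteDnsOrder -LocalSite $LocalSite
    $dry     = $DryRun.IsPresent
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $servers = $using:servers
        $dry     = $using:dry
        foreach ($nic in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }) {
            $current = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
            if (-not $current) { continue }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Interface = $nic.Name
                Before    = $current -join ','
                After     = $servers -join ','
                Applied   = -not $dry
            }
            if (-not $dry) {
                Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $servers
                Clear-DnsClientCache   # drop answers cached under the old resolver order
            }
        }
    }
}

# The check that matters after a DC failure: which DC does each member locate now?
# The DC locator reads SRV records from the configured DNS servers and then pings
# candidate DCs over LDAP, so a DC that still answers DNS but has lost its
# directory service can be skipped. /force bypasses the cached DC so the answer
# reflects the current DNS order and DC health rather than an old binding.
function Test-DcLocator {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $domain = $using:Domain
        $dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses
        $out = & nltest "/dsgetdc:$domain" /force 2>&1
        $m   = $out | Select-String -Pattern '^\s*DC:\s*(\S+)' | Select-Object -First 1
        $dc  = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            DnsOrder  = $dns -join ','
            LocatedDc = $dc
            Ok        = [bool]$dc
        }
    }
}

# Usage (assumed host names): dry run first, then apply and verify.
# Set-SiteDnsServers -ComputerName 'APP01','APP02' -LocalSite 'SiteA' -DryRun | Format-Table
# Set-SiteDnsServers -ComputerName 'APP01','APP02' -LocalSite 'SiteA' | Format-Table
# Test-DcLocator     -ComputerName 'APP01','APP02' | Format-Table
```

Run the dry run and compare the Before and After columns before applying; a server whose Before list does not match either site's DCs is worth a look before it is overwritten. Test-DcLocator answers the question the thread is actually asking: after one DC is rebooted or has failed, run it against a few members and confirm LocatedDc is a surviving DC in the local site. If a member keeps locating the failed DC even with /force, the problem is in DNS (stale SRV records or the failed DC still being first in the list and still answering), not in the failover itself.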