Child Domain Offline and Restore

    Question

  • We run a company that produces custom software that we sell to customers. As part of the sold software, we also sell them the servers on which it runs and provide helpdesk support for when things go wrong.

    Currently, all customer owned servers are on a workgroup (so we connect using local accounts). We're thinking of creating a domain for each customer which would be a child domain of our on-prem domain.

    The main reasons behind this are user administration and policies. Because of the incredibly small footprint on the customer side (about 4 servers and 20 workstations that no one logs into), it makes no sense to have more than a single DC (unless you start talking about redundancy and disaster recovery - something we're not all that concerned about right now).

    The question I have is: bearing in mind the servers are customer owned and not within our direct control, what would happen if, say, the child DC happened to be offline for 6 months (unfortunately a totally feasible scenario with our customers)?

    The main downsides to this are quite obvious: NTP for the clients would stop working so time would start drifting, DNS would not be available, we don't use DHCP so that would not be an issue, user authentication would fail after a period of time (when cached credentials expire), no connection to parent domain.

    However, most of those things don't really impact us:

    - until we get all the kinks of using domains out, our applications would continue to use local accounts, so user authentication would be unaffected (this could take as long as 2-3 years after the introduction of DCs)

    - currently we have no DNS and applications are configured using actual IP addresses, so even though with a domain we'd have access to a DNS server, we'd again opt to configure the apps to use an IP address for another 2-3 years...

    - connection to parent would also be unaffected since all applications run as local accounts

    - NTP is ever so slightly trickier: our applications are not affected by time drifts in the least, but if the domain happened to come back online after a particular client has drifted more than 5m (default allowed Kerberos max drift) then user authentication would fail until the clock is back in sync (which again is not that much of an issue in itself for us).

    Still, there are a couple of things I'm not entirely sure about:

    - If a child domain's DC is offline for, say, 6 months and then comes back online, I assume the trust between the child and the parent would be lost. Bearing in mind we're talking about a child with a single DC, what would the recovery steps require? How would that affect the devices joined to the child domain?

    - In the case that a DC comes back online after a period of time and one of its clients' clocks has drifted by more than 5m, what happens in this case? If I recall correctly, authentication will fail until the clock is within the allowed drift, but as soon as that happens authentication works again, which in other words is the same as saying that nothing needs to be done, it just fixes itself. Is this correct?

    Would welcome some advice for this particular scenario and let me know if I've forgotten any potential issue with the configuration we're planning to implement.


    Tuesday, March 28, 2017 3:37 PM

All replies

  • Hi,

    >>Bearing in mind we're talking about a child with a single DC, what would the recovery steps require? How would that affect the devices joined to the child domain?

    You could confirm or reset the trust relationship by the following illustration:

    "For example, if a user account is authenticated by the parent domain, the user has access to resources in the grandchild domain. Similarly, if the user is authenticated by a child domain, the user has access to resources in the parent domain, as well as in the grandparent domain."

    see link below:

    https://technet.microsoft.com/en-us/library/cc977993.aspx?f=255&MSPPError=-2147217396

    >>but as soon as that happens authentication works again, which in other words is the same as saying that nothing needs to be done, it just fixes itself. Is this correct?

    This Kerberos authentication default time is 5 mins via GPO settings, but it could be modified via GPO.

    And, I suppose if your child domain could sync with the parent DC, time sync is not an issue if your clients have the same time zone as the DC. w32tm.exe is also a good cmd tool for syncing time.

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 29, 2017 6:14 AM
    Moderator
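The three worries raised in the question (clock drift past the Kerberos tolerance, the member's secure channel, and the trust to the parent) and the w32tm hint in the reply above, worked through as one added PowerShell check script. This is example code written for this page, not code from the thread, from Microsoft, or from the linked TechNet article. Domain and DC names are placeholders, the outage length is passed in as a parameter, and it assumes an elevated session on a domain-joined host with the RSAT ActiveDirectory module and netdom available. The last section adds one check the thread does not mention but a practitioner would want: whether the outage reached the forest's tombstone lifetime, past which replication partners refuse the returning DC.

```powershell
<#
  Added example, not code from the thread. Post-outage health checks for a
  member server whose child-domain DC has just come back online.
  Placeholder names (assumptions, not from the thread):
    corp.example              - the parent domain
    dc01.child.corp.example   - the child's only DC
  Requires: elevated session on a domain-joined host; RSAT ActiveDirectory
  module (Get-AD* cmdlets) and netdom.exe for the trust check.
#>
param(
    [string]$Dc           = 'dc01.child.corp.example',
    [string]$ParentDomain = 'corp.example',
    [int]   $DaysOffline  = 180,  # how long the child DC was unreachable
    [int]   $MaxSkewMin   = 5     # Kerberos policy default: "Maximum tolerance
                                  # for computer clock synchronization"
)

# --- 1. Clock skew against the DC (the Kerberos question in the thread) ---
# w32tm /stripchart /dataonly prints one "hh:mm:ss, +offset s" line per
# sample; error lines (unreachable host) do not match the pattern.
$lines   = w32tm /stripchart /computer:$Dc /samples:5 /dataonly
$offsets = foreach ($l in $lines) {
    if ($l -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
}
if (-not $offsets) { throw "No time samples from $Dc; is it reachable on UDP 123?" }
$skew = ($offsets | Measure-Object -Average).Average
"Clock offset vs $Dc is $([math]::Round($skew, 3)) s"
if ([math]::Abs($skew) -gt $MaxSkewMin * 60) {
    Write-Warning "Skew exceeds the $MaxSkewMin-minute Kerberos tolerance; Kerberos logons fail until the clock is corrected."
    # Kerberos never corrects the clock itself; the time service does.
    w32tm /resync /rediscover
} else {
    'Skew within Kerberos tolerance; nothing to do.'
}

# --- 2. This host's secure channel to the child domain ---
# The member initiates its own machine-password change and keeps the old
# password when no DC answers, so a long outage normally leaves the channel
# usable; -Repair resets the machine account password if the test fails.
if (Test-ComputerSecureChannel -Server $Dc) {
    'Secure channel to the child domain is healthy.'
} else {
    Write-Warning 'Secure channel broken; repairing (domain admin credentials required).'
    Test-ComputerSecureChannel -Repair -Server $Dc -Credential (Get-Credential)
}

# --- 3. Trust to the parent and the replication window (queried on the DC) ---
Import-Module ActiveDirectory
$childDomain = (Get-ADDomain -Server $Dc).DNSRoot
Get-ADTrust -Filter * -Server $Dc |
    Select-Object Name, Direction, TrustType, IntraForest |
    Format-Table -AutoSize
# netdom verifies the trust secure channel with the parent end to end.
netdom trust $childDomain /domain:$ParentDomain /verify

# A DC silent for longer than the forest's tombstoneLifetime (default 180
# days on forests created with Windows Server 2003 SP1 or later; the
# attribute is absent on older forests, meaning 60 days) is refused
# replication by its partners until lingering objects are dealt with.
$cfg = (Get-ADRootDSE -Server $Dc).configurationNamingContext
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
            -Server $Dc -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }
"tombstoneLifetime = $tsl days; DC was offline $DaysOffline days."
if ($DaysOffline -ge $tsl) {
    Write-Warning 'Outage reached the tombstone lifetime: check the DC for NTDS Replication event 2042 and lingering objects before trusting replication.'
    repadmin /showrepl $Dc
}
```

Sections 1 and 2 are safe to run on any member at any time; section 3 needs rights to read the configuration partition and is most useful when run once, right after the DC is reachable again, to decide whether the forest needs lingering-object cleanup rather than a simple resync.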
  • Hi Andy,

    Thank you for the answer. The question is if the sole DC of a child domain happens to be offline for a long period of time - say 6 months or so.

    In this instance, the clients connected to the child DC have no way to contact the parent DC on their own. DNS etc. is all configured to go through that sole DC that would be offline in this scenario.

    The same is true for time sync (i.e., if the child domain's single DC is offline for 6 months, clients have nowhere else to sync time from).

    Again as far as our applications are concerned this will not cause a problem as initially they will still be running using local accounts and care not for time sync.

    The question is what "breaks" when that sole DC then comes online after having been offline for such a long time and what steps are needed to fix it - both on the DC side and the clients' side.

    Wednesday, March 29, 2017 9:04 AM