A lag site for your Active Directory Domain Services (AD DS) setup is an Active Directory site (logical, or even physical) that contains at least one domain controller with lagged replication. The purpose of having a lag site is to allow you to easily perform restore operations without the need for backups.

Below are a couple of scenarios in which a lag site can be helpful:

  • You will be upgrading your AD DS to a higher version and you would like to quickly recover in case of failures without the need for a full restore of your AD DS environment from backups
  • You are performing changes on your schema or configuration and, in case of failures, you would like to quickly recover if your environment becomes unstable or human mistakes happen

The principle is that, whenever those events happen, you should be able to recover your objects, partitions or anything else from the domain controller(s) residing in your lag site.

How to prepare for it?

To prepare for a lagged site, you should consider the following:

  • Your domain controller(s) in the lag site will have lagged replication. This means that they will not replicate for a specific period of time (Recommendation: 1 week) but will fully replicate at a specific date and time. Make sure that the chosen date and time are aligned with your change management process, as it is strongly recommended that no changes happen on your AD DS environment while the replication runs. If changes happen during the replication window, the purpose of having a lag site is defeated. As an example, you can schedule the replication for Sunday on the assumption that no changes will happen that day.
  • If you have multiple domains in use then, on the assumption that you would like to have a lag site for all of them, you should have at least one domain controller per domain in your lag site.
  • Creating a lag site is not difficult: the domain controller(s) in the site can be virtual machine(s) with modest resources, given that the only expected activity is replication.
  • You should create an AD DS site which is dedicated for your lag site as well as dedicated subnet(s). The domain controller(s) to use for your lag site should be assigned to this AD DS site.
  • You should adjust the AD DS replication for this site to happen only during the date and time you have chosen for the replication to happen.
  • Once the domain controller(s) of your lag site is/are set up, you should disable the outgoing replication on it/them by running repadmin /options <DC_Name> +DISABLE_OUTBOUND_REPL (<DC_Name> should be replaced with the name of each domain controller to use in your lag site).

How to test it?

You can simply proceed as follows:

  • To make sure that new changes are not replicated, except for the authorized date and time, you can create a new AD DS object and make sure that it is not replicated.
  • To make sure that new changes are replicated within the specified date and time, you can create a new AD object before the replication is supposed to happen and make sure that it has been replicated during the selected date and time.
  • Of course, you can always use dcdiag and repadmin commands to verify the health of the domain controllers and the replication state.
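
One way to script the checks above, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module and repadmin are available; the function name, the DC names (LAGDC01, DC01), the canary naming and the 15-minute wait are placeholders chosen for illustration.

```powershell
# Added example: all names below are placeholders, not values from the article.
Import-Module ActiveDirectory

function Test-LagDomainController {
    param(
        [Parameter(Mandatory)][string]$LagDC,     # DC residing in the lag site
        [Parameter(Mandatory)][string]$SourceDC,  # writable DC in a production site
        [int]$WaitSeconds = 900                   # assumed to exceed normal replication latency
    )

    # 1. Outbound replication must be disabled on the lag DC.
    $options = (repadmin /options $LagDC) -join ' '
    $outboundDisabled = $options -match 'DISABLE_OUTBOUND_REPL'

    # 2. Create a uniquely named canary contact on the production DC.
    $name = 'LagCanary-{0:yyyyMMddHHmmss}' -f (Get-Date)
    $path = (Get-ADDomain -Server $SourceDC).UsersContainer
    New-ADObject -Name $name -Type contact -Path $path -Server $SourceDC

    # 3. Wait, then confirm the canary has NOT reached the lag DC.
    Start-Sleep -Seconds $WaitSeconds
    $onLagDC = Get-ADObject -Filter "Name -eq '$name'" -SearchBase $path -Server $LagDC

    # 4. Last successful inbound sync per partition, to compare with the chosen window.
    $inbound = repadmin /showrepl $LagDC /csv | ConvertFrom-Csv |
        Select-Object 'Naming Context', 'Source DSA', 'Last Success Time', 'Number of Failures'

    [pscustomobject]@{
        LagDC             = $LagDC
        OutboundDisabled  = [bool]$outboundDisabled
        CanaryName        = $name
        CanaryHeldBack    = -not $onLagDC   # True when the lag DC has not received the change
        InboundReplStatus = $inbound
    }
}

# Run outside the replication window.
Test-LagDomainController -LagDC 'LAGDC01' -SourceDC 'DC01'
```

Keep the canary until the next replication window has passed, confirm with Get-ADObject that it then exists on the lag DC, and remove it with Remove-ADObject on the production DC.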

How to use it for recovery?

When a recovery is required (Example: Rolling back a schema change) then you can proceed as follows:

  • Mark the partition, objects or anything else for authoritative restore on one of the domain controllers in the lag site
  • Re-enable the outgoing replication on the selected domain controller by using repadmin /options <DC_Name> -DISABLE_OUTBOUND_REPL (<DC_Name> should be replaced with the name of the selected domain controller for the recovery)
  • Wait for the replication to happen then disable the outgoing replication on the selected domain controller by using repadmin /options <DC_Name> +DISABLE_OUTBOUND_REPL (<DC_Name> should be replaced with the name of the selected domain controller for the recovery)