Offline DC.

jrs

Distinguished
Oct 8, 2001
Archived from groups: microsoft.public.win2000.active_directory

Hi All,

I need to stand up a domain that will have two sites. The problem is I
need to do this before the WAN link is up. How long can the remote
site's DC work without updating with the main site? I seem to
remember there is some kind of time limit a DC can be removed from the
operation masters. Due to the type of AD domain/network (classified) I
cannot even have it go through a modem to update the DCs.

Thanks
Jon
 
Guest

A DC should not be cut off from the rest of the network during the tombstone
period (180 days for Windows 2003 SP1, 60 days for Windows 2000 and Windows
2003 gold). In addition, there are several reasons why such a plan is
problematic and best avoided if at all possible. The FSMO roles will be
inaccessible between the disconnected sites for one thing, and if you are a
security conscious site then any account disabling or locking out at one
site will not take effect at the other site.
AD was not designed for such a deployment scenario and you should try to
avoid it if you can.

"JRS" <jonathan.stephens@ngc.com> wrote in message
news:1115564404.305838.45630@z14g2000cwz.googlegroups.com...
> Hi All,
>
> I need to stand up a domain that will have two sites. The problem is I
> need to do this before the WAN link is up. How long can the remote
> site's DC work without updating with the main site? I seem to
> remember there is some kind of time limit a DC can be removed from the
> operation masters. Due to the type of AD domain/network (classified) I
> cannot even have it go through a modem to update the DCs.
>
> Thanks
> Jon
>
 
Guest

"Simon Geary" <simon_geary@hotmail.com> wrote in message
news:uI0Rw5#UFHA.3312@TK2MSFTNGP09.phx.gbl...
> A DC should not be cut off from the rest of the network during the tombstone
> period (180 days for Windows 2003 SP1, 60 days for Windows 2000 and Windows
> 2003 gold). In addition, there are several reasons why such a plan is
> problematic and best avoided if at all possible. The FSMO roles will be
> inaccessible between the disconnected sites for one thing, and if you are a
> security conscious site then any account disabling or locking out at one
> site will not take effect at the other site.
> AD was not designed for such a deployment scenario and you should try to
> avoid it if you can.

Everything Simon said, and...

Don't even get CLOSE to "tombstone lifetime" since it is a
hard interval.

You will lose cross subnet browsing if the "site" without
the PDC Emulator has more than one subnet (or more than
one domain but this doesn't sound like your case.)

You may have trouble replicating when you do hook up
due to time drift unless you independently set the time on
the DCs (not hard to do, but easy to overlook -- limit is
5 minutes difference which is usually maintained automatically.)

You should probably consider at least a weekly dial up.

You can even set the replication interval so the two DCs (sets of
DCs) will not consider that abnormal.
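The three checks the two replies above boil down to (how far the cut-off DC is from the tombstone lifetime, per partition and partner; and whether its clock is still inside the 5-minute Kerberos tolerance) as an added PowerShell example. This is not code from the thread; it assumes the RSAT ActiveDirectory module on the machine running it, and the DC names DC1/DC2 in corp.example are placeholders. The 60/180-day defaults and the 5-minute figure are the ones stated in the posts.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is installed, and the DC names below are placeholders.
Import-Module ActiveDirectory

function Test-DisconnectedDc {
    param(
        [string]$RemoteDc = 'DC2.corp.example',   # assumed: DC at the cut-off site
        [string]$MainDc   = 'DC1.corp.example',   # assumed: DC at the main site
        [int]$MaxSkewMinutes = 5                  # Kerberos default clock tolerance
    )

    # 1. Tombstone lifetime is forest-wide, held on the Directory Service object
    #    in the configuration partition. When the attribute is absent the forest
    #    keeps the default it was created with: 60 days (Windows 2000 / 2003 RTM)
    #    or 180 days (forests created on 2003 SP1 or later).
    $rootDse = Get-ADRootDSE -Server $MainDc
    $dsDn = 'CN=Directory Service,CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
    $ds = Get-ADObject -Server $MainDc -Identity $dsDn -Properties tombstoneLifetime
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    Write-Output "Tombstone lifetime: $tsl days (attribute absent => 60-day default assumed)"

    # 2. Replication metadata for every partner/partition pair on the remote DC.
    #    A partition that goes longer than the tombstone lifetime without a
    #    successful replication makes the DC refuse inbound replication
    #    (lingering-object protection), after which it has to be rebuilt,
    #    so report the remaining margin rather than just the last date.
    $meta = Get-ADReplicationPartnerMetadata -Target $RemoteDc -Scope Server -PartnerType Both
    foreach ($m in $meta) {
        $last = $m.LastReplicationSuccess
        if ($last -lt [datetime]'1900-01-01') {     # 1601 timestamp = never synced
            Write-Output ("{0} {1} {2}: never replicated" -f $m.PartnerType, $m.Partner, $m.Partition)
            continue
        }
        $ageDays = [math]::Round(((Get-Date) - $last).TotalDays, 1)
        $left = $tsl - $ageDays
        $state = if ($left -le 0) { 'PAST TOMBSTONE LIFETIME' }
                 elseif ($left -lt 7) { 'CRITICAL' }
                 else { 'ok' }
        Write-Output ("{0} {1} {2}: last success {3:u}, {4} days ago, {5} days left [{6}]" -f
            $m.PartnerType, $m.Partner, $m.Partition, $last, $ageDays, $left, $state)
    }

    # 3. Clock offset of the remote DC relative to the machine running this
    #    script (run it from the main site). Replication authenticates with
    #    Kerberos, which rejects tickets once clocks differ by more than the
    #    tolerance, so a drifted DC fails to replicate on reconnect even when it
    #    is well inside the tombstone lifetime. w32tm sample lines look like
    #    "13:58:34, +00.0234567s"; error lines carry no offset and are skipped.
    $lines = & w32tm /stripchart /computer:$RemoteDc /samples:3 /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-][\d.]+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        Write-Output "Clock check: $RemoteDc did not answer NTP (offline or filtered)"
    } else {
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
        $skewState = if ($worst -gt ($MaxSkewMinutes * 60)) { 'EXCEEDS Kerberos tolerance' } else { 'ok' }
        Write-Output ("Clock offset vs {0}: {1:N1} s [{2}]" -f $RemoteDc, $worst, $skewState)
    }
}

Test-DisconnectedDc
```

Run it from a main-site machine once the link (or the dial-up window) is up, since steps 2 and 3 need LDAP and NTP reachability to the remote DC. If any partition reports the lifetime as passed, do not let that DC replicate; the safe path is to remove it and promote a fresh one, which is the "hard interval" the reply warns about.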
 

jrs

Thanks for all your insight.
I did not think I could do it, but I did not have the info to go to
management and tell them it's not going to work.
Thanks again.
 
Guest

"JRS" <jonathan.stephens@ngc.com> wrote in message
news:1115641602.478917.64530@z14g2000cwz.googlegroups.com...
> Thanks for all your insight.
> I did not think I could do it, but I did not have the info to go to
> management and tell them it's not going to work.

Well, you 'can' do it for a while OR (better) if you let them
talk once or twice a week.

Unless the AD changes are very large, you can do that
occasional contact over a dial-up line. Even adding 100
users is likely around 400 KB.

Dial modems can handle that if the line is reasonably clean
and you work to make sure the line is up when the DCs try
to talk -- also this is one of the cases where the "mutual
replication" (registry) flag is useful.

Normally replication is one way (performed by each side
separately) but with the mutual flag set, then when one calls
the other DC they both get their changes.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
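The topology the reply above sketches (two sites, a scheduled weekly contact window, both directions pulled on one call), as an added PowerShell example that is not from the thread. Site names, subnet ranges and DC names are assumptions. The schedule and interval are set on the site link object, and the two-way pull is enabled through the site link's options bitmask (bit 0x2, two-way sync), which is where current Active Directory exposes it; that is taken here as what the post calls the mutual replication flag.

```powershell
# Added example, not from the original thread. Site names, subnets and DC
# names are assumptions; run on a main-site machine with the AD module (RSAT).
using namespace System.DirectoryServices.ActiveDirectory
Import-Module ActiveDirectory

# Two sites, each with its subnet, so clients and the KCC know where each DC lives.
New-ADReplicationSite -Name 'MainSite'
New-ADReplicationSite -Name 'RemoteSite'
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'MainSite'    # assumed range
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'RemoteSite'  # assumed range

# Availability schedule for the link: Sundays 02:00-04:00 only, the window in
# which the dial-up line is brought up. Outside it the KCC-built connections
# stay idle, so no contact during the rest of the week is expected, not an error.
$sched = New-Object ActiveDirectorySchedule
$sched.ResetSchedule()
$sched.SetSchedule([DayOfWeek]::Sunday,
                   [HourOfDay]::Two,  [MinuteOfHour]::Zero,
                   [HourOfDay]::Four, [MinuteOfHour]::Zero)

# Weekly interval (10080 minutes is the largest value AD accepts) over the IP
# transport, with the schedule attached. Cost is arbitrary with a single link.
New-ADReplicationSiteLink -Name 'Main-Remote' -SitesIncluded 'MainSite','RemoteSite' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 10080 `
    -ReplicationSchedule $sched

# Two-way sync: when the scheduled pull is made in one direction, the partner
# is asked to pull the opposite direction as well, so one dial-up session
# carries both sets of changes. Stored in the siteLink 'options' bitmask, bit 0x2.
$link = Get-ADReplicationSiteLink -Identity 'Main-Remote' -Properties options
$opts = if ($link.options) { [int]$link.options } else { 0 }
Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = ($opts -bor 0x2) }

# Put each DC's server object in its site (the first DC of a new forest starts
# in Default-First-Site-Name), then let the KCC rebuild the connection objects
# and confirm the remote DC sees a partner over the new link.
Move-ADDirectoryServer -Identity 'DC1' -Site 'MainSite'     # assumed DC names
Move-ADDirectoryServer -Identity 'DC2' -Site 'RemoteSite'
repadmin /kcc DC2
repadmin /showrepl DC2
```

The schedule only governs when the KCC-generated connections are allowed to replicate; the line still has to be up during that window, which is the part the reply says takes deliberate effort. Clock skew between the sites must stay under the Kerberos tolerance across the whole week for the Sunday session to authenticate.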
 
