Active Directory disaster recovery: Top remote uses

Active Directory can be an effective medium for remote disaster recovery. These guidelines will help your organization replicate an AD database to a remote location.

Disaster recovery as a service has become a hot topic in recent years, but some organizations use a secondary data center or public cloud provider such as Microsoft Azure or Amazon Web Services for remote disaster recovery. However, an organization must determine how it will handle replication, failover and operations at the off-site location. One of the most effective approaches is to structure Active Directory disaster recovery for remote support.

The primary challenge with remote disaster recovery is ensuring workloads can access the resources they need to function. You can't simply replicate a few virtual machines to a remote location and then power them up in the event of a primary data center failure. The VMs need to access resources such as a location-appropriate IP address, a domain controller and domain name system services.

When it comes to structuring Active Directory disaster recovery resources, the goal is to replicate the Active Directory database to a remote location. The method to accomplish this depends on whether the remote site exists within the public cloud or a standard data center.

Active Directory disaster recovery in the public cloud

If the remote site exists in the public cloud, you could theoretically create virtualized domain controllers in the cloud and configure them to act as part of an existing Active Directory domain. If your goal is to enable a data center-level failover, you will need to create cloud-based domain controllers for each domain in the forest.

Running virtualized domain controllers in the cloud works, but major cloud providers such as Amazon and Microsoft encourage customers to use a dedicated directory service as opposed to a series of virtualized domain controllers. Microsoft, for example, allows customers to use Azure Active Directory as a cloud-based directory, as shown in the figure below. A tool called Azure AD Connect allows Active Directory data, such as user identities, to be synchronized to Azure AD.

[Figure: Microsoft Azure AD Connect] Microsoft Azure has its own directory.

While functionality should always be the primary concern, organizations also need to consider cost. Azure AD is free -- although there is a charge for Azure AD Premium -- while Microsoft charges customers for each Azure VM in use with cloud-based virtualized domain controllers.

Active Directory disaster recovery in a remote data center

What if an organization wants to fail workloads to an alternate data center? Assuming connectivity exists between the two data centers, it is possible to extend the Active Directory to a remote location. The trick is to take advantage of Active Directory sites. 

Since the release of Windows 2000, Windows Server has used a multi-master replication model. This means every domain controller is writable unless it has been designated by the administrator as a read-only domain controller. When data is written to a domain controller, that domain controller generally replicates the change to all the other domain controllers.

Active Directory sites bring location awareness to the environment. For example, let's say you had two data centers, each with 10 domain controllers. If a domain controller in Data Center A were updated with new data, you probably wouldn't want that domain controller to push updates to each of the 10 domain controllers in Data Center B. Doing so would be inefficient and waste bandwidth.

The solution is to use the Active Directory Sites and Services console to give Data Center A and Data Center B their own IP address range and a bridgehead domain controller responsible for sending and receiving updates on behalf of each site. This allows the bridgehead server in Data Center A to update the bridgehead server in Data Center B. The server in Data Center B can then push the updates to all its domain controllers, rather than having a domain controller in Data Center A individually update all the controllers in Data Center B. 
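As an added example that is not part of the original article, the following PowerShell builds the two-site topology described above with the ActiveDirectory module instead of the Sites and Services console, moves the domain controllers into their sites, and then checks that inter-site replication is actually flowing. The site names, subnet ranges and domain controller names are assumptions chosen for illustration; replace them with your own.

```powershell
# Added example, not from the article. Requires the RSAT ActiveDirectory
# module and rights to write the Configuration partition (Enterprise Admins
# by default), because site, subnet and site-link objects live there.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# --- Assumed values: rename for your environment ---
$SiteA    = 'DataCenterA'
$SiteB    = 'DataCenterB'
$SubnetA  = '10.1.0.0/16'              # assumed primary data center range
$SubnetB  = '10.2.0.0/16'              # assumed DR data center range
$DCsInA   = @('DCA-01', 'DCA-02')      # assumed domain controllers in site A
$DCsInB   = @('DCB-01', 'DCB-02')      # assumed domain controllers in site B
$LinkName = "$SiteA-$SiteB"

# 1. One site per data center. New DCs land in Default-First-Site-Name
#    unless their subnet is mapped, so create the sites first.
foreach ($site in $SiteA, $SiteB) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# 2. Map each data center's IP range to its site. DC locator uses these
#    subnet objects, so a client or DC on an unmapped subnet is not
#    site-aware and may authenticate across the WAN.
New-ADReplicationSubnet -Name $SubnetA -Site $SiteA -Location 'Primary data center (assumed)'
New-ADReplicationSubnet -Name $SubnetB -Site $SiteB -Location 'DR data center (assumed)'

# 3. A site link over the IP transport connects the two sites. Inter-site
#    replication is compressed and runs on this schedule, unlike the
#    near-immediate replication between DCs inside one site.
New-ADReplicationSiteLink -Name $LinkName `
    -SitesIncluded $SiteA, $SiteB `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15 `
    -InterSiteTransportProtocol IP

# 4. Move the DC server objects into their sites. The KCC/ISTG in each
#    site then picks a bridgehead automatically; a preferred bridgehead
#    can be set later in Sites and Services but is optional.
foreach ($dc in $DCsInA) { Move-ADDirectoryServer -Identity $dc -Site $SiteA }
foreach ($dc in $DCsInB) { Move-ADDirectoryServer -Identity $dc -Site $SiteB }

# 5. Verify: every DC should report the expected site.
foreach ($dc in $DCsInA + $DCsInB) {
    Get-ADDomainController -Identity $dc | Select-Object Name, Site
}

# 6. Verify: which servers the ISTG chose as bridgeheads, and whether the
#    last replication attempt with each partner succeeded (result 0).
repadmin /bridgeheads
foreach ($dc in $DCsInA + $DCsInB) {
    Get-ADReplicationPartnerMetadata -Target $dc -Scope Server |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult
    Get-ADReplicationFailure -Target $dc
}
```

Run the script from a management host in the primary site. Steps 5 and 6 are the part worth repeating on a schedule: a DR site whose domain controllers have quietly stopped replicating will fail over to stale credentials and group memberships, and `LastReplicationResult` non-zero or any row from `Get-ADReplicationFailure` is the earliest signal of that.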

[Figure: Active Directory Sites and Services] The Active Directory Sites and Services console is used to construct site topology.

From a DR perspective, segmenting the data centers into Active Directory sites makes a lot of sense. It becomes easier to make each site self-sufficient and allows data replication between the two sites, which is exactly what is needed for Active Directory disaster recovery.
