4

On my VMware ESXi environment there are 10 VMs running. One of the VMs is the domain controller (Windows Server 2008 R2). The other VMs are configured with a static DHCP and DNS IP address in their network settings.

How long is the downtime limit of my domain controller?

Peter Mortensen
MaxMix
  • 1
    I have a domain controller on AWS that I use for my home domain. Not only do I keep it off for months, but I recreate it every time it starts. I keep an image of the server on S3, and AD's critical files on a small EBS volume. I've had this for over a year, and have not had a problem. – Edwin Mar 02 '14 at 01:41
  • 1
    @Edwin And if that works fine for your use-case, good for you. That's not something that any professional I know would use at a business. – mfinni Mar 06 '14 at 19:41
  • 1
    @mfinni, you hang in your own circles and have a limited perspective as to what AD can be used for. – Edwin Mar 06 '14 at 21:07
  • 1
    Edwin - have you used this approach at a business? – mfinni Mar 06 '14 at 21:09

1 Answer

13

If it is the only DC, there is no limit since it has no replication partners. If there is more than one, other DCs will refuse replication from it after it has been offline longer than the tombstone lifetime, which is 180 days by default.

MDMarra
  • But if the DC is down and I want to join a server or a computer to the domain, then the DC has to be online. Otherwise this is not possible. Is that right? – MaxMix Mar 02 '14 at 01:46
  • 4
    That is correct. If you only have one DC and it is down, directory services obviously doesn't function. You should **never** have only one DC. – MDMarra Mar 02 '14 at 01:48
  • @MDMarra be careful with the bolded nevers. It's working well for me! – Edwin Mar 02 '14 at 06:26
  • 4
    @Edwin it works well enough, for as long as it works. That's why you ***never*** use just one. – Falcon Momot Mar 02 '14 at 06:31
  • @mdmarra, your definition of "one" does not apply with virtualized snapshots. In the world of virtualization, if you don't need guaranteed uptime, you don't need to have multiple DCs. For reliability, multiple VM snapshots and backups are more reliable than multiple servers. – Edwin Mar 02 '14 at 06:45
  • 1
    @edwin you appear to have a strange definition of "reliability". Only having one DC is **never** a reliable situation for a production network. – Rob Moir Mar 02 '14 at 12:35
  • 2
    @Edwin I hope you're referring to your home network here. A single DC in a professional environment is asking for trouble. – MDMarra Mar 02 '14 at 12:37
  • @RobM, with respect, you've offered nothing to back that up. You guys just keep repeating *never*, like The Raven. If you have a single domain controller with snapshots and backups, and you don't need to be up 80% of the time, there's no reason to have more than one DC. The worst that can happen is you have to restore a previous version of the server. – Edwin Mar 02 '14 at 22:53
  • No, the worst thing is that you no longer have internal DNS resolution, so none of your users can get to any websites or internal services. Snapshots are also not meant to be used as a long-term checkpoint. Each snapshot exponentially reduces storage performance. Also, you've apparently never had a failed snapshot merge before, or a failed restore from backup. And your "Worst case, you have to restore a previous version of the server" is nuts. Maybe you don't need more than one for 5 users, but snapshots and backups are not a replacement for proper HA when you're talking directory services. – MDMarra Mar 02 '14 at 23:02
  • Really, it's trivial to install and configure a second DC that is also a secondary DNS server. There is 0-second failover for directory services when properly configured with more than one DC. It's *so easy* to configure a second DC. Note that this is not a replacement for backups. This is *in addition* to backups. But again, it's so easy to configure and provides such a benefit that it really is wrong in almost all cases to not have at least two. (Test labs and home environments obviously don't apply. We're talking about businesses) – MDMarra Mar 02 '14 at 23:04
  • And finally `"and if you don't need to be up 80% of the time"`. What business on the planet is OK with being down 20% of the time or more? That's crazy talk. Lab environments with 80% availability are one thing, but that's a **very** low uptime value for businesses. – MDMarra Mar 02 '14 at 23:06
  • I am quite baffled by this answer, and most of all by so many upvotes! I totally disagree with it and it is totally unconscious: are you telling us that we can all shut down our DCs? The first hole in your answer appears at the first question from the OP, where you say `directory services obviously doesn't function`. So why set up an Active Directory domain and not use directory services? Your answer is dangerous. Your point about replication partners is right, but what about the AD clients? +13 should be -13 – krisFR Mar 02 '14 at 23:42
  • @user2196728 The OP asked what the "downtime limit" of a domain controller is. "Downtime limit" isn't a thing, so I took it to mean "How long can I have a domain controller offline before I can power it back on and have it not be a functional domain controller anymore". I feel this is a reasonable assumption, since the other thing that it could mean is "How long is the maximum possible time that I can have a DC be down and have my business still operate." The second option is something only his business can answer. I, obviously, answered the first interpretation. Not sure what your problem is? – MDMarra Mar 03 '14 at 00:02
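The check a practitioner would actually run against the answer above: read the forest's effective tombstone lifetime and, for each DC, see how long its partners have gone without a successful replication from it, so you know how much of that window an offline DC has already consumed. This is an added example, not code from the question or the answer. It assumes the ActiveDirectory RSAT module from Windows 8 / Server 2012 or later (which supplies Get-ADReplicationPartnerMetadata), a domain-joined machine with read access to the configuration partition, and DCs running the AD Web Service (2008 R2 and later do). One caveat to the "180 days by default" figure: if the tombstoneLifetime attribute is unset, AD applies 60 days; only forests created on Windows Server 2003 SP1 or later (2008 R2 included) have 180 written explicitly, which is why the script reads the attribute rather than assuming.

```powershell
# Added example; not code from the original question or answer.
# Reports the forest's effective tombstone lifetime and, for every DC, how
# long it is since any partner last replicated successfully from it, i.e.
# how much of the tombstone window it has already used while offline.
# Assumptions: ActiveDirectory RSAT module (Windows 8 / 2012+), domain-joined
# host, DCs running ADWS (2008 R2 and later).
Import-Module ActiveDirectory

# The tombstone lifetime is an attribute on the Directory Service object in
# the configuration partition. Unset means 60 days (forests created before
# Windows Server 2003 SP1); newer forests, 2008 R2 included, carry 180.
$rootDse  = Get-ADRootDSE
$dsObject = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime
$tombstoneDays = if ($null -ne $dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
Write-Host "Effective tombstone lifetime: $tombstoneDays days"

$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) {
    Write-Warning ("Single-DC forest: there are no replication partners, so the tombstone lifetime " +
                   "does not limit its downtime; the directory is simply unavailable while it is off.")
    return
}

# Ask each DC for its inbound partners and the time of the last successful
# replication from each. The newest timestamp recorded for a given partner is
# the last moment that partner was known to be alive.
$lastSeen = @{}
foreach ($dc in $dcs) {
    $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction SilentlyContinue
    foreach ($m in $meta) {
        # Partner is the NTDS Settings DN: CN=NTDS Settings,CN=<DC name>,CN=Servers,...
        $partnerName = (($m.Partner -split ',')[1] -replace '^CN=', '')
        $success = $m.LastReplicationSuccess
        if (-not $lastSeen.ContainsKey($partnerName) -or $success -gt $lastSeen[$partnerName]) {
            $lastSeen[$partnerName] = $success
        }
    }
}

$now = Get-Date
foreach ($dc in $dcs) {
    $name = $dc.Name
    if (-not $lastSeen.ContainsKey($name)) {
        Write-Warning "$name : no partner reports a successful replication from it"
        continue
    }
    $silentDays = [math]::Floor(($now - $lastSeen[$name]).TotalDays)
    $remaining  = $tombstoneDays - $silentDays
    $state = if ($remaining -le 0)       { 'EXCEEDED: partners will refuse replication' }
             elseif ($remaining -le 14)  { 'WARNING' }
             else                        { 'ok' }
    '{0,-20} last replicated from: {1:u}  silent {2,4}d  remaining {3,4}d  {4}' -f `
        $name, $lastSeen[$name], $silentDays, $remaining, $state
}
```

Run it from an admin workstation, not from the DC you suspect has been off. When a DC comes back after the window has passed, its partners log Directory Service event 2042 and stop pulling from it; the safe remedy is to demote it, clean its metadata and promote again rather than forcing replication, since forcing it is how lingering objects get reintroduced.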