
I'm trying to back up my local DC to AWS for DR. When running locally, a system state backup and a restore through DSRM works fine. Unfortunately, a server in DSRM fails to boot in AWS (a situation that looks unlikely to resolve), so I'm looking for other options.

My understanding of Active Directory is pretty minimal, as I'm a software developer by trade. I've seen many suggestions for just making another replicated mirror in AWS. My problem there is I have to keep two instances (DC and gateway/VPN) and a VPN running constantly for that to work, as opposed to just consuming a small slice of S3. Unless there's a way for AD replication to run with an extremely intermittent network connection, I don't think that's going to work for me.

Another option I've seen is IFM, making custom installation media for the remote site that contains the AD database. Everything I've read there says there has to be another DC for that domain visible before it can be added as part of that domain. That isn't possible considering this is for DR. The local office may be unavailable.

So I'm looking for some way to make a backup of the AD database and restore it to a new or existing server in isolation from any other DCs without using DSRM. Is that possible?

icrf
  • "Unless there's a way for AD replication to run with an extremely intermittent network connection, I don't think that's going to work for me." - SMTP transport? – Mathias R. Jessen Jul 14 '14 at 15:51
  • I'm curious as to the reason for not having a remote domain controller. Is it just the (small) cost of having two compute instances up and running at a cloud provider? For DR purposes they really wouldn't need to be powerful. Also, any reason for using AWS specifically? What is your RTO? – phoebus Jul 14 '14 at 20:30
  • I work at a pretty small company, less than 25 employees, and we're trying to keep recurring costs as low as possible. RTO is pretty long, at least several hours. We have two ESX hosts and a DC running on each in the local office, so this is really only for a case where the whole local office is down. We run our website DR in AWS, and that's where I've spent the time to learn their VPC. Other servers are being backed up there, too. I realized too late that they couldn't restore AD. I saw no reason to suspect they couldn't. – icrf Jul 15 '14 at 13:49

1 Answer


Since I couldn't find any good options (SMTP seems strange, looked down upon and never used), I ended up going with an always-on reserved t2.micro instance, which gets me under $10 a month. It connects back to the office via the VPN set up for remote employees and is just a simple replication target in a new site. It's cheap enough to work, and sits idle enough that the t2.micro instance works well with a maxed out compute quota banked. If I let AWS give it an external IP but then lock down access to just the office, I can get away without running the gateway, whose job was primarily NAT.

icrf
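The answer above settles on a small always-on DC in AWS that is "a simple replication target in a new site" reached over the office VPN. The following PowerShell is an added example of how that site topology is typically defined from an existing office DC; it is not code from the question or answer author. The site name `AWS-DR`, the VPC subnet `10.50.0.0/24`, the office site name `Default-First-Site-Name`, the site-link name and the 60-minute interval are all assumptions to be replaced with your own values.

```powershell
# Added example, not from the original post. Defines a separate AD site for a
# low-cost DR domain controller in AWS, maps the VPC subnet to it, and links it
# to the office site over the VPN. Run from an existing office DC (or a host with
# RSAT) as a member of Enterprise Admins.
Import-Module ActiveDirectory

$awsSite    = 'AWS-DR'                   # assumed name of the DR site
$awsSubnet  = '10.50.0.0/24'             # assumed VPC subnet holding the DR DC
$officeSite = 'Default-First-Site-Name'  # assumed name of the existing office site
$linkName   = 'Office-AWS-DR'            # assumed site-link name

# 1. A dedicated site keeps office clients from preferring the DR DC for
#    logons; only hosts in the AWS subnet will be assigned to it.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$awsSite'")) {
    New-ADReplicationSite -Name $awsSite
}

# 2. Map the VPC subnet to the new site so the promoted DC lands in it.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$awsSubnet'")) {
    New-ADReplicationSubnet -Name $awsSubnet -Site $awsSite
}

# 3. IP site link over the VPN. A high cost and a long interval keep tunnel
#    traffic minimal, which suits an idle instance; tighten later if RPO demands.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded $officeSite, $awsSite `
        -Cost 200 `
        -ReplicationFrequencyInMinutes 60 `
        -InterSiteTransportProtocol IP
}

# Health check to run once the DR DC has been promoted: one row per inbound
# partner with the time of the last successful sync and the last result code
# (0 means the last attempt succeeded).
function Test-DrReplication {
    param([Parameter(Mandatory)][string]$DcName)   # e.g. the DR DC's hostname
    Get-ADReplicationPartnerMetadata -Target $DcName -Scope Server |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult
}
```

Two points a practitioner would want alongside this. First, the answer's plan of giving the instance a public IP "but then lock down access to just the office" is the part that carries the risk: a DC exposes LDAP, Kerberos, SMB and RPC, so the security group must admit those ports only from the office's fixed VPN endpoint, and `Test-DrReplication` (or `repadmin /showrepl`) should be scheduled so a silently broken tunnel is noticed before the DR DC's copy of the database goes stale past the tombstone lifetime. Second, on the SMTP transport raised in the comments: inter-site SMTP replication carries only the schema, configuration and application partitions, not the domain partition, so it would not have given the poster a usable DR copy of the domain in any case.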