I had a DR question that I'm pretty confident someone here could
answer for me, and it would be much appreciated!

My company has 3 sites; for the sake of this post I will call them HQ,
DR-Site1, and DR-Site2. Our HQ site has 3 domain controllers, and each
DR-Site has a single domain controller. During our DR exercises, which
occur twice a year, we sever the connection to our HQ site and rely
only on the DCs and resources that we restore from backup at each of the
DR-Sites.

Because of the large number of server restores we do, along with the
fact that they are restored to different subnets, we find ourselves making
a lot of changes to DNS records, WINS records, and computer accounts
on the DCs at the DR-Sites.

During these exercises, our HQ site continues normal business and the
domain controllers here remain in production. They complain about no
longer seeing/replicating with the DCs at the DR-Sites, but it does
not impact production resources. At the conclusion of the exercises,
our current method of getting everything back to normal is to perform
metadata cleanup at the HQ site, blow away the DCs at the DR-Sites,
and then rebuild/re-promote those DCs to get them back on the
production network.

While the metadata cleanup process isn't all that tedious, I've been
wondering if another procedure might be less time consuming:

Prior to the start of the DRE, take System State backups of the DCs
at the DR-Sites. At the conclusion of the DRE, rather than doing metadata
cleanup/rebuilds, couldn't we just use those System State backups and
perform non-authoritative restores on the DR-Site domain controllers?
If I understand correctly, the non-authoritative restores would tell
the DR domain controllers that *their* AD data is incorrect/out-of-date
and to replace it with the data from the production DCs. Is my
logic here correct? Or should I just stick with the current method?

Many thanks in advance!
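As an added example that is not part of the original post: a PowerShell check for the two things a practitioner would verify around the proposed non-authoritative restore, namely that the pre-DRE System State backup is still younger than the forest's tombstone lifetime before it is restored, and that the restored DR-Site DC is again replicating inbound from the HQ DCs afterwards. It assumes the ActiveDirectory RSAT module and Windows Server Backup (wbadmin) are installed on the DR-Site DC; the backup target path and the function names are placeholders, not from the post.

```powershell
# Added example, not from the original post. Run on a DR-Site DC.
# Assumes the ActiveDirectory module (RSAT) and Windows Server Backup (wbadmin).
Import-Module ActiveDirectory

# Before restoring: a non-authoritative restore is only safe if the backup is
# younger than the forest tombstone lifetime; an older backup can resurrect
# objects that were deleted at HQ while the DRE was running.
function Test-SystemStateBackupAge {
    param([string]$BackupTarget)   # e.g. '\\BACKUPSERVER\DCSystemState' (placeholder)

    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $ds    = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties tombstoneLifetime
    $tsl   = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }   # unset attribute means 60 days

    # wbadmin prints one "Backup time: <date>" line per version; date parsing follows the host locale
    $out   = wbadmin get versions -backupTarget:$BackupTarget 2>&1 | Out-String
    $times = [regex]::Matches($out, 'Backup time:\s+(.+)') | ForEach-Object { [datetime]$_.Groups[1].Value.Trim() }
    if (-not $times) { throw "No System State backups found at $BackupTarget" }

    $newest  = $times | Sort-Object -Descending | Select-Object -First 1
    $ageDays = ((Get-Date) - $newest).TotalDays
    Write-Host ("Newest backup is {0:N0} days old; tombstone lifetime is {1} days" -f $ageDays, $tsl)
    return ($ageDays -lt $tsl)
}

# After the restore and reboot: confirm the DC has pulled current data from HQ.
function Test-InboundReplication {
    $me = $env:COMPUTERNAME
    repadmin /syncall $me /Aed | Out-Null        # pull all partitions from every partner

    $meta = Get-ADReplicationPartnerMetadata -Target $me -Scope Server -Partition *
    $meta | Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize

    # Any partner still reporting a non-zero result or consecutive failures means
    # the DC is not yet back in sync and the rebuild path may still be required.
    $bad = $meta | Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 }
    return ($bad.Count -eq 0)
}
```

Run Test-SystemStateBackupAge before booting into DSRM for the restore, and Test-InboundReplication once the DC is back on the production network; a false result from either is the signal to fall back to the metadata cleanup and re-promote procedure.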