Forum Discussion
Offline Domain Controller - Security Strategy
Also interested in thoughts on this, and would also go to the AD Recycle Bin to recover from inadvertent deletions. So what are we protecting against? If a single DC has failed then you would just build a new one and let it sync. So we must be talking about forest-wide AD corruption, and so thinking about an authoritative restore. Now we could do an authoritative restore and let it propagate back to all the existing DCs, but I'd be concerned that the cause of the corruption in the first place was one of those DCs, so it is just going to happen again. The only way to be sure is to remove all the existing DCs, in which case a non-authoritative restore is going to be the starting point, but that is exactly what the offline (and ideally offsite) domain controller is giving you. If the offline DC is compromised with the same malware that caused the issue then likely all the backups are too.

So I guess the question boils down to whether it is easier to do backups and then have to restore, or to go through the faff of reconnecting the offline DC periodically to let it resync and have all the replication monitors always reporting a failure for that DC. I think probably backups, but then I also think that you're probably knackered anyway if you need to use them, in which case why bother? I do think an offsite online DC is an absolute must-have, so all of this assumes we aren't talking single site. Would a two-year-old AD be useful to use as a recovery point (or something likely before the AD was compromised)? Well, maybe it would be better than nothing. Like everything else, you really need to work out what you are hoping to protect against and do your FMEA. I think I've talked myself into monthly backups and absolutely 3-2-1.
ianmidg An offline domain controller is a bad idea, first because Active Directory hasn't been designed for this purpose. When using a hammer on something other than nails, bad things will happen.
You've got the Active Directory Recycle Bin for object recovery. You've got a DRP for disasters. Those are the right tools for recovery needs.
You can't keep a domain controller offline for too long - the tombstone lifetime will kick in. Restoring an offline DC within the tombstone lifetime will still cause tons of issues - GPOs, accounts, passwords, tickets, etc., not counting issues during normal operations, precisely because it's offline.
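The two posts above turn on the same numbers: the forest's tombstone lifetime, and how long each DC has gone without a successful inbound replication. The following PowerShell is an added example, not code from either poster, showing how to read both so that a DC kept offline (or one that has silently stopped replicating) is spotted before it passes the tombstone lifetime, and to confirm the AD Recycle Bin is actually enabled before relying on it. It assumes the RSAT ActiveDirectory module, an account that can read the configuration partition and reach every DC, and a warning threshold of half the tombstone lifetime; the threshold and the function names are this example's own choices.

```powershell
# Added example: tombstone lifetime vs. replication staleness per DC, plus a Recycle Bin check.
# Assumes RSAT ActiveDirectory module and read access to the configuration naming context.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # The effective tombstone lifetime lives on the Directory Service object in the config NC.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    # If the attribute is not set (forests created before Windows Server 2003 SP1), the default is 60 days.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Test-ADRecycleBinEnabled {
    # EnabledScopes is empty until the optional feature has been enabled for the forest.
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    return ($null -ne $feature -and $feature.EnabledScopes.Count -gt 0)
}

function Get-StaleReplicationReport {
    param(
        # Assumed threshold: warn once a partner has gone half the tombstone lifetime without replicating.
        [int]$WarnAtPercent = 50
    )
    $tsl = Get-TombstoneLifetimeDays
    $now = Get-Date

    Get-ADDomainController -Filter * | ForEach-Object {
        $dc = $_
        try {
            # Inbound partner metadata as seen from this DC. An offline partner shows up here
            # as a row whose LastReplicationSuccess keeps ageing.
            Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop |
            ForEach-Object {
                $ageDays = if ($_.LastReplicationSuccess) {
                    ($now - $_.LastReplicationSuccess).TotalDays
                } else {
                    [double]::PositiveInfinity
                }
                [pscustomobject]@{
                    DC                    = $dc.HostName
                    Partner               = $_.Partner
                    Partition             = $_.Partition
                    LastSuccess           = $_.LastReplicationSuccess
                    DaysSinceSuccess      = [math]::Round($ageDays, 1)
                    ConsecutiveFailures   = $_.ConsecutiveReplicationFailures
                    TombstoneLifetimeDays = $tsl
                    Status                = if ($ageDays -ge $tsl) { 'PAST TOMBSTONE LIFETIME' }
                                            elseif ($ageDays -ge $tsl * $WarnAtPercent / 100) { 'WARN' }
                                            else { 'OK' }
                }
            }
        } catch {
            # The offline DC itself cannot be queried at all; report that rather than skipping it.
            [pscustomobject]@{
                DC                    = $dc.HostName
                Partner               = $null
                Partition             = $null
                LastSuccess           = $null
                DaysSinceSuccess      = $null
                ConsecutiveFailures   = $null
                TombstoneLifetimeDays = $tsl
                Status                = "UNREACHABLE: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: worst partners first, then whether object-level undelete is even an option.
Get-StaleReplicationReport | Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize
"AD Recycle Bin enabled: $(Test-ADRecycleBinEnabled)"
```

Two things worth noting when reading the output. A DC that has been deliberately kept offline appears twice: as an UNREACHABLE row for itself, and as an ageing WARN or PAST row on every partner that still expects to pull from it, which is the "replication monitors always reporting a failure" noise the first post describes. And a DC whose DaysSinceSuccess exceeds the tombstone lifetime should not simply be reconnected; once past that point it can reintroduce objects the rest of the forest has already purged, so the safe path is to demote or rebuild it.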
- ianmidg, Dec 12, 2022, Copper Contributor
Alban1998 - can you cite something from Microsoft that states it is a bad idea? The fact that tombstones last for 180 days suggests AD has been designed to accommodate DCs being offline for more than a week or so. Were you involved in the original design? I'm trying to work out whether this is your personal opinion or something that can be backed up with best practice from Microsoft.
- Alban1998, Dec 12, 2022, Iron Contributor
ianmidg This is my personal opinion after 12+ years of practice. But that doesn't mean it's based on thin air either.
You're welcome to read the Microsoft documentation, the MS Directory Services (aka AskDS) blog, or even consult a Microsoft PFE about it (I did all of that). There is a lot of official guidance and best practice on Active Directory resiliency.
And no, the tombstone wasn't created as a recovery tool (and wasn't always 180 days, btw), and neither were additional domain controllers (which improve resiliency, but do not replace a DRP).
You are trying to fit a 20-year-old design to your idea to make your point - but it doesn't work like that.
Nobody does what you are trying to do. There are reasons for it. One of them is that an offline domain controller is a management/security/day-to-day operations nightmare.
- ianmidg, Dec 12, 2022, Copper Contributor
Lol - we can all quote our experience. I have 22+ years of practice, started with NT 3.5 and got my MCSE+I in 1999. I was interested in whether there were any real reasons for not doing what the OP suggested, not just opinions. It isn't my idea or my point. You have no idea whether I am advocating this or not, but it would be useful to get some objective reasons so that other people finding this could be better educated, rather than just waving our hands in the air and making claims without pointing to documentation. I would also suggest that you have no idea what tombstones were created for, as you weren't on the original design team (and nor was I). I prefer backups for a number of reasons, but the idea of an offline DC is worth investigating, much like an offline root CA, which I guess would also come under your management/security operations nightmare heading.