Offline Domain Controller - Security Strategy


Wanted to start a discussion and pick thoughts on an old strategy of keeping a domain controller offline (disconnected from network or turned off) for 2-4 weeks as a backup apart from taking daily backups. Some choose delayed replication but it has its own drawbacks. What do you think?

1 Reply



Not something I'd consider - especially in larger environments.


If I look at it from a data loss perspective, I'd be looking to the AD Recycle Bin in the first instance.


If it's serious data loss, destructive service configuration or security compromise, the primary point of reference is still going to be a known good back-up coupled with an authoritative restoration (plus some other actions in the compromise scenario), to which the "offline" domain controller doesn't bring any real value.


On compromises, given how hard it can be to actually detect them in the first place, you also run the very real risk that the "offline" domain controller only captures the issue, preserves it and re-introduces it once reconnected to the forest (you'd have to have seriously bad luck for this to transpire, but it's possible).


On the "not serious" level, you could also run into replication conflicts, but that's probably not worth speaking to (as it's not that likely) when measuring against the big ticket considerations.


Unless the back-ups routinely fail ten to twenty days in a row, I can't see the benefit (again, for large environments).


On smaller environments, there's some technical merit but I haven't come across anyone (large or small) in recent times that would accept an RPO of ten to twenty working days. So, there's that business element to consider, too.
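The checks the reply leans on, as an added example that is not part of the thread and not anything either poster wrote: confirm the AD Recycle Bin is enabled, find and restore a deleted object, and, for the "offline DC" idea, compare how long the DC sat offline against the forest tombstone lifetime before it is allowed to replicate again. The forest name contoso.com, the user jdoe, the domain controllers DC01 (online) and DC02 (the one kept offline), and the 21-day offline period are assumed values for illustration; the RSAT ActiveDirectory module is required.

```powershell
# Added example (not from the thread). Assumed names: forest contoso.com, deleted
# user 'jdoe', live DC 'DC01', offline DC 'DC02', 21 days offline.
Import-Module ActiveDirectory

function Test-ADRecycleBin {
    # $true when the optional feature has at least one enabled scope in the forest.
    # Restore-ADObject only brings back full attributes for objects deleted AFTER
    # the feature was enabled; earlier deletions survive only as stripped tombstones.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return [bool]($feature.EnabledScopes.Count -gt 0)
}

function Find-DeletedADObject {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Deleted objects are filtered out of normal searches unless -IncludeDeletedObjects
    # is given; lastKnownParent tells you where Restore-ADObject will put it back.
    Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectGUID
}

function Restore-DeletedADObject {
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string]$TargetPath   # optional: restore somewhere other than lastKnownParent
    )
    if ($TargetPath) { Restore-ADObject -Identity $ObjectGuid -TargetPath $TargetPath }
    else             { Restore-ADObject -Identity $ObjectGuid }
}

function Get-ADTombstoneLifetimeDays {
    # The forest-wide value lives on the Directory Service object in the config NC.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60   # attribute unset: the forest is using the legacy 60-day default
}

function Test-OfflineDCSafeToReconnect {
    param(
        [Parameter(Mandatory)][string]$OfflineDC,
        [Parameter(Mandatory)][string]$LiveDC,
        [Parameter(Mandatory)][int]$DaysOffline
    )
    # A DC that has been offline longer than the tombstone lifetime can reintroduce
    # objects that were deleted everywhere else (lingering objects). Ask a LIVE DC
    # for its view of the offline partner so nothing has to be powered on to check.
    $tsl  = Get-ADTombstoneLifetimeDays
    $meta = Get-ADReplicationPartnerMetadata -Target $LiveDC -PartnerType Both -ErrorAction SilentlyContinue |
        Where-Object { $_.Partner -like "*CN=$OfflineDC,*" } |
        Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1

    [pscustomobject]@{
        OfflineDC               = $OfflineDC
        DaysOffline             = $DaysOffline
        TombstoneLifetimeDays   = $tsl
        WithinTombstoneLifetime = ($DaysOffline -lt $tsl)
        LastReplicationSuccess  = $meta.LastReplicationSuccess
    }
}

# Usage with the assumed names:
if (-not (Test-ADRecycleBin)) {
    Write-Warning 'AD Recycle Bin is not enabled; only tombstone-level recovery is possible'
}
$deleted = Find-DeletedADObject -SamAccountName 'jdoe'
if ($deleted) { Restore-DeletedADObject -ObjectGuid $deleted.objectGUID }

Test-OfflineDCSafeToReconnect -OfflineDC 'DC02' -LiveDC 'DC01' -DaysOffline 21
```

The last call is the check a practitioner would want before plugging the "offline" DC back in: if WithinTombstoneLifetime comes back false, the safe path is to demote or rebuild that DC rather than let it replicate. Even when it is within the lifetime, the reply's point stands that reconnecting it does nothing to verify the directory it carries is clean; a known-good backup and an authoritative restore remain the reference for the serious cases.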