Forum Discussion
Offline Domain Controller - Security Strategy
ianmidg An offline domain controller is a bad idea, first because Active Directory hasn't been designed for this purpose. When using a hammer on something else than nails, bad things will happen.
You got Active Directory Recycle Bin for objects recovery. You got DRP for disasters. Those are the right tools for recovery needs.
You can't keep a domain controller offline for too long - tombstone will kick in. Restoring an offline DC within tombstone will still cause tons of issues - GPO, accounts, passwords, tickets etc... not counting issues during normal operations, precisely because it's offline.
Alban1998 - can you cite something from Microsoft that states it is a bad idea? The fact that tombstones last for 180 days suggests AD has been designed to accommodate DCs being offline for more than a week or so. Were you involved in the original design? I'm trying to work out whether this is your personal opinion or something that can be backed up with best practice from Microsoft.
- Alban1998, Dec 12, 2022, Iron Contributor
ianmidg This is my personal opinion after 12+ years of practice. But it doesn't mean it's based on thin air either.
You're welcome to read Microsoft documentation, MS Directory Services (aka AskDS) blog, or even consult Microsoft PFE about it (I did all of that). There is a lot of official guidance and best practices on Active Directory resiliency.
And no, tombstone hasn't been created as a recovery tool (and wasn't always 180 days btw) - nor have additional domain controllers (which improve resiliency, but do not replace a DRP).
You are trying to fit a 20-year-old design on your idea to make your point - but it doesn't work like that.
Nobody does what you are trying to do. There are reasons for it. One of them is an offline domain controller is a management/security/day-to-day operations nightmare.
- ianmidg, Dec 12, 2022, Copper Contributor
Lol - we can all quote our experience. I have 22+ years of practice, started with NT 3.5 and got my MCSE+I in 1999. I was interested in whether there were any real reasons for not doing what the OP suggested, not just opinions. It isn't my idea or my point. You have no idea whether I am advocating this or not, but it would be useful to get some objective reasons so that other people finding this could be better educated rather than just waving our hands in the air and making claims without pointing to documentation. I would also suggest that you have no idea of what tombstones were created for as you weren't in the original design team (and nor was I). I prefer backups for a number of reasons, but the idea of an offline DC is worth investigating, much like an offline root CA, which I guess would also come under your management/security operations nightmare heading.
- Alban1998, Dec 13, 2022, Iron Contributor
ianmidg Read all posts above yours, check the links I provided you and you'll find some real reasons why it's a bad practice to do this.
An offline root CA has its own security challenges, but it's not domain-joined, so all the issues related to an offline domain controller don't apply there.
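Added example, not code from the thread or from Microsoft: a PowerShell check that reads the forest tombstone lifetime the posters argue about and reports how long each DC has gone without a successful inbound replication, so a DC kept offline is flagged before it crosses that limit. It assumes the ActiveDirectory RSAT module, read access to the configuration partition, and a 50% warning threshold that is my own choice.

```powershell
# Added example (not from this thread): compare each DC's last successful inbound
# replication against the forest tombstone lifetime.
# Assumes the ActiveDirectory RSAT module and read access to the configuration partition.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsObject = Get-ADObject `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime

# An unset attribute means the forest still uses the original 60-day default.
$tombstoneDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }

# Warn well before the limit; the 50% threshold is an assumption for this example.
$warnDays = [math]::Floor($tombstoneDays / 2)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound `
                -ErrorAction SilentlyContinue
    if (-not $meta) {
        # Unreachable: offline, firewalled, or decommissioned without metadata cleanup.
        [pscustomobject]@{ DC = $dc.HostName; DaysSinceReplication = $null; Status = 'UNREACHABLE' }
        continue
    }
    # Most recent successful inbound replication across all partitions and partners.
    $latest = ($meta | Sort-Object LastReplicationSuccess -Descending |
               Select-Object -First 1).LastReplicationSuccess
    $days   = [math]::Floor(((Get-Date) - $latest).TotalDays)

    $status = 'OK'
    if ($days -ge $warnDays)      { $status = 'WARNING' }
    if ($days -ge $tombstoneDays) { $status = 'BEYOND TOMBSTONE LIFETIME' }

    [pscustomobject]@{ DC = $dc.HostName; DaysSinceReplication = $days; Status = $status }
}

"Tombstone lifetime: $tombstoneDays days (warning at $warnDays days)"
$report | Sort-Object DaysSinceReplication -Descending | Format-Table -AutoSize
```

A DC reported as UNREACHABLE or BEYOND TOMBSTONE LIFETIME should not simply be powered back on; it needs metadata cleanup and a fresh promotion rather than being allowed to replicate again.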