Sep 22 2021 03:28 PM
Sep 22 2021 03:28 PM
Wanted to start a discussion and pick thoughts on an old strategy of keeping a domain controller offline (disconnected from network or turned off) for 2-4 weeks as a backup apart from taking daily backups. Some choose delayed replication but it has its own drawbacks. What do you think?
Oct 31 2021 12:51 AM
Not something I'd consider - especially in a larger environments.
If I look at it from a data loss perspective, I'd be looking to the AD Recycle Bin in the first instance.
If it's serious data loss, destructive service configuration or security compromise, the primary point of reference is still going to be a known good back-up coupled with an authoritative restoration (plus some other actions in the compromise scenario), to which the "offline" domain controller doesn't bring any real value.
On compromises, given how hard it can be to actually detect them in the first place, you also run the very real risk that the "offline" domain controller only captures the issue, preserves it and re-introduces it once reconnected to the forest (you'd have to have seriously bad luck for this to transpire, but it's possible).
On the "not serious" level, you could also run into replication conflicts, but that's probably not worth speaking to (as it's not that likely) when measuring against the big ticket considerations.
Unless the back-ups routinely fail ten to twenty day in a row, I can't see the benefit (again, for large environments).
On smaller environments, there's some technical merit but I haven't come across anyone (large or small) in recent times that would accept an RPO of ten to twenty working days. So, there's that business element to consider, too.
Dec 08 2022 09:23 AM
Also interested in thoughts on this and would also go to the AD Recycle Bin to recover from inadvertent deletions. So what are we protecting against. If a single DC has failed then you would just build a new one and let it sync. So we must be talking about forest wide AD corruption and so thinking about an authoritative restore. Now we could do an authoritative restore and let it propagate back to all the existing DCs, but I'd be concerned that the cause of the corruption in the first place was one of those DCs so it is just going to happen again. The only way to be sure is to remove all the existing DCs in which case a non-authoritative restore is going to be the starting point, but that is exactly what the offline (and ideally offsite) domain controller is giving you. If the offline DC is compromised with the same malware that caused the issue then likely all the backups are too. So I guess the question boils down to whether it is easier to do backups and then have to restore, or to go through the faff of reconnecting the offline DC periodically to let it resync and have all the replication monitors always reporting a failure for that DC. I think probably backups, but then I also think that your probably knackered anyway if you need to use them, in which case why bother? I do think an offsite online DC is an absolute must have so all of this assumes we aren't talking single site. Would a two year old AD be useful to use as a recovery point (or something likely before the AD was compromised)? Well maybe it would be better than nothing. Like everything else, you really need to work out what you are hoping to protect against and do your FMEA. I think I've talked myself into monthly backups and absolutely 321.
Dec 12 2022 01:06 AM
@ianmidg An offline domain controller is a bad idea, first because Active Directory hasn't been designed for this purpose. When using a hammer on something else than nails, bad things will happen.
You got Active Directory Recycle Bin for objects recovery. You got DRP for disasters. Those are the right tools for recovery needs.
You can't keep a domain controller offline for too long - tombstone will kick in. Restoring a offline DC within tombstone will still cause tons of issues - GPO, accounts, passwords, tickets etc... not counting issues during normal operations, precisely because it's offline.
Dec 12 2022 03:07 AM
@Alban1998 - can you cite something from Microsoft that states it is a bad idea? The fact that tombstones last for 180 days suggests AD has been designed to accommodate DCs being offline for more than a week or so. Were you involved in the original design? I'm trying to work out whether this is your personal opinion or something that can be backed up with best practice from Microsoft.
Dec 12 2022 03:21 AM
Dec 12 2022 03:40 AM
Dec 13 2022 08:36 AM
@ianmidg Read all posts above yours, check the links I provided you and you'll find some real reasons why it's a bad practice to do this.
Offline CA root has its own security challenges, but it's not domain-joined, so all the issues related to an offline domain controller doesn't apply there.