How to Build an AD Replication Delay (Lag) Site

 

To prevent having to restore objects from Active Directory due to accidentally deleting an object, you can have a remote DC which only sends/receives replication on a limited basis.  You also want to prevent users from authenticating against, as well as services being used by other machines, since the metadata on this DC is aging away w/o replication keeping it up to date

 

Because of this you want to remove all advertised services via dns lookup.  To do this, this DC must be isolated from other DC’s and all replication controlled.  For that reason a separate site is required to control Intersite Replication.

 

The following are the steps taken to create a single lag site dc.  If you would like to have more than one time frame to fall back upon, all you need do is repeat these steps for a different DC.

 

• Promote a member server to a DC and allow replication to complete
• Don’t load any unnecessary services
• Don’t load WINS nor make this a WINS client
• Create a separate site and site link (I use “Lag” as part of the name to help document it)
• Create a new site
• Create a new site link, including the source and the Lag sites.  If you notice I have set the Site Link Replication Frequency (Replicate Every) to 15 minutes.

 

• Click on the “Change Schedule” button to set the replication schedule to a time frame that fits for your enterprise.  In this example, I have set the replication schedule for Saturday morning from the hours of 12:00 am to 2:00 am.  So this site should allow replication updates to occur every 15 minutes, on Saturday’s, from the hours of 12:00 am until 2:00 am.  Once a replication cycle starts it will continue until complete, which can go beyond the 2:00 am time frame, but no new cycles will start after 2:00 am.

 

 

• Define the subnet and link it to a site
• Borrowing some knowledge from a blog from Brian Desmond, I have created a separate single host site sub-net.  I have reserved the address for the dc in dhcp (I reserved .240) and then defined the subnet as a /32 ip mask.  The most precisely defined subnet in sites and services is considered the subnet location.

• Move the new dc to the newly defined site (Lag Site)

 

 

 

Now that the DC has been placed in its own site and is no longer receiving regular AD replication updates, it needs to no longer advertise itself as a usable DC.  To do this, a Group Policy Object will be created and linked to this new site.

 

• Create a new GPO, but do not link it to any OU or Site at this time
• Edit the Policy DC Locator DNS records not registered by the DCs.  This is located at Computer Configuration / Administrative Templates / System / Net Logon / DC Locator DNS Records.  The following mnemonics should be entered into the entry box:
• Ldap LdapAtSite Pdc Gc GcAtSite GcIpAddress DcByGuid Kdc KdcAtSite Dc DcAtSite Rfc1510Kdc Rfc1510KdcAtSite GenericGc GenericGcAtSite Rfc1510UdpKdc Rfc1510Kpwd Rfc1510UdpKpwd

 

 

• Link this new Group Policy to the “Lag” site, where the new DC resides
• Change the policy to allow authenticated users to read and remove (Don’t deny) the right to apply
• Add the computer name of the new DC and grant it Read and Apply.  This will help prevent the wrong DC’s from having policy applied against.
• Shut down the new Lag site DC
• Open up the dns zone _msdcs and remove all of the new DC’s dns service records
• Do not remove the Alias (CNAME) record at the root of the zone
• Power the DC backup
• During the reboot any dns records that would be needed will be rebuilt

 

 

Run dcdiag, repadmin and dnslint in verbose mode.

• DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
• repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
• dnslint /ad /s  "ip address of your dc"

 

**Note 1: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest.  If you have significant numbers of DC's this test could generate significant detail and take a long time.  You also want to take into account slow links to dc's which will also add to the time.

 

**Note 2: There are certain errors to expect, since the lag site DC won’t be advertising as a KDC you will be warned about this, etc…  But, replication should be error free.

 

**Note 3: Forced replication will still occur, this model only prevents scheduled replication.