This year alone, I have been involved in the cleanup of several customer domain controllers gone rogue. Some compromised by ransomware and others have failed to boot after having Windows updates pushed to them. You would never think that a Windows update could render a server unusable …
This article is not a lesson in Active Directory itself, as I only have a few paragraphs to work with. This is more about maintenance and backups, both of which are important, and, also a few things I have come across in my time at vBridge. And, as the title suggests, and the saying goes, I am eating my own dog food here, as I am currently deploying a whole bunch of shiny new Windows Server 2019 domain controllers across our organization, so practice what you preach and all of that.
A domain controller is for … domain controlling. Not for other stuff. Try and limit the number of additional roles and functions installed. Lose your domain controller, and you’re losing those roles and functions also. Secondary to this … it’s also a pain in the proverbial when it comes to decommission time, you’ve got to migrate those other functions off too, cert authorities, NPS roles, Azure syncs etc etc. I am currently finding this out the hard way, its time consuming, and writing change controls to move them all is tedious.
While we’re on this subject of new domain controllers ... get rid of those Windows Server 2008 DCs. Twelve years old now! In fact, while you’re at it, get rid of your 2012 DCs too, and even start thinking of your road map away from Server 2016. Don’t upgrade either, as that’s gross and asking for trouble, build from scratch, add the roles, and promote.
Install those Windows updates. I’m not sure whether to laugh or cry when I see a core business server running 2K8 R2 and with 50+ pending updates, or a server that hasn’t been updated and rebooted for two years, domain controller or not. You’d be surprised how often I see this. And before you do install those updates, run a quick backup and/or take a snapshot. That sick feeling in your stomach when it doesn’t boot, won’t feel quite as bad.
Backups. You don’t even have to backup all your DCs, but make sure you at least backup your primary (with the FSMO roles). If you are backing up all of them – don’t do them all at once, as you can interfere with DFS replication. As we are a Veeam-centric organization, enable application aware image processing (AAIP) to ensure transactional consistency of the Active Directory database and SYSVOL catalog. More information here:
And finally, while we’re at it. Are your backups any good? What better time to find out, when the actual SHTF. Make DR tests part of your business continuity tool kit and try to schedule a full test at least once a year. Restore and spin up your primary domain controller and some of your other critical servers in an isolated environment, make sure they boot, can talk to each other, check your applications function, and find out where the strengths and weaknesses are in your RTOs and RPOs.
Happy domain controlling, and enjoy that dogfood too:)