
I'm trying to set up a remote DC for DR, and I've chosen to put it in AWS in a VPC with our other servers being backed up. I can restrict that with security groups to only accept traffic from the main office IP while still having a public IP address, so the primary DC in the local office can see it just fine.

What is more difficult is letting this remote instance in AWS see the DC in the local office. I can connect to our Cisco IPSEC VPN with Shrew Soft, but VPNs have typically been less than reliable for me in the past. I'd also rather not attempt getting into firewall rules that direct traffic from this remote IP to the local DC.

Is there a way to set up replication where the local DC pushes out data, but the remote DC can never contact it directly? Maybe I set it up over the VPN but change the remote DC's IP to its external IP and break the VPN connection? I'm okay if the remote DC has to be read-only, so long as I can change its role for testing/DR.

icrf
  • VPNs are not, in and of themselves, unstable. If you've experienced instability, something has been configured incorrectly. I have IPsec tunnels criss-crossing the internet that stay up and (very) active for months at a time without issue. – EEAA Jul 23 '14 at 20:56
  • If the VPN is set up as dial-out from where your main DC is, then the replication would only happen when the DC contacts your box in AWS. Though in truth you should probably set it up both ways, as in a DR event you'll need it to work the other way around anyway until your local copy is back online. – MikeAWood Jul 23 '14 at 21:36
  • The VPN is at the local office and the remote server connects to it. I have no problem with requiring the VPN for remote-to-local replication during a DR event. Those should be very short-term. The long-term event will be replicating local to remote, and that direction can always connect due to the public IP the remote instance will have. I just don't know if replication works that way. And I suspect my VPN problems in the past were from consumer hardware/software that road warriors use. I don't know how AWS would fare. – icrf Jul 24 '14 at 12:52
  • There is another seldom-used option to replicate over SMTP. See (#1) http://serverfault.com/questions/245690/has-anyone-ever-used-smtp-site-links (#2) http://support.microsoft.com/kb/947057 Firewall rules may be preferable. – Clayton Jul 24 '14 at 13:17

1 Answer


Manually editing DNS entries to try to get the local DC to talk to the remote one didn't work at all. All my replication links disappeared. So I'm just going to go with the assumption that the VPN will stay alive and the local DC knows nothing about the remote DC's public IP. It only converses over the VPN IP. I'll try to log in and check that it's still running on a regular basis. So far, it's been more stable than home experience.

While changes in either site do propagate to the other site, I'm still seeing a lot of errors in Event Viewer about it being unable to have a proper spanning tree. But it's moving data, even if it takes an extra hop through another DC or something. I'll look into the separate issue and possibly post a question on it when I get a chance to dig into this again.

icrf
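The "log in and check that it's still running" step from the answer can be scripted. The following is an added example, not part of the original answer: it summarises inbound replication health for one DC using the ActiveDirectory module (RSAT, Server 2012 or later). `REMOTE-DC01` and the three-hour staleness window are placeholder assumptions.

```powershell
# Added example (not from the original post). Summarises inbound replication
# state for a DC so the periodic "is it still replicating" check over the VPN
# is a one-liner instead of a manual Event Viewer review.
Import-Module ActiveDirectory

function Get-DcReplicationSummary {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int] $MaxAgeHours = 3   # assumption: flag partners with no successful sync in 3 h
    )

    $now = Get-Date
    # One row per inbound partner per directory partition.
    $partners = Get-ADReplicationPartnerMetadata -Target $Target -Scope Server -PartnerType Inbound

    foreach ($p in $partners) {
        $age = $now - $p.LastReplicationSuccess
        [pscustomobject]@{
            Partner          = $p.PartnerAddress
            Partition        = $p.Partition
            LastSuccess      = $p.LastReplicationSuccess
            HoursSinceSync   = [math]::Round($age.TotalHours, 1)
            ConsecutiveFails = $p.ConsecutiveReplicationFailures
            LastResult       = $p.LastReplicationResult   # 0 = last attempt succeeded
            # Stale if the window was missed or the last attempts keep failing
            # (e.g. the partner is unreachable because the tunnel dropped).
            Stale            = ($age.TotalHours -gt $MaxAgeHours) -or
                               ($p.ConsecutiveReplicationFailures -gt 0)
        }
    }
}

# 'REMOTE-DC01' is a placeholder for the AWS-hosted DC's hostname.
# Only stale or failing partners are shown; no output means all inbound links are healthy.
Get-DcReplicationSummary -Target 'REMOTE-DC01' | Where-Object Stale | Format-Table -AutoSize

# Recorded failures (error code and first occurrence) for the same DC, useful when
# the summary above shows a non-zero LastResult.
Get-ADReplicationFailure -Target 'REMOTE-DC01' -Scope Server |
    Select-Object Partner, FailureCount, FirstFailureTime, LastError | Format-Table -AutoSize
```

Run it from the local office against each DC in turn; a partner that appears as stale in one direction but not the other is the one-way reachability problem the question describes.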