
I'm in the middle of upgrading a small business domain and my favoured option is switching to Azure AD and removing the on-premise DC. However, I'm concerned that if connectivity drops (ISP maintenance/outage):

  • Existing login sessions could be terminated
  • Login will not be possible for the duration of the outage, plus the time it takes workstations to reconnect to the cloud DC

All workstations have local admin accounts of course, but this is a secondary option. I can't find documentation for what is possible when the DC is not reachable, or if successful credentials are cached on workstations (since it copies profile info from the DC on login).

  • That's a pretty good description of other os/cloud combinations. Your concerns don't happen with Azure AD, which you can also tie into a Microsoft account. – Jim B Mar 15 '17 at 01:57
  • Related to http://serverfault.com/questions/538122/how-do-windows-domain-clients-behave-if-the-dc-is-offline although it seems like the advice there is now out of date. –  Mar 15 '17 at 05:09
  • Not really since with Azure AD you don't need to have a DC to log in, you need the service to be up to get to dependent services (like office 365). There is no DC to authenticate to, it's a service. – Jim B Mar 15 '17 at 16:17

1 Answer


Existing login sessions could be terminated - No they won't.

Login will not be possible for the duration of the outage, plus the time it takes workstations to reconnect to the cloud DC - Assuming the user has logged on successfully at least once to a particular domain joined computer, they'll be able to log on using cached domain credentials in the event that the DC is unavailable (assuming that the default settings for cached logons haven't been changed).

I can't find documentation for what is possible when the DC is not reachable, or if successful credentials are cached on workstations (since it copies profile info from the DC on login) - User profiles are created and loaded from the local machine (assuming that roaming/mandatory profiles aren't in use). User profiles do not load from the DC.

For short term unavailability of the DC, your users should be largely unaffected in terms of logging on to their computers. Naturally, anything that requires DNS name resolution will fail (assuming the domain clients only use the DC for DNS as they should). They also won't be able to do things that require a DC, such as changing their password.

joeqwerty
  • In this case we are using roaming profiles. –  Mar 15 '17 at 01:38
  • "Naturally, anything that requires DNS name resolution will fail" - to put it plainly, your users effectively won't be able to access the internet while the DC is down. – Charles Burge Mar 15 '17 at 01:39
  • @CharlesBurge Oh, of course. This is only in the case of internet already being down, so an unreachable nameserver is not going to have any further impacts. –  Mar 15 '17 at 01:41
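The answer above hinges on two things that are easy to verify before the on-premises DC is retired: the "Interactive logon: Number of previous logons to cache" setting (stored as `CachedLogonsCount`, default 10, where 0 disables offline logon entirely) and, since the asker uses roaming profiles, whether a local copy of each roaming profile is kept. The following PowerShell is an added check, not part of joeqwerty's answer or any Microsoft documentation; it reads the standard Winlogon and policy registry locations and the `Win32_UserProfile` CIM class. The `DeleteRoamingCache` value is where the policy "Delete cached copies of roaming profiles" is written; everything else is read-only reporting. Run it in an elevated session on a domain-joined workstation.

```powershell
# Added check (not from the original answer): report the settings that decide
# whether this domain-joined workstation can sign users in while the DC is unreachable.
$winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policySystem = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Write-Host ("Computer {0} domain-joined: {1} ({2})" -f $cs.Name, $cs.PartOfDomain, $cs.Domain)

# CachedLogonsCount is a REG_SZ. Windows treats an absent value as 10;
# 0 means no credentials are cached and nobody can log on offline.
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$cachedLogons = if ($null -eq $raw) { 10 } else { [int]$raw }
if ($cachedLogons -eq 0) {
    Write-Warning "CachedLogonsCount is 0: no user can sign in to this machine while the DC is down."
} else {
    Write-Host ("Cached logons allowed: {0} (users who logged on here before can sign in offline)" -f $cachedLogons)
}

# LOGONSERVER names the DC that validated the current session. When the session
# was authenticated from the local cache it holds the local computer name instead.
$logonServer = "$env:LOGONSERVER".TrimStart('\')
if ($logonServer -eq $env:COMPUTERNAME) {
    Write-Host "Current session was authenticated from the local credential cache."
} else {
    Write-Host ("Current session was authenticated by DC {0}" -f $logonServer)
}

# Roaming profiles keep a locally cached copy unless the policy
# "Delete cached copies of roaming profiles" (DeleteRoamingCache = 1) is enabled.
$deleteCache = (Get-ItemProperty -Path $policySystem -Name DeleteRoamingCache -ErrorAction SilentlyContinue).DeleteRoamingCache
if ($deleteCache -eq 1) {
    Write-Warning "DeleteRoamingCache is enabled: roaming users have no local profile copy to fall back on."
}

# List non-system profiles and whether each one is configured as roaming.
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |
    ForEach-Object {
        $p = $_
        $name = $p.SID
        # SID-to-name translation needs the DC for domain accounts; fall back to the raw SID.
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$p.SID).Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Account           = $name
            LocalPath         = $p.LocalPath
            RoamingConfigured = $p.RoamingConfigured
            RoamingPath       = $p.RoamingPath
        }
    } | Format-Table -AutoSize
```

Run it once while the DC is reachable to record the baseline, and again after a deliberate test (for example, unplugging the uplink and logging on): the `LOGONSERVER` line should then report the local cache, and the profile table shows which roaming users still have a `LocalPath` to load from.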