Looking at setting up an Azure Windows 2012 R2 DC in a single DC (Windows Essentials 2012 R2) on-premise setup for a small office of < 10 users. Office 365 is in-use, with Active Directory Sync enabled.

I'm curious to know how upset Active Directory is going to be if I scheduled an hour of uptime for the Azure DC instance every 8 hours, primarily to reduce costs vs. running an always-on Azure DC instance.

From what I gather, AD replication is defaulted to 5 minutes, but this seems kind of excessive given the size/scope of the forest in this scenario, and presumably the resilience of AD replication when siblings are unavailable.

Caveat: yes I'm aware of the Azure Active Directory Services, but I like the idea of a server, with an IPsec tunnel, that to me seems more flexible/useful in a DR scenario, but feel free to talk me out of it.

gravyface

2 Answers

The minimum inter-site replication interval is 15 minutes (unless site link notification is enabled). You could configure the site links/connections to replicate at a larger interval, but there would still be a lot of chatter from replication notifications and RPC traffic. The intra-site replication interval is 15 seconds, slightly more depending on the number of DCs.

What you are describing is known as a "lag site". You can read more about it here:

Appendix B: Do Not Use a Lag Site as a Disaster Recovery Strategy
https://technet.microsoft.com/en-us/library/dd835581(v=ws.10).aspx

It may seem benign, but Microsoft discourages customers from this approach.

Greg Askew
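As an added example (not part of the answer above), the following PowerShell shows how an administrator would inspect the site link interval and change-notification setting the answer refers to, and how to check whether a DC that has been powered off is falling behind its replication partners. It assumes the ActiveDirectory module is installed and that the site link is named DEFAULTIPSITELINK and the DCs DC01 and AZDC01; those names are placeholders.

```powershell
# Added example: inspect inter-site replication settings and replication health.
# Site link and DC names below are placeholders, not values from the question.
Import-Module ActiveDirectory

# 1. Show the inter-site schedule. ReplicationFrequencyInMinutes has a floor of 15.
#    Bit 0 (value 1) of the siteLink "options" attribute enables change notification,
#    which makes inter-site replication behave like intra-site (near-immediate) replication.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, Options |
    Select-Object Name, ReplicationFrequencyInMinutes,
        @{ Name = 'ChangeNotification'; Expression = { [bool]($_.Options -band 1) } }

# 2. Widen the interval on the site link to reduce scheduled replication attempts.
#    Valid range is 15 to 10080 minutes; this only matters if notification is off.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -ReplicationFrequencyInMinutes 180

# 3. Check how stale the Azure DC is relative to each partner and partition.
#    A DC that is shut down for hours at a time will show growing gaps in
#    LastReplicationSuccess and non-zero ConsecutiveReplicationFailures while it is off.
Get-ADReplicationPartnerMetadata -Target 'AZDC01' -Partition * |
    Select-Object Partition, Partner, LastReplicationAttempt, LastReplicationSuccess,
        ConsecutiveReplicationFailures, LastReplicationResult

# 4. Same view from the on-premises DC's side, to confirm both directions converge
#    once the Azure DC is back online.
Get-ADReplicationPartnerMetadata -Target 'DC01' -Partition * |
    Where-Object { $_.Partner -like '*AZDC01*' } |
    Select-Object Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
```

Running steps 3 and 4 before and after a scheduled power-off window makes the practical cost of the "lag" visible: every partition on the sleeping DC shows failed attempts until it comes back, and any change made on one side during the gap is not available to clients authenticating against the other.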

You have a recipe for a disaster to happen there:

  • If you have less than 10 users on-premises, I'd start with the question of why you need AD in the first place. If there is no technical/business reason for it, I'd go fully Azure AD instead: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-overview

  • As far as I know, direct IPsec connections to Azure VMs are not supported, so you'll have to rely on using Azure VPN.

  • Having a secondary DC server that is asleep almost all the time is not a good idea; it defeats the purpose of having a secondary DC server, plus the reasons @Greg Askew mentioned in the previous answer.

  • If you consider costs and operations time, a VM/IPsec/operations of 2 DCs is a big waste for 10 users, not worth the investment.

Hope this helps.

Noor Khaldi
  • They have an on-premise Essentials server where their LOB applications run; presumably they'd have to Azure Join this server as well. Also not sure how Group Policy (mapped drives) would play out in this scenario, so sometimes Tried and True (tm) wins out. – gravyface Apr 11 '17 at 19:19
  • Also, an IPsec site-to-site VPN tunnel does indeed work; I have one configured in our lab to Azure on a Cisco ASA and it's been happily up-and-running for several weeks. – gravyface Apr 11 '17 at 19:20
  • Let me rephrase, IPsec site-to-site works with Azure VPN gateways, not directly with VMs using services such as RRAS or other methods, here is why this doesn't work: http://serverfault.com/questions/734797/running-an-ipsec-client-vpn-server-within-azure – Noor Khaldi Apr 11 '17 at 19:58
  • And, if you need a replica DC on Azure, just go with the smallest VM available; the A1 works nicely for something around 20 USD / month. If you had the option, migrate the entire on-prem server to Azure; it might be cheaper for you to have it there instead of using 2 DCs, IPsec and what not. – Noor Khaldi Apr 11 '17 at 20:02
  • Yes, this is what I've done: A1 seems to be working quite well in this regard. I'm going to keep it running 24/7. – gravyface Apr 12 '17 at 18:45
  • Just a comment here, for those interested in "why on-premises?": while SMB (file shares) seems to handle latency OK when used under normal circumstances (opening/editing Office documents, etc.), traditional client/server applications suffer greatly even with the sub-30-sec latency that we tend to get to/from the Azure VPN gateways with the hybrid fiber/cable-based Internet connections that most of our clients have and can afford. – gravyface Jun 02 '17 at 19:39