2

Looking at setting up an Azure Windows 2012 R2 DC in a single DC (Windows Essentials 2012 R2) on-premise setup for a small office of < 10 users. Office 365 is in-use, with Active Directory Sync enabled.

I'm curious to know how upset Active Directory is going to be if I schedule an hour of uptime for the Azure DC instance every 8 hours, primarily to reduce costs vs. running an always-on Azure DC instance.

From what I gather, AD replication is defaulted to 5 minutes, but this seems kind of excessive given the size/scope of the forest in this scenario, and presumably the resilience of AD replication when siblings are unavailable.

Caveat: yes, I'm aware of the Azure Active Directory Services, but I like the idea of a server, with an IPsec tunnel, that to me seems more flexible/useful in a DR scenario, but feel free to talk me out of it.

gravyface
  • 13,987

2 Answers

2

The minimum inter-site replication interval is 15 minutes (unless site link notification is enabled). You could configure the site links/connections to replicate at a larger interval, but there would still be a lot of chatter from replication notifications and RPC traffic. The intra-site replication interval is 15 seconds, slightly more depending on the number of DCs.

What you are describing is known as a "lag site". You can read more about it here:

Appendix B: Do Not Use a Lag Site as a Disaster Recovery Strategy
https://technet.microsoft.com/en-us/library/dd835581(v=ws.10).aspx

It may seem benign, but Microsoft discourages customers from this approach.

Greg Askew
  • 39,132
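Before deciding on a part-time DC, the points in the answer above (site link interval floor, change notification, replication failures) can be audited from a domain-joined machine. This is an added example, not from the answer; it assumes the ActiveDirectory RSAT module and domain read rights, and `AZURE-SITELINK` is a placeholder for your own site link name.

```powershell
# Added example: audit the replication settings discussed in the answer above
# before running a DC on a 1-hour-in-8 schedule. Requires the RSAT AD module.
Import-Module ActiveDirectory

# 1. Site links: the inter-site interval floor is 15 minutes, and Options bit 1
#    (USE_NOTIFY) means change notification bypasses the schedule entirely.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, Options |
    Select-Object Name, ReplicationFrequencyInMinutes,
        @{ n = 'ChangeNotification'; e = { [bool]($_.Options -band 1) } }

# 2. Replication health per partner: a DC that is powered off 7 of every 8 hours
#    shows up for its partners as a growing ConsecutiveReplicationFailures count.
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -Partition * -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
            LastReplicationResult, ConsecutiveReplicationFailures
} | Format-Table -AutoSize

# 3. Tombstone lifetime (days): a DC that stays offline longer than this must not
#    be reconnected to the forest, or it reintroduces lingering objects.
#    A null value means the forest-wide default applies (60 days on older forests).
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services," +
          (Get-ADRootDSE).configurationNamingContext
(Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime

# 4. If a slower schedule is still wanted, the interval can be raised up to 10080
#    minutes (7 days). Placeholder site link name; uncomment to apply.
# Set-ADReplicationSiteLink -Identity 'AZURE-SITELINK' -ReplicationFrequencyInMinutes 180
```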
1

You have a recipe for a disaster to happen there:

  • If you have less than 10 users on-premise, I'd start with the question why you need AD in the first place. If there is no technical/business reason for it, I'd go fully Azure AD instead: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-overview

  • As far as I know, direct IPsec connections to Azure VMs are not supported, so you'll have to rely on using Azure VPN.

  • Having a secondary DC server that is asleep almost all the time is not a good idea; it defeats the purpose of having a secondary DC server, plus the reasons @Greg Askew mentioned in the previous answer.

  • If you consider costs and operations time, a VM/IPsec/operations of 2 DCs is a big waste for 10 users, not worth the investment.

Hope this helps.

Noor Khaldi
  • 3,879