How long can two AD / DC servers be out of sync??
I'm trying to understand what happens when/if our two DC/AD (also DNS, DHCP, one of them is RDS/TS licensing) servers get out of sync for any reason. One is physical, one is virtual. This understanding is necessary for presenting BC/DR information to non-technical people. If one of the two AD/DC servers is unavailable, my understanding is the remaining server will take over. When/if the second AD/DC comes back online what happens?? I vaguely recall seeing something to the effect that not more than 30 minutes should be allowed to pass with one of the AD/DC servers offline, is this true?? Can someone point me to an explanation of what happens, consequences, remedies?? Thank you, Tom
August 18th, 2012 8:25am

Hello, Two DCs can go without replicating for a specific period called the forest tombstone lifetime. This value can be updated. To determine your forest tombstone lifetime: http://technet.microsoft.com/en-us/library/cc784932%28v=ws.10%29.aspx This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer
August 20th, 2012 9:49am

Try out this link http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx#w2k3tr_repto_how_yipb
September 1st, 2012 7:35am

Hello, this depends on the TSL (tombstone lifetime); the default on earlier OS domains is 60 days and on new ones 180 days. At least within this timeframe the DCs MUST synchronize. You can verify with: "Dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Root-Domain" -attr tombstoneLifetime" in an elevated command prompt. Or with ADSIEdit.msc under the attribute "tombstoneLifetime" in "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Root-Domain". It is also important that the running DC is a Global Catalog server; for a single-domain forest it is recommended that all DCs be GCs. Additionally, make both DCs DNS servers and configure ALL domain machines to use both domain DNS servers, NONE ELSE, on the NIC. Without DNS nobody is able to log on to the domain. Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
September 1st, 2012 8:40am
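
One way to see how close each replication link is to the tombstone lifetime discussed in the reply above, as an added example that is not part of any post in this thread. It assumes the ActiveDirectory PowerShell module is installed; the 50% warning threshold and the status labels are illustrative choices.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

# Assumed threshold: warn once half of the tombstone lifetime has elapsed.
$WarnFraction = 0.5

# tombstoneLifetime lives on the Directory Service object in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime
$tslDays = $dsObject.tombstoneLifetime
if (-not $tslDays) { $tslDays = 60 }   # attribute not set: the 60-day default applies

$now = Get-Date
$links = Get-ADDomainController -Filter * | ForEach-Object {
    # Inbound links of each DC, for every partition it holds. A DC that is
    # offline raises an error here; its age still shows on its partner's link.
    Get-ADReplicationPartnerMetadata -Target $_.HostName -Partition *
}

$report = foreach ($link in $links) {
    $last = $link.LastReplicationSuccess
    $ageDays = $null
    if ($last) { $ageDays = [math]::Round(($now - $last).TotalDays, 1) }

    if ($null -eq $ageDays) {
        $status = 'NEVER'        # no successful inbound replication recorded
    } elseif ($ageDays -ge $tslDays) {
        $status = 'PAST-TSL'     # link has been silent longer than the tombstone lifetime
    } elseif ($ageDays -ge ($tslDays * $WarnFraction)) {
        $status = 'WARNING'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Destination = $link.Server
        Source      = $link.Partner
        Partition   = $link.Partition
        LastSuccess = $last
        AgeDays     = $ageDays
        TslDays     = $tslDays
        Failures    = $link.ConsecutiveReplicationFailures
        Status      = $status
    }
}

$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```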

