Can a Hyper-V VM made from a Server 2012 R2 domain controller backup be used to replace the physical domain controller if it fails?

We have a Dell PER520 with Server 2012 R2 running 5 servers: AD DS, DHCP, DNS and WDS. We created a Hyper-V VM on another server using a bare metal backup created with Windows Server Backup. The VM server is up and running with the network disabled. Should the physical server fail, can this server be put online with the same static IP settings and take over the 5 services it was supporting? There is another physical domain controller on the network but it is only running AD DS.


Solution 1:

Absolutely not.

A Domain Controller is not a stateless server; quite the opposite: it hosts the Active Directory database, where everything about the domain is stored, including authentication for users and computers. Also, this database is replicated between all DCs in the domain, and they send updates to each other and employ several solutions to ensure consistency.

If you were to shut down your physical server and replace it with a clone created from its backup from some time before, it would have an old copy of the AD database, which would be out of sync with the external world; for example, if you created a user account, or changed a password, or renamed a computer, all of those changes would not be present in its copy of the AD database; this would create lots of trouble with... well, everything. Please also note that even if you didn't personally make any change in the domain, there are always several things going on, either done by users (such as password changes) or by automated processes.

So far, so good (not). What if we throw another Domain Controller in the mix? That would make things even worse.

As I said above, Domain Controllers employ all sorts of solutions to ensure consistency in the distributed Active Directory database; one of these solutions is to make sure that if a DC which should have an up-to-date copy of the AD database suddenly shows up with an old one, it's basically kicked out of the domain; this is the dreaded USN rollback, which is definitely something that you don't want in your domain.

You can (and should) have another Domain Controller in the domain, and you can also run DNS and DHCP on it; this, when properly configured, will provide redundancy for core services. But all DCs will always need to be constantly online in order for AD replication to work.

Whatever you do, never clone (or revert to an older state) a Domain Controller; it's the second biggest entry in the Great List of Things AD Administrators Should Not Do, immediately after "Never Have A Single Domain Controller".


Edit:

You say you already have another Domain Controller; you should install and configure DNS and DHCP on it. The DNS service is automatically replicated on DCs (if you use AD-integrated zones); you'll only need to configure this server as the secondary DNS on all your systems. For DHCP, you can use DHCP failover.
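The two practical pieces of this answer, checking whether a DC that came back from an old image has been quarantined for USN rollback, and turning the second DC into a real standby for DNS and DHCP, can be scripted. The PowerShell below is an added example written for this page, not code from the answer's author or from Microsoft. The names DC1/DC2, the addresses 192.168.10.10/.11, the scope 192.168.10.0 and the zone corp.example.com are assumptions; replace them with your own. It uses only the DnsServer, DhcpServer and ServerManager cmdlets that ship with Server 2012 R2 and is meant to be run from a domain admin session on a DC.

```powershell
# Added example (not from the original answer). Assumed environment:
#   DC1 = existing physical DC, 192.168.10.10   DC2 = second DC, 192.168.10.11
#   scope 192.168.10.0/24, AD zone corp.example.com, NIC alias "Ethernet"
#Requires -RunAsAdministrator

# ---- Part 1: has this DC been quarantined for USN rollback? -----------------
# A DC restored from an unsupported copy (image, snapshot) logs event 2095 and
# 2103 in the Directory Service log, sets "DSA Not Writable" = 4 under the
# NTDS registry key and pauses Netlogon so it stops advertising. Run this on
# the restored machine before you trust it with anything.
function Test-UsnRollback {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Directory Service'
        Id      = 2095, 2103     # 2095: rollback detected, 2103: DC isolated
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    $dsaNotWritable = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name 'DSA Not Writable' -ErrorAction SilentlyContinue).'DSA Not Writable'
    }

    [pscustomobject]@{
        ComputerName   = $ComputerName
        RollbackEvents = @($events).Count
        DsaNotWritable = $dsaNotWritable                       # 4 = quarantined
        NetlogonStatus = (Get-Service -ComputerName $ComputerName Netlogon).Status
        Quarantined    = ($dsaNotWritable -eq 4 -or @($events).Count -gt 0)
    }
}

# ---- Part 2: make DC2 a standby for DNS and DHCP, as the answer suggests ----
function Enable-SecondDcRedundancy {
    param(
        [string]$PrimaryDc = 'DC1',          [string]$SecondDc = 'DC2',
        [string]$PrimaryIp = '192.168.10.10', [string]$SecondIp = '192.168.10.11',
        [string]$ScopeId   = '192.168.10.0',  [string]$Zone     = 'corp.example.com',
        [string]$FailoverSecret = 'change-me'  # assumed; use a real shared secret
    )

    # 1. Roles on the second DC.
    Invoke-Command -ComputerName $SecondDc -ScriptBlock {
        Install-WindowsFeature -Name DNS, DHCP -IncludeManagementTools
    }

    # 2. DNS: an AD-integrated zone replicates with AD and needs no zone transfer.
    #    If the zone is still file-backed on DC1, convert it so DC2 receives it.
    $z = Get-DnsServerZone -ComputerName $PrimaryDc -Name $Zone
    if (-not $z.IsDsIntegrated) {
        ConvertTo-DnsServerPrimaryZone -ComputerName $PrimaryDc -Name $Zone `
            -ReplicationScope Domain -Force
    }
    # After replication the zone should be visible on DC2 as DS-integrated.
    Get-DnsServerZone -ComputerName $SecondDc -Name $Zone |
        Select-Object ZoneName, ZoneType, IsDsIntegrated

    # 3. DHCP: authorize DC2 in AD, then mirror the scope with failover so both
    #    servers hand out leases (50/50 load balance, automatic state transition).
    Add-DhcpServerInDC -DnsName "$SecondDc.$Zone" -IPAddress $SecondIp
    Add-DhcpServerv4Failover -ComputerName $PrimaryDc -Name "$PrimaryDc-$SecondDc" `
        -PartnerServer $SecondDc -ScopeId $ScopeId -LoadBalancePercent 50 `
        -SharedSecret $FailoverSecret -AutoStateTransition $true `
        -MaxClientLeadTime (New-TimeSpan -Hours 1)

    # 4. Option 6: clients get both DNS servers, so losing DC1 does not break
    #    name resolution. Failover replicates options; push once explicitly.
    Set-DhcpServerv4OptionValue -ComputerName $PrimaryDc -ScopeId $ScopeId `
        -DnsServer $PrimaryIp, $SecondIp
    Invoke-DhcpServerv4FailoverReplication -ComputerName $PrimaryDc `
        -Name "$PrimaryDc-$SecondDc" -Force

    # 5. Each DC resolves against the other DC first and itself second, the
    #    usual arrangement so a DC never depends only on its own DNS service.
    Invoke-Command -ComputerName $PrimaryDc -ScriptBlock {
        Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $using:SecondIp, '127.0.0.1'
    }
    Invoke-Command -ComputerName $SecondDc -ScriptBlock {
        Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $using:PrimaryIp, '127.0.0.1'
    }
}

# Usage: Test-UsnRollback -ComputerName DC1 ; Enable-SecondDcRedundancy
```

Part 1 is a read-only check and safe to run anywhere; if it reports Quarantined = True the supported fix is to demote and clean up that DC (or do an authoritative/non-authoritative restore from a proper system state backup), not to try to resume replication. Part 2 changes DHCP and DNS configuration and should be run once, during a maintenance window, after confirming AD replication between DC1 and DC2 is healthy (for example with repadmin /showrepl).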

Solution 2:

This is not a good idea. You need to have multiple domain controllers, but they need to be online and communicating with each other. It's also not a disaster recovery plan.

And no, it may not work for a variety of reasons.