Can a Second Domain Controller, with buggy hard drive hardware, cause a corruption to Active Directory?

We have a new Domain Controller that holds all FSMO roles. We also have two old hardware servers, about 4-5 years old each, set up as secondary Domain Controllers (or, better described, Domain Controllers that are also DNS servers, hold no FSMO roles, but are Global Catalog servers in the same Site). My question is: do I run the risk of corruption in Active Directory if I have a drive failure, due to old hardware, on one of the secondary Domain Controllers? I am really trying to convince the client to buy a new hardware-based server for our second Domain Controller, but again, budget is tight. Thanks.


Solution 1:

Yes, there is a risk. There is no such thing as secondary Domain Controllers; AD is a Multi-Master setup. So if you have corruption on one, you could corrupt your AD database.

Solution 2:

I say yes, there's a small risk, but in all reality NO, a corrupted or failed drive will in all likelihood not ruin your AD environment. Here is why:

1) A drive failure will render the data unreadable. Unless this is the only DC you have (or it's the only Global Catalog), this is not a problem. (If you only have one DC that is a GC, or only one Global Catalog, you need to stand up another post-haste!)

So now, we're only talking corruption:

2a) In order for corruption to modify AD, it would have to modify (let's assume a simple bit-flip) the AD binary database files in such a way that changed the data to a new value that is consistent and compatible with the AD Schema for that object.

(This would likely register a consistency-check error, and AD would throw error messages and possibly throw away the damaged parts and pull a fresh copy of the AD Data itself.)

2b) The bit-flip would then have to register a valid change to the data and update the USN (Update Sequence Number), or the bit-flip would then have to update the USN to a valid USN in the future. If the bit-flip changed the USN to a sequence number in the past, it would see itself as having out-of-date records and pull the current USN from the other DCs.

Keep in mind that unless anonymous changes are allowed by your AD (which is not the default; I'm not even sure it's possible, but would be a huge security no-no), a successful authentication and permissions check is required to modify AD. What credentials are used in disk-corruption? Again, another cause for a consistency-check failure.

So, the corruption would have to change the data in a meaningful way, provide a valid authenticated user account, and either trigger an update to the USN or itself update the USN to a valid future value. If it did all of those things, YES, it could corrupt your AD environment. It is absolutely possible, but it is highly HIGHLY unlikely.

What is most likely to happen is that AD will choke and throw errors on that server, but the other DCs will be just fine.


With all of that said, you should absolutely replace failed or failing hardware as soon as possible.
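An added example, not part of the answer above, showing how to check in practice whether one DC is the one "choking" while the others keep replicating. It assumes the ActiveDirectory RSAT module and a domain-admin session on a domain-joined machine; the function name is mine.

```powershell
# Added example (not from the answers above). Assumes the ActiveDirectory RSAT module
# and a domain-admin session. Reports, per DC, replication failures, the oldest
# successful inbound sync, recent NTDS ISAM (database) errors, and USN rollback events.
Import-Module ActiveDirectory

function Get-DcReplicationReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $since = (Get-Date).AddDays(-7)
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    foreach ($dc in $dcs) {
        # Inbound replication failures recorded on this DC
        $failures = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
        # Per-partner metadata: when this DC last replicated successfully from each partner
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue
        $oldest = ($partners | Measure-Object -Property LastReplicationSuccess -Minimum).Minimum
        # Error-level events from the ESE engine (source "NTDS ISAM") indicate the local
        # ntds.dit failed a page or consistency check, i.e. the disk-corruption case above
        $dbEvents = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'Directory Service'
            ProviderName = 'NTDS ISAM'
            Level        = 2
            StartTime    = $since
        }
        # Event 2095 = USN rollback detected; the DC stops replicating until it is cleaned up
        $usnRollback = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 2095
            StartTime = $since
        }
        [pscustomobject]@{
            DC            = $dc.HostName
            IsGC          = $dc.IsGlobalCatalog
            IsRODC        = $dc.IsReadOnly
            ReplFailures  = @($failures).Count
            OldestSuccess = $oldest
            DbErrors7d    = @($dbEvents).Count
            UsnRollback7d = @($usnRollback).Count
        }
    }
}

Get-DcReplicationReport | Sort-Object ReplFailures, DbErrors7d -Descending | Format-Table -AutoSize
```

A DC with a non-zero DbErrors7d or UsnRollback7d count, while the others show zero failures and a recent OldestSuccess, is the "one server choking" case described above; the IsGC column also confirms you are not down to a single Global Catalog.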

Solution 3:

If you cannot replace your "secondary" DCs, it may be an idea to set them up as read-only domain controllers (RODCs).

These will basically replicate AD from your "primary" DC and can be queried against, but no changes to AD can be made from these machines. Therefore if one was to be corrupted, you could take it offline and have no risk of corruption of AD.