
Set up disaster recovery for Active Directory and DNS

Enterprise applications such as SharePoint, Dynamics AX, and SAP depend on Active Directory and DNS to function correctly. When you set up disaster recovery for such applications, you usually need to recover Active Directory and DNS before the other application components, so that the application works once it comes up.

You can use Site Recovery to create a disaster recovery plan for Active Directory. When a disruption occurs, you initiate a failover and can have Active Directory up and running within minutes. If Active Directory in your primary site serves several applications, for example SharePoint and SAP, you might want to fail over the complete site: fail over Active Directory first with Site Recovery, then fail over the other applications using their application-specific recovery plans.

This article explains how to create a disaster recovery solution for Active Directory. It covers the prerequisites and the failover steps. You should be familiar with Active Directory and Site Recovery before you begin.

Prerequisites

  • If you're replicating to Azure, prepare the Azure resources: a subscription, an Azure virtual network, a storage account, and a Recovery Services vault.
  • Review the support requirements for all components.

Replicate the domain controller

  • You must set up Site Recovery replication on at least one VM that hosts a domain controller or DNS.
  • If you have multiple domain controllers in your environment, you must also set up an additional domain controller on the target site. The additional domain controller can be in Azure or in a secondary on-premises datacenter.
  • If you have only a few applications and a single domain controller, you might want to fail over the entire site together. In that case, we recommend using Site Recovery to replicate the domain controller to the target site (either in Azure or in a secondary on-premises datacenter). The same replicated domain controller or DNS virtual machine can also be used for test failover.
  • If you have many applications and more than one domain controller, or if you plan to fail over a few applications at a time, then in addition to replicating the domain controller virtual machine with Site Recovery, we recommend that you set up an additional domain controller on the target site (in Azure or in a secondary on-premises datacenter). For test failover, use the domain controller that's replicated by Site Recovery. For an actual failover, use the additional domain controller on the target site.

Enable protection with Site Recovery

You can use Site Recovery to protect the virtual machine that hosts the domain controller or DNS.

Protect the VM

The domain controller that is replicated by Site Recovery is the one used for test failover. Make sure it meets the following requirements:

  1. The domain controller is a global catalog server.
  2. The domain controller holds the FSMO roles that are needed during a test failover. Otherwise, those roles have to be seized on it after the failover, because the role holders from production are not present in the isolated test network.
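The two requirements above can be checked from the source side before you enable replication. The following script is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module is installed and that the domain controller name DC01 is replaced with your own. It reports whether the DC is a global catalog, which FSMO roles it already holds, and which roles would have to be seized after a test failover.

```powershell
# Added example: check that the DC to be replicated is a global catalog and list
# the FSMO roles it does not hold (those must be seized in the isolated test network).
# Assumption: 'DC01' is a placeholder for the DC that Site Recovery will replicate.
Import-Module ActiveDirectory

function Test-DcReadyForTestFailover {
    param([Parameter(Mandatory)][string]$DcName)

    $dc     = Get-ADDomainController -Identity $DcName
    $domain = Get-ADDomain -Identity $dc.Domain
    $forest = Get-ADForest -Identity $dc.Forest

    # Current owner (FQDN) of every FSMO role in the forest and in this DC's domain.
    $roleOwners = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # Roles held by another DC will be unreachable in the isolated network and need seizing.
    $missing = foreach ($role in $roleOwners.Keys) {
        if ($roleOwners[$role] -ne $dc.HostName) { $role }
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        RolesHeld        = @($dc.OperationMasterRoles)
        RolesToSeize     = @($missing)
        Ready            = ($dc.IsGlobalCatalog -and -not $missing)
    }
}

$result = Test-DcReadyForTestFailover -DcName 'DC01'
$result | Format-List

# Seizing is done only after the test failover, on the test DC, never in production.
# -Force makes Move-ADDirectoryServerOperationMasterRole seize instead of transfer.
if (-not $result.Ready -and $result.RolesToSeize.Count -gt 0) {
    Write-Warning "Roles that would need seizing on $($result.DomainController): $($result.RolesToSeize -join ', ')"
    # Move-ADDirectoryServerOperationMasterRole -Identity $result.DomainController `
    #     -OperationMasterRole $result.RolesToSeize -Force
}
```

Transferring the roles to the replicated DC before you enable protection (run the same cmdlet without -Force while the current owners are online) avoids having to seize them later; leave the seize line commented until you are inside the isolated test network.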

Configure VM network settings

For the virtual machine that hosts the domain controller or DNS, configure the network settings in Site Recovery under the Compute and Network settings of the replicated virtual machine. This ensures that the virtual machine is attached to the correct network after failover.

Protect Active Directory

Site-to-site protection

Create a domain controller on the secondary site. When you promote the server to a domain controller, specify the same domain name that's used on the primary site. You can use the Active Directory Sites and Services snap-in to configure settings on the site link object that the sites are added to. The site link settings control when replication occurs between two or more sites and how often. For more information, see Scheduling replication between sites.

Site-to-Azure protection

First, create a domain controller in an Azure virtual network. When you promote the server to a domain controller, specify the same domain name that's used on the primary site.

Then, reconfigure the DNS server setting of the virtual network so that the VMs in it use the DNS server in Azure (the new domain controller) instead of the on-premises one.

(Screenshot: Azure network DNS settings)

Azure-to-Azure protection

First, create a domain controller in the recovery-region Azure virtual network. When you promote the server to a domain controller, specify the same domain name that's used on the primary site.

Then, reconfigure the DNS server setting of that virtual network so that the VMs in it use the DNS server in the recovery region.

Test failover considerations

To avoid impact on production workloads, a test failover runs in a network that's isolated from the production network.

Most applications require a domain controller and a DNS server. Therefore, before the application fails over, you must have a domain controller in the isolated network used for test failover. The easiest way to do this is to use Site Recovery to replicate a virtual machine that hosts a domain controller or DNS, and then run a test failover of that virtual machine before you run a test failover of the application's recovery plan. Here's how:

  1. Use Site Recovery to replicate the virtual machine that hosts the domain controller or DNS.

  2. Create an isolated network. Any virtual network that you create in Azure is isolated from other networks by default. We recommend that you use the same IP address range for this network that you use in your production network. Don't enable site-to-site connectivity on this network: a test domain controller that can reach production would replicate with it, and a domain controller rolled back to an older replica is exactly what the USN rollback safeguards described later exist to contain.

  3. Provide a DNS IP address in the isolated network. Use the IP address that you expect the DNS virtual machine to get. If you're replicating to Azure, provide the IP address that the virtual machine will use on failover. To enter the IP address, open the replicated virtual machine's Compute and Network settings and select the Target IP setting.

    (Screenshot: Azure test network)

    Tip

    Site Recovery attempts to create the test virtual machine in a subnet with the same name, and with the same IP address, as provided in the virtual machine's Compute and Network settings. If the Azure virtual network chosen for test failover has no subnet of that name, the test virtual machine is created in the alphabetically first subnet.

    If the target IP address belongs to the selected subnet, Site Recovery tries to create the test failover virtual machine with that address. If it doesn't, the test failover virtual machine gets the next available IP address in the selected subnet.
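The Target IP setting in step 3 can also be set from PowerShell, which is useful when several DC/DNS VMs have to get fixed addresses. The following is an added example, not from the original article; it uses the Az.RecoveryServices module and assumes placeholder names for the vault (ContosoVault), resource group (ContosoDR-RG), recovery virtual network (contoso-dr-vnet), protected VM (DC01), subnet (default) and the address 10.0.0.4. Because a test failover reuses the recovery NIC settings (see the tip above), fixing the recovery IP also fixes the IP the test DC will get.

```powershell
# Added example: pin the recovery-side static IP and subnet of a replicated DC/DNS VM.
# Assumptions: Az.RecoveryServices is installed and the names below are placeholders
# for your own vault, resource group, virtual network, protected item and address.
Connect-AzAccount | Out-Null
$vault = Get-AzRecoveryServicesVault -Name 'ContosoVault' -ResourceGroupName 'ContosoDR-RG'
Set-AzRecoveryServicesAsrVaultContext -Vault $vault | Out-Null

# Assumes a single fabric and protection container in the vault; filter by name otherwise.
$fabric    = Get-AzRecoveryServicesAsrFabric | Select-Object -First 1
$container = Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric | Select-Object -First 1
$item      = Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container -FriendlyName 'DC01'

# The recovery VNet should have the same address range as production and no site-to-site connectivity.
$recoveryVnetId = (Get-AzVirtualNetwork -Name 'contoso-dr-vnet' -ResourceGroupName 'ContosoDR-RG').Id
$nicId          = $item.NicDetailsList[0].NicId     # first NIC of the protected VM

$job = Set-AzRecoveryServicesAsrReplicationProtectedItem -InputObject $item `
    -PrimaryNic $nicId `
    -RecoveryNetworkId $recoveryVnetId `
    -RecoveryNicSubnetName 'default' `
    -RecoveryNicStaticIPAddress '10.0.0.4'

# Wait for the update job and report its final state.
while (($job = Get-AzRecoveryServicesAsrJob -Job $job).State -eq 'InProgress') { Start-Sleep -Seconds 10 }
$job.State

# Confirm the setting took: the NIC details now carry the static address.
(Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container -FriendlyName 'DC01').NicDetailsList[0]
```

The address you pin here is the one you must also enter as the DNS server of the isolated virtual network, otherwise the application VMs that fail over after the DC will not be able to locate the domain.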

Test failover to a secondary site

  1. If you're replicating to another on-premises site and you use DHCP, set up DNS and DHCP for test failover.
  2. Do a test failover of the domain controller virtual machine into the isolated network. Use the latest available application-consistent recovery point of the domain controller virtual machine for the test failover.
  3. Run a test failover of the recovery plan that contains the virtual machines the application runs on.
  4. When testing is complete, clean up the test failover on the domain controller virtual machine. This step deletes the domain controller that was created for the test failover.

Remove references to other domain controllers

When you run a test failover, don't bring all of the domain controllers into the test network. To remove references to the other domain controllers that exist in your production environment, you might need to seize the FSMO Active Directory roles and perform metadata cleanup for the missing domain controllers.

Issues caused by virtualization safeguards

Important

Some of the configurations described in this section are not standard or default domain controller configurations. If you don't want to make these changes to a production domain controller, create a domain controller that's dedicated to Site Recovery test failover, and make the changes only to that domain controller.

Beginning with Windows Server 2012, additional safeguards are built into Active Directory Domain Services (AD DS). These safeguards protect virtualized domain controllers against USN rollback if the underlying hypervisor platform supports VM-GenerationID. Azure supports VM-GenerationID, so domain controllers that run Windows Server 2012 or later on Azure virtual machines have these safeguards.

When VM-GenerationID is reset, the InvocationID value of the AD DS database is also reset. In addition, the RID pool is discarded and the sysvol folder is marked as non-authoritative. For more information, see Introduction to Active Directory Domain Services virtualization and Safely virtualizing DFSR.

Failing over to Azure might cause VM-GenerationID to reset. Resetting VM-GenerationID triggers the safeguards when the domain controller virtual machine starts in Azure, which can result in a significant delay before you can sign in to the domain controller virtual machine.

Because this domain controller is used only in a test failover, the virtualization safeguards aren't necessary for it. To ensure that the VM-GenerationID value seen by the domain controller doesn't change, set the following DWORD to 4 (disabled) on the on-premises domain controller before it's replicated. This disables the generation counter driver, and with it the USN rollback protection, so apply it only to the domain controller dedicated to test failover:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gencounter\Start

Symptoms of virtualization safeguards

If the virtualization safeguards are triggered after a test failover, you might see one or more of the following symptoms:

  • The GenerationID value changes.

    (Screenshot: GenerationID change)

  • The InvocationID value changes.

    (Screenshot: InvocationID change)

  • The sysvol folder and NETLOGON shares aren't available.

    (Screenshot: sysvol folder shares)

    (Screenshot: NtFrs sysvol folder)

  • DFSR databases are deleted.

    (Screenshot: DFSR databases deleted)

Troubleshoot domain controller issues during test failover

Important

Some of the configurations described in this section aren't standard or default domain controller configurations. If you don't want to make these changes to a production domain controller, create a domain controller that's dedicated to Site Recovery test failover, and make the changes only to that dedicated domain controller.

  1. At the command prompt, run the following command to check whether the sysvol and NETLOGON folders are shared:

    NET SHARE

  2. At the command prompt, run the following command to check that the domain controller is functioning properly:

    dcdiag /v > dcdiag.txt

  3. In the output log, look for the following text. Its presence confirms that the domain controller is functioning correctly.

    • "passed test Connectivity"
    • "passed test Advertising"
    • "passed test MachineAccount"

If the preceding conditions are satisfied, the domain controller is most likely functioning correctly. If they aren't, complete the following steps:
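The symptom list and the three checks above can be run together on the test domain controller right after the test failover. The script below is an added example, not part of the original article. It assumes the ActiveDirectory module is present on the DC, that you saved the pre-failover InvocationID and VM-GenerationID to a baseline file on the source DC (the path C:\DR\dc-baseline.json is a placeholder), and that dcdiag.exe is on the path.

```powershell
# Added example: post-test-failover health check for the DC. Compares the current
# InvocationID and msDS-GenerationId with a baseline recorded before replication,
# checks the SYSVOL/NETLOGON shares (what NET SHARE shows) and parses dcdiag output.
# Assumption: baseline file path is a placeholder for wherever you stored it.
Import-Module ActiveDirectory

function Get-DcIdentityState {
    $dc   = Get-ADDomainController -Identity $env:COMPUTERNAME
    $comp = Get-ADComputer -Identity $env:COMPUTERNAME -Properties 'msDS-GenerationId'
    $gen  = $comp.'msDS-GenerationId'      # octet string; null on DCs without a generation ID
    [pscustomobject]@{
        InvocationId = "$($dc.InvocationId)"
        GenerationId = if ($null -ne $gen) { [System.BitConverter]::ToString([byte[]]$gen) } else { $null }
    }
}

function Test-DcAfterTestFailover {
    param([string]$BaselinePath = 'C:\DR\dc-baseline.json')

    $now      = Get-DcIdentityState
    $findings = New-Object System.Collections.Generic.List[string]

    # Symptoms 1 and 2: ID changes mean the virtualization safeguards fired.
    if (Test-Path $BaselinePath) {
        $base = Get-Content $BaselinePath -Raw | ConvertFrom-Json
        if ($base.InvocationId -ne $now.InvocationId) { $findings.Add('InvocationID changed (safeguards triggered)') }
        if ($base.GenerationId -ne $now.GenerationId) { $findings.Add('VM-GenerationID changed') }
    } else {
        $findings.Add("No baseline at $BaselinePath; ID comparison skipped")
    }

    # Symptom 3: both shares must exist or clients cannot apply Group Policy or run logon scripts.
    $shares = (Get-SmbShare).Name
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if ($shares -notcontains $share) { $findings.Add("$share share is missing") }
    }

    # The three dcdiag tests the article names as confirmation of a healthy DC.
    $diag = dcdiag /v 2>&1 | Out-String
    foreach ($test in 'Connectivity', 'Advertising', 'MachineAccount') {
        if ($diag -notmatch "passed test $test") { $findings.Add("dcdiag did not report 'passed test $test'") }
    }

    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
        Current  = $now
    }
}

# Run once on the source DC before enabling replication to record the baseline:
#   Get-DcIdentityState | ConvertTo-Json | Set-Content 'C:\DR\dc-baseline.json'
# Then, on the test-failover DC:
Test-DcAfterTestFailover | Format-List
```

A changed InvocationID together with missing SYSVOL and NETLOGON shares is the signature of the safeguards having reset the database; in that case continue with the authoritative restore and registry steps below rather than waiting for the DC to advertise on its own.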

  1. Do an authoritative restore of the domain controller, keeping the following in mind:

  2. Bypass the initial sync requirement by setting the following registry value to 0 on the on-premises domain controller. If the DWORD doesn't exist, create it under the Parameters node.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Repl Perform Initial Synchronizations

    For more information, see Troubleshoot DNS Event ID 4013: The DNS server was unable to load AD integrated DNS zones.

  3. Disable the requirement that a global catalog server be available to validate user logons. To do this, set the following registry value to 1 on the on-premises domain controller. If the DWORD doesn't exist, create it under the Lsa node.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\IgnoreGCFailures

    For more information, see Disable the requirement that a global catalog server be available to validate user logons.
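The gencounter change from the earlier section and the two registry values above are all modifications that weaken standard domain controller protections, which is why the Important notes restrict them to a dedicated test-failover DC. The following added example (not from the original article) applies all three on the on-premises DC that is dedicated to test failover, refuses to run on any other host, and saves the previous values so they can be restored. The host name DRTEST-DC and the backup path are assumptions to replace with your own.

```powershell
# Added example: apply the three test-failover registry changes to a dedicated DC only,
# recording the previous values first. Assumptions: 'DRTEST-DC' is the name of the DC
# dedicated to Site Recovery test failover; the backup path is a placeholder.
$DedicatedTestDc = 'DRTEST-DC'
if ($env:COMPUTERNAME -ne $DedicatedTestDc) {
    throw "Refusing to weaken safeguards on $env:COMPUTERNAME; this script is for $DedicatedTestDc only"
}

$changes = @(
    # Start = 4 disables the generation counter driver, so VM-GenerationID is never seen to change.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\gencounter';       Name = 'Start';                                 Value = 4 },
    # 0 lets NTDS start without first completing an inbound replication cycle.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';  Name = 'Repl Perform Initial Synchronizations'; Value = 0 },
    # 1 allows logons even when no global catalog can be reached.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';               Name = 'IgnoreGCFailures';                      Value = 1 }
)

$backup = foreach ($c in $changes) {
    $previous = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Previous = $previous }   # $null = value did not exist
    # -Force creates the DWORD if missing and overwrites it if present.
    New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord -Value $c.Value -Force | Out-Null
}

New-Item -ItemType Directory -Path 'C:\DR' -Force | Out-Null
$backup | ConvertTo-Json | Set-Content 'C:\DR\registry-backup.json'
$backup | Format-Table -AutoSize

# The gencounter and NTDS changes take effect at the next start of the DC.
Write-Warning 'Reboot required. Do not replicate this DC to a production site: its USN rollback protection is now off.'
```

To roll the changes back, read registry-backup.json and reapply each Previous value, or remove the value with Remove-ItemProperty where Previous is null.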

DNS and domain controller on different machines

If you run the domain controller and DNS on the same VM, you can skip this procedure.

If DNS isn't on the same VM as the domain controller, you need to create a DNS VM for the test failover. You can use a fresh DNS server and create all the required zones. For example, if your Active Directory domain is contoso.com, create a DNS zone named contoso.com. The entries that correspond to Active Directory must be updated in DNS as follows:

  1. Ensure that these settings are in place before any other virtual machine in the recovery plan starts:

    • The zone is named after the forest root name.
    • The zone is file-backed.
    • The zone accepts both secure and nonsecure dynamic updates.
    • The resolver of the virtual machine that hosts the domain controller points to the IP address of the DNS virtual machine.
  2. Run the following command on the VM that hosts the domain controller, so that it registers its locator (SRV) records in the zone:

    nltest /dsregdns

  3. Run the following commands on the DNS server to add the zone, create its SOA and host records, and allow nonsecure updates (the /allowupdate value 1 permits both nonsecure and secure updates):

    dnscmd /zoneadd contoso.com /Primary

    dnscmd /recordadd contoso.com contoso.com. SOA %computername%.contoso.com. hostmaster. 1 15 10 1 1

    dnscmd /recordadd contoso.com %computername% A <IP_OF_DNS_VM>

    dnscmd /config contoso.com /allowupdate 1
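The same zone setup can be scripted with the DnsServer PowerShell module, which also makes it easy to verify that nltest /dsregdns actually produced the locator records. This is an added example, not part of the original article; contoso.com and 10.0.0.5 are placeholders for the forest root name and the IP address the DNS VM gets in the isolated network, and the DC-side resolver change assumes an adapter named Ethernet.

```powershell
# Added example: create the file-backed zone for the test-failover DNS VM with the
# DnsServer module, then verify the DC's locator records after nltest /dsregdns.
# Assumptions: run on the DNS VM; 'contoso.com', '10.0.0.5' and 'Ethernet' are placeholders.
$Zone  = 'contoso.com'     # must equal the forest root name
$DnsIp = '10.0.0.5'        # address of this DNS VM in the isolated network

# File-backed primary zone accepting secure and nonsecure updates. nltest's registrations
# from a DC that has not yet authenticated against this server arrive as nonsecure updates.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate NonsecureAndSecure
} else {
    Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate NonsecureAndSecure
}

# Host record for the DNS server itself so the zone's SOA/NS name resolves
# (Add-DnsServerPrimaryZone already created the SOA with this server's name).
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $env:COMPUTERNAME -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $env:COMPUTERNAME -IPv4Address $DnsIp
}

# On the domain controller VM (not here), point the resolver at this server and register:
#   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.0.5
#   nltest /dsregdns

# Back on the DNS VM: the records a domain-joined client needs to find a DC and a GC.
function Test-DcLocatorRecords {
    param([string]$ZoneName = $Zone, [string]$Server = $DnsIp)
    $names = @("_ldap._tcp.dc._msdcs.$ZoneName", "_kerberos._tcp.dc._msdcs.$ZoneName", "_gc._tcp.$ZoneName")
    foreach ($n in $names) {
        $srv = Resolve-DnsName -Name $n -Type SRV -Server $Server -ErrorAction SilentlyContinue
        [pscustomobject]@{ Record = $n; Registered = [bool]$srv; Target = ($srv | Select-Object -First 1).NameTarget }
    }
}

Test-DcLocatorRecords | Format-Table -AutoSize
```

If any of the three SRV records is missing after nltest /dsregdns, check that the DC's resolver really points at this server and that the zone reports NonsecureAndSecure for DynamicUpdate (Get-DnsServerZone -Name contoso.com); a zone left at Secure only silently drops the registrations.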

Next steps

Learn more about protecting enterprise workloads with Azure Site Recovery.