Read Only Domain Controller for standalone/off-site testing location

Tags: active-directory, read-only

In a bit of a pinch: a client needs to test an Active Directory enabled CRM system that consists of a SQL 2008 Server and a Windows 2008 Standard Server (the application server). As far as I know, Active Directory is required for end-user authentication and for application-to-SQL authentication.

We need to pull these two servers out of their current domain environment and set them up at a testing facility that has Internet connectivity, but is not on the domain (foo.local) or any domain for that matter; they're just a bunch of workstations in a workgroup at the moment.

My initial thought was to set up an IPSec tunnel to the client's location to/from the testing facility, but I'm wondering if the LAN subnet overlap would be a pain (pfSense firewalls here) to manage and/or if changing the IP addresses of the two servers (FOOAPP and FOOSQL) to a different subnet to avoid the overlap would cause some grief in AD land (i.e. the domain controller would not "know" who these servers are).

My other thought was to set up a Read Only Domain Controller and bring it on-site to the testing facility, but from my cursory reading of the TechNet docs, it sounds like it needs to be able to talk to the client location domain controller(s).

Lastly, I know you can authenticate a workstation off-line with cached credentials: would that work with a member server? I'm assuming not as the SQL authentication that takes place between FOOAPP and FOOSQL probably does not utilize caching at all, but please enlighten me if not.

Any other options?

CLARIFICATION

These servers aren't being used in production right now. While they're joined to the customer's domain, there's no data in it and nobody's using it; they're just idle member servers at the moment. The SQL database will be loaded with test data and then used for training, but we'll be putting them back into the client's location and thus into production after this user acceptance/end-user training period is completed (with the test data removed).

We can't do the testing/training on-site because it would be too disruptive to the client's office and they don't have a large board room to accommodate the testing/training groups.

EDIT

I guess this can all be distilled into two questions:

  1. What happens to a (Read Only | Writable) domain controller when it's isolated from other domain controllers?

  2. Does Active Directory "care" about IP addresses? i.e. perhaps I can put these two servers on a different subnet temporarily and set up an IPSec tunnel so that these servers and workstations at the testing facility can communicate with the domain at the client's office.

Best Answer

Active Directory functions by default in a multimaster replication mode, where each domain controller is independently authoritative for the domain(s) it manages. Thus, the test DCs will still be able to handle logins and receive updates (password changes and the like) even while disconnected. The two sets of DCs (the live ones and the ones in the test site) will slowly diverge over time, but that's only a problem if you intend to converge them afterwards.

Here is my suggestion for handling this scenario:

  1. Take a full system state backup of each testing domain controller before relocating them.
  2. Relocate the test DCs and get them settled in (join the workstations to the domain, create users, etc.).
  3. Run your tests.
  4. When you're ready to restore the DCs to production service, do a non-authoritative restore of the system state backups you took earlier. This will reset the DCs to their previous system state (of course).
  5. Return the test DCs to their original network and power them back on. They'll recognize that their copies of the Active Directory data are woefully out of date (due to the ancient USNs), and start sending replication requests to the production DCs that have been there the whole time.
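The backup / non-authoritative restore / replication check cycle from the answer above, as an added example (not part of the answer, and not the questioner's environment). It assumes the Windows Server Backup feature is installed, `E:` is a dedicated backup volume, `TESTDC01` is a placeholder name for a writable test DC, and it is run from an elevated prompt on that DC.

```powershell
# Step 1: full system state backup before the DC leaves the production site.
# Assumption: E: is a dedicated backup volume (not the system volume).
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Record the backup's version identifier; the restore in step 4 needs it.
wbadmin get versions -backupTarget:E:

# Steps 2 and 3 (relocate, join workstations, run the tests) happen off-line.
# Caveat: keep the isolation window well inside the forest tombstone lifetime
# (60 or 180 days by default, depending on the forest's creation level). A DC
# that has been out of touch for longer is refused inbound replication, and a
# system state backup older than that cannot be restored either.

# Step 4: restore the system state. A DC system state restore must run in
# Directory Services Restore Mode (DSRM); without marking anything authoritative
# it is a non-authoritative restore, so the DC will accept newer production
# data on replication instead of pushing its test-site changes out.
bcdedit /set "{default}" safeboot dsrepair     # boot into DSRM next time
Restart-Computer -Force
# In DSRM, log on as .\Administrator with the DSRM password, then:
wbadmin start systemstaterecovery -version:<VERSION-FROM-STEP-1> -quiet
bcdedit /deletevalue "{default}" safeboot      # return to normal boot
Restart-Computer -Force

# Step 5: back on the production network, confirm inbound replication resumes
# and that no partner reports the DC as lingering or out of date.
repadmin /replsummary
repadmin /showrepl TESTDC01 /verbose
```

`<VERSION-FROM-STEP-1>` is the `Version identifier` value printed by `wbadmin get versions`; run the same cycle on each test DC independently.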