Active Directory
A set of directory-based technologies included in Windows Server.
6,131 questions
Yes you can disconnect the DC from the domain for an extended period of time but there are few things to take into consideration:
- I would increase the tombstone period, to be on the safe side, this will increase the drive space for the DIT but shouldn't be significant
- The DC on the ship should not hold any of the FSMO roles
- I would assume there will be little or no need to create new objects when disconnected from the rest of domain. There is a risk of that the DC will running out of RIDs when disconnected from the network, this will prevent any new objects from being created
- Ensure the clients on the ship are using the ship DC for name resolution and time
- Any changes to the schema or domain structure should only be completed when the ship DC is connected to the network
- User on the ship who enter incorrect password may experience an extended timeout before they receive an incorrect password error
- Ensure that AD site and services are configured with a separate site for the ship DC and client, with the IP addresses correctly assigned to the site
- If the clients are using DHCP for IP addresses, you will need a DHCP server on the ship, which issues the ship DC as the primary DNS server, with on shore DCs as secondary
- When the ship DC is connected to the network, you need to make sure the DC sync correctly with the domain, before it's disconnected again.
As with everything you will need to test the solution, and confirm there are no other dependency on the on-shore environment.
Gary.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)