Summer, sun, weekend
It all started a week ago. Friday's workday was over, it was warm, and the staff, done with work, were cheerfully heading home with smiles on their faces in anticipation of the weekend. The weekend flew by, and here was Monday. They say Monday is a hard day, but not this hard...
Calls to the IT department began to arrive sporadically, but all with the same problem: people could not log in to the domain with their accounts, while some had started working and did not notice that anything was happening. Everything pointed to one thing: errors on the domain controller.
Main problem
I should mention that I work in a state institution whose domain is part of a single directory service (ESC) spanning the whole country. After a brief inspection of the equipment, it turned out that the domain controller was complaining about a corrupted AD database (0xc00002e1). The complaints led to a server reboot and a prompt to restore the database through recovery mode. Well, I thought, fine, now we will restore the database and start replication with the main domain controller. No such luck! Due to information security restrictions imposed from above, there was simply no access to the controller.
Temporary solution
Employees were assigned an alternate AD server, which let them work fully at their workplaces. Within the day, everyone was working comfortably through a server located at the other end of the city. Everything was running, which was good, but the problem was not yet solved.
Problem one
Tuesday morning. I came in, switched on the computer and went to get coffee. But I had not even stepped away when the phone rang: we cannot log in, the computer hangs. The question of where exactly it hangs had a simple answer: “Applying computer settings.” It was clear that the computers again could not reach AD, yet the connection to the alternate controller was there and had not gone away. And oh my goodness! Ping to the alternate server was 1500-3000 ms, with packet loss. A couple of hundred computers switched on at once had saturated the communication channel to the server. The link is a DSL connection (2 Mbps).
To get things working faster, I cut off all the switches to take the load off the channel, then reconnected them one by one at intervals of a couple of minutes. Ping dropped to an acceptable 300-500 ms, good enough to work.
Problem two (bureaucratic)
It is a big network with its own call center. By the rules, letters are answered within a day. Of course, right at the end of the 24 hours, answers arrived on what to do with the dead box in the rack, followed by long calls, conversations with operators, call forwarding, and conversations with the AD administrators. We came to the conclusion that the server needed a complete reinstallation with certain settings. No sooner said than done! Now we sit and wait for my server to be processed, join the domain and replicate.
Problem three
A day passed, and operability was still not confirmed: the server was running, but as an unconfigured empty shell, not a domain controller. Again came calls to the call center, call transfers and attempts to find the cause of the failure, and they began to look at it remotely. After the server joined the domain and replication began, almost two days passed. When I asked how far along it was in percentage terms, the answer was: "3%".
This is where the anxiety began. So, by a simple calculation, replication will finish in 1.5 months? No less, I think. Replication runs over the same DSL link that about two hundred workstations hang on. We will have to be patient and wait.
Problem four (final)
There is a way out, I thought! You could pick up the server and carry it over to the domain controller that the workstations are currently living off. Simple enough, but there is one BUT! The server is set up to work only through the Dionysus gateway (those who know it know what that means), and of course everyone is reaching the secondary controller through this very gateway. Taking away this artery, even for a while, would bring the work of the whole building to a halt. Without a gateway in the network segment where the working domain controller is located, my newly built server would simply not be visible (let me remind you that the network connection cannot be reconfigured, since there is no local access to the system).
And so we have been sitting for a week, staring at the employees, the pings and the management, periodically calling the call center to find out what percentage of the database has been downloaded.
Conclusion
A little more access rights, faster technical support, better funding of state structures and the development of communication channels would help to avoid many problems. The development of the ESC was in full swing, but the speed of data exchange with the main structure remained at the level of the 90s, and that undermines the whole idea at its root.