How many domain controllers are recommended?

  • Question

  • We are running a Windows 2008 R2 Datacenter Domain Controller on a Virtual Machine (VMware) at the main location. We have less than 50 employees; we also have a co-location (within 20 miles) in case of disaster. There is a 10 meg pipe between locations that we will be increasing soon. 1. Would like to know how many domain controllers are recommended at the main site and how many at the co-location to recover from disaster? 2. Would like to know if the FSMO roles should be separated or can all FSMO roles remain on 1 DC?

    Your response is greatly appreciated.

    Wednesday, March 14, 2012 3:18 PM

Answers

  • There should be a minimum of two DCs in a domain.  If you only have one domain, all your DCs should also be GCs.  

    How many DCs at each site will depend on what your requirements are.  One DC at each site can service thousands of users with regard to authentication.  However, if the DC fails, is it OK for your users to traverse the pipe to the co-location?  If so, that should be fine.  What are the chances of a DC failure in one site and the pipe to the co-lo failing as well?  Low, right, but is it low enough for your business risk?  If not, then you would need two DCs at each physical location.  

    The interesting thing is that while one DC in the entire domain will probably give you about 98-99% availability, each DC you add only increments the availability slightly, but your costs increase at a much higher rate.  Reaching 100% of service availability increases costs exponentially.

    You can keep the FSMO roles on one server.  Not a problem.  During maintenance you can easily move them, and in a failure, seizing roles is not an issue either.  All the roles on one server will not overload the DC, especially not for such a small amount of users.


    Guides and tutorials, visit ITGeared.com.


    • Marked as answer by gemini608 Wednesday, March 14, 2012 3:53 PM
    Wednesday, March 14, 2012 3:28 PM
  • I don’t think you will see a “generic” recommendation for no. of DCs.  However, in general, it is recommended to have at least 2 DCs per domain.  If something goes wrong with one DC, you will have the 2nd DC.  However, it can be based on your requirements, applications like Exchange, SLA, backup/restore solution etc.  You can have one DC in main location and 1 in co-location facility.  In this case, if something goes wrong with DC in main location, clients will be looking for any available DC in the forest/domain. This can increase the traffic from main location to co-location.  Since you have only 50 users, I don’t believe you will see a bandwidth issue.  


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/


    This posting is provided AS IS with no warranties, and confers no rights.

    • Marked as answer by Elytis Cheng Thursday, March 15, 2012 9:52 AM
    Wednesday, March 14, 2012 3:34 PM

All replies

  • I'd put one in HQ and one in your DR site.  Two DCs is more than enough for 50 users but a minimum of two are always recommended.  I'd put all FSMOs on the same DC in this case.  Make them both global catalogs and run DNS on both (assume you are running AD Integrated DNS).

    Thanks

    Mike


    http://adisfun.blogspot.com

    Wednesday, March 14, 2012 3:29 PM
  • With only 50 employees the load will not be horribly heavy.  Unless you have some application in your environment that generates high Kerberos traffic, then technically a single server with Microsoft recommended hardware specs [or VM provisioning] should work just fine.

    However, you should have at least two domain controllers for redundancy, and preferably one domain controller in each site.

    With being a smaller organization such as yours, I honestly could not think of a good reason to segregate all of your FSMOs.  Place them all together on your most well provisioned and reliable DC.  You can use the below guidelines for FSMO placement.

    http://support.microsoft.com/kb/223346

    Wednesday, March 14, 2012 3:34 PM
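
A check for the recommendations given in the replies above (at least two DCs, one per site, every DC a global catalog running DNS, FSMO holders known), added here as an example and not posted by any participant. It assumes a single-domain forest, the ActiveDirectory PowerShell module, Windows PowerShell (for `Get-Service -ComputerName`), and remote access to each DC's service control manager.

```powershell
# Added example (not from the thread): audit the DC layout of the current domain.
Import-Module ActiveDirectory

# All domain controllers in the logged-on user's domain
$dcs = @(Get-ADDomainController -Filter *)

# Recommendation: a minimum of two DCs per domain
if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) DC found; a minimum of two is recommended."
}

# Recommendation: know how many DCs each AD site has. A site with a single DC
# relies on the inter-site link for authentication if that DC fails.
foreach ($site in ($dcs | Group-Object -Property Site)) {
    if ($site.Count -lt 2) {
        Write-Warning "Site '$($site.Name)' has a single DC; on failure clients cross the inter-site link."
    }
}

# Recommendation: every DC is a global catalog and runs DNS; list FSMO holders
$report = foreach ($dc in $dcs) {
    # 'DNS' is the service name of the DNS Server role
    $dns = Get-Service -ComputerName $dc.HostName -Name DNS -ErrorAction SilentlyContinue
    $dnsState = if ($dns) { $dns.Status } else { 'Not installed or unreachable' }

    if (-not $dc.IsGlobalCatalog) {
        Write-Warning "$($dc.Name) is not a global catalog."
    }
    if (-not $dns -or $dns.Status -ne 'Running') {
        Write-Warning "$($dc.Name): DNS Server service is '$dnsState'."
    }

    # New-Object keeps this compatible with PowerShell 2.0 on Server 2008 R2
    New-Object PSObject -Property @{
        Name          = $dc.Name
        Site          = $dc.Site
        GlobalCatalog = $dc.IsGlobalCatalog
        DnsService    = $dnsState
        FsmoRoles     = ($dc.OperationMasterRoles -join ', ')
    }
}

$report | Select-Object Name, Site, GlobalCatalog, DnsService, FsmoRoles |
    Format-Table -AutoSize
```

In the layout the replies describe, the table shows two rows, one per site, with all five FSMO roles listed against a single DC.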
  • Thanks for all responses.
    Wednesday, March 14, 2012 4:01 PM