How many domain controllers?

[brahma]

Hi there - you may recall that I have recently taken over a school network (Windows 2003 Active Directory) that seems to be something of a mess!! I am frequently getting network problems (see previous post) today I lost one of the domain controllers and the whole network just stopped - servers and PCs. I had to physically remove the power lead from the server to get it up and running.

I'm guessing the server that crashed was the PDC Emulator - but I wouldn't have expected the whole network to stop because of this.

I have today discovered that of my servers I have 3 domain controllers setup with user profiles and as file servers. I have an Exchange 2003 Server - also setup as a domain controller. I have a Windows 2003 NAS box - setup as a domain controller!!! The only device in my network (other than PCs) that is not a domain controller is another NAS box. So I have 5 domain controllers in a 6 server network!! I have around 150 laptops and 200 student PCs in the domain along with about 50 printers. All kit is located on one site.

I think I should demote the Exchange Server to a member server and demote the NAS box to be a member server too. I also think I should move all files and profiles off of the domain controllers and store them on a NAS box.

Do you think this is the right approach?

[maniac]

5 machines setup as domain controllers is a bit OTT, particularly when your network is not that huge compared to some. We only had 2 DCs at my last place, these were dedicated DCs that was their only role, and they served about 650 workstations. The new school I work at has 4 of its machines setup as DCs, which seems a bit OTT, but it's running RM CC3 which I don't want to upset, so it will stay as it is!

What you've described there is probably the best way forwards, DCs should be just that, only a DC, all files and other storage should ideally be on dedicated boxes, that way it's easy to know what each server is doing in the organisation. Just make sure the NAS has a good fast network connection, a good failsafe RAID setup on the discs, and a good history of troublefree operation.

Mike.

[FN-GM]

You should only need 2 domain controllers.

The server that went down was probably the only Global Catalogue server, you might want to consider make one of your other ones a Global Catalogue

[jcollings]

I think your idea is about right. We have 2 DC's (600 PC) that are just DCs - that's all they do (well DNS & DHCP as well). All user files are stored over 3 NAS boxes and another box doing print serving/windows update/antivirus.

Your plan sounds like it will move you in the right direction.

[FN-GM]

We have 2 domain controllers for just over 600 machines, we will soon have a third but that’s an offsite one purely for redundancy.

[dhicks]

As someone with a network with no domain controllers, I'm a bit puzzled as to why you need more than one. What does a domain controller do, other than check usernames and passwords? Surely one very basic machine could handle that, probably all from a RAM disk?

[FN-GM]

You have another just incase one dies, its quicker to get the network by seizing the roles over to another domain controller than reinstalling windows and restoring a backup. Also if configured properly if one does go down the network wont come to a halt.

[imiddleton25]

We have 2 Dc both are global catalog servers,also Dns and dhcp this means we can survive on 1 if needed

[jcollings]

As someone with a network with no domain controllers, I'm a bit puzzled as to why you need more than one. What does a domain controller do, other than check usernames and passwords? Surely one very basic machine could handle that, probably all from a RAM disk?

You can indeed manage with one but 2 is good practice as they will replicate AD information between them and if one fails the other can still authenticate.

[DMcCoy]

Please do not just demote the exchange box! you need to find out the correct order to do it in as it looks like it's different for exchange.

[amfony]

i am not aware of your school size (or in real terms objects in AD) but 5 dcs will incur quite alot of replication traffic (again dependant on your object modifications and number in total) especially compared to 2 DCs.

for 300 computers/1000 students we user 2 DC's

[dhicks]

You have another just incase one dies, its quicker to get the network by seizing the roles over to another domain controller than reinstalling windows and restoring a backup. Also if configured properly if one does go down the network wont come to a halt.

Is fail-over the only real reason for having a second domain controller, then? We can do that by virtualising the DC and mirroring the whole thing to another server, saves having to have two Windows licenses. But am I right in thinking that a DC doesn't really have to do an awful lot, or have a great deal of speed / disk space / network connectivity available? Surely the only traffic that a DC deals with is "check this user", "ok", "check this user", "ok", "check...", etc?

--
David Hicks

[sparkeh]

We can do that by virtualising the DC and mirroring the whole thing to another server, saves having to have two Windows licenses.

Virtual servers require licences too.

[zag]

First thing to do would be to make 2 machines as dedicated DC's with lots of ram.

Then make one the global catalogue server, and seize the roles to the primary one. Make sure you have a dns server and your dhcp and static IP devices point to it.

Then demote any file servers and especially the exchange server, that's a definite bad idea.

Ideally you could have a dedicated profile server, but putting it on the nas box for now should be fine.

[richard.thomas]

But am I right in thinking that a DC doesn't really have to do an awful lot, or have a great deal of speed / disk space / network connectivity available? Surely the only traffic that a DC deals with is "check this user", "ok", "check this user", "ok", "check...", etc?

Normally you'd find all the logon scripts/wallpapers/policies are on the DCs aswell. These obviously need sending to the client machines aswell. The more you have the more requests can be dealt with at the same time. Which is obviously a great advantage in a school as there's so many logoffs/logons at similar times.

So if you just have a PDC then thats one machine thats processing all the logins, serving policies, any scripts you have running out of netlogon and profile (if thats in there).
If you promote some other servers to DCs then they can help with the load and when someone logs on their request will be dealt with by a random server out of the DCs you have.

We have 3 domain controllers, the PDC is the newest server and has 4 dual cores and 8gig of RAM... Maybe overkill but best to have more than less. We have around 700 machines.