
Moving a DC out of the Default Domain Controllers Container

jcneil4 asked
Medium Priority
Last Modified: 2006-11-18
We currently have only one site but I will be setting up a second site soon.  I am restructuring the AD organization and am contemplating creating a new DC container because I need some different settings on DCs in the new site.  

Besides being linked to the [default domain controllers GPO] is there anything "special" about the default domain controllers container?

Jeff Beckham, Engineer

Setting up a new OU for your secondary domain controller shouldn't be necessary.  What type of settings/restrictions would you need to apply to your second DC and not your first?

If you really decided that you need to do something like this, it would be better to create a security group, add the second DC to the security group, create a GPO with the settings that you'd need, disable the GPO, apply the new GPO to the "Domain Controllers" OU, filter it based on group membership of the group you created and finally enable the GPO.

One last suggestion, is to remember to try and keep your AD design as simple as possible while still accomplishing your administrative and management goals.
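The group-filtered GPO procedure above, worked through as an added example in PowerShell. This is not the answerer's own script: it uses the ActiveDirectory and GroupPolicy RSAT modules, which postdate this 2006 thread, and the domain `corp.example`, the second DC `DC2`, the group `DC-Site2-Policy` and the GPO name `DC Site2 Settings` are all assumed names.

```powershell
# Added example: a GPO on the Domain Controllers OU that only applies to
# DCs in a chosen security group, following the steps in the answer above.
# Assumptions: domain corp.example, second DC named DC2, RSAT modules installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example
$dcOU     = "OU=Domain Controllers,$domainDN"
$group    = "DC-Site2-Policy"                          # assumed group name
$gpoName  = "DC Site2 Settings"                        # assumed GPO name

# 1. Security group that holds the DCs the new settings are meant for.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDN" -Description "DCs receiving $gpoName"
}

# 2. Add the second DC's computer account to that group.
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity "DC2")

# 3. Create the GPO and link it to the Domain Controllers OU with the link DISABLED
#    so nothing applies while filtering is still being set up.
$gpo = New-GPO -Name $gpoName
New-GPLink -Name $gpoName -Target $dcOU -LinkEnabled No | Out-Null

# 4. Security filtering: only members of the group get "Apply Group Policy".
#    Authenticated Users keep Read (needed for computers to process the GPO
#    after MS16-072) but lose Apply by being set to read-only.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# (Put the actual settings into the GPO here, e.g. with Set-GPRegistryValue.)

# 5. Only now enable the link.
Set-GPLink -Name $gpoName -Target $dcOU -LinkEnabled Yes | Out-Null

# Verify who can apply the policy before trusting it.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    Select-Object Trustee, Permission
```

A computer's group memberships are evaluated from its Kerberos ticket, so DC2 will not pick up the filtered GPO until it has rebooted (or its computer ticket has been renewed) after being added to the group; `gpresult /scope computer /r` on the DC shows whether the GPO was applied or filtered out.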


Actually I think I have a better solution.  
The main setting I was concerned with is Windows update settings... Each site has a different WSUS server and I like desktops to automatically install on Friday mornings but servers to not automatically install.  

What I think I'll do is: link the time and method setting (download updates and prompt for install) GPO to the Default DC Container, link an auto install method setting GPO to the appropriate desktop OUs.  Then link GPOs with the appropriate Windows Update server to the sites.

Setting one will come from the OU level GPO and setting two will come from the site linked GPO.

This should work right?
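The three-GPO layout described in the post above (one update-behaviour GPO on the Domain Controllers OU, one on the desktop OUs, and per-site GPOs carrying only the WSUS server address), as an added PowerShell example that is not part of the original thread. The policy registry keys under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` are the real Automatic Updates policy values; the OU path, site names and WSUS server URLs are assumed.

```powershell
# Added example: split "how to install" (OU-linked) from "which WSUS server"
# (site-linked) so each setting comes from exactly one GPO.
# Assumptions: desktop OU "OU=Desktops", sites "HQ" and "Branch", WSUS on port 8530.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$configDN = (Get-ADRootDSE).configurationNamingContext
$wuKey    = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auKey    = "$wuKey\AU"

function New-UpdateBehaviourGpo {
    param([string]$Name, [string]$TargetDN, [int]$AUOptions,
          [int]$InstallDay = 0, [int]$InstallHour = 3)
    # AUOptions 3 = download and notify for install (servers / DCs)
    # AUOptions 4 = download and install on a schedule (desktops)
    New-GPO -Name $Name | Out-Null
    Set-GPRegistryValue -Name $Name -Key $auKey -ValueName "NoAutoUpdate" -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $auKey -ValueName "AUOptions"    -Type DWord -Value $AUOptions | Out-Null
    if ($AUOptions -eq 4) {
        # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 6 = Friday, 7 = Saturday
        Set-GPRegistryValue -Name $Name -Key $auKey -ValueName "ScheduledInstallDay"  -Type DWord -Value $InstallDay | Out-Null
        Set-GPRegistryValue -Name $Name -Key $auKey -ValueName "ScheduledInstallTime" -Type DWord -Value $InstallHour | Out-Null
    }
    New-GPLink -Name $Name -Target $TargetDN -LinkEnabled Yes | Out-Null
}

function New-WsusServerGpo {
    param([string]$Name, [string]$SiteName, [string]$WsusUrl)
    # This GPO sets ONLY the server address; install behaviour comes from the OU GPOs.
    New-GPO -Name $Name | Out-Null
    Set-GPRegistryValue -Name $Name -Key $auKey -ValueName "UseWUServer"    -Type DWord  -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $wuKey -ValueName "WUServer"       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $Name -Key $wuKey -ValueName "WUStatusServer" -Type String -Value $WsusUrl | Out-Null
    # Site objects live in the configuration partition of the forest root domain;
    # the GPO itself is stored in the domain it was created in.
    New-GPLink -Name $Name -Target "CN=$SiteName,CN=Sites,$configDN" -LinkEnabled Yes | Out-Null
}

# DCs: download, then prompt an administrator before installing.
New-UpdateBehaviourGpo -Name "WU - Servers download and notify" `
    -TargetDN "OU=Domain Controllers,$domainDN" -AUOptions 3

# Desktops: install automatically on Friday mornings (day 6, 03:00).
New-UpdateBehaviourGpo -Name "WU - Desktops auto install Friday" `
    -TargetDN "OU=Desktops,$domainDN" -AUOptions 4 -InstallDay 6 -InstallHour 3

# One WSUS server per site, linked at the site level.
New-WsusServerGpo -Name "WU - HQ WSUS server"     -SiteName "HQ"     -WsusUrl "http://wsus-hq.corp.example:8530"
New-WsusServerGpo -Name "WU - Branch WSUS server" -SiteName "Branch" -WsusUrl "http://wsus-branch.corp.example:8530"
```

Because the site-linked and OU-linked GPOs set disjoint registry values, there is no precedence question between them: a DC in the Branch site ends up with `AUOptions=3` from the OU link and `WUServer` from the site link. `Get-GPResultantSetOfPolicy -ReportType Html -Path rsop.html` on a client shows which GPO supplied each value.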

That would work, but it's not generally recommended to apply GPOs to your site links, although it is technically feasible.  You can run into issues because the site-linked GPOs are stored in your forest root and it needs to be available in order for the GPOs to be applied.

Since you're working with WSUS, you can also manage what WSUS servers your clients connect to from the WSUS management console via groups.  See:

Top Expert 2005

Agree here.

What you want to do is create target groups and place the servers in their own group.

I think you may find that using your own WSUS for these servers is not practical.  I would never allow the servers to update themselves.  I set each server's local Group Policy to go to MS and download the updates and tell me when they're ready.  I then manually update them selecting the Custom radio button so I can see what updates are there.  This gives you the opportunity to deselect any update you definitely don't want.

Just my thoughts.

Another issue is, say it's a remote site where you want to give rights to a 2nd person to control the DC, thereby giving them rights to create shares and reboot the system.  As for WSUS, I'd say let the one server do all machines if it's a small # of sites.