Moving a DC out of the Default Domain Controllers Container

Posted on 2006-03-21
Last Modified: 2006-11-18
We currently have only one site but I will be setting up a second site soon.  I am restructuring the AD organization and am contemplating creating a new DC container because I need some different settings on DCs in the new site.  

Besides being linked to the Default Domain Controllers GPO, is there anything "special" about the default Domain Controllers container?
Question by: jcneil4
    LVL 9

    Expert Comment

    Setting up a new OU for your secondary domain controller shouldn't be necessary.  What type of settings/restrictions would you need to apply to your second DC and not your first?

    If you really decided that you need to do something like this, it would be better to create a security group, add the second DC to the security group, create a GPO with the settings that you'd need, disable the GPO, apply the new GPO to the "Domain Controllers" OU, filter it based on group membership of the group you created and finally enable the GPO.

    One last suggestion is to remember to try to keep your AD design as simple as possible while still accomplishing your administrative and management goals.
    LVL 1

    Author Comment

    Actually I think I have a better solution.  
    The main setting I was concerned with is Windows Update settings... Each site has a different WSUS server, and I like desktops to install automatically on Friday mornings but servers not to install automatically.  

    What I think I'll do is: link the time and method setting (download updates and prompt for install) GPO to the Default DC container, link an auto-install method setting GPO to the appropriate desktop OUs.  Then link GPOs with the appropriate Windows Update server to the sites.

    Setting one will come from the OU level GPO and setting two will come from the site linked GPO.

    This should work right?

    LVL 9

    Accepted Solution

    That would work, but it's not generally recommended to apply GPOs to your site links, although it is technically feasible.  You can run into issues because the site-linked GPOs are stored in your forest root and it needs to be available in order for the GPOs to be applied.

    Since you're working with WSUS, you can also manage which WSUS servers your clients connect to from the WSUS management console via groups.  See:
    LVL 51

    Expert Comment

    Agree here.

    What you want to do is create target groups and place the servers in their own group.

    I think you may find that using your own WSUS for these servers is not practical.  I would never allow the servers to update themselves.  I set each server's local Group Policy to go to MS and download the updates and tell me when they're ready.  I then manually update them selecting the Custom radio button so I can see what updates are there.  This gives you the opportunity to deselect any update you definitely don't want.

    Just my thoughts.


    Expert Comment

    Another issue is, say it's a remote site where you want to give rights to a second person to control the DC, thereby giving them rights to create shares and reboot the system.  As for WSUS, I'd say let the one server do all machines if it's a small number of sites.
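The procedure the accepted answer describes (security group, GPO, link disabled, filter, enable) and the author's split of settings across the DC OU, desktop OUs and sites, as one added PowerShell example. This is not code from the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules, a domain `corp.example`, a second DC named `DC02`, a `Desktops` OU, a site named `Branch` and a WSUS server `wsus-branch.corp.example` on port 8530. All of those names are placeholders. Run it from an elevated domain-admin session.

```powershell
# Added example, not from the original thread. Every name below is an assumption.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dcOU     = "OU=Domain Controllers,$domainDN"
$wuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey    = "$wuKey\AU"

# 1. Security group that scopes the server-only update policy; put the second DC in it.
$grp = New-ADGroup -Name 'GPO-WSUS-Servers-Notify' -GroupScope Global -GroupCategory Security `
                   -Path "CN=Users,$domainDN" -PassThru
Add-ADGroupMember -Identity $grp -Members (Get-ADComputer 'DC02')

# 2. GPO for servers: download updates and notify, never install automatically (AUOptions = 3).
$srv = New-GPO -Name 'WSUS - Servers - Download and notify'
Set-GPRegistryValue -Name $srv.DisplayName -Key $auKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $srv.DisplayName -Key $auKey -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null
Set-GPRegistryValue -Name $srv.DisplayName -Key $auKey -ValueName 'UseWUServer'  -Type DWord -Value 1 | Out-Null
# Client-side targeting: members report into the WSUS computer group "Servers" (assumed group name).
Set-GPRegistryValue -Name $srv.DisplayName -Key $wuKey -ValueName 'TargetGroupEnabled' -Type DWord  -Value 1         | Out-Null
Set-GPRegistryValue -Name $srv.DisplayName -Key $wuKey -ValueName 'TargetGroup'        -Type String -Value 'Servers' | Out-Null

# 3. Link to the Domain Controllers OU, but keep the link disabled until filtering is in place.
New-GPLink -Name $srv.DisplayName -Target $dcOU -LinkEnabled No | Out-Null

# 4. Security filtering: only group members apply it. Authenticated Users keep Read (not Apply);
#    since MS16-072 the computer account must still be able to read the GPO or it will not process.
Set-GPPermission -Name $srv.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $srv.DisplayName -TargetName $grp.Name -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 5. Scope is correct, so enable the link.
Set-GPLink -Name $srv.DisplayName -Target $dcOU -LinkEnabled Yes | Out-Null

# Desktops: auto-download and scheduled install (AUOptions = 4) every Friday at 06:00,
# linked to the assumed "Desktops" OU. ScheduledInstallDay: 0 = every day, 1 = Sunday ... 6 = Friday.
$desk = New-GPO -Name 'WSUS - Desktops - Auto install Friday 06:00'
Set-GPRegistryValue -Name $desk.DisplayName -Key $auKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $desk.DisplayName -Key $auKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $desk.DisplayName -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 6 | Out-Null
Set-GPRegistryValue -Name $desk.DisplayName -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 6 | Out-Null
Set-GPRegistryValue -Name $desk.DisplayName -Key $auKey -ValueName 'UseWUServer'          -Type DWord -Value 1 | Out-Null
New-GPLink -Name $desk.DisplayName -Target "OU=Desktops,$domainDN" -LinkEnabled Yes | Out-Null

# Per-site WSUS server: this GPO carries only the server location, linked to the AD site object,
# so the OU-level GPOs above supply the schedule and the site-level GPO supplies the server.
$siteDN = "CN=Branch,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$site   = New-GPO -Name 'WSUS - Site Branch - Server location'
$url    = 'http://wsus-branch.corp.example:8530'
Set-GPRegistryValue -Name $site.DisplayName -Key $wuKey -ValueName 'WUServer'       -Type String -Value $url | Out-Null
Set-GPRegistryValue -Name $site.DisplayName -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value $url | Out-Null
New-GPLink -Name $site.DisplayName -Target $siteDN -LinkEnabled Yes | Out-Null
```

Two things to check after running it: `Get-GPPermission -Name $srv.DisplayName -All` should show Authenticated Users with `GpoRead` and the new group with `GpoApply`, and `gpresult /scope computer /r` on DC02 should list the server GPO while the first DC (not in the group) does not apply it. Site-linked GPOs are processed before domain- and OU-linked ones, so keeping `WUServer` only in the site GPO and the schedule only in the OU GPOs avoids the two levels fighting over the same value; the GPO object for a site link lives in whichever domain it was created in, which is the availability caveat raised in the accepted answer.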
