Should every 2003 server in a domain be a domain controller?

I think that my question is in the title here. I'm in the process of building a domain that will consist of EIGHT windows 2003 servers. Now, I understand that eight isnt the biggest number in a world, but for a firm of thirty, it's still surprising.

The reason I have eight, is because there are numerous diffrent services that will be running on them, two for exchange, two for sharepoint, one for OCS, one for Groove, and one for console style issues, like antivirus, backup, WUS, printer server etc.

The problem I'm facing, is should I make them all domain controllers? What would be the effect of this? What would be the effect of NOT doing this? Any help will be much appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

It depends on where are the users. Are they going to be all in the same building, are they going to be on different sites (different physical locations)? How many users per different physical location and how large are the links between them.

It's also important to know, how many domains (e.g. will you create, only one? This is important to decide how many domain controllers you will need for authentication purposes, designated Global Catalogs, and witch ones will hold the Master Operation roles.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Making a machine a Domain Controller is like setting up a new service on the machine, you set up enough to cover the users/machines using it  and provide as much redundancy as you decide you need.

So you might want one primary DC to handle 30 users on one domain on one network, and a second to act as a backup, but there is no requirement at all that EVERY windows server act as a domain controller just for the hell of it.

Also..8 physical servers is alot of hardware for a 30 user outfit! If you're expecting load on these servers to be minimal, but need to host these services on separate servers then you might be able to lower costs significantly if you use virtualization to a degree.
I would not make all of them DC's.  I would use those server resources to partition the DCs away from as much as possible and set up redundant DHCP/DNS/File+Print services...perhaps DFS as well?  Keep your Exchange/Sharepoint/IIS stuff out of the DC's.  Two DC's would give you ample redundancy...the chances of two hardware failures at the same time are unlikely and even if it did happen, if you keep good hardware-level backups and have mirrored hardware (if possible), recovery would be quick and painless.  Each role aside from DC comes as another potential vector for attack.  If a domain controller is compromised Microsoft will tell you the only way to properly recover the Forest is to rebuild it from scratch!  

I have always liked the idea of using virtual servers for the backup DC' is not recommended for hosting Global Catalog or other FSMO roles but would be an easy way to leverage hardware in a smaller environment without having to mingle roles.  For maintenance in a production environment where you have mirrored hardware - this could have great potential for minimizing impact should you encounter problems or would like to perform maintenance during business hours.  Check out this article if you are interested:,289483,sid1_gci1227204,00.html

Microsoft does not recommend running Exchange as a DC.  I would read this article, though it is mainly focused on Exchange, it sheds some light on why you might want to avoid installing other applications and services on your DC:

 I know of no conflicts with SharePoint but there are a few considerations:
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Keep it simple.
Two DC's are enough and don't have that with Exchange!
AngelGabrielAuthor Commented:
Oh no!! So umm.... it seems that running exchange 2007 on a domain controller, is not the smartest idea? Okay, that's a task for another day, to migrate exchange off that DC!

My plan was to install all the servers one by one. As i'm installing them, add each service, groove, OCS, exchange etc - to the service, configure it acordingly, and then move on. The only reason that I installed exchange on this domain controller, is because the users dont appear in the console. Which is going to be another question on EE!
Why not just create another DC and demote the server you currently have Exchange 2007 on?
AngelGabrielAuthor Commented:
pHpp - Not a bad idea, I think I'll do that!! I apprecaite your comments everyone. For those wishing to help with my exchange issues - - that's over here!

The advice given here was sound, I'll give points within 24 hours. Not 100% sure how to split up just 100 points!
You should not make all servers DC's. Two of them are enough. You can make both of them Global Catalog because that will not increase traffic because they are in the same domain and site.

Microsoft has made available a sizing and placement tool that will aid you when trying to determine how many domain controllers you will need and the placement of each domain controller. Using the Active Directory Sizer, you will be able to determine how many domain controllers you will need, along with which of those domain controllers will be Global Catalog servers and bridgehead servers for sites. It will not, however, tell you where you need to place your Master Operations roles. To access the Active Directory Sizer, you simply download it from the Microsoft website (
The download consists of a file called setup.exe. Rename it to something more descriptive, such as adsizer.exe, so that you will know what it is later on when you are going through your files.
Another Active Directory technology whose location needs to be determined is the Master Operations roles. Because only specific servers support the Master Operations functions, you should know the criteria for their placement.

Choosing Master Operations Placement
Due to the importance of the master operations, you should carefully choose where the domain controllers holding each of these roles are placed.

Operations Masters in a Single Domain Forest
Within a single domain forest, the Infrastructure Master does not play a very important role. As amatter of fact, its services are not used at all. Because you will not have any remote domains for the Infrastructure Master to compare domain information to, it will not matter if the domain controller is a Global Catalog server or not. In fact, in a single domain environment, all domain controllers could be enabled as Global Catalog servers because there will be no additional replication costs.
By default, the first domain controller within the domain will hold all of the Master Operations roles and will also be a Global Catalog server. You should also designate another domain controller as a standby server. You do not have to configure anything special on this domain controller. Just make sure that all administrative personnel are aware of your preference to use a specific server as the standby in case the first fails. Then, if a failure of the first server does occur, you can quickly seize the master operations on the second server. Make sure that the two systems are located close to one another and connected via a high-speed connection. You could even create connection objects between the two systems so that they replicate directly to one another, ensuring that their directories are as identical as possible.

Schema Master
The Schema Master role, of which there is only one per forest, is not one that is used very often. Typically, the only time the Schema Master needs to be online after the initial installation of Active Directory is when you are making changes to the schema. When you are planning the placement of the Schema Master, place it in a site where the schema administrators have easy access to it. Also take into consideration the replication that will be incurred when a change is made. For this reason alone you may want to place the Schema Master within a site that has the most domain controllers within the forest.

Domain Naming Master
As with the Schema Master, the Domain Naming Master is not used very often, and it is also a forestwide role. Its role is to guarantee the uniqueness of domain names within the forest. It is also used when removing domains from the forest. For the Domain Naming Master to perform its function, you should locate it on a Global Catalog server, although with Windows Server 2003 this is not a requirement as it was in Windows 2000.
The Domain Naming Master and the Schema Master can be located on the same domain controller because neither of the roles will impact the way the domain controllers function. As with the Schema Master, the Domain Naming Master should be located where the administrative staff can access it.

Relative Identifier (RID) Master
The RID Master is responsible for generating and maintaining the RIDs used by the security principles within the domain. Each domain controller will contact the RID Master to obtain a group of RIDs to be used as the accounts are created. If your domain is in native mode or higher, you should place the RID Master in a site that has domain controllers where administrators are creating a majority of the accounts for its domain. This will allow the RID master to efficiently hand out allocations of RIDs to the domain controllers. If your domain is in mixed mode, consider placing the RID Master on the same server as the PDC emulator from its domain. The PDC emulator is the only domain controller that can create accounts within the domain when the domain is in mixed mode.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.