Can a Windows Server 2008 domain controller service multiple Active Directory sites?

Posted on 2008-11-13
Last Modified: 2012-05-05
I have an AD forest that is 2008 forest functional level.  I'd like to create an AD site for each physical location in the organization that contains only those subnets for the site.  However, I only have domain controllers at a few of those sites.  I thought I had read an article somewhere that mentioned that there was a new feature in Server 2008 that allowed a single domain controller to service multiple AD sites.  This wasn't a reghack, but a published ability that I thought could be managed through the AD Sites and Services snap-in.  However, I cannot find anything that would let me do this in the tool.

To avoid questions, I'll try to describe the environment:
* Multiple physical locations (let's say 10 for academic reasons)
* Only a few of those locations need domain controllers (let's say 3 for academic reasons)
* The customer wants an AD site for every physical site
* There's a central site in the company that everyone talks to directly.  That site has multiple DC's.
* 2 of the remote physical sites will have a single domain controller
* 7 of the sites will not have a domain controller
* The single hub site should be the authentication source for itself and the 7 sites that do not have domain controllers

I came upon a KB article (200498) that mentions doing this for Windows 2000 and 2003.  It's basically a reghack to add a SiteCoverage value to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

Is this still the only way to allow a DC to service multiple sites or is there something new and cool in 2008 that lets us do this another way?  And, I don't remember what article I read that talked about this, so I may have just been smoking something one day and thought I read something that didn't exist.  ;)

Also, I know that we can assign subnets from multiple physical sites into the central hub site, but that's not what I'm asking.  I want a domain controller (or multiple domain controllers) in ADSiteA to also service ADSiteB that does not have a domain controller.

Thanks in advance for your help!
Question by:DustinHollenback
    LVL 23

    Expert Comment

    There is no reason W2K, W2K3 or even W2K8 wouldn't manage several sites as standard.
    It's just the traffic that becomes an issue. And the new AD Stub Controller allows remote AD servers to contain only their local credentials, so if it's stolen, the whole org is not risked.

    You will need at least 512K pipes for Group policy rollout, and enough to allow for authentication, apart from that, it will be the other services that make the customer spend the dollars, as it would be challenging to provide a remote fileserver and printserver while maintaining reasonable connection speeds for clients, or you'd better have a big pipe...
    LVL 70

    Expert Comment

    Ideally you should have a DC at each site to prevent cross-site logon traffic, but it's not essential. The default behaviour is for any client to attempt to locate a DC in their own site for authentication; however, if no DC is found, or there is no response, then the client will seek another DC. This is the default behaviour, so you need not do anything.
    LVL 1

    Author Comment

    debuggerau and KCTS,

    I may not have been very clear with my question.  I understand the AD Site structure and when and where to place domain controllers based on bandwidth, latency, number of authenticated users, and all of the other variables.  And, based on the size of some of my locations, there is no way that I'll be placing a DC at those physical sites.

    Is there a way in the new AD Sites and Services GUI to assign a single domain controller to service 2 or more defined AD sites?  I know that it is possible with a registry hack on the domain controller, but I wanted to see if this was more refined in Windows Server 2008.
    LVL 23

    Expert Comment

    Is there a way in the new AD Sites and Services GUI to assign a single domain controller to service 2 or more defined AD sites?

    - We started by asserting that it is possible; in fact, this is the default.

    Which has got me wondering, what hack are you referring to?

    The whole idea of which DC to log in to is a moot one, as it will authenticate to whatever DC it can see first, and failing that, move on to the next, until it finds a resource to validate itself against...
    LVL 1

    Accepted Solution

    You can force the clients in a site that has no DCs to look to a specific site's DCs by weighting the site links.

    How Domain Controllers Are Located in Windows XP

    How to optimize the location of a domain controller or global catalog that
    resides outside of a client's site
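
An added example, not part of the thread: a small model of how site-link weighting decides which site's DCs end up covering a DC-less site, using the selection order Microsoft documents for automatic site coverage (lowest site-link cost, then the site with more DCs, then alphabetical order). Site names, link costs and DC counts are constructed, the helper names are hypothetical, and the model assumes site links are bridged so costs add up across hops.

```python
import heapq

# Constructed topology: (site, site, site-link cost). All names are hypothetical.
LINKS = [("Hub", "BranchA", 100), ("Hub", "BranchB", 100),
         ("Hub", "Remote1", 100), ("Hub", "Remote2", 200),
         ("BranchA", "Remote2", 50), ("Hub", "Remote3", 100),
         ("BranchB", "Remote3", 100)]
DC_COUNT = {"Hub": 3, "BranchA": 1, "BranchB": 1}  # sites that hold DCs

def site_costs(links, source):
    """Cheapest cumulative link cost from source to each reachable site
    (assumes site links are bridged, so costs add up across hops)."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best, heap = {source: 0}, [(0, source)]
    while heap:
        dist, site = heapq.heappop(heap)
        if dist > best[site]:
            continue  # stale queue entry
        for nxt, cost in graph.get(site, []):
            if dist + cost < best.get(nxt, float("inf")):
                best[nxt] = dist + cost
                heapq.heappush(heap, (best[nxt], nxt))
    return best

def covering_sites(links, dc_count):
    """Map every DC-less site to the site whose DCs would cover it."""
    sites = {s for a, b, _ in links for s in (a, b)} | set(dc_count)
    candidates = {s for s in sites if dc_count.get(s, 0) > 0}
    coverage = {}
    for target in sorted(sites - candidates):
        costs = site_costs(links, target)
        reachable = [s for s in candidates if s in costs]
        # Lowest cost wins; ties go to the site with more DCs, then by name.
        coverage[target] = min(
            reachable, key=lambda s: (costs[s], -dc_count[s], s), default=None)
    return coverage

def reweight(links, a, b, cost):
    """Return a copy of links with the a<->b link set to a new cost."""
    return [(x, y, cost if {x, y} == {a, b} else c) for x, y, c in links]

if __name__ == "__main__":
    print(covering_sites(LINKS, DC_COUNT))
    print(covering_sites(reweight(LINKS, "BranchA", "Remote2", 300), DC_COUNT))
```

With the constructed costs, Remote2 is covered by the single DC in BranchA until the BranchA link is made more expensive than the Hub link, which is the weighting approach the accepted solution describes.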

    LVL 1

    Author Comment

    Hi Matthijssen,

    This page is exactly what I was looking for:  The KB article does not mention Server 2008, but I'll hope that it hasn't changed in the new OS.  

    Thank you!
