New 2008 Server Environment

Medium Priority
Last Modified: 2012-05-06
Hi All,
We have in place a 2003 Server environment, which consists of the following:
• 3 separate physical sites connected with T1s
• 1 forest, 3 separate domains: abc.com, def.com, xyz.com (disjointed domains)
• 2 domain controllers at each site (2003 Server) (AD, DHCP, DNS, WINS), for a total of 6 DCs
• Each site has approximately 250-300 users.
• Each site is IT staffed

The Plan
• Move to MPLS between the 3 sites
• Upgrade our environment from 2003 Server to 2008
• Combine 1 forest/3 domains into 1 forest/1 domain (starting fresh)

With the advances that are included with 2008 Server I'm not 100% clear on the best path for this migration. Would there be any use for Read-Only Servers in this solution, or would each site continue to maintain 2 domain controllers? What would be the best viable solution for this scenario, also taking fail over between sites into consideration?

Top Expert 2013

How secure are your locations? For instance, how likely would it be that someone steals a DC? What is physical security like?
I support a federal organization and our server rooms are very secure, so I'm not really worried about RODCs in my current environment. I do see the need in some places, but if someone gets access to our computer rooms then there are more issues than just DCs (because at that point they have breached very secure areas).
You could get away with 1 DC for 250-300 users at each site if you had to, but since you have the two boxes already I'd just stick with that.
One big thing here is, down the road, what do you do with the domain admins. Are the 3 domains now run by separate DAs?


Hey Mike,

The server rooms at each site are secure (PCI compliant): cameras and bio locks. I was thinking of an RODC for redundancy mostly; if the primary failed then users could still authenticate. Currently there is IT staff at each site, but we all manage each other's domains from time to time anyway. The single domain move would streamline a few things, one being cross-domain permissions, and consistency across the sites.

So you think the best solution would be to have 2 domain controllers at each site, just as we are operating now?
Top Expert 2013
Yeah, the second DC in each site would give you the extra redundancy, and if both DCs (worst case) went down, clients could still use the DCs in the hub.
I'd make all the DCs global catalogs.
Sounds like you are very secure, so the RODC doesn't do much for you all.

tigermatt, Site Reliability Engineer
Most Valuable Expert 2011

I'd pretty much agree with what Mike has mentioned above. The need for RODCs only starts to come when you have many, many sites in which you cannot maintain physical security on your DCs.

For three sites, you would make much better use of having 2 DCs in each site. This provides redundancy in each site, and having local DCs means each site can run on its own, with resilience, without a replication link, if the site links fail for any reason.
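The design both experts converge on (two writable DCs per site, every DC a global catalog, RODCs only where the DC's physical security cannot be maintained) can be checked against an actual domain rather than eyeballed. The script below is an added example and is not code from the thread; the function name `Test-DcPlacement`, the domain `corp.example` and the sample DC list are assumptions constructed so it runs offline. In a real domain, the same object shape (`HostName`, `Site`, `IsGlobalCatalog`, `IsReadOnly`) comes from `Get-ADDomainController -Filter *` in the ActiveDirectory module.

```powershell
# Added example (not from the original thread): audit DC placement against the
# design recommended above. Sample data is constructed; in production replace it
# with:  $dcs = Get-ADDomainController -Filter *

function Test-DcPlacement {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,
        [int] $MinWritablePerSite = 2
    )

    $findings = @()

    # One group per AD site; each site is judged on its own so that a site
    # which would depend on the WAN link for logons is called out explicitly.
    foreach ($group in ($DomainControllers | Group-Object -Property Site)) {
        $site     = $group.Name
        $writable = @($group.Group | Where-Object { -not $_.IsReadOnly })
        $rodcs    = @($group.Group | Where-Object { $_.IsReadOnly })
        $nonGc    = @($group.Group | Where-Object { -not $_.IsGlobalCatalog })

        if ($writable.Count -lt $MinWritablePerSite) {
            $findings += [pscustomobject]@{
                Site     = $site
                Severity = 'High'
                Finding  = "Only $($writable.Count) writable DC(s); a single failure leaves logons dependent on the site link"
            }
        }
        foreach ($dc in $nonGc) {
            $findings += [pscustomobject]@{
                Site     = $site
                Severity = 'Medium'
                Finding  = "$($dc.HostName) is not a global catalog; universal-group lookups will cross the site link"
            }
        }
        foreach ($dc in $rodcs) {
            $findings += [pscustomobject]@{
                Site     = $site
                Severity = 'Info'
                Finding  = "$($dc.HostName) is an RODC; justified only where physical security of the DC cannot be maintained"
            }
        }
    }
    return $findings
}

# Constructed sample (assumed names): three sites. SiteA has a DC that is not a
# GC; SiteC has a single writable DC plus an RODC, so it fails the two-writable rule.
$dcs = @(
    [pscustomobject]@{ HostName = 'dc1.corp.example';   Site = 'SiteA'; IsGlobalCatalog = $true;  IsReadOnly = $false }
    [pscustomobject]@{ HostName = 'dc2.corp.example';   Site = 'SiteA'; IsGlobalCatalog = $false; IsReadOnly = $false }
    [pscustomobject]@{ HostName = 'dc3.corp.example';   Site = 'SiteB'; IsGlobalCatalog = $true;  IsReadOnly = $false }
    [pscustomobject]@{ HostName = 'dc4.corp.example';   Site = 'SiteB'; IsGlobalCatalog = $true;  IsReadOnly = $false }
    [pscustomobject]@{ HostName = 'dc5.corp.example';   Site = 'SiteC'; IsGlobalCatalog = $true;  IsReadOnly = $false }
    [pscustomobject]@{ HostName = 'rodc1.corp.example'; Site = 'SiteC'; IsGlobalCatalog = $true;  IsReadOnly = $true  }
)

Test-DcPlacement -DomainControllers $dcs | Format-Table -AutoSize
```

With the constructed data the function returns three findings: SiteA's dc2 is not a GC, SiteC has only one writable DC, and SiteC's rodc1 is flagged for review. SiteB, which matches the recommended layout, produces nothing. Run it after the 2003 to 2008 migration and again after any DC is decommissioned, since the second DC per site is exactly what the answers above rely on for in-site failover.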



Thanks, Mike and Matt