TheDeaner asked:
How many domain controllers should I have or implement in a standard Windows 2008 domain?

Hi all,

We're currently getting the opportunity to redesign a closed network's Windows 2008 architecture. It is pretty vanilla, but here are some of the specs on this domain:

-It is one flat domain
-all DC's and services offered (Sharepoint, Exchange, OCS Chat, etc) will be located at one main physical site due to security reasons
-The DC's will be located on an ESX server as virtual machines.
-500 to 1000 users, possibly 500 more in future expansions over the next 3 years
-20 remote sites, possibly, 10 more over the next 3 years
-30 OU's, possibly 20 more over the next 3 years
-Very little in the way of AD published objects (printers, scanners, etc)

How many domain controllers should we implement in a network like this?

Currently, there are only 2 DC's. I was thinking that we should have a minimum of 5 DC's, one for each FSMO role. Would that be a good starting point? Why would you recommend more or less DC's?

Thanks!
Solution by relliott66 (members only)

Darius Ghassem:
Well, it really depends on how you want the domain to function. If you have remote sites, do you want the remote site to function if you lose connection to HQ? All remote sites will be authenticating to the HQ DCs if you don't have any DCs located at the remote sites. You will be using your WAN for all resources, which can have an effect on the network traffic. If you had one site then the two or five DCs would be fine, but it really depends on what your needs are. You don't need a DC for every FSMO role; you should keep the FSMO roles on two DCs, but even one would do fine.

http://www.petri.co.il/planning_fsmo_roles_in_ad.htm

http://support.microsoft.com/kb/223346
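The answer above makes two checkable points: the five FSMO roles should sit on one or two DCs rather than five, and remote sites with no local DC depend on the HQ DCs and on correct subnet-to-site mapping. The script below is an added example, not code from the thread or from any of its participants. It assumes the ActiveDirectory PowerShell module (shipped with Server 2008 R2 / RSAT-AD-PowerShell, not with the original Server 2008) and a single-domain forest like the one described in the question; the built-in command-line equivalents for plain Server 2008 are listed at the end.

```powershell
# Added example (not from the thread): inventory FSMO role holders, Global
# Catalog placement and subnet-to-site mapping for a single-domain forest.
# Assumes the ActiveDirectory module (Server 2008 R2 / RSAT-AD-PowerShell)
# and is written to run on PowerShell 2.0.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Two forest-wide roles and three domain-wide roles, one holder each.
$fsmo = @(
    @{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster },
    @{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster },
    @{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator },
    @{ Role = 'RIDMaster';            Holder = $domain.RIDMaster },
    @{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
)
$fsmo | ForEach-Object { "{0,-22} {1}" -f $_.Role, $_.Holder }

# The roles are a consolidation target, not a reason to add DCs.
$holders = @($fsmo | ForEach-Object { $_.Holder } | Sort-Object -Unique)
"FSMO roles are held by $($holders.Count) DC(s): $($holders -join ', ')"
if ($holders.Count -gt 2) {
    Write-Warning "Roles are spread over more than two DCs; consolidate onto one or two."
}

# GC status per DC. In a single-domain forest every DC can be a GC; the
# Infrastructure Master / GC conflict only arises with multiple domains.
$dcs = @(Get-ADDomainController -Filter *)
$dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

$gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })
if ($gcs.Count -lt 2) {
    Write-Warning "Only $($gcs.Count) Global Catalog server(s); keep at least two for redundancy."
}
$gcNames = @($gcs | ForEach-Object { $_.HostName })
if ($forest.Domains.Count -gt 1 -and $gcNames -contains $domain.InfrastructureMaster) {
    Write-Warning "Multi-domain forest: the Infrastructure Master should not be on a GC."
}

# With every DC in one AD site, each remote office subnet must still be
# defined and mapped to that site; clients from undefined subnets show up
# as NO_CLIENT_SITE entries in the DC's netlogon.log and may pick any DC.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$configNC" `
    -Filter { objectClass -eq 'subnet' } -Properties siteObject |
    Select-Object Name, @{ n = 'Site'; e = { ($_.siteObject -split ',')[0] -replace '^CN=' } } |
    Format-Table -AutoSize

# Plain Server 2008 (no AD module) equivalents:
#   netdom query fsmo                         -> role holders
#   dsquery server -forest -isgc              -> all GC servers
#   nltest /dsgetdc:<domain> /site:<sitename> -> DC locator result for a site
```

Run it from a domain-joined admin workstation or a DC. The subnet listing is the part most often wrong in a hub-only design like this one: every remote office range has to be created under Sites and Services and mapped to the single site that holds the DCs, or the DC locator falls back to an arbitrary DC.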
TheDeaner (asker):
Thanks relliott66,

I was thinking that it would be better to separate out the FSMO roles over each server just to spread the load among FSMO roles, but if you're saying that all it will do is create more network traffic from AD replication amongst servers, then it is probably best that we only use two DC's.

I understand what you're saying about the ESX servers and spreading out, considering that if the ESX server goes down then we don't have any other DC's. With that in mind, perhaps we should have one or two extra DC's that don't handle FSMO roles on other physical devices just in case the ESX server does go down (knowing of course that FSMO roles can be pulled to the DC's lying in wait if need be)?
Solution (members only)

TheDeaner (asker):
Hi Darius,

Unfortunately, placing DC's at the remote sites is part of that security risk issue that I was talking about, so all DC's will remain in one physical location. That isn't to say that we could separate the DC's (no matter what number that we decide on) to different physical devices. I understand the pitfalls of not being able to place DC's per site for authentication, but placing them at the different sites isn't an option for us.

As it stands, both DC's are currently functioning as Global Catalog servers. Any problem with that?

Thanks again.
Asker certified solution (members only)

TheDeaner (asker):
This is more of an opinion/recommendation/best practices question. It was not in direct relation to a technical problem existing on a real device. That being said, I do appreciate the insight from relliott66 and dariusg. Thanks.