How many domain controllers should I have or implement in a standard Windows 2008 domain?

TheDeaner used Ask the Experts™
Hi all,

We're currently getting the opportunity to redesign a closed network's Windows 2008 architecture. It is pretty vanilla, but here are some of the specs on this domain:

- It is one flat domain
- All DCs and services offered (SharePoint, Exchange, OCS chat, etc.) will be located at one main physical site due to security reasons
- The DCs will be located on an ESX server as virtual machines
- 500 to 1000 users, possibly 500 more in future expansions over the next 3 years
- 20 remote sites, possibly 10 more over the next 3 years
- 30 OUs, possibly 20 more over the next 3 years
- Very little in the way of AD published objects (printers, scanners, etc.)

How many domain controllers should we implement in a network like this?

Currently, there are only 2 DCs. I was thinking that we should have a minimum of 5 DCs, one for each FSMO role. Would that be a good starting point? Why would you recommend more or fewer DCs?

Why the overkill? You could just use 2 with that few users and objects and still maintain redundancy. Being that it is an ESX environment, I am hoping that you are using multiple hosts and not trying to put all DCs on one host.

I run an environment similar to what you mentioned above: ESX, SharePoint (2007 and 2010), Exchange, OCS and a few more enterprise applications. 35,000 users, very few other objects (except for distro groups and contacts), and with just 2 DCs it purrs like a kitten. I would say start small, keep it redundant, and don't forget that if the load calls for it you can always add more on the fly. This reduces the load on the host as well as reducing maintenance on the part of the support team (for which they will be grateful). If there is a particular reason why you 'want' to run that many, then please share :)
Top Expert 2012

Well, it really depends on how you want the domain to function. If you have remote sites, do you want the remote site to function if you lose the connection to HQ? All remote sites will be authenticating to the HQ DCs if you don't have any DCs located at the remote sites. You will be using your WAN for all resources, which can have an effect on the network traffic. If you had one site, then two or five DCs would be fine, but it really depends on what your needs are. You don't need a DC for every FSMO role; you should keep the FSMO roles on two DCs, but even one would do fine.


Thanks relliott66,

I was thinking that it would be better to separate out the FSMO roles over each server just to spread the load among FSMO roles, but if you're saying that all it will do is make more network traffic based on AD replication amongst servers, then it is probably best that we only use two DCs.

I understand what you're saying about the ESX servers and spreading out, considering that if the ESX server goes down then we don't have any other DCs. With that in mind, perhaps we should have one or two extra DCs that don't handle FSMO on other physical devices, just in case the ESX server does go down (knowing, of course, that FSMO roles can be pulled to the DCs lying in wait if need be)?

If you have only one physical host, but other "physical servers" that you can assign the role of a DC to, then I would definitely recommend adding at least one "physical" DC. But that begs another question: if you do have one you could do that to, then why not make it an ESX host as well? :) Better usage of the hardware, and it allows you to build out on demand as long as the host can support the load of the VMs...


Hi Darius,

Unfortunately, placing DCs at the remote sites is part of that security risk issue that I was talking about, so all DCs will remain in one physical location. That isn't to say that we could separate the DCs (no matter what number we decide on) onto different physical devices. I understand the pitfalls of not being able to place DCs per site for authentication, but placing them at the different sites isn't an option for us.

As it stands, both DCs are currently functioning as Global Catalog servers. Any problem with that?

Thanks again.
Top Expert 2012
No problem with both DCs, but I would recommend going with at least three DCs: two VMs and one physical.

If you are worried about security, look into RODCs, which are read-only DCs that can be placed at remote sites.

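A read-only check of the design points raised in this thread (which DC holds each FSMO role, how many Global Catalogs exist, and whether any DC is an RODC), written here as an added example and not posted by any of the participants. It assumes the RSAT ActiveDirectory PowerShell module and a DC reachable over ADWS (native on 2008 R2; a 2008 DC needs the AD Management Gateway Service installed).

```powershell
# Added example, not from the thread: inventory FSMO placement and GC coverage
# for a single flat domain and flag the single points of failure discussed above.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

# The five FSMO roles and the DC (FQDN) currently holding each one
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}

'--- FSMO role holders ---'
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

'--- Domain controllers ---'
$dcs | Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize | Out-String

# Finding 1: every role on one DC means losing that VM forces a seizure of all five
$holders = @($roles.Values | Select-Object -Unique)
if ($holders.Count -eq 1) {
    "WARNING: all five FSMO roles sit on $($holders[0])."
}

# Finding 2: logons need a GC; fewer than two writable GCs is a single point of failure
$gcs = @($dcs | Where-Object { $_.IsGlobalCatalog -and -not $_.IsReadOnly })
if ($gcs.Count -lt 2) {
    'WARNING: fewer than two writable Global Catalog servers.'
}

# Finding 3: an Infrastructure Master on a GC only matters when some DCs are NOT GCs
# (when every DC is a GC, as in this thread, the combination is harmless)
$im = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($im -and $im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    'NOTE: Infrastructure Master is on a GC while other DCs are not GCs.'
}
```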

This is more of an opinion/recommendation/best practices question. It was not in direct relation to a technical problem existing on a real device. That being said, I do appreciate the insight from relliot66 and dariusg. Thanks.
