Best Layout of Domain Controllers for Multiple Subnets

Hi folks!

In our building, we have two separate subnets of private IPs. The first and second floors of our building use IP addresses in the range and the third floor uses IPs in the range.

Our network is an Active Directory network using a combination of Windows Server 2008 R2 and Windows Server 2012 R2 servers. All clients are Windows 7 Enterprise x64 clients. We currently have DHCP and DNS servers on each subnet, but our two domain controllers are both on the 1.0 subnet.

My question: Is it good practice to have a domain controller on each of the two subnets to minimize the amount of traffic that is having to be routed between them as people log in? Are there any potential drawbacks to placing a domain controller on each subnet? Is there really going to be a performance benefit to having one on each network?


Brad Groux, Senior Manager (Wintel Engineering), commented:
It doesn't really matter, you're overthinking. Active Directory is far more resilient than many admins give it credit for. When I was doing health checks for AD, time after time I'd go on site and admins had gone through all kinds of crazy extra work like setting up replication topologies and site costing. Sure, 10 years ago and in some rare usage case scenarios like global infrastructures and limited pipes that stuff is important - but for the vast majority of infrastructures you are just adding unneeded complexity and work to your job.

An example would be to turn on change notification and let the KCC (Knowledge Consistency Checker) do its job. You are not smarter than the KCC - not directly relevant to your question, but relevant to the mindset. DNS and AD are both smart enough to route as needed, and you won't experience any load - the subnet can handle your AD authentication traffic with ease.

Long story short, if you really want to do it - do it. If you don't, don't. You won't see any quantifiable benefit in doing so, you're just creating busy work for yourself. It is far more beneficial to be proactive with enhancements that will make an actual impact on your environment.

Source: Me, I'm a Microsoft Accredited Active Directory PFE/SME

Svet Paperov, IT Manager, commented:
The router between both subnets is a single point of failure. If it fails, any of your users on 3.0 won't be able to log on. By placing one DC on each subnet, you will reduce the chance of having unhappy users because of a failed router.

d0ughb0y, President / CEO, commented:
Both answers given above are true. The router is a single point of failure, that could cause problems should it fail. Of course, if it's also your Internet router, you're going to have problems if it fails anyway. But I would give some consideration to that issue, and possibly consider adding a second router into the system, for redundancy. But that depends on a lot of other considerations, like how big of a deal would it be if your network went down? We can't answer that - it's a business question. And AD is pretty resilient.

But I think that your question was really, "Do I need to put a DC on the 3rd floor network for performance reasons?" The answer to that really comes down to the amount of traffic involved. How many devices are actually involved? How many are on the 3rd floor? How many on the other two floors? What router is it? How badly is that router being taxed? What sorts of applications are your users typically using?

Liam Somerville, Senior Security Consultant, commented:
I like to have a domain controller in each subnet but for availability concerns more than anything else. You're not going to run into any sort of load issues in either of your subnets from authentication with such a small address space.

The upside to doing so is that if you were to have some sort of backbone failure, the domain would be available to each network. I can't think of a downside.
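If you do go the one-DC-per-subnet route that the availability-minded answers above lean toward, the piece that actually makes a local DC useful is an AD site and subnet object per floor, so the DC locator hands floor-3 clients the floor-3 DC instead of picking one at random; it also fits Brad's point about switching on change notification and otherwise leaving the KCC alone. The script below is an added example written for this thread, not code from any of the posters; it assumes the ActiveDirectory PowerShell module, Domain Admin rights, two DCs named DC1 and DC2 that both start in Default-First-Site-Name, and placeholder subnet prefixes standing in for the "1.0" and "3.0" ranges the question omits.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (Server 2012 R2 / RSAT), Domain Admin rights, and two DCs, DC1 and DC2,
# both currently in Default-First-Site-Name. The subnet prefixes are
# placeholders for the question's "1.0" and "3.0" ranges; replace them.
Import-Module ActiveDirectory

$Floor12Subnet = '192.168.1.0/24'   # placeholder: floors 1-2 ("1.0" subnet)
$Floor3Subnet  = '192.168.3.0/24'   # placeholder: floor 3   ("3.0" subnet)
$Floor3Site    = 'ThirdFloor'       # assumed site name
$Floor3Dc      = 'DC2'              # assumed name of the DC moved to floor 3

# 1. One site per subnet so the DC locator can prefer a local DC.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$Floor3Site'")) {
    New-ADReplicationSite -Name $Floor3Site
}

# 2. Map each subnet to its site. Without this, clients on 3.0 keep being
#    handed any DC in the default site, so a local DC buys you nothing.
foreach ($pair in @(@{Prefix=$Floor12Subnet; Site='Default-First-Site-Name'},
                    @{Prefix=$Floor3Subnet;  Site=$Floor3Site})) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($pair.Prefix)'")) {
        New-ADReplicationSubnet -Name $pair.Prefix -Site $pair.Site
    }
}

# 3. Move the second DC's server object into the new site.
Move-ADDirectoryServer -Identity $Floor3Dc -Site $Floor3Site

# 4. Leave connection objects to the KCC, but turn on change notification
#    (bit 1 of the site link's options attribute) so inter-site replication
#    is near-immediate rather than waiting on the default 15-minute schedule.
#    OR the bit in rather than overwriting whatever is already set.
$link = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Properties options
$opts = [int]($link.options) -bor 1
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Replace @{options=$opts}

# 5. Checks: which DC floor-3 clients are actually handed, and replication health.
Get-ADDomainController -Discover -SiteName $Floor3Site -ForceDiscover |
    Select-Object Name, Site, IPv4Address
nltest /dsgetsite        # run on a floor-3 client: should report ThirdFloor
repadmin /replsummary    # expect zero failures once both DCs sit in their sites
```

The site objects are also what Svet's failure case depends on: if the router between floors dies, floor-3 clients keep authenticating against DC2 only because the locator already knows that DC is in their site.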