Best Layout of Domain Controllers for Multiple Subnets

Posted on 2014-08-14
Last Modified: 2014-09-10
Hi folks!

In our building, we have two separate subnets of private IPs. The first and second floors of our building use IP addresses in the range and the third floor uses IPs in the range.

Our network is an Active Directory network using a combination of Windows Server 2008 R2 and Windows Server 2012 R2 servers. All clients are Windows 7 Enterprise x64 clients. We currently have DHCP and DNS servers on each subnet, but our two domain controllers are both on the 1.0 subnet.

My question: Is it good practice to have a domain controller on each of the two subnets to minimize the amount of traffic that has to be routed between them as people log in? Are there any potential drawbacks to placing a domain controller on each subnet? Is there really going to be a performance benefit to having one on each network?

Question by: Ithizar
    LVL 14

    Accepted Solution

    It doesn't really matter, you're overthinking. Active Directory is far more resilient than many admins give it credit for. When I was doing health checks for AD, time after time I'd go on site and admins had gone through all kinds of crazy extra work like setting up replication topologies and site costing. Sure, 10 years ago and in some rare usage case scenarios like global infrastructures and limited pipes that stuff is important - but for the vast majority of infrastructures you are just adding unneeded complexity and work to your job.

    An example would be to turn on change notification and let the KCC (Knowledge Consistency Checker) do its job. You are not smarter than the KCC - not directly relevant to your question, but relevant to the mindset. DNS and AD are both smart enough to route as needed, and you won't experience any load - the subnet can handle your AD authentication traffic with ease.

    Long story short, if you really want to do it - do it. If you don't, don't. You won't see any quantifiable benefit in doing so, you're just creating busy work for yourself. It is far more beneficial to be proactive with enhancements that will make an actual impact on your environment.

    Source: Me, I'm a Microsoft Accredited Active Directory PFE/SME
    LVL 20

    Expert Comment

    by: Svet Paperov
    The router between both subnets is a single point of failure. If it fails, any of your users on 3.0 won't be able to log on. By placing one DC on each subnet, you will reduce the chance of having unhappy users because of a failed router.
    LVL 8

    Expert Comment

    Both answers given above are true. The router is a single point of failure, that could cause problems should it fail. Of course, if it's also your Internet router, you're going to have problems if it fails anyway. But I would give some consideration to that issue, and possibly consider adding a second router into the system, for redundancy. But that depends on a lot of other considerations, like how big of a deal would it be if your network went down? We can't answer that - it's a business question. And AD is pretty resilient.

    But I think that your question was really, "Do I need to put a DC on the 3rd floor network for performance reasons?" The answer to that really comes down to the amount of traffic involved. How many devices are actually involved? How many are on the 3rd floor? How many on the other two floors? What router is it? How badly is that router being taxed? What sorts of applications are your users typically using?
    LVL 3

    Expert Comment

    by: Liam Somerville
    I like to have a domain controller in each subnet but for availability concerns more than anything else. You're not going to run into any sort of load issues in either of your subnets from authentication with such a small address space.

    The upside to doing so is that if you were to have some sort of backbone failure, the domain would be available to each network. I can't think of a downside.
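    A way to check the availability point raised in the comments above, as an added example that is not part of the thread: run it from a client on each floor and it reports which DC the DC locator hands that subnet, and whether every DC in the domain answers on the ports a logon needs. It assumes only a domain-joined Windows client; DC names and addresses are read from the domain, and the port list and timeout are the author's choices.

```powershell
# Added example, not from the thread. Reports the locator-selected DC for this client
# and TCP reachability of every DC on logon-relevant ports. Uses only .NET classes
# available on Windows 7 / PowerShell 2.0, so no RSAT or ActiveDirectory module needed.

# Ports a client logon depends on (assumed list for this check)
$ports = @{ 'Kerberos' = 88; 'LDAP' = 389; 'SMB (SYSVOL/Netlogon)' = 445 }

function Test-TcpPort {
    # Returns $true if a TCP connect to $Target:$Port completes within $TimeoutMs
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$localIps = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }
Write-Host "Client $env:COMPUTERNAME ($($localIps -join ', ')) in domain $($domain.Name)"

# The DC the locator picks is the one a logon from this subnet actually uses.
$preferred = $domain.FindDomainController()
Write-Host "Locator-selected DC: $($preferred.Name) ($($preferred.IPAddress)) site=$($preferred.SiteName)"

# A DC that is only reachable through the router is the single point of failure
# described in the comments; an UNREACHABLE line here shows what a router outage costs.
Write-Host "Reachability of all DCs:"
foreach ($dc in $domain.DomainControllers) {
    foreach ($entry in $ports.GetEnumerator()) {
        $ok = Test-TcpPort -Target $dc.Name -Port $entry.Value
        $state = if ($ok) { 'open' } else { 'UNREACHABLE' }
        Write-Host ("  {0,-30} {1,-22} tcp/{2,-4} {3}" -f $dc.Name, $entry.Key, $entry.Value, $state)
    }
}
```

    Run it once on a 1.0 client and once on a 3.0 client; if the 3.0 client's locator-selected DC and all open ports sit behind the router, the comments' concern applies, and a second run with the router link down shows exactly which logon dependencies disappear.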
