
Best Layout of Domain Controllers for Multiple Subnets

Hi folks!

In our building, we have two separate subnets of private IPs. The first and second floors of our building use IP addresses in the range and the third floor uses IPs in the range.

Our network is an Active Directory network using a combination of Windows Server 2008 R2 and Windows Server 2012 R2 servers. All clients are Windows 7 Enterprise x64 clients. We currently have DHCP and DNS servers on each subnet, but our two domain controllers are both on the 1.0 subnet.

My question: Is it good practice to have a domain controller on each of the two subnets to minimize the amount of traffic that has to be routed between them as people log in? Are there any potential drawbacks to placing a domain controller on each subnet? Is there really going to be a performance benefit to having one on each network?

1 Solution
Brad Groux commented:
It doesn't really matter; you're overthinking. Active Directory is far more resilient than many admins give it credit for. When I was doing health checks for AD, time after time I'd go on site and admins had gone through all kinds of crazy extra work like setting up replication topologies and site costing. Sure, 10 years ago and in some rare use-case scenarios like global infrastructures and limited pipes that stuff is important, but for the vast majority of infrastructures you are just adding unneeded complexity and work to your job.

An example would be to turn on change notification and let the KCC (Knowledge Consistency Checker) do its job. You are not smarter than the KCC. Not directly relevant to your question, but relevant to the mindset. DNS and AD are both smart enough to route as needed, and you won't experience any load; the subnet can handle your AD authentication traffic with ease.

Long story short, if you really want to do it - do it. If you don't, don't. You won't see any quantifiable benefit in doing so, you're just creating busy work for yourself. It is far more beneficial to be proactive with enhancements that will make an actual impact on your environment.

Source: Me, I'm a Microsoft Accredited Active Directory PFE/SME
Svet Paperov (IT Manager) commented:
The router between both subnets is a single point of failure. If it fails, any of your users on 3.0 won't be able to log on. By placing one DC on each subnet, you will reduce the chance of having unhappy users because of a failed router.

Both answers given above are true. The router is a single point of failure that could cause problems should it fail. Of course, if it's also your Internet router, you're going to have problems if it fails anyway. But I would give some consideration to that issue, and possibly consider adding a second router into the system, for redundancy. But that depends on a lot of other considerations, like how big of a deal would it be if your network went down? We can't answer that; it's a business question. And AD is pretty resilient.

But I think that your question was really, "Do I need to put a DC on the 3rd floor network for performance reasons?" The answer to that really comes down to the amount of traffic involved. How many devices are actually involved? How many are on the 3rd floor? How many on the other two floors? What router is it? How badly is that router being taxed? What sorts of applications are your users typically using?
Liam Somerville commented:
I like to have a domain controller in each subnet but for availability concerns more than anything else. You're not going to run into any sort of load issues in either of your subnets from authentication with such a small address space.

The upside to doing so is that if you were to have some sort of backbone failure, the domain would be available to each network. I can't think of a downside.
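An added example, not written by anyone in this thread: if you do take the route Svet and Liam describe and stand up a DC on the third-floor subnet, it only helps third-floor logons survive a router outage if the clients up there actually locate and use that DC. By default all subnets sit in Default-First-Site-Name, so the DC locator treats every DC as equally close and a third-floor client may well be logged on by a first-floor DC. The script below maps each subnet to a site, moves the new DC into it, and then checks from a client which DC is in use. The domain name corp.example, the ranges 192.168.1.0/24 and 192.168.3.0/24, and the host name DC03 are placeholders assumed for the example; the original question does not give them.

```powershell
# Added example, not from the thread. Assumed placeholders: domain corp.example,
# subnets 192.168.1.0/24 (floors 1 and 2) and 192.168.3.0/24 (floor 3), the two
# existing DCs on the 1.0 subnet in Default-First-Site-Name, and a new DC named
# DC03 already promoted on the 3.0 subnet. Steps 1-3 run as a Domain Admin on a
# 2012 R2 DC or any host with the ActiveDirectory RSAT module; step 4 runs on a
# third-floor client.
Import-Module ActiveDirectory

$Domain   = 'corp.example'
$SiteName = 'ThirdFloor'
$NewDC    = 'DC03'
$Subnets  = @{
    '192.168.1.0/24' = 'Default-First-Site-Name'
    '192.168.3.0/24' = $SiteName
}

# 1. Create a site for the third floor and map both subnets to their sites.
#    Until this mapping exists the new DC adds redundancy but not locality:
#    the locator cannot tell a third-floor client from a first-floor one.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}
foreach ($cidr in $Subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $Subnets[$cidr]
    }
}

# 2. Add the site to the default site link and move DC03's server object into
#    it, so DC03 registers the site-specific SRV records
#    (_ldap._tcp.ThirdFloor._sites.dc._msdcs.corp.example). The KCC builds the
#    connection objects on its own; no hand-tuned topology is needed.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $SiteName }
Move-ADDirectoryServer -Identity $NewDC -Site $SiteName

# 3. Confirm replication to the new DC is healthy before relying on it.
Get-ADReplicationPartnerMetadata -Target $NewDC |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult

# 4. From a third-floor client: which site does the locator place it in, which
#    DC did it pick, and is the local DC reachable on the ports a logon needs?
#    nltest and TcpClient also work on Windows 7, where Test-NetConnection does not.
nltest "/dsgetdc:$Domain" /force    # check "Our Site Name" and the DC returned
$env:LOGONSERVER                    # DC that handled this logon session

function Test-DcPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        return ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
foreach ($port in 88, 389, 445) {   # Kerberos, LDAP, SMB (SYSVOL and GPO)
    '{0}:{1} reachable: {2}' -f "$NewDC.$Domain", $port, (Test-DcPort "$NewDC.$Domain" $port)
}
```

If step 4 reports a site other than ThirdFloor, the client's address is not covered by any subnet object, and the locator falls back to site-less discovery, which is exactly the state the extra DC does not fix. The check is also worth repeating with the inter-floor router deliberately unplugged in a maintenance window, since that is the failure the second DC is meant to ride out.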
