pros and cons of using Domain Controller and Additional DC

Dear Experts, what are the pros and cons of using a DC and an ADC?
In the test environment, sometimes we get problems with replication.
Tjno (Network Administrator) asked:

Jose Gabriel Ortega C (EE Solution Guide - CEO Faru Bonon IT) commented:
Each infrastructure should have at least 2 Domain Controllers. (1 primary and 1 secondary).


PROS (2 DCs)
* Not a single point of failure, so if 1 fails you keep your infrastructure
* You can distribute the AD roles.
* You have more than 1 point for your users to log in and get the login token (with security and permissions)
* Not a substitute for backups
* Maybe a 3rd one, in remote, unmanaged agencies, can be used in remote offices as an RODC (Read Only Domain Controller)
* In case of failure of 1 DC you can seize its roles and recover your infrastructure with minimum effort.
* You can set 2 internal DNS servers appropriately as DNS1 and DNS2 in the server's NIC, and in DHCP.


CONS (2 DCs)
* You need to hold and maintain 2 computers (2 sets of updates)
* Checking replication should be a daily task
* You need to do backups for the 2 machines instead of 1


-------------------------

Single Domain controller:
PROS (1 DC)
* You need to back up and maintain just a single computer
* No need to check replication since there's nobody to replicate with.

CONS (1 DC)
* It's a single point of failure: if there's no backup and you lose your DC, you lose your infrastructure, that simple.
* Users can log in only to that domain controller. If it's in a reboot process, nobody can log in to their computers.
* If for whatever reason the DC is not on, people won't be able to authenticate with other services that depend on AD (like Exchange, SharePoint, or Skype for Business).

PS: Agreed with Lee, you're using an awful vocabulary to refer to a domain controller, and effectively there's no such thing as an "ADC", there are just DCs.
Lee W, MVP (Technology and Business Process Advisor) commented:
First, what's an ADC?  There is no "ADC" in Active Directory if you're using proper terminology.  All DCs are just that - DCs - Domain Controllers.  There are 5 Flexible Single Master Operation roles (FSMO roles) and the first DC in a given domain has them all by default... but they can be split up amongst other DCs (though may not be depending on the environment).  You also have Global Catalogs, which the first DC is by default.

If you have experienced, knowledgeable people on staff or managing Active Directory for you (outsourced), then a second DC is a near necessity in my opinion.  If you DON'T know AD and you DON'T have experienced AD people managing your domain, then you LIKELY should only have ONE DC and make sure it's backed up fully and regularly.  Failing to understand how to properly restore a domain controller in a failure can cause catastrophic corruption in your domain.
Ronin commented:
Microsoft best practices dictate at least two domain controllers per AD site.
Lee W, MVP (Technology and Business Process Advisor) commented:
Not having backups is a far more serious problem than not having a second DC.  I've seen people cause major problems with multiple DCs when they don't understand AD and they try to restore.  I maintain, ONE DC ONLY if you're not fully versed in Active Directory.  If you ARE experienced, THEN you want two DCs.
Tjno (Network Administrator, author) commented:
Hi, our DC is used both for authenticating domain users and Exchange mail users. We intend to install a second DC in another site, using MPLS VPN; then 2 DCs will serve around 1000 domain users. We are using Veeam to back up the first DC (which is a VM).

@ Jose: "Check replication should be a daily task": What are the procedures to check this? Do you have any reference link?
Peter Hutchison (Senior Network Systems Specialist) commented:
There are two lots of replication.
1) Replication of objects within the NTDS.dit database, such as schema changes, configuration changes and user, group and computer objects.
2) Replication of Sysvol contents, esp. Policies and scripts, using DFS-R.

You can check replication using the command line tool Repadmin.
https://technet.microsoft.com/en-us/library/cc742066(v=ws.11).aspx

For Sysvol replication, use the dfsrdiag command.
https://blogs.technet.microsoft.com/filecab/2009/05/28/dfsrdiag-exe-replicationstate-whats-dfsr-up-to/

AD Replication console tool:
https://www.microsoft.com/en-za/download/details.aspx?id=30005
Ronin commented:
As previously mentioned, it should be two DCs per site. Each one references the other in the TCP/IP properties for the DNS server, as well as itself.
The replication results can be viewed in event viewer as well as in Active Directory Replication Status tool.
You should avoid referencing the other DNS server if it's in another site.
Jose Gabriel Ortega C (EE Solution Guide - CEO Faru Bonon IT) commented:
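The daily replication check that Jose recommends, using the repadmin and dfsrdiag tools Peter points to, plus the per-DC DNS client check Ronin describes, can be scripted. The following PowerShell is an added example written for this thread, not code posted by any of the participants; it assumes RSAT (the ActiveDirectory and DnsClient modules), repadmin.exe and dfsrdiag.exe are installed, that it runs on one of the two DCs with Domain Admin rights, and that the two DC names passed in are yours (the names used below are placeholders).

```powershell
# Added example, not from any poster in this thread. Assumes RSAT, repadmin.exe and
# dfsrdiag.exe are present and the script runs on a DC with Domain Admin rights.
Import-Module ActiveDirectory

function Get-NtdsReplicationStatus {
    # NTDS.dit replication: repadmin's /csv output turns every partner link into an
    # object, so failing links can be filtered instead of read out of a text dump.
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($link in $links) {
        [pscustomobject]@{
            Destination   = $link.'Destination DSA'
            Source        = $link.'Source DSA'
            NamingContext = $link.'Naming Context'
            Failures      = [int]$link.'Number of Failures'
            LastSuccess   = $link.'Last Success Time'
            LastStatus    = $link.'Last Failure Status'
        }
    }
}

function Get-SysvolReplicationBacklog {
    # SYSVOL is replicated by DFS-R, not by NTDS, so it needs its own check. The backlog is
    # queried in both directions; a backlog that keeps growing means policies and logon
    # scripts are not converging between the two DCs.
    param([string]$DcA, [string]$DcB)
    foreach ($pair in @(@($DcA, $DcB), @($DcB, $DcA))) {
        $out = dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:$($pair[0]) /rmem:$($pair[1])
        [pscustomobject]@{
            Sending   = $pair[0]
            Receiving = $pair[1]
            Result    = ($out | Out-String).Trim()
        }
    }
}

function Get-ReplicationErrorEvents {
    # Critical/error/warning events from the last 24 hours in the two logs the
    # replication engines write to (Level 1 = Critical, 2 = Error, 3 = Warning).
    param([string]$ComputerName = $env:COMPUTERNAME)
    $since = (Get-Date).AddDays(-1)
    foreach ($log in 'Directory Service', 'DFS Replication') {
        Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $since } |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
    }
}

function Test-DcDnsClientConfig {
    # Each DC's NIC should point at the partner DC and at itself (and nothing else, e.g. no
    # ISP resolver and no DC in another site), otherwise name resolution and therefore
    # replication break as soon as one box is down.
    $dcs    = Get-ADDomainController -Filter *
    $self   = $dcs | Where-Object { $_.HostName -like "$env:COMPUTERNAME.*" }
    $wanted = @($dcs | Where-Object { $_.Site -eq $self.Site } | ForEach-Object { $_.IPv4Address })
    $nics   = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
    foreach ($nic in $nics) {
        $configured = @($nic.ServerAddresses)
        $foreign    = @($configured | Where-Object { $_ -notin $wanted -and $_ -ne '127.0.0.1' })
        [pscustomobject]@{
            Interface      = $nic.InterfaceAlias
            Configured     = $configured -join ', '
            ExpectedSiteDCs = $wanted -join ', '
            HasSelf        = ($self.IPv4Address -in $configured) -or ('127.0.0.1' -in $configured)
            HasPartner     = (@($wanted | Where-Object { $_ -ne $self.IPv4Address -and $_ -in $configured }).Count -gt 0)
            ForeignServers = $foreign -join ', '
        }
    }
}

function Invoke-DailyReplicationCheck {
    # One call for the daily task: summary first, then only the links that actually failed.
    param([string]$DcA = 'DC1', [string]$DcB = 'DC2')   # placeholder names, replace with yours
    repadmin /replsummary
    Get-NtdsReplicationStatus | Where-Object { $_.Failures -gt 0 } | Format-Table -AutoSize
    Get-SysvolReplicationBacklog -DcA $DcA -DcB $DcB | Format-List
    Get-ReplicationErrorEvents | Format-Table -AutoSize -Wrap
    Test-DcDnsClientConfig | Format-List
}

Invoke-DailyReplicationCheck -DcA 'DC1' -DcB 'DC2'
```

Run it from a scheduled task on each DC and have it mail or log the output; an empty failed-links table, a backlog of 0 in both directions and no DFS Replication or Directory Service errors is the state you want to see every morning. The DNS check flags any resolver that is not a DC in the local site, which is the configuration both Jose and Ronin describe.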
For the kind of questions you have posted, I'd recommend that you get some training.

Here's a web page to get training for free.

https://mva.microsoft.com/
Natty Greg (In Theory (IT)) commented:
If you are tech savvy and have an aptitude to learn, then doing these things is easy. If you have no idea, it would be cheaper and wiser to hire a pro.
Tjno (Network Administrator, author) commented:
Many thanks!