Step B2: Determine the Number of Domain Controllers
Published: February 25, 2008
A previous section of this guide addressed the need to determine the physical placement of domain controllers. A related decision is to determine the number of domain controllers for each location.
There are many deciding factors around how many domain controllers to have for each domain. Decisions are based on performance of authentications, access to resources, replication, and cost.
Task 1: Determine Number of Domain Controllers
For each domain in each location identified in Step B1, the minimum number of domain controllers required needs to be identified. The table below describes the minimum number of domain controllers required, based on number of users.
Table 3. Minimum Number of Domain Controllers
For workloads greater than 10,000 users in a site, additional testing should be performed with representative user workloads to determine whether more hardware is needed. Previous guidance called for an extra quad-processor system for every additional 5,000 users; for authentication-only workloads, however, this is overkill in most environments.
If only one domain controller exists in a location, consider that when it fails, clients in that location must authenticate and access resources by way of a domain controller across the WAN.
All domain controllers within a domain must be fully aware of all information related to the domain. This is handled by replication of the Active Directory database between domain controllers. This replication occurs within Active Directory sites and across site boundaries. If the number of replication partners in a given site reaches 15 or more, an additional domain controller should be added to the site. Another domain controller should be added for each additional 15 replication partners.
Review all applications that rely on Active Directory data. Some applications, such as Exchange Server, require additional domain controllers in order to function correctly. Evaluate the need for additional domain controllers based on the expected loads and requirements of the applications.
Task 2: Determine Type of Domain Controller Placed in Location
For each domain controller identified, determine whether it will be a writable domain controller or a read-only domain controller (RODC). A full (writable) domain controller should be placed only in locations where its physical security can be ensured.
The primary reason to use an RODC is for locations with poor physical security. Because the RODC is read-only, nothing on it can be changed and replicated back to the writable domain controllers. RODCs require upstream access to a full domain controller for authentication. By default, no password hashes are replicated to the RODC; the RODC forwards logon requests to a writable domain controller. The environment can be configured so that the full domain controller replicates the requested hash back to the RODC for caching. If cached hashes are present and the RODC is compromised, only the accounts whose hashes were replicated to the RODC need their passwords reset.
The functionality provided by the RODC may be affected if the WAN is down or a full domain controller is not available to service requests from the RODC.
Determine which domain controllers will be writable and which will be read-only, and record the decisions in the job aid.
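The caching behavior described above determines which accounts are exposed if an RODC is lost. The following PowerShell report is an added example, not part of the original guide: it lists each RODC's Password Replication Policy and the accounts whose hashes have actually been cached (the set that would need resetting after a compromise), flagging any that carry adminCount=1. It assumes the ActiveDirectory module (RSAT) is installed and the caller has read access to the domain; the function name is the author's own.

```powershell
# Added example (not from the original guide): audit RODC credential caching.
# Assumes the ActiveDirectory PowerShell module and domain read permissions.
Import-Module ActiveDirectory

function Get-RodcCachedCredentialReport {
    param(
        # Optional: restrict the report to one RODC by name; default is every RODC in the domain.
        [string]$RodcName
    )

    $rodcs = if ($RodcName) {
        Get-ADDomainController -Identity $RodcName
    } else {
        Get-ADDomainController -Filter { IsReadOnly -eq $true }
    }

    foreach ($rodc in $rodcs) {
        # Principals the Password Replication Policy allows to be cached on this RODC.
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Allowed)
        # Principals the policy explicitly denies (privileged groups are denied by default).
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc.Name -Denied)
        # Accounts whose secrets have actually been revealed to (cached on) this RODC.
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc.Name -RevealedAccounts)

        # Any cached account with adminCount=1 is protected by AdminSDHolder and should
        # never be cached on a poorly secured host; surface those separately.
        $privileged = foreach ($acct in $revealed) {
            $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
            if ($obj.adminCount -eq 1) { $obj.Name }
        }

        [pscustomobject]@{
            RODC                = $rodc.Name
            Site                = $rodc.Site
            AllowedEntries      = $allowed.Count
            DeniedEntries       = $denied.Count
            CachedAccounts      = $revealed.Count
            # The list to reset if this RODC is compromised.
            AccountsToReset     = ($revealed | ForEach-Object { $_.SamAccountName }) -join ','
            CachedPrivileged    = ($privileged -join ',')
        }
    }
}

# Report on every RODC in the domain and show the rows in a table.
Get-RodcCachedCredentialReport | Format-Table -AutoSize
```

Run it periodically and after any PRP change; a non-empty CachedPrivileged column means the policy needs correcting before the RODC is deployed to the untrusted location.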
A minimum of two domain controllers is needed to provide fault tolerance for a domain. Based on the business requirements described earlier, domain controllers can be placed in physical locations to provide local authentication, and additional domain controllers may be required by user authentication load and application requirements. Using RODCs can increase security dramatically and can also improve performance; in the right scenarios the cost of adding them is minimal and should be considered.
The decision to add or remove domain controllers can be changed at any time.
Windows 2000 Active Directory Sizer Tool at http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/w2kadst.mspx