Multiple Domain controllers

skev303

Hi,

I've inherited a client with more than one of their internal servers
configured as domain controller..

As I understand it this is not good..there is some general flakiness on the
network so removing/demoting/reconfiguring is not a big problem.

Thanks in advance for any help.
 
Chriss3 [MVP]

There is not a problem to have more than one Domain Controller; you can have
as many domain controllers as necessary. It's recommended for redundancy and
availability of the directory.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
skev303

Chriss3 said:
> There is not a problem to have more than one Domain Controller; you can
> have as many domain controllers as necessary. It's recommended for
> redundancy and availability of the directory.
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup

Thanks guys!
 
Cary Shultz [A.D. MVP]

Skev33,

Where do you get the idea that having multiple Domain Controllers is a bad
idea and how is the 'general flakiness on the network' caused by having
multiple Domain Controllers?

Cary
 
Andrew Mitchell

Cary Shultz said:
> Skev33,
>
> Where do you get the idea that having multiple Domain Controllers is a bad
> idea and how is the 'general flakiness on the network' caused by having
> multiple Domain Controllers?

Hi Cary.
I'm not sure about Skev's network but one I inherited had *every* server
configured as a DC. There were 9 of them in a single site that had 400 users.
That included the exchange server, file server and print server. Even the ISA
server was set up as a DC!!
I quickly reduced that to 2 DC's onsite and another at the disaster recovery
site.
 
skev303

Hi Cary,

We have our PDC which is ok
Our Exchange server is a DC
Our web server is a DC
Our 2 x file servers are both DC's !

I'm used to either single server environments or a PDC with a BDC in reserve.




----- Original Message -----
From: "Cary Shultz [A.D. MVP]" <[email protected]>
Newsgroups: microsoft.public.win2000.active_directory
Sent: Thursday, October 28, 2004 12:46 AM
Subject: Re: Multiple Domain controllers
 
skev303

Andrew Mitchell said:
> Hi Cary.
> I'm not sure about Skev's network but one I inherited had *every* server
> configured as a DC. There were 9 of them in a single site that had 400 users.
> That included the exchange server, file server and print server. Even the ISA
> server was set up as a DC!!
> I quickly reduced that to 2 DC's onsite and another at the disaster recovery
> site.


Hi Andy...sounds like a similar situation.

Did you notice an improvement on your network?

Thanks for any info.
 
Cary Shultz [A.D. MVP]

Good afternoon, Andrew!

I have seen some crazy things out there as well. Sometimes I just have to
shake my head. Not that Skev33 is doing anything incorrectly. Sometimes
you just do not know things - so you ask. Skev33 is doing the proper thing
by asking. Sometimes the person who 'knows' is a bit misguided and gives,
well, misguided advice. Lord only knows that I have done that!

And, unfortunately, that whole idea of putting a book underneath your pillow
at night and knowing everything in it by the next morning ( well, in the
case of the 'Mastering...' series it might take two nights! ) just does not
work for me. I hope that not everyone is as thick-headed as I am and can
make use of this supposed learning method.

There are a lot of people out there who do their best to make things work.
I guess that I will say that there are a lot of ways for that to happen.
Shoot, where I worked in California before moving to Roanoke - when we
merged with another company that company was a complete mess. How anything
worked there at all was a minor miracle. And it was not really the guy's
fault who took care of things. He was a sharp guy. There were, err,
political reasons.

Anyway, it takes all kinds and there will always be more than one way to get
something done.

Skev33 is going to be alright.

Cary
 
Andrew Mitchell

skev303 said:
> Hi Andy...sounds like a similar situation.
>
> Did you notice an improvement on your network?
>
> Thanks for any info.

No real improvements as such. Exchange may have run a bit quicker but not
noticeably. I mainly did it to prevent any future problems. I like my DCs to
be DCs - and that's all. Putting a DC on an internet facing box is just
asking for trouble IMHO.
 
Andrew Mitchell

Cary Shultz said:
> Good afternoon, Andrew!

Afternoon? It's 11 PM!!

> I have seen some crazy things out there as well. Sometimes I just have
> to shake my head. Not that Skev33 is doing anything incorrectly.
> Sometimes you just do not know things - so you ask. Skev33 is doing the
> proper thing by asking. Sometimes the person who 'knows' is a bit
> misguided and gives, well, misguided advice. Lord only knows that I
> have done that!

Yep. Me too.

> And, unfortunately, that whole idea of putting a book underneath your
> pillow at night and knowing everything in it by the next morning ( well,
> in the case of the 'Mastering...' series it might take two nights! )
> just does not work for me.

That's where you're screwing it up. You don't put the book under your
pillow. Everyone knows the correct place to put your books is gathering
dust on a shelf at work. You NEVER read them, but they look impressive when
the boss wanders past ;-)

> I hope that not everyone is as thick-headed
> as I am and can make use of this supposed learning method.

I prefer to set up a lab, break things, then try to fix it again.

> There are a lot of people out there who do their best to make things
> work. I guess that I will say that there are a lot of ways for that to
> happen. Shoot, where I worked in California before moving to Roanoke -
> when we merged with another company that company was a complete mess.
> How anything worked there at all was a minor miracle. And it was not
> really the guy's fault who took care of things. He was a sharp guy.
> There were, err, political reasons.

I know that feeling. I'm trying to get decent security at work. The systems
I can fix. The problem is the people. Trying to get them to stop telling
each other their passwords is impossible, and management seem reluctant to
help out.

PS: How are you going with the scripting?
 
Cary Shultz [A.D. MVP]

Andrew,

in-line....
Andrew Mitchell said:
> Afternoon? It's 11 PM!!

Well, it was 'afternoon' somewhere! ;-)

> Yep. Me too.

We all do at times. I can recall a few times where I have given less than
completely accurate advice.....will happen more times than I care to admit!

> That's where you're screwing it up. You don't put the book under your
> pillow. Everyone knows the correct place to put your books is gathering
> dust on a shelf at work. You NEVER read them, but they look impressive when
> the boss wanders past ;-)

You know, I am always confusing things. Maybe this is the problem. And I
am hoping that the kinks in my neck will disappear as well! :)

> I prefer to set up a lab, break things, then try to fix it again.

I do as well. Have one set up at home - much to the chagrin of the Missus!

> I know that feeling. I'm trying to get decent security at work. The systems
> I can fix. The problem is the people. Trying to get them to stop telling
> each other their passwords is impossible, and management seem reluctant to
> help out.
>
> PS: How are you going with the scripting?

I watched the first two of the 'scripting guys' webcasts last night ( well,
er, actually it was technically this morning! ) and am really looking
forward to getting deeper into this. They are talking about VBScripting and
using both WMI and ADSI as the interfaces. It looks like a whole lotta
doors are going to open up ( well, in worst case scenario they will not be
pad-locked anymore! ).

Thank you for asking. I will take you up on your offer when I get to the
'doing'...that test lab at home is going to be very handy!


Cary
 
Cary Shultz [A.D. MVP]

Howdy Skev33!

Can't always have things as you would like but I think that - generally
speaking - this is way too many domain controllers. But then again, I can
not really make that statement as we have not a lot of information about
your environment.

In the single server environment ( possibly Small Business Server 2000 and
2003 ) all of your eggs are typically in one basket. There is usually a
reason for this ( money, money, money ). The concept of PDC and BDC does
not really exist anymore in the WIN2000/WIN2003 environment but I understand
what you are saying.

The Exchange Server running on a Domain Controller is alright, I guess. I
would typically prefer that the Exchange Server be running on a Member
Server. The Web Server being a Domain Controller is gonna be a big no-no!
I hope that it is only your Intranet 'Web' Server and not the machine that
hosts your publicly accessible web site. That would be, err, interesting.
The two File Servers also being Domain Controllers - this would normally not
make me peep too much. So, in a perfect world - with very little
information - I would say that the DC on which Exchange is running *COULD*
be a great candidate for dcpromo and that the DC on which the 'Web Server'
is running *WOULD* be a really great candidate for dcpromo.

But, again, we have very little information from you so I can not make
anything but very general observations.

HTH,

Cary

skev303 said:
> Hi Cary,
>
> We have our PDC which is ok
> Our Exchange server is a DC
> Our web server is a DC
> Our 2 x file servers are both DC's !
>
> I'm used to either single server environments or a PDC with a BDC in reserve.
>
> ----- Original Message -----
> From: "Cary Shultz [A.D. MVP]" <[email protected]>
> Newsgroups: microsoft.public.win2000.active_directory
> Sent: Thursday, October 28, 2004 12:46 AM
> Subject: Re: Multiple Domain controllers
>
> Skev33,
>
> Where do you get the idea that having multiple Domain Controllers is a bad
> idea and how is the 'general flakiness on the network' caused by having
> multiple Domain Controllers?
>
> Cary
 
skev303

Cary Shultz said:
> Howdy Skev33!
>
> Can't always have things as you would like but I think that - generally
> speaking - this is way too many domain controllers. But then again, I can
> not really make that statement as we have not a lot of information about
> your environment.
>
> In the single server environment ( possibly Small Business Server 2000 and
> 2003 ) all of your eggs are typically in one basket. There is usually a
> reason for this ( money, money, money ). The concept of PDC and BDC does
> not really exist anymore in the WIN2000/WIN2003 environment but I understand
> what you are saying.

Hi Cary...Agreed..was just looking to get some info from guys working on
bigger environments, 90% of my work is in the SBS field!

> The Exchange Server running on a Domain Controller is alright, I guess. I
> would typically prefer that the Exchange Server be running on a Member
> Server. The Web Server being a Domain Controller is gonna be a big no-no!
> I hope that it is only your Intranet 'Web' Server and not the machine that
> hosts your publicly accessible web site.
> That would be, err, interesting.

Ahhh now you see what I'm getting at! The last support company set this up as
a DC with 2 public websites hosted on the machine! I've already run DCPROMO &
demoted it to a stand alone server for now..long term the websites will go
to an external hosting company & that o-so expensive leased line can go
too! There's not enough traffic to warrant the expense.

> The two File Servers also being Domain Controllers - this would normally not
> make me peep too much. So, in a perfect world - with very little
> information - I would say that the DC on which Exchange is running *COULD*
> be a great candidate for dcpromo and that the DC on which the 'Web Server'
> is running *WOULD* be a really great candidate for dcpromo.

Yeah...I've got a lot of Exchange issues to wade through before demoting the
Exchange server... :-(
I'm in noo rush to mess with that bad boy just yet!

Thanks again for your input.
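
The role-placement advice in this thread (the web server WOULD, the Exchange server COULD be demoted; file servers are left alone) can be turned into a repeatable check. The PowerShell below is an added example, not something posted by anyone in the thread; the function name Test-DcRoleOverlap, the ratings and the sample host names are assumptions, and live use assumes Windows PowerShell 5.1 with the ActiveDirectory (RSAT) module.

```powershell
# Added example, not from the thread. Flags domain controllers that also
# run roles the thread suggests moving to member servers.

# Ratings are an assumption mirroring "WOULD" (web) versus "COULD" (Exchange).
$ExtraRoles = @{
    'W3SVC'        = @{ Role = 'IIS web server'; Rating = 'Demote' }
    'MSExchangeIS' = @{ Role = 'Exchange store'; Rating = 'Consider' }
}

function Test-DcRoleOverlap {
    param(
        # Defaults to every DC in the current domain (needs the AD module).
        [string[]] $DomainController = (Get-ADDomainController -Filter *).HostName,
        # Returns the running service names for a host; replaceable offline.
        [scriptblock] $GetServices = {
            param($h)
            (Get-Service -ComputerName $h -ErrorAction Stop |
                Where-Object Status -eq 'Running').Name
        }
    )
    foreach ($dc in $DomainController) {
        try { $running = @(& $GetServices $dc) }
        catch {
            [pscustomobject]@{ DC = $dc; Role = 'unreachable'; Rating = 'Check' }
            continue
        }
        $hits = @($ExtraRoles.Keys | Where-Object { $running -contains $_ })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ DC = $dc; Role = 'none'; Rating = 'OK' }
        }
        foreach ($svc in $hits) {
            [pscustomobject]@{ DC = $dc; Role = $ExtraRoles[$svc].Role
                               Rating = $ExtraRoles[$svc].Rating }
        }
    }
}

# Constructed inventory shaped like the one skev303 lists (host names made up).
$sample = @{
    'dc01'   = 'NTDS', 'DNS'
    'exch01' = 'NTDS', 'MSExchangeIS'
    'web01'  = 'NTDS', 'W3SVC'
    'file01' = 'NTDS', 'LanmanServer'
    'file02' = 'NTDS', 'LanmanServer'
}
Test-DcRoleOverlap -DomainController $sample.Keys -GetServices { param($h) $sample[$h] } |
    Sort-Object DC | Format-Table -AutoSize
```

Called with no arguments, the function queries the live domain instead of the constructed table; whether a flagged host is internet facing still has to be judged by hand.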
 
Andrew Mitchell

> I watched the first two of the 'scripting guys' webcasts last night (
> well, er, actually it was technically this morning! ) and am really
> looking forward to getting deeper into this. They are talking about
> VBScripting and using both WMI and ADSI as the interfaces. It looks
> like a whole lotta doors are going to open up ( well, in worst case
> scenario they will not be pad-locked anymore! ).

Also very easy to break things in bulk :) That lab is going to get a
workout, I see.

> Thank you for asking. I will take you up on your offer when I get to
> the 'doing'...

No worries. Feel free to contact me any time.

> that test lab at home is going to be very handy!

I've got the same sort of setup here. 1 Win2003 DC with Exchange 2003, 1 Win
2000 member server running SQL 2000 and IIS, a couple of workstations and an
old Sun Sparc.

I find I'm doing most of my work on VMWare though. It's a lot easier to set up
a 'clean' network, and revert to that 'clean' environment in a matter of
minutes using the Snapshot feature. Very handy for testing destructive
changes.
 
