DNS AD Integrated and How many DC's to serve about 15,000 user accounts

Marlon Brown

In my environment I have 2,500 staff user accounts (that logon almost
concurrently). Total of 5,000 workstations.
Other 13,000 existing accounts belong to students that normally do not logon
or use computing resources concurrently.

I have (3) DC's on the main site to handle the authentication load and (4)
DC/GCs on each remote branch office.
I will need to replace ToastedDC on the main site due to hardware issues.

My question is this:
When I integrate DNS-AD (currently I have primary and secondary non-integrated
DNS servers), my Windows DNS servers will become DC's as well.

Since those two DNS servers will become DC's, I will have total of (5) DC's
on the main site.
Is there any problem if I let the DNS servers (in addition to the DNS role) take
the load as DC's/authentication? I mean, I figured that since I will have
to make the two DNS servers DC's to integrate AD-DNS, I no longer would
need to buy (1) additional server to replace my ToastedDC. Does that make
sense?

What I am saying is that I will be counting on the DNS servers as DC's, and I would like
to confirm whether, performance- and design-wise, that is alright.
 
Enkidu

DNS load in a LAN is normally fairly light, so there is no huge
performance hit from running DNS on DCs. Just ensure that the DNS
servers are set up in DHCP (I presume that you use it).

When you install DNS on a server that *doesn't* make it a DC. You make
it a DC with dcpromo and *then* you can AD Integrate it. I think that
you have it slightly backwards, though I may be reading your post
wrong.

You currently have 3 DCs, and will if you upgrade the two DNS servers
to DCs have 5 DCs, right? One of those 5 is ToastedDC? I'd be inclined
to see how it goes, but hold the option open of purchasing a
replacement for ToastedDC. I've no experience in sizing setups.

Cheers,

Cliff
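The order Cliff describes (promote the server to a DC first, then AD-integrate the zone), as an added PowerShell example that is not part of the thread. The cmdlets are from the ADDSDeployment and DnsServer modules (Windows Server 2012 or later); the zone name corp.example.com, the site name MainSite, the credential account and the server names DC01/DC02 are assumptions. Converting the file-backed zone by setting its replication scope with Set-DnsServerPrimaryZone is the same operation as "Store the zone in Active Directory" in the DNS console.

```powershell
# Added example (not from the thread): promote a Windows DNS server to a DC, then
# switch its file-backed primary zone to AD-integrated storage and verify.
# Assumed names: zone corp.example.com, site MainSite, DCs DC01/DC02.

# 1. Installing the DNS role alone does not make a DC; promote it first.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -SiteName 'MainSite' `
    -InstallDns `
    -Credential (Get-Credential 'CORP\DomainAdmin') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
# The server reboots; run the rest after it comes back up as a DC.

# 2. Only now can the zone be AD-integrated. Giving a file-backed primary zone a
#    replication scope converts it to an AD-integrated zone stored in the
#    DomainDnsZones partition ('Forest' would replicate it to every DC in the forest).
Set-DnsServerPrimaryZone -Name 'corp.example.com' -ReplicationScope 'Domain'

# 3. Verify: IsDsIntegrated should be True on every DC that hosts DNS.
function Test-ZoneIsAdIntegrated {
    param([string]$ZoneName, [string[]]$DnsServers)
    foreach ($server in $DnsServers) {
        $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $server
        [pscustomobject]@{
            Server           = $server
            IsDsIntegrated   = $zone.IsDsIntegrated
            ReplicationScope = $zone.ReplicationScope
        }
    }
}
Test-ZoneIsAdIntegrated -ZoneName 'corp.example.com' -DnsServers 'DC01', 'DC02' | Format-Table -AutoSize
```

If step 3 shows IsDsIntegrated as False on one DC while the others say True, that DC has not yet received the zone through AD replication; wait for replication rather than creating the zone by hand on it, which would produce a conflicting copy.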
 
Guest

Active Directory Integrated DNS can only be hosted on a Win 200x Domain
Controller. This will help avoid a DNS single point of failure.

If you use DHCP to issue IP to clients, it may be a good idea to create
different scopes with one pointing to DC01 and DC02 as Preferred and
Alternate DNS Servers respectively, and the other scope DNS entries reversed.

Hope this helps.
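The two-scope layout suggested above, with DC01 and DC02 listed in opposite order as preferred and alternate DNS servers, as an added PowerShell example that is not from the thread. It uses the DhcpServer module on the DHCP server; the addresses (DC01 = 10.10.0.11, DC02 = 10.10.0.12, two /24 client subnets) are constructed for the example.

```powershell
# Added example (not from the thread): two DHCP scopes whose DNS option (006)
# lists DC01 and DC02 in opposite order, so clients split their preferred
# server between the two and a single DNS outage only delays half of them.
# Constructed addresses: DC01 = 10.10.0.11, DC02 = 10.10.0.12.

$dc01 = '10.10.0.11'
$dc02 = '10.10.0.12'

$scopes = @(
    @{ Name = 'Staff-A'; Start = '10.10.1.10'; End = '10.10.1.250'; Mask = '255.255.255.0'; Dns = @($dc01, $dc02) }
    @{ Name = 'Staff-B'; Start = '10.10.2.10'; End = '10.10.2.250'; Mask = '255.255.255.0'; Dns = @($dc02, $dc01) }
)

foreach ($s in $scopes) {
    Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
        -SubnetMask $s.Mask -State Active
    # Option 006: clients try the servers in the order listed here.
    # ScopeId for a /24 is the network address, derived from the start of the range.
    $scopeId = $s.Start -replace '\.\d+$', '.0'
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -DnsServer $s.Dns
}

# Check: show each scope's DNS server list in the order clients will use it.
function Get-ScopeDnsOrder {
    Get-DhcpServerv4Scope | ForEach-Object {
        $opt = Get-DhcpServerv4OptionValue -ScopeId $_.ScopeId -OptionId 6
        [pscustomobject]@{
            Scope    = $_.Name
            ScopeId  = $_.ScopeId
            DnsOrder = ($opt.Value -join ' -> ')
        }
    }
}
Get-ScopeDnsOrder | Format-Table -AutoSize
```

Windows clients fall back to the alternate server only after the preferred one times out, so the reversed order matters for how much of the client population notices a single DNS server going down; the check function makes the order visible per scope without opening the DHCP console.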
 
Enkidu

That's not right. You can have as many non-ADI DNS as you like. There
is no "single point of failure" provided you have more than one DNS
server. In fact, if you use ADI DNS you create a single point of
failure - AD. If an error occurs in one ADI DNS, it could be
replicated to all others. This is EXTREMELY unlikely though.

Cheers,

Cliff
 
Guest

The single point of failure refers to one key advantage of using
AD-integrated DNS, and can be realized with having multiple DCs, which is not
uncommon in a large organization.

It does not mean that other non AD-integrated DNS setup cannot be used to
enhance DNS availability. For example, demo.com can be AD-integrated on all
Win 200x Servers with DNS Service, and this same zone can be setup as
secondary on another DNS Server (NT, Win 200x even Unix if you like) to avoid
the scenario you described if so desired.

Note that a Win 200x DNS Server can host AD-integrated, primary and
secondary zones all at the same time, the latter two being Internet standard
that are well understood (e.g. backup the text zone files).

See
http://support.microsoft.com/default.aspx?scid=kb;en-us;816101

Hope this clarifies the issue.
 
Enkidu

No. Where is the "single point of failure" if you have several non-ADI
DNS servers? If any server fails the others can take up the load.
There is no single point, the failure of which causes the whole of the
system to fail. This is *exactly* the situation that I set up when I
first went to a Windows 2000 AD Domain from a Windows NT4 Domain. You
are totally wrong when you say that non-ADI DNS is "a single point of
failure".

Only if you are only running one server is it a single point of
failure, and this is *also* true if the DNS is ADI on a single server.

In fact, if AD is corrupted and you have ADI DNS, it is possible that
you will lose *all* DNS if it is all ADI. In this sense, ADI is a
single point of failure.

It is always a good idea to have a non-ADI secondary DNS, if you have
a machine that it can sit on.

The key advantages of using ADI DNS zones are that replication is
handled by AD and not by AXFR and IXFR (zone transfers), and there is a
single point for administration. Nothing to do with a "single point of
failure".

Cheers,

Cliff
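Cliff's advice to keep a non-ADI secondary on a member server, as an added PowerShell example that is not part of the thread. It also does the defensive step a practitioner would pair with it: limiting AXFR/IXFR on the DCs to that one secondary, since an open transfer policy lets any host pull the whole zone. Cmdlets are from the DnsServer module; the zone corp.example.com, the DCs DC01/DC02, and the member server DNS03 at 10.10.0.13 are constructed names.

```powershell
# Added example (not from the thread): keep a standard (file-backed) secondary copy
# of the AD-integrated zone on a member server, and restrict zone transfers on the
# DCs to that one server. Constructed names: zone corp.example.com, DCs DC01/DC02
# (10.10.0.11/.12), member server DNS03 at 10.10.0.13.

$zone      = 'corp.example.com'
$dcs       = 'DC01', 'DC02'
$masters   = '10.10.0.11', '10.10.0.12'
$secondary = '10.10.0.13'

# On each DC hosting the ADI zone: allow AXFR/IXFR only to the listed secondary
# and NOTIFY it so it pulls changes promptly instead of waiting for the refresh interval.
foreach ($dc in $dcs) {
    Set-DnsServerPrimaryZone -ComputerName $dc -Name $zone `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary `
        -Notify NotifyServers -NotifyServers $secondary
}

# On the member server: a standard secondary zone that can pull from either DC.
Add-DnsServerSecondaryZone -ComputerName 'DNS03' -Name $zone `
    -ZoneFile "$zone.dns" -MasterServers $masters

# Check: once the first transfer completes, the secondary's SOA serial should
# match the DCs'. A lagging serial on DNS03 means transfers are blocked or failing.
function Get-ZoneSerial {
    param([string]$ZoneName, [string[]]$Servers)
    foreach ($srv in $Servers) {
        $soa = Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -RRType Soa
        [pscustomobject]@{ Server = $srv; Serial = $soa.RecordData.SerialNumber }
    }
}
Get-ZoneSerial -ZoneName $zone -Servers ($dcs + 'DNS03') | Format-Table -AutoSize
```

The secondary's zone file on DNS03 survives an AD problem that takes the ADI copies down with it, which is the scenario Cliff describes; the transfer restriction keeps that convenience from turning the DCs into an open directory of every host name in the domain.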
 
Guest

Please read the original reply and the MS KB article carefully. The
discussion is not about single-point-of-failure with multiple AD-integrated
DNS, rather the possibility of SPOF if not used (and no other non
AD-integrated DNS servers are around).

Thanks.
 
Enkidu

You are wrong. The MS KB article says in part:

" You may want to add additional DNS servers so there is no single
point of failure. **Instead of** (my emphasis) adding standard
secondary DNS servers, you can convert the server from a primary DNS
server to an Active Directory Integrated Primary server and configure
another domain controller to be a DNS server."

Microsoft give the option of removing a single point of failure by
adding a second server. Obviously they recommend that the new server
be ADI. But it doesn't have to be. It could be a secondary on a member
server, or even a non-Microsoft DNS. Using ANY DNS server as a
secondary would remove that single point of failure.

You said "Active Directory Integrated DNS can only be hosted on a Win
200x Domain Controller. This will help avoid a DNS single point of
failure."

The original poster already had two (non-ADI) DNS. There WAS no single
point of failure in his setup!

I would advise the OP to use ADI DNS, nevertheless. For the other
benefits.

Cheers,

Cliff
 