How many AD Controllers do I need?

Is this a strange question? Some would think so. I have known a local IT shop that had only one. They lost it in a storm, had no backup, and paid $35K to have an IT company make a new one. After that, they still only had one! Later the local IT company was hired to augment the IT shop, and they immediately put in a BDC. Theirs actually became the PDC (yes, those terms still exist in FSMO) and was later removed when their contract ended, leaving no PDC. So, is it a bad question? I think not.
Now the most basic answer, for a single-location situation, is 2. Just not 1! If you have multiple locations I would have 1 at each location. For a school district (or business) with multiple complexes, a Domain Controller at each complex location would be optimal. Each DC should handle DHCP and DNS as well. This allows local logons to be optimal, with little or no delay. Additionally, I would recommend file servers per complex so that the user files are as local as possible. A single VMware (or Hyper-V) machine can handle these various servers (I still make separate role servers) easily.

Server 2016 lets you split DHCP ranges. As I have different VLANs and ranges per building, I can give the building's primary (the close one) most of the range. I do this by giving the VLAN's scope on the machine at that location no delay, and putting a delay on that VLAN's scope on the other DCs. Even in a single-location situation I would recommend a delay on the BDC. This allows one machine to handle normal logons, and gives you a way to gauge your network. I have a 1ms delay on the BDC and it gets about 5% of the logons. This is excellent feedback that the network is running well and is healthy. If I had a 1ms delay and 40-60% of the logons were on the BDC, I could have an issue.
I have a 10G network with all workstations on 1G connections, including the wireless APs. The APs are AC and can handle 200 clients, with an AP in every room. I also have a single-location situation with 1200 devices (plus student and staff BYOD connecting as well).
Back to logon delay. I would highly recommend experimenting with this to find your network's sweet spot. Find the __ms setting that results in a 10% or lower fallback to the DC that is secondary (or tertiary). If every DC is primary on a different VLAN (the primary VLAN for its physical location), then you have fallback for heavy logon times while maintaining the fastest speeds.
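As an added example (not from the original post), here is how the split range and per-server delay described above can be set up with the Windows DHCP PowerShell cmdlets, plus a small check that reports what share of active leases fell back to the secondary. The server names, subnet and range boundaries are assumed placeholders; adjust them to your VLANs.

```powershell
# Added example: split one VLAN's DHCP scope across two DCs, with the
# secondary delayed by 1 ms, then measure the fallback percentage.
# $Primary/$Secondary, the subnet and the split point are assumed values.
$Primary   = 'DC-BLDG1'          # DC physically in this building (no delay)
$Secondary = 'DC-BLDG2'          # DC in another building (fallback)
$ScopeId   = '10.10.0.0'
$Mask      = '255.255.255.0'

# Both servers get the whole scope; exclusions decide who leases what.
foreach ($srv in $Primary, $Secondary) {
    Add-DhcpServerv4Scope -ComputerName $srv -Name 'Bldg1-VLAN10' `
        -StartRange 10.10.0.10 -EndRange 10.10.0.250 -SubnetMask $Mask -State Active
}
# Primary hands out .10-.200 (most of the range), secondary only .201-.250.
Add-DhcpServerv4ExclusionRange -ComputerName $Primary   -ScopeId $ScopeId -StartRange 10.10.0.201 -EndRange 10.10.0.250
Add-DhcpServerv4ExclusionRange -ComputerName $Secondary -ScopeId $ScopeId -StartRange 10.10.0.10  -EndRange 10.10.0.200

# Subnet delay is in milliseconds: primary offers immediately, secondary waits 1 ms.
Set-DhcpServerv4Scope -ComputerName $Primary   -ScopeId $ScopeId -Delay 0
Set-DhcpServerv4Scope -ComputerName $Secondary -ScopeId $ScopeId -Delay 1

# Gauge the network: what percentage of active leases landed on the secondary?
function Get-FallbackPercent {
    param([string]$PrimaryServer, [string]$SecondaryServer, [string]$Scope)
    $p = @(Get-DhcpServerv4Lease -ComputerName $PrimaryServer   -ScopeId $Scope |
           Where-Object AddressState -eq 'Active').Count
    $s = @(Get-DhcpServerv4Lease -ComputerName $SecondaryServer -ScopeId $Scope |
           Where-Object AddressState -eq 'Active').Count
    if (($p + $s) -eq 0) { return 0 }
    return [math]::Round(100 * $s / ($p + $s), 1)
}

$pct = Get-FallbackPercent $Primary $Secondary $ScopeId
if ($pct -gt 10) {
    Write-Warning "$pct% of leases fell back to $Secondary; check the primary's load or the link to it"
} else {
    "$pct% fallback to $Secondary (target: 10% or lower)"
}
```

Run the check periodically (a scheduled task is enough) so that a climb in the fallback percentage shows up before users notice slow logons.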
With network bandwidth becoming more of an issue every day, it is our responsibility as IT professionals to make the user experience as fast and flawless as possible. We impact the business at hand, and possible loss of production, more than some realize. Finding the sweet spot for network logons, file access, and internet access is one of the primary ways we can make the things we do in the background obvious to those we support.
