
I have been rereading some sections of "Active Directory Bible" by Curt Simmons in preparation for some machine replacement and changes to our Windows 2000 Active Directory infrastructure. It seems that in any reliable Active Directory network you should have at least two domain controllers so that logins and securities can be processed if one of them is down. However, it is stated in this book that logins require a GC. It is also stated that in a multi-domain controller network, the infrastructure role and the GC role should not be on the same machine, unless all of the domain controllers are GCs. He then says that you would never want to implement an Active Directory network with all machines as GCs. To quote the book: "However, unless you have a lot of excessive bandwidth you would like to eat up, you should certainly never implement such a solution."

So if you have a two domain controller network and the GC goes down, logon attempts will not work, in which case there is actually no redundancy. So would it really be that bad to have both DCs as GCs in a small (<35 machines) network on a gigabit switch? It seems that for all of the multiple domain controller redundancy that Microsoft claims, there are a lot of single machine roles that can bring the whole thing crashing down in a machine failure. Am I wrong here?

AudioDan

2 Answers


A note re: infrastructure master and global catalog servers: In a single domain environment the infrastructure master and global catalog roles being on the same domain controller are no big deal (because infrastructure master doesn't actually do anything in a single domain environment).

Here's an article that describes the problems that can occur in a multidomain environment with the infrastructure master role assigned to a global catalog server: http://support.microsoft.com/kb/248047

This article describes the "exception" to the "don't place the infrastructure master role on a global catalog server" rule re: single domain environments: http://support.microsoft.com/kb/248047

So, in such an environment as you describe with a single domain and two domain controllers marking both as global catalog servers isn't "bad" and there won't be any ill effects.

The "excessive bandwidth" comments from the book come into play when you look at a large network with multiple physical locations and consider the "cost" of global catalog replication.

I would typically encourage two domain controllers per physical location, at minimum, and two global catalog servers per physical location. Having said that, in smaller organizations the economics are often such that you get to have one domain controller in a "branch office" and therefore one global catalog server. It's less redundant, but the economics of the "risk" associated with the failure of that DC often outweigh the cost of adding a 2nd DC.

Evan Anderson
  • There is only one domain in the forest - so this meets your criteria. But this domain is trusted by a domain on a different pair of domain controllers. No problem there either? Essentially I have an internal network pair of DCs, and a pair of DCs for external web server authentication. The web server domain on the webserver DCs trusts the internal domain but not the other way around. – AudioDan Jul 16 '09 at 14:56
  • There's no problem so long as the forest is single domain. Trust relationships with external domains don't create objects in the trusting forest's global catalog, so infrastructure master won't become "confused" into not creating phantom objects. – Evan Anderson Jul 16 '09 at 15:00
  • Thanks much! Much of this infrastructure has been in place for a while. Sometimes it takes an upgrade for me to make the time to go through it with a fine tooth comb again. – AudioDan Jul 16 '09 at 15:02

"stated that in a multi-domain controller network"

You have misread that bit; what he must've said is "in a multi-domain network", i.e. a network with multiple AD domains in the same forest, not multiple domain CONTROLLERS in one domain. As Evan says, in a single-domain AD environment, the Infrastructure master FSMO role has no work to do.

This is also stated in KB223346:

Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:

  • Single domain forest:

In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.

  • Multidomain forest where every domain controller in a domain holds the global catalog:

If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.

ThatGraemeGuy
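Both answers boil down to the same placement rule: an infrastructure master sitting on a global catalog is only a problem in a multidomain forest where some DC in the domain is not a GC. The following PowerShell script, added here as an illustration and not part of the thread or of either KB article, runs that check against a live domain and also flags the redundancy point raised in the question (logons need a reachable GC, so a single GC is a single point of failure). It assumes the ActiveDirectory module is available, which means RSAT on a Windows Server 2008 R2 or later machine rather than the Windows 2000 DCs in the question; the function name and the output fields are my own.

```powershell
# Added example (not from the ServerFault thread): evaluate infrastructure master / GC
# placement against the two KB223346 exceptions quoted in the answer above.
# Assumption: the ActiveDirectory module (RSAT, Server 2008 R2+) is present; run it from an
# admin workstation that can reach a DC of the domain being checked.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param(
        # Domain to check; defaults to the domain of the current user
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)

    $imFqdn  = $dom.InfrastructureMaster
    $imDc    = $dcs | Where-Object { $_.HostName -eq $imFqdn }
    $imIsGc  = [bool]($imDc | Select-Object -ExpandProperty IsGlobalCatalog)
    $nonGc   = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $gcCount = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
    $singleDomain = (@($forest.Domains).Count -eq 1)

    $result = [pscustomobject]@{
        Domain               = $dom.DNSRoot
        ForestDomainCount    = @($forest.Domains).Count
        DomainControllers    = $dcs.Count
        GlobalCatalogs       = $gcCount
        InfrastructureMaster = $imFqdn
        ImHoldsGC            = $imIsGc
        AllDcsAreGC          = ($nonGc.Count -eq 0)
        PlacementOK          = $true
        Reason               = ''
        RedundancyWarning    = ''
    }

    if (-not $imIsGc) {
        $result.Reason = 'Infrastructure master is not a GC: standard placement.'
    } elseif ($singleDomain) {
        # KB223346 exception 1: no phantoms in a single-domain forest
        $result.Reason = 'Single-domain forest: infrastructure master has no phantoms to update.'
    } elseif ($nonGc.Count -eq 0) {
        # KB223346 exception 2: every DC holds the GC, so no phantoms exist
        $result.Reason = 'Every DC in the domain is a GC: no phantoms exist.'
    } else {
        # The case KB248047 warns about: cross-domain references stop being updated
        $result.PlacementOK = $false
        $result.Reason = 'Multidomain forest, infrastructure master on a GC, and ' +
                         ($nonGc.HostName -join ', ') +
                         ' are not GCs: move the role or make every DC a GC.'
    }

    # Separate from the FSMO rule: with fewer than two GCs, a single GC outage blocks logons
    if ($gcCount -lt 2) {
        $result.RedundancyWarning = 'Fewer than two GCs in this domain; a GC outage will block logons.'
    }
    return $result
}

Test-InfrastructureMasterPlacement | Format-List
```

For the two-DC, single-domain setup in the question the script reports PlacementOK as true with the single-domain reason, and RedundancyWarning stays empty once both DCs are promoted to GC. The trusted external domain from the comments is a separate forest, so it is not counted in ForestDomainCount, matching Evan's point that external trusts do not create GC objects in this forest.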