1

We have multiple AD Sites (5), one for each office, which are connected via WAN. Most offices have 2 DCs, which are virtualized. What would be the perfect setup for the DCs? Currently every DC is a Global Catalog server. Is this necessary? Can only one DC per Site be the GC?

The Domain is running in 2012 Mode.

patricks
  • 288
  • 2
  • 12

2 Answers

4

Unless you have an explicitly good reason not to, every DC should be a GC. Any other configuration is either a legacy recommendation or something weird like a DC on a cruise ship with a satellite uplink and SMTP site links.

If you've got a "normal" case, like it sounds, just make everything a GC and be done with it.

MDMarra
  • 100,734
  • 32
  • 197
  • 329
  • Agreed - I've yet to see a modern, compelling case on why you shouldn't. – Dan Jul 03 '13 at 12:17
  • Everything but the infrastructure master (if you need a working one), right? ;) – Shane Madden Jul 04 '13 at 06:42
  • @ShaneMadden If everything is a GC, then you *don't* need a working IM. In fact, [Microsoft now says](http://msdn.microsoft.com/en-us/library/cc223753.aspx) `"If all the domain controllers in a domain also host the GC, then all the domain controllers have the current data, and it is not important which domain controller owns the Infrastructure Master (IM) role."` The same article points out that `"When the Recycle Bin optional feature is enabled [...] there are no tasks associated with the Infrastructure FSMO role"` – MDMarra Jul 04 '13 at 12:21
  • @MDMarra Aha - I thought it was still needed in a multi-domain forest, but I guess not! Thanks! – Shane Madden Jul 04 '13 at 19:48
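To see how this advice applies to an existing forest, here is an added PowerShell example (it is not from the answer above or from Microsoft) that lists every DC in the domain with its site and GC status, flags sites that have no GC, and reports whether the Infrastructure Master caveat raised in the comments is moot, i.e. all DCs are GCs or the Recycle Bin is enabled. It assumes the ActiveDirectory RSAT module and an account with rights to read the configuration partition; the `Enable-GlobalCatalog` helper at the end and the DC name `BRANCH-DC2` are mine and are shown with `-WhatIf` so nothing is changed until you remove it.

```powershell
# Added example: audit Global Catalog placement per site and the Infrastructure
# Master caveat discussed in the comments. Requires the ActiveDirectory module
# (RSAT). Read-only, except the opt-in Enable-GlobalCatalog helper at the end.
Import-Module ActiveDirectory

# One row per domain controller in the current domain.
$dcs = Get-ADDomainController -Filter * |
    Select-Object Name, HostName, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem, NTDSSettingsObjectDN

$dcs | Sort-Object Site, Name | Format-Table Name, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem -AutoSize

# Sites where no DC is a GC: logons that need universal group membership, and
# any lookup of objects from other domains, have to cross the WAN.
$dcs | Group-Object Site | Where-Object { @($_.Group | Where-Object IsGlobalCatalog).Count -eq 0 } |
    ForEach-Object { Write-Warning "Site '$($_.Name)' has $($_.Count) DC(s) but no Global Catalog" }

# Infrastructure Master check, following the MSDN text quoted in the comments:
# the IM only matters when some DCs in the domain are NOT GCs and the Recycle
# Bin is NOT enabled.
$domain     = Get-ADDomain
$allGc      = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$recycleBin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
$rbEnabled  = @($recycleBin.EnabledScopes).Count -gt 0

"Infrastructure Master: $($domain.InfrastructureMaster)"
if ($allGc -or $rbEnabled) {
    "IM placement is irrelevant here (all DCs are GCs: $allGc; Recycle Bin enabled: $rbEnabled)"
} else {
    # Classic rule for the mixed case: the IM must not sit on a GC, or phantom
    # cross-domain references are never updated.
    $im = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    if ($im.IsGlobalCatalog) {
        Write-Warning "IM $($im.Name) is a GC while other DCs are not: move the IM or make every DC a GC"
    } else {
        "IM $($im.Name) is not a GC; cross-domain references will be maintained"
    }
}

# Opt-in: promote a DC to GC by setting bit 0x1 (IS_GC) on the 'options'
# attribute of its NTDS Settings object, keeping any other bits that are set.
# IsGlobalCatalog stays $false until the partial replicas have replicated in.
function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DcName, [switch]$WhatIf)
    $dc   = Get-ADDomainController -Identity $DcName
    $opts = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options).options
    Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ([int]$opts -bor 1) } -WhatIf:$WhatIf
}

# Enable-GlobalCatalog -DcName 'BRANCH-DC2' -WhatIf   # assumed DC name; drop -WhatIf to apply
```

The `options` bit manipulation is the same change that ticking "Global Catalog" in Active Directory Sites and Services makes; reading the current value first matters because the attribute also carries the bits that disable inbound or outbound replication, and a bare `options = 1` would clear them.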
0

This is a tricky one, it depends on many factors such as:

  • How many users you have on each site
  • Do you have any security concerns for the remote sites?
  • Do you have any administrators on the remote sites or not?
  • How fast is the WAN speed for each site?
  • How frequently you replicate AD between each site, and how big is the replication itself?

These questions should help you design a strong AD network. For a start, I would recommend the following guidelines:

  • If security is an issue on the remote sites, then use only RODCs instead of full writable DCs
  • If the login times are slow on remote sites, then use universal group membership caching
  • If you have admins on the remote sites, then delegate administration to them
  • If the WAN networks are slow, then try to change the replication topology to happen after working hours
  • If both your virtual DCs are hosted on the same physical host, then I would recommend changing that, since if the host fails, your entire AD network on the remote site fails.

There is more to write, but those are the things that just came to the top of my head.

Edit: Having one GC on each site is okay; here is further reading about it: http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx

Hope this helps.

Noor Khaldi
  • 3,869
  • 3
  • 19
  • 28
  • The average is 40 users per Site. No security concerns for the sites. Only on 3 Sites are there administrators (but we maintain GPO Settings or AD User Settings on one DC). The WAN is connected via 20 MBit. Currently the time between every replication is 15 Minutes. How can I get the information about the size of the replication? Update - The size of the DB is 52 MB – patricks Jul 03 '13 at 11:05
  • 1
    This seems like a very typical installation of AD, with no special requirements: the number of users on each site is relatively small and the WAN connections are fast, replication is not an issue and security is not a huge concern. I would say you're good to go with the current setup. If you're still paranoid then run DCDiag on your DC servers and fix any issues you might have. – Noor Khaldi Jul 03 '13 at 11:57
  • 1
    This doesn't really address the question at all. For example, you talk about RODCs...but RODCs can be Global Catalogs. They're not mutually exclusive. Then you talk about virtualization best practices. He asked a specific question that you managed to avoid answering anywhere in your answer. – MDMarra Jul 03 '13 at 12:14
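The guidelines in this answer (WAN speed, replication interval and schedule, universal group membership caching, RODCs) and the asker's follow-up about the 15-minute interval all map to settings you can read from the configuration partition. The following is an added PowerShell example, not code from the answer or from Microsoft, that prints the site links with their cost and interval, a per-site summary of DCs/GCs/RODCs/caching, and the replication health of every DC against its partners. It assumes the ActiveDirectory RSAT module; the site link `HQ-Branch1` and site `Branch1` in the opt-in section are assumed names, and those lines carry `-WhatIf` so they change nothing until you remove it.

```powershell
# Added example: review the inter-site settings behind the guidelines in the
# answer. Requires the ActiveDirectory module (RSAT). Read-only, except the
# clearly marked opt-in Set-* lines at the end.
Import-Module ActiveDirectory

# Site links: cost and how often changes cross the WAN (15 minutes, mentioned in
# the comments, is the default for a new site link).
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# Per-site summary: DC count, GCs, RODCs and universal group membership caching.
# RODCs can be GCs too, as the comment above points out, so both columns are shown.
$dcs = Get-ADDomainController -Filter *
Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled | ForEach-Object {
    $site    = $_
    $siteDcs = @($dcs | Where-Object Site -eq $site.Name)
    [pscustomobject]@{
        Site       = $site.Name
        DCs        = $siteDcs.Count
        GCs        = @($siteDcs | Where-Object IsGlobalCatalog).Count
        RODCs      = @($siteDcs | Where-Object IsReadOnly).Count
        UGMCaching = [bool]$site.UniversalGroupCachingEnabled
    }
} | Format-Table -AutoSize

# Replication health: last success and consecutive failures per partner and
# partition. The size of one replication cycle is not exposed as a single number;
# what matters is that cycles complete and failures stay at zero. Partner DNs look
# like "CN=NTDS Settings,CN=DC2,CN=Servers,...", so the second element is the DC.
$(foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'DC'; e = { $dc.Name } },
            @{ n = 'Partner'; e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
            Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
}) | Sort-Object DC, Partner | Format-Table -AutoSize

# Opt-in changes matching the guidelines (assumed names; remove -WhatIf to apply).

# 1. Replicate over the slow link only outside working hours: build a schedule
#    that is open 20:00-06:00 every day (RawSchedule is [day, hour, quarter-hour]).
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$raw = $schedule.RawSchedule
foreach ($day in 0..6) {
    foreach ($hour in (20..23 + 0..5)) {
        foreach ($quarter in 0..3) { $raw[$day, $hour, $quarter] = $true }
    }
}
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity 'HQ-Branch1' -ReplicationSchedule $schedule -ReplicationFrequencyInMinutes 60 -WhatIf

# 2. If a branch site is left without a GC, cache universal group membership there
#    so logons do not depend on the WAN being up.
Set-ADReplicationSite -Identity 'Branch1' -UniversalGroupCachingEnabled $true -WhatIf
```

Run the read-only part first and keep the output; a schedule that closes the link during the day also delays password resets and account lockout changes reaching the branch, so it is worth checking `ConsecutiveReplicationFailures` again after the first night to confirm the cycles still complete within the open window.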