All, What is the current guidance on domain controller placements in a well-connected, regionally dispersed environment? I have always placed DCs based on the Microsoft Branch Office recommendations, but I have seen a few companies centralizing most of their DCs in one or two data centers, with the thought process being that they have a lot of bandwidth to the remote sites, so local DCs are not needed. Site survival doesn’t seem to be a driver. What do you all think of this scenario and what would you recommend, and why? I have my own opinions, but I want to hear what the brain trust has to say. 😊
Gary G Gray
Current thoughts on DC placements
Last Post 24 May 2016
In a mature organisation you'd expect to see site profiles that explain what services and performance are expected for sites. Where DCs are is generally one of the considerations in meeting the requirements for the site profile. I'd be wary of anyone claiming that AD best practices should be considered outside of all other considerations.
It all depends on the (a) cost of having a site offline and (b) the likelihood of a link failing. If a * b > the administrative overhead and security risk of having an additional DC, then you should put a DC at the site. I don’t think it’s much more complicated than that.
My experience has been that most orgs are happy with their site connectivity (or are installing redundancy) and are consolidating their DCs into relatively few data centers to reduce operational costs and reduce security risk. I would certainly lean in that direction.
What you are doing is really poor practice, because licences, servers, cooling (VM licences and so on) eat a lot of money if we are talking about a bunch of offices. Anyway, take the Infrastructure and Planning guide for AD (IPD) and you'll see that if you do not have special requirements for availability of certain services, you could place a DC in an office of over 500+ folks.
BOIS was written in 2003, dude! Many orgs have 100 MB WAN links now, and DCs only in datacenters. The logic is very simple: it is much cheaper to set up 2 redundant ISPs than to set up a DC (or 2) in every location and maintain and operate it there, rather than in a datacenter where all the conditions for the best life of domain controllers are. For what? For 64 kb of authentication traffic per user? OMG, no. Look at the world through 2016 glasses: services live in datacenters, not next door to users.
I usually start with all of the DCs living in datacenters and then work through business/technical reasoning for where DCs might need to be placed on the edges. The days of WAN bandwidth being a key driver are in many cases no longer there, so you need to focus on what the impact to the business is going to be if AD isn’t reachable.
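Both the a * b decision rule above and the "start in the datacenter, then justify edge DCs" approach need the same input: which sites currently authenticate over the WAN, and which depend on a single local DC. The following PowerShell inventory is an added example, not code from any poster in this thread; it assumes the ActiveDirectory RSAT module and read access to the forest's Sites and Services data.

```powershell
# Added example: map every AD site to its subnets and local DCs so that
# WAN-dependent and single-DC sites can be weighed against the
# (cost of outage) * (likelihood of link failure) rule. Assumes RSAT's
# ActiveDirectory module is installed and the caller can read the config NC.
Import-Module ActiveDirectory

$sites   = Get-ADReplicationSite -Filter *
$subnets = Get-ADReplicationSubnet -Filter *
$dcs     = Get-ADDomainController -Filter *

$report = foreach ($site in $sites) {
    # Get-ADDomainController exposes the site by name; subnets reference it by DN.
    $localDCs    = @($dcs     | Where-Object { $_.Site -eq $site.Name })
    $siteSubnets = @($subnets | Where-Object { $_.Site -eq $site.DistinguishedName })

    $coverage = if ($localDCs.Count -eq 0)     { 'WAN-dependent' }
                elseif ($localDCs.Count -eq 1) { 'single DC (no local redundancy)' }
                else                           { 'locally redundant' }

    [pscustomobject]@{
        Site          = $site.Name
        Subnets       = $siteSubnets.Count
        LocalDCs      = $localDCs.Count
        GlobalCatalog = @($localDCs | Where-Object { $_.IsGlobalCatalog }).Count
        Coverage      = $coverage
    }
}

# Sites with subnets but no local DC are the ones whose users, printers and
# application logons ride the WAN every time; review those first.
$report | Sort-Object LocalDCs, Site | Format-Table -AutoSize
```

A site that shows subnets but zero DCs is exactly the case where the thread's cost-of-outage versus link-failure-likelihood question has to be answered explicitly.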