Planning Regional Domain Controller Placement

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

For cost efficiency, plan to place as few regional domain controllers as possible. First review the Geographic Locations and Communication Links worksheet to determine whether a location is a hub. Plan to place regional domain controllers for each domain that is represented in each hub location.

In addition, ensure the physical security of domain controllers in hub locations so that unauthorized personnel cannot access them. Do not place domain controllers in a location in which you cannot guarantee the physical security of the domain controller.

After you place regional domain controllers in all hub locations, evaluate the need for placing regional domain controllers at satellite locations. Eliminating unnecessary regional domain controllers from satellite locations reduces the support costs required to maintain a remote server infrastructure.

To authenticate client logons and access to local file servers, most organizations place regional domain controllers for all regional domains that are represented in a given location. However, you must consider many variables when evaluating whether a business location requires local authentication for its clients or whether the clients can rely on authentication and directory queries over a WAN link. Figure 3.10 shows how to determine whether to place domain controllers at satellite locations.

Figure 3.10   Determining Whether to Place Domain Controllers at Satellite Locations

Domain Controller Physical Security

Do not place a regional domain controller in a satellite location if you cannot ensure the physical security of the domain controller. A person who has physical access to a domain controller can attack the system by:

  • Accessing physical disks by starting an alternate operating system on a domain controller.

  • Removing (and possibly replacing) physical disks on a domain controller.

  • Obtaining and manipulating a copy of a domain controller system state backup.

Add regional domain controllers only to locations in which you can guarantee their physical security. For more information about securing domain controllers, see Best Practice Guide for Securing Windows Server Active Directory Installations on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=28521).

On-site Technical Expertise Availability

Domain controllers need to be managed continuously for various reasons. Place a regional domain controller only in locations that include personnel who can administer the domain controller, or be sure that the domain controller can be managed remotely.

WAN Link Availability

WAN links that experience frequent outages can cause significant productivity loss to users if the location does not include a domain controller that can authenticate the users. If your WAN link availability is not 100 percent, place a regional domain controller in locations where the users require the ability to log on when the WAN link is down.

Authentication Availability

Certain organizations, such as banks, require that users be authenticated at all times. Place a regional domain controller in a location where the WAN link availability is not 100 percent but users require authentication at all times.

If your WAN link availability is 100 percent, then whether you place a domain controller at the location depends on the logon performance requirements over the WAN link. Factors that influence logon performance over the WAN include link speed and available bandwidth, number of users and usage profiles, and the amount of logon network traffic versus replication traffic.

Link speed and available bandwidth

The activities of a single user can congest a slow WAN link. Place a domain controller at a location if logon performance over the WAN link is unacceptable.

The average percentage of bandwidth utilization indicates how congested a network link is. If a network link has an average bandwidth utilization that is greater than an acceptable value, place a domain controller at that location.

Number of users and usage profile

The number of users and their usage profile at a given location can help determine whether you need to place regional domain controllers at that location. To avoid productivity loss in the event of a WAN link failure, place a regional domain controller at a location that has a staff of one hundred or more users.

The usage profile indicates how the users use the network resources. You need not place a domain controller in a location that contains only a few users who do not frequently access network resources.

Logon network traffic vs. replication traffic

If a domain controller is not available within the same location as the Active Directory client, then the client creates logon traffic on the network. The amount of logon network traffic that is created on the physical network is influenced by several factors, including group memberships, number and size of GPOs, logon scripts, and IntelliMirror® features such as offline folders, folder redirection, and roaming profiles.

On the other hand, a domain controller that is placed at a given location generates replication traffic on the network. The frequency and amount of updates made on the partitions hosted on the domain controllers influence the amount of replication traffic that is created on the network. The different types of updates that can be made on the partitions hosted on the domain controllers include adding or changing users and user attributes, changing passwords, and adding or changing global groups, printers, or volumes.

To determine whether you need to place a regional domain controller at a location, compare the cost of the logon traffic that a location without a domain controller creates with the cost of the replication traffic that placing a domain controller at the location creates.

For example, consider a network that has branch offices that are connected through slow links to the headquarters and in which domain controllers can easily be added. If the daily logon and directory lookup traffic of a few remote site users causes more network traffic than replicating all company data to the branch, consider adding a domain controller to the branch.

If reducing the cost of maintaining domain controllers is more important than network traffic, centralize the domain controllers for that domain and do not place any regional domain controllers at the location.
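The placement criteria above (physical security, on-site expertise, WAN link availability, authentication requirements, logon performance, user count, and logon versus replication traffic) form a decision sequence that can be applied to a list of candidate satellite sites. The following Python is an added example, not part of the deployment kit or its worksheet; the SiteProfile fields and the sample sites are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass
class SiteProfile:
    # Hypothetical per-site inputs a planner would gather from the worksheets.
    name: str
    physically_secure: bool        # DC can be kept away from unauthorized personnel
    administrable: bool            # on-site admin available, or remote management works
    wan_availability_pct: float    # measured WAN link availability to the hub
    continuous_auth_required: bool # users must be able to authenticate at all times
    logon_perf_acceptable: bool    # logon over the WAN link meets requirements
    users: int                     # staff at the location
    daily_logon_traffic_mb: float  # logon/lookup traffic the WAN carries without a local DC
    daily_replication_mb: float    # replication traffic a local DC would add to the WAN
    cost_over_traffic: bool        # support cost matters more than WAN traffic

def decide_placement(site: SiteProfile) -> Tuple[bool, str]:
    # Returns (place_dc, reason), applying the chapter's criteria in order.
    # Hard stops: never place a DC that cannot be secured or administered.
    if not site.physically_secure:
        return False, "physical security cannot be guaranteed"
    if not site.administrable:
        return False, "no on-site administrator and no remote management"
    # Availability: an unreliable link plus a need to log on during outages.
    if site.wan_availability_pct < 100.0:
        if site.continuous_auth_required:
            return True, "WAN link not 100% available and authentication required at all times"
        if site.users >= 100:
            return True, "100 or more users would lose productivity during a WAN outage"
    # Performance over a reliable link.
    if not site.logon_perf_acceptable:
        return True, "logon performance over the WAN link is unacceptable"
    # Logon traffic versus replication traffic, unless support cost dominates.
    if site.cost_over_traffic:
        return False, "support cost outweighs network traffic; centralize in the hub"
    if site.daily_logon_traffic_mb > site.daily_replication_mb:
        return True, "logon traffic over the WAN exceeds replication a local DC would add"
    return False, "replication would cost more than the logon traffic it saves"

# Constructed sample sites (not taken from the deployment kit worksheet).
SAMPLE_SITES = [
    SiteProfile("Warehouse", False, True, 98.0, False, True, 150, 40, 5, False),
    SiteProfile("BankBranch", True, True, 99.5, True, True, 20, 5, 30, False),
    SiteProfile("SalesOffice", True, True, 100.0, False, True, 12, 3, 25, False),
    SiteProfile("Plant", True, True, 100.0, False, True, 300, 200, 60, False),
]

if __name__ == "__main__":
    for site in SAMPLE_SITES:
        place, why = decide_placement(site)
        print(f"{site.name:12} {'place DC' if place else 'no DC':8} {why}")
```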

For a worksheet to assist you in documenting the placement of regional domain controllers and the number of users for each domain that is represented in each location, see "Domain Controller Placement" (DSSTOPO_4.doc) on the Windows Server 2003 Deployment Kit companion CD (or see "Domain Controller Placement" on the Web at https://www.microsoft.com/reskit). For an example of a completed Domain Controller Placement worksheet, see "Example: Determining Domain Controller Placement" later in this chapter.

You need to refer to the information about locations in which you need to place regional domain controllers when you deploy regional domains. For more information about deploying regional domains, see "Deploying Windows Server 2003 Regional Domains" in this book.