Multi-Role Domain Controllers for Small Offices (< 50 clients)

Posted by kce on Server Fault
Published on 2010-12-28T00:52:08Z Indexed on 2010/12/28 0:56 UTC

Warning: I'm a Linux/*NIX admin so this is all new to me.

I understand that it's not considered a good idea to have only a single domain controller, and that it is also probably a good idea for a domain controller to only do AD/DHCP/DNS (Here). We have two offices, location A with 30 users and location B with 10 users. Our two offices are separated by a WAN that is not particularly robust, so I have been instructed that we need to have standalone services in each office. This means that according to "best practices" we will need to build a domain controller and a separate file server in each office. Again, I am not knowledgeable in the ways of Windows but this seems a little unnecessary for an organization of 40 users.

People have commented that I could "get away with" running file services on the domain controller as long as the "load is light". That just seems to generate more questions than it answers.

  1. What constitutes light load?
  2. What are the potential consequences of mixing these roles?

Ideally I would prefer to only have one physical machine at each location. The one in location A (the location with IT staff) can act as the primary domain controller and the one in the smaller office can act as the backup domain controller. If either domain controller fails we can still use the other one for authentication (albeit with some latency) and if the WAN connection fails each office still has access to their respective "local" domain controller. If the file services are ALSO run on each server (and synchronized with something like DFS), a similar arrangement in terms of redundancy can be had without having to purchase, build and install two additional separate servers. It's not that I'm averse to that (well, any more averse than I am to the whole thing to begin with) but to my simple mind it just seems, well, a bit overkill. I can definitely see the benefits of functional separation when we're talking larger organizations, but I need to consider the additional overhead too.

None of this excludes having a DRP setup for the domain controller/s. I assume you can lose two domain controllers just as easily as one.
