ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    SAMIT: Do You Need Two AD Domain Controllers?

    Scheduled Pinned Locked Moved IT Discussion
    samitscott alan milleractive directoryhigh availabilitybest practicesyoutubead dcdomain controller
    72 Posts 14 Posters 11.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller
      last edited by scottalanmiller

      Youtube Video

      People often quote that it is best practice to always have two (or more) Active Directory Domain Controllers for your domain. But is this true? This doesn't follow the patterns of the industry and does not make logical sense. Let's delve into why the number of domain controllers that you need is dependent on your use case scenario.

      black3dynamiteB 1 Reply Last reply Reply Quote 5
      • black3dynamiteB
        black3dynamite @scottalanmiller
        last edited by

        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

        Youtube Video

        People often quote that it is best practice to always have two (or more) Active Directory Domain Controllers for your domain. But is this true? This doesn't follow the patterns of the industry and does not make logical sense. Let's delve into why the number of domain controllers that you need is dependent on your use case scenario.

        All these best practices seems to be carried over from the days of physical servers.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @black3dynamite
          last edited by

          @black3dynamite said in Do You Need Two AD Domain Controllers? SAMIT Video:

          All these best practices seems to be carried over from the days of physical servers.

          The need for two didn't exist then, either. It's never been a best practice, always a complete misunderstanding of HA at best, a sales tactic at worst.

          dave247D 1 Reply Last reply Reply Quote 1
          • ObsolesceO
            Obsolesce
            last edited by

            Microsoft wants you to do it so you pay them more money for licensing.

            Other than that, it's good for remote locations across a WAN.

            Probably already covered in the video, didn't watch it yet.

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Obsolesce
              last edited by

              @tim_g said in Do You Need Two AD Domain Controllers? SAMIT Video:

              Microsoft wants you to do it so you pay them more money for licensing.

              That's definitely why they don't spend time correcting the misconception. It's a big bonus for them for people to think that you always need two, no matter what.

              1 Reply Last reply Reply Quote 0
              • dafyreD
                dafyre
                last edited by

                In an environment with only one AD server, how do you handle DNS if your lone AD server dies?

                Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.

                You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.

                coliverC scottalanmillerS 2 Replies Last reply Reply Quote 0
                • coliverC
                  coliver @dafyre
                  last edited by

                  @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                  In an environment with only one AD server, how do you handle DNS if your lone AD server dies?

                  Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.

                  You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.

                  Why not just use public DNS for your servers? Then you don't have to worry too much about having DNS on-site.

                  dafyreD 1 Reply Last reply Reply Quote 0
                  • dafyreD
                    dafyre @coliver
                    last edited by dafyre

                    @coliver said in Do You Need Two AD Domain Controllers? SAMIT Video:

                    @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                    In an environment with only one AD server, how do you handle DNS if your lone AD server dies?

                    Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.

                    You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.

                    Why not just use public DNS for your servers? Then you don't have to worry too much about having DNS on-site.

                    For internal servers? I'm not sure public DNS providers will allow you to use private IP addresses any more.

                    Edit: Even if they would, do you want to be giving out your private IP ranges to the public?

                    1 Reply Last reply Reply Quote 2
                    • scottalanmillerS
                      scottalanmiller @dafyre
                      last edited by

                      @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                      In an environment with only one AD server, how do you handle DNS if your lone AD server dies?

                      Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.

                      You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.

                      BIND, Host files

                      dafyreD 1 Reply Last reply Reply Quote 0
                      • dafyreD
                        dafyre @scottalanmiller
                        last edited by dafyre

                        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                        @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                        In an environment with only one AD server, how do you handle DNS if your lone AD server dies?

                        Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.

                        You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.

                        BIND, Host files

                        See my comment about folks not really having the skill set to run BIND (not in the SMB market anyway).

                        Host files could work, but then you have to keep them distributed and updated. Something like Sodium could work if the SMB is aware of it for that purpose, or some kind of automatic scripts to do it... But would somebody at the SMB level of IT actually think about something like that?

                        syko24S scottalanmillerS 3 Replies Last reply Reply Quote 1
                        • ObsolesceO
                          Obsolesce
                          last edited by

                          In most SMBs, your AD server is the AD, DHCP, DNS, Print, and maybe a file server.

                          This whole single AD server can really only make sense if we are just talking about AD.

                          Once we start mixing in all infrastructure services, then this is where you take into consideration where Scott says case by case basis... completely depends on your environment and setup.

                          Common sense will come in to play.

                          JaredBuschJ 1 Reply Last reply Reply Quote 2
                          • JaredBuschJ
                            JaredBusch @Obsolesce
                            last edited by

                            @tim_g said in Do You Need Two AD Domain Controllers? SAMIT Video:

                            In most SMBs, your AD server is the AD, DHCP, DNS, Print, and maybe a file server.

                            This whole single AD server can really only make sense if we are just talking about AD.

                            Once we start mixing in all infrastructure services, then this is where you take into consideration where Scott says case by case basis... completely depends on your environment and setup.

                            Common sense will come in to play.

                            Actually, the adding in of all of those resources does nothing to mean you need another server.

                            None of those extra services are natively simple to setup in an HA way.

                            The best thing to do is to have the single server virtualized and quick to restore from backup.

                            ObsolesceO 1 Reply Last reply Reply Quote 5
                            • ObsolesceO
                              Obsolesce @JaredBusch
                              last edited by

                              @jaredbusch said in Do You Need Two AD Domain Controllers? SAMIT Video:

                              @tim_g said in Do You Need Two AD Domain Controllers? SAMIT Video:

                              In most SMBs, your AD server is the AD, DHCP, DNS, Print, and maybe a file server.

                              This whole single AD server can really only make sense if we are just talking about AD.

                              Once we start mixing in all infrastructure services, then this is where you take into consideration where Scott says case by case basis... completely depends on your environment and setup.

                              Common sense will come in to play.

                              Actually, the adding in of all of those resources does nothing to mean you need another server.

                              None of those extra services are natively simple to setup in an HA way.

                              The best thing to do is to have the single server virtualized and quick to restore from backup.

                              Sure... it depends on what is running on the server and it depends on other things like number of locations, distance, number of users, bandwidth, etc.

                              My point was to clarify this is all about having a single AD DC, and after that, there are more factors to consider.

                              1 Reply Last reply Reply Quote 0
                              • syko24S
                                syko24 @dafyre
                                last edited by

                                @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                In an environment with only one AD server, how do you handle DNS if your lone AD server dies?

                                Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.

                                You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.

                                BIND, Host files

                                See my comment about folks not really having the skill set to run BIND (not in the SMB market anyway).

                                Host files could work, but then you have to keep them distributed and updated. Something like Sodium could work if the SMB is aware of it for that purpose, or some kind of automatic scripts to do it... But would somebody at the SMB level of IT actually think about something like that?

                                Apart from tickets can Sodium do anything else at this point? Or did you mean once the functions are added?

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @dafyre
                                  last edited by

                                  @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                  @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                  @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                  In an environment with only one AD server, how do you handle DNS if your lone AD server dies?

                                  Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.

                                  You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.

                                  BIND, Host files

                                  See my comment about folks not really having the skill set to run BIND (not in the SMB market anyway).

                                  Host files could work, but then you have to keep them distributed and updated. Something like Sodium could work if the SMB is aware of it for that purpose, or some kind of automatic scripts to do it... But would somebody at the SMB level of IT actually think about something like that?

                                  I don't accept the "SMB hires bad people and therefore should do a bad job" argument. It makes no logical sense. Why would anyone hire someone that can't do the job, why would they keep them if they hired them by accident, and why would someone in that position be excused to not attempt to do a good job? Why does the SMB so often get used as an excuse to not need basic business or IT competence?

                                  There is no logic that connects "people often do things badly" with "people shouldn't be told how to do things well."

                                  1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @syko24
                                    last edited by

                                    @syko24 said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                    @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                    @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                    @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                    In an environment with only one AD server, how do you handle DNS if your lone AD server dies?

                                    Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.

                                    You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.

                                    BIND, Host files

                                    See my comment about folks not really having the skill set to run BIND (not in the SMB market anyway).

                                    Host files could work, but then you have to keep them distributed and updated. Something like Sodium could work if the SMB is aware of it for that purpose, or some kind of automatic scripts to do it... But would somebody at the SMB level of IT actually think about something like that?

                                    Apart from tickets can Sodium do anything else at this point? Or did you mean once the functions are added?

                                    Functions need to be added, but that one will be soon. Hosts management is very simple.

                                    syko24S 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @dafyre
                                      last edited by

                                      @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                      But would somebody at the SMB level of IT actually think about something like that?

                                      This is like asking if we should bother telling people how to brake safely on snow or ice since most people will just panic and slam the brakes, anyway.

                                      dafyreD 1 Reply Last reply Reply Quote 0
                                      • syko24S
                                        syko24 @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        @syko24 said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                        In an environment with only one AD server, how do you handle DNS if your lone AD server dies?

                                        Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.

                                        You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.

                                        BIND, Host files

                                        See my comment about folks not really having the skill set to run BIND (not in the SMB market anyway).

                                        Host files could work, but then you have to keep them distributed and updated. Something like Sodium could work if the SMB is aware of it for that purpose, or some kind of automatic scripts to do it... But would somebody at the SMB level of IT actually think about something like that?

                                        Apart from tickets can Sodium do anything else at this point? Or did you mean once the functions are added?

                                        Functions need to be added, but that one will be soon. Hosts management is very simple.

                                        Cool looking forward to the updates. I just thought maybe I missed something.

                                        1 Reply Last reply Reply Quote 0
                                        • dafyreD
                                          dafyre @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                          @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                          But would somebody at the SMB level of IT actually think about something like that?

                                          This is like asking if we should bother telling people how to brake safely on snow or ice since most people will just panic and slam the brakes, anyway.

                                          That's kinda my point. Somebody could think about BIND after AD has already spread its guts all over the virtual walls, lol.

                                          I think for most, the best bet is as @JaredBusch mentioned if you have a single AD controller, just virtualize it so you can restore from snapshots or backups and be done with it.

                                          scottalanmillerS 1 Reply Last reply Reply Quote 2
                                          • scottalanmillerS
                                            scottalanmiller @dafyre
                                            last edited by

                                            @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                            @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                            @dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:

                                            But would somebody at the SMB level of IT actually think about something like that?

                                            This is like asking if we should bother telling people how to brake safely on snow or ice since most people will just panic and slam the brakes, anyway.

                                            That's kinda my point. Somebody could think about BIND after AD has already spread its guts all over the virtual walls, lol.

                                            But, how is that a point? What relevance does that have? Why would "some people might not have taken advice" affect "when we give advice?"

                                            dafyreD 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 2 / 4
                                            • First post
                                              Last post