Benefits of a backup domain controller

Oh, yes-- one big benefit of a second domain controller is that it's
already built when you want to do a Swing Migration.


"Simon Thomson" <> wrote in message
news:%23HsD$...
> We will be adding a second server to our SBS 2008 domain. This will be a
> Server 2008 R2 install ( we are Action Pack subscribers) and will
> primarily be a file server. I am considering making this second server a
> backup domain controller as long as there are no huge issues with having
> the file server and DC roles on the one box.
>
> The main reasons for considering a backup DC are to have failover for AD,
> DNS and DHCP so that people can continue working if our SBS goes down or I
> have to restart it for some reason.
>
> In looking around for the best way to implement this I found a few
> comments which indicate that having a backup DC located in the same office
> as the SBS box is of little or no benefit. I was wondering if anyone else
> had an opinion on this or could elaborate on why it is of little value.
>
> Cheers
> Simon.
>

This is a very good point about multiple DC's and recovery. It should be
noted that with 2008 RODCs can be used for second source authentications
without the issues os USN rolll back. The flip side of that is an RODC can
not be used to recover the domain as no outbound replication occures. RODCs
work well for small remote sites where physical security may be of a concern
as well.

Multiple DHCP servers limitations can be circumvented as well when really
necessary such as for small branch offices.

Andrew M. Saucci, Jr. wrote:
> I will give one big negative about having additional domain
> controllers. If you have only one domain controller, you can easily
> restore it from any good image backup with no problem if necessary.
> Once you introduce a second domain controller, you have to be much
> more careful about reimaging any of the domain controllers. Reimaging
> one of multiple domain controllers introduces problems with USN's,
> replication, and consistency unless the Active Directory is then
> restored from a System State backup.
> I don't see any great value in a second DC in a network that is
> otherwise just a single SBS with no other servers and no offsite
> locations. People can usually log on anyway with cached credentials,
> and too many of your resources will be on the SBS that is
> unavailable. What good is being able to log on if you can't do
> anything? A second DNS can be very useful, especially to maintain
> Internet availability, but you don't have to make the second machine
> a DC to make it a DNS.
> By the way, you can't have easy failover for DHCP. That's one
> of the biggest hurdles in any failover scenario-- one DHCP server
> maximum. And any time I've tried to implement any sort of great
> failover scheme, it always seems as though some obstacle prevents
> something important from happening. Your best bet is to be available
> when a problem occurs and do what is necessary to fix it fast if
> possible.
> I have implemented multiple DC's, but always in multi-site
> situations. It sounds good when I can tell a business owner that if
> one location is destroyed, we have everything replicated at a second
> site for easy recovery and possible instant activation.
>
> "Simon Thomson" <> wrote in message
> news:%23HsD$...
>> We will be adding a second server to our SBS 2008 domain. This will
>> be a Server 2008 R2 install ( we are Action Pack subscribers) and
>> will primarily be a file server. I am considering making this second
>> server a backup domain controller as long as there are no huge
>> issues with having the file server and DC roles on the one box.
>>
>> The main reasons for considering a backup DC are to have failover
>> for AD, DNS and DHCP so that people can continue working if our SBS
>> goes down or I have to restart it for some reason.
>>
>> In looking around for the best way to implement this I found a few
>> comments which indicate that having a backup DC located in the same
>> office as the SBS box is of little or no benefit. I was wondering if
>> anyone else had an opinion on this or could elaborate on why it is
>> of little value. Cheers
>> Simon.

--
/kj

Note that if you decide to use the new server ONLY as a file server,
not a domain controller, that gives you a righteous excuse to turn off
packet signing (set it always off on the new server, off unless required
for the workstations, always on for the domain controller. A group
policy change is required).

Packet signing is a security setting which is standard for a domain
controller, because it blocks man-in-the-middle attacks on your
sign-in, particularly on your group policy settings. But it has a noxious
effect on intensive use of your file server, because it enforces packet
serialisation. It really hits things like MYOB and Quicken.

(david)

"Simon Thomson" <> wrote in message
news:%23HsD$...
> We will be adding a second server to our SBS 2008 domain. This will be a
> Server 2008 R2 install ( we are Action Pack subscribers) and will
> primarily be a file server. I am considering making this second server a
> backup domain controller as long as there are no huge issues with having
> the file server and DC roles on the one box.
>
> The main reasons for considering a backup DC are to have failover for AD,
> DNS and DHCP so that people can continue working if our SBS goes down or I
> have to restart it for some reason.
>
> In looking around for the best way to implement this I found a few
> comments which indicate that having a backup DC located in the same office
> as the SBS box is of little or no benefit. I was wondering if anyone else
> had an opinion on this or could elaborate on why it is of little value.
>
> Cheers
> Simon.
>