DNS AD Integrated and How many DC's to serve about 15,000 ..

Archived from groups: microsoft.public.win2000.active_directory

In my environment I have 2,500 staff user accounts (that logon almost
concurrently). Total of 5,000 workstations.
Other 13,000 existing accounts belong to students that normally do not logon
or use computing resources concurrently.

I have (3) DC's on the main site to handle the authentication load and (4)
DC/GCs on each remote branch office.
I will need to replace ToastedDC on the main site due to hardware issues.

My question is this:
When I integrate DNS-AD (currently I have a primary and secondary non
integrated DNS servers), my Windows DNS servers will become DC's as well.

Since those two DNS servers will become DC's, I will have total of (5) DC's
on the main site.
Is there any problem if I let the DNS servers (in addition to DNS role) take
the load as DC's/authentication? I mean, I figured that since I will have
to make the two DNS servers as DC's to integrate AD-DNS, I no longer would
need to buy (1) additional server to replace my ToastedDC. Does that make
sense?

I am saying, I will be counting on the DNS servers as DC's and I would like
to confirm if performance and design wise that is alright?
7 answers
  1. Archived from groups: microsoft.public.win2000.active_directory

    Active Directory Integrated DNS can only be hosted on a Win 200x Domain
    Controller. This will help avoid a DNS single point of failure.

    If you use DHCP to issue IP to clients, it may be a good idea to create
    different scopes with one pointing to DC01 and DC02 as Preferred and
    Alternate DNS Servers respectively, and the other scope DNS entries reversed.

    Hope this helps.


    "Marlon Brown" wrote:

    > In my environment I have 2,500 staff user accounts (that logon almost
    > concurrently). Total of 5,000 workstations.
    > Other 13,000 existing accounts belong to students that normally do not logon
    > or use computing resources concurrently.
    >
    > I have (3) DC's on the main site to handle the authentication load and (4)
    > DC/GCs on each remote branch office.
    > I will need to replace ToastedDC on the main site due to hardware issues.
    >
    > My question is this:
    > When I integrate DNS-AD (currently I have a primary and secondary non
    > integrated DNS servers), my Windows DNS servers will become DC's as well.
    >
    > Since those two DNS servers will become DC's, I will have total of (5) DC's
    > on the main site.
    > Is there any problem if I let the DNS servers (in addition to DNS role) take
    > the load as DC's/authentication ? I mean, I figured that since I will have
    > to make the two DNS servers as DC's to integrate AD-DNS, I no longer would
    > need to buy (1) additional server to replace my ToastedDC. Does that make
    > sense ?
    >
    > I am saying, I will be counting on the DNS servers as DC's and I would like
    > to confirm if performance and design wise that is alright ?
    >
    >
    >
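The DHCP layout suggested above (two scopes, same two DNS servers, preferred/alternate order swapped) as an added example; this is not code from the thread, and it assumes the DhcpServer PowerShell module of Windows Server 2012 and later rather than the Windows 2000 tooling the thread is about. DC01/DC02 addresses, scope ranges and the domain name are constructed placeholders.

```powershell
# Added example (not from the thread): two DHCP scopes whose DNS server
# option (006) lists the same two DC/DNS servers in opposite order, so the
# query load is split and either DC can fail without clients losing name
# resolution. Assumes the DhcpServer module (Windows Server 2012+) on an
# authorized DHCP server, and these constructed addresses:
$Dc01   = '10.0.0.11'       # constructed: DC01, also DNS
$Dc02   = '10.0.0.12'       # constructed: DC02, also DNS
$Domain = 'corp.example'    # constructed: AD DNS domain name

$Scopes = @(
    @{ Name = 'Staff-A'; Start = '10.1.0.1'; End = '10.1.1.254'; Mask = '255.255.254.0'; Id = '10.1.0.0'; Dns = @($Dc01, $Dc02) },
    @{ Name = 'Staff-B'; Start = '10.1.2.1'; End = '10.1.3.254'; Mask = '255.255.254.0'; Id = '10.1.2.0'; Dns = @($Dc02, $Dc01) }
)

foreach ($s in $Scopes) {
    # Create the scope only if it does not already exist (idempotent re-runs).
    if (-not (Get-DhcpServerv4Scope -ScopeId $s.Id -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
            -SubnetMask $s.Mask -State Active
    }
    # Options 006 (DNS servers) and 015 (DNS domain) are set per scope, so the
    # preferred/alternate order differs between the two scopes.
    Set-DhcpServerv4OptionValue -ScopeId $s.Id -DnsServer $s.Dns -DnsDomain $Domain
}

# Verify: each scope should list both DCs, in its intended order.
foreach ($s in $Scopes) {
    $opt = Get-DhcpServerv4OptionValue -ScopeId $s.Id -OptionId 6
    '{0}: DNS order = {1}' -f $s.Name, ($opt.Value -join ', ')
}
```

Clients in each scope still fall back to the alternate server when the preferred one stops answering; the reversed order only spreads steady-state load across both DCs instead of leaving the second one idle.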
  2. Archived from groups: microsoft.public.win2000.active_directory

    On Fri, 31 Dec 2004 14:20:43 -0800, "Marlon Brown"
    <marlon_brownj@hotmail.com> wrote:

    >In my environment I have 2,500 staff user accounts (that logon almost
    >concurrently). Total of 5,000 workstations.
    >Other 13,000 existing accounts belong to students that normally do not logon
    >or use computing resources concurrently.
    >
    >I have (3) DC's on the main site to handle the authentication load and (4)
    >DC/GCs on each remote branch office.
    >I will need to replace ToastedDC on the main site due to hardware issues.
    >
    >My question is this:
    >When I integrate DNS-AD (currently I have a primary and secondary non
    >integrated DNS servers), my Windows DNS servers will become DC's as well.
    >
    >Since those two DNS servers will become DC's, I will have total of (5) DC's
    >on the main site.
    >Is there any problem if I let the DNS servers (in addition to DNS role) take
    >the load as DC's/authentication ? I mean, I figured that since I will have
    >to make the two DNS servers as DC's to integrate AD-DNS, I no longer would
    >need to buy (1) additional server to replace my ToastedDC. Does that make
    >sense ?
    >
    >I am saying, I will be counting on the DNS servers as DC's and I would like
    >to confirm if performance and design wise that is alright ?
    >
    DNS load in a LAN is normally fairly light, so there is no huge
    performance hit from running DNS on DCs. Just ensure that the DNS
    servers are set up in DHCP (I presume that you use it).

    When you install DNS on a server that *doesn't* make it a DC. You make
    it a DC with dcpromo and *then* you can AD Integrate it. I think that
    you have it slightly backwards, though I may be reading your post
    wrong.

    You currently have 3 DCs, and will if you upgrade the two DNS servers
    to DCs have 5 DCs, right? One of those 5 is ToastedDC? I'd be inclined
    to see how it goes, but hold the option open of purchasing a
    replacement for ToastedDC. I've no experience in sizing setups.

    Cheers,

    Cliff
    --

    The National Party manifesto can be viewed here:

    http://www.labour.org.nz/policy/index.html
  3. Archived from groups: microsoft.public.win2000.active_directory

    That's not right. You can have as many non-ADI DNS as you like. There
    is no "single point of failure" provided you have more than one DNS
    server. In fact, if you use ADI DNS you create a single point of
    failure - AD. If an error occurs in one ADI DNS, it could be
    replicated to all others. This is EXTREMELY unlikely though.

    Cheers,

    Cliff

    On Sat, 1 Jan 2005 10:09:01 -0800, "Desmond Lee"
    <mcp@donotspamplease.mars> wrote:

    >Active Directory Integrated DNS can only be hosted on a Win 200x Domain
    >Controller. This will help avoid a DNS single point of failure.
    >
    >If you use DHCP to issue IP to clients, it may be a good idea to create
    >different scopes with one pointing to DC01 and DC02 as Preferred and
    >Alternate DNS Servers respectively, and the other scope DNS entries reversed.
    >
    >Hope this helps.
    >
    >
    >"Marlon Brown" wrote:
    >
    >> In my environment I have 2,500 staff user accounts (that logon almost
    >> concurrently). Total of 5,000 workstations.
    >> Other 13,000 existing accounts belong to students that normally do not logon
    >> or use computing resources concurrently.
    >>
    >> I have (3) DC's on the main site to handle the authentication load and (4)
    >> DC/GCs on each remote branch office.
    >> I will need to replace ToastedDC on the main site due to hardware issues.
    >>
    >> My question is this:
    >> When I integrate DNS-AD (currently I have a primary and secondary non
    >> integrated DNS servers), my Windows DNS servers will become DC's as well.
    >>
    >> Since those two DNS servers will become DC's, I will have total of (5) DC's
    >> on the main site.
    >> Is there any problem if I let the DNS servers (in addition to DNS role) take
    >> the load as DC's/authentication ? I mean, I figured that since I will have
    >> to make the two DNS servers as DC's to integrate AD-DNS, I no longer would
    >> need to buy (1) additional server to replace my ToastedDC. Does that make
    >> sense ?
    >>
    >> I am saying, I will be counting on the DNS servers as DC's and I would like
    >> to confirm if performance and design wise that is alright ?
    >>
    >>
    >>

    --

    The National Party manifesto can be viewed here:

    http://www.labour.org.nz/policy/index.html
  4. Archived from groups: microsoft.public.win2000.active_directory

    The single point of failure refers to one key advantage of using
    AD-integrated DNS, and can be realized with having multiple DCs, which is not
    uncommon in a large organization.

    It does not mean that other non AD-integrated DNS setup cannot be used to
    enhance DNS availability. For example, demo.com can be AD-integrated on all
    Win 200x Servers with DNS Service, and this same zone can be set up as
    secondary on another DNS Server (NT, Win 200x even Unix if you like) to avoid
    the scenario you described if so desired.

    Note that a Win 200x DNS Server can host AD-integrated, primary and
    secondary zones all at the same time, the latter two being Internet standard
    that are well understood (e.g. backup the text zone files).

    See
    http://support.microsoft.com/default.aspx?scid=kb;en-us;816101

    Hope this clarifies the issue.


    "Enkidu" wrote:

    >
    > That's not right. You can have as many non-ADI DNS as you like. There
    > is no "single point of failure" provided you have more than one DNS
    > server. In fact, if you use ADI DNS you create a single point of
    > failure - AD. If an error occurs in one ADI DNS, it could be
    > replicated to all others. This is EXTREMELY unlikely though.
    >
    > Cheers,
    >
    > Cliff
    >
    > On Sat, 1 Jan 2005 10:09:01 -0800, "Desmond Lee"
    > <mcp@donotspamplease.mars> wrote:
    >
    > >Active Directory Integrated DNS can only be hosted on a Win 200x Domain
    > >Controller. This will help avoid a DNS single point of failure.
    > >
    > >If you use DHCP to issue IP to clients, it may be a good idea to create
    > >different scopes with one pointing to DC01 and DC02 as Preferred and
    > >Alternate DNS Servers respectively, and the other scope DNS entries reversed.
    > >
    > >Hope this helps.
    > >
    > >
    > >"Marlon Brown" wrote:
    > >
    > >> In my environment I have 2,500 staff user accounts (that logon almost
    > >> concurrently). Total of 5,000 workstations.
    > >> Other 13,000 existing accounts belong to students that normally do not logon
    > >> or use computing resources concurrently.
    > >>
    > >> I have (3) DC's on the main site to handle the authentication load and (4)
    > >> DC/GCs on each remote branch office.
    > >> I will need to replace ToastedDC on the main site due to hardware issues.
    > >>
    > >> My question is this:
    > >> When I integrate DNS-AD (currently I have a primary and secondary non
    > >> integrated DNS servers), my Windows DNS servers will become DC's as well.
    > >>
    > >> Since those two DNS servers will become DC's, I will have total of (5) DC's
    > >> on the main site.
    > >> Is there any problem if I let the DNS servers (in addition to DNS role) take
    > >> the load as DC's/authentication ? I mean, I figured that since I will have
    > >> to make the two DNS servers as DC's to integrate AD-DNS, I no longer would
    > >> need to buy (1) additional server to replace my ToastedDC. Does that make
    > >> sense ?
    > >>
    > >> I am saying, I will be counting on the DNS servers as DC's and I would like
    > >> to confirm if performance and design wise that is alright ?
    > >>
    > >>
    > >>
    >
    > --
    >
    > The National Party manifesto can be viewed here:
    >
    > http://www.labour.org.nz/policy/index.html
    >
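The layout described in this reply (the zone AD-integrated on the DCs, plus a standard secondary copy on another server) as an added example; this is not code from the thread or from the KB article, and it assumes the DnsServer PowerShell module of Windows Server 2012 and later. The zone name, server names and addresses are constructed placeholders. The security-relevant detail it adds is that zone transfers are permitted only to the one listed secondary, not to any server that asks.

```powershell
# Added example (not from the thread): keep the AD-integrated zone on the
# DCs and add a file-backed secondary on a member server, while allowing
# zone transfers (AXFR/IXFR) only to that listed secondary. Assumes the
# DnsServer module (Windows Server 2012+) and these constructed values:
$Zone        = 'corp.example'              # constructed AD zone
$Dcs         = @('DC01', 'DC02')           # constructed ADI DNS servers
$DcIps       = @('10.0.0.11', '10.0.0.12')
$Secondary   = 'DNS-SEC01'                 # constructed member server
$SecondaryIp = '10.0.0.50'

# 1. On each DC: only the named secondary may pull the zone (rather than
#    "any server"), and it is notified of changes so its copy stays current.
foreach ($dc in $Dcs) {
    Set-DnsServerPrimaryZone -ComputerName $dc -Name $Zone `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryIp `
        -Notify NotifyServers -NotifyServers $SecondaryIp
}

# 2. On the member server: a standard secondary zone, stored in a text zone
#    file, that pulls from either DC.
if (-not (Get-DnsServerZone -ComputerName $Secondary -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -ComputerName $Secondary -Name $Zone `
        -ZoneFile "$Zone.dns" -MasterServers $DcIps
}

# 3. Check the result: the DCs should report a DS-integrated primary and the
#    member server a secondary of the same zone.
foreach ($srv in ($Dcs + $Secondary)) {
    $z = Get-DnsServerZone -ComputerName $srv -Name $Zone
    '{0}: type={1}, DS-integrated={2}, file={3}' -f $srv, $z.ZoneType, $z.IsDsIntegrated, $z.ZoneFile
}
```

The secondary's zone file on the member server is the plain-text copy the reply mentions as being easy to back up; because the DCs only answer transfer requests from the listed address, the zone contents are not handed out to arbitrary hosts that send an AXFR.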
  5. Archived from groups: microsoft.public.win2000.active_directory

    No. Where is the "single point of failure" if you have several non-ADI
    DNS servers? If any server fails the others can take up the load.
    There is no single point, the failure of which causes the whole of the
    system to fail. This is *exactly* the situation that I set up when I
    first went to a Windows 2000 AD Domain from a Windows NT4 Domain. You
    are totally wrong when you say that non-ADI DNS is "a single point of
    failure".

    Only if you are only running one server is it a single point of
    failure, and this is *also* true if the DNS is ADI on a single server.

    In fact, if AD is corrupted and you have ADI DNS, it is possible that
    you will lose *all* DNS if it is all ADI. In this sense, ADI is a
    single point of failure.

    It is always a good idea to have a non-ADI secondary DNS, if you have
    a machine that it can sit on.

    The key advantages of using ADI DNS zones are that replication is
    handled by AD and not by AXFR and IXFR (zone transfers), and there is a
    single point for administration. Nothing to do with a "single point of
    failure".

    Cheers,

    Cliff


    On Sat, 1 Jan 2005 15:01:03 -0800, "Desmond Lee"
    <mcp@donotspamplease.mars> wrote:

    >The single point of failure refers to one key advantage of using
    >AD-integrated DNS, and can be realized with having multiple DCs, which is not
    >uncommon in a large organization.
    >
    >It does not mean that other non AD-integrated DNS setup cannot be used to
    >enhance DNS availability. For example, demo.com can be AD-integrated on all
    >Win 200x Servers with DNS Service, and this same zone can be set up as
    >secondary on another DNS Server (NT, Win 200x even Unix if you like) to avoid
    >the scenario you described if so desired.
    >
    >Note that a Win 200x DNS Server can host AD-integrated, primary and
    >secondary zones all at the same time, the latter two being Internet standard
    >that are well understood (e.g. backup the text zone files).
    >
    >See
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;816101
    >
    >Hope this clarifies the issue.
    >
    >
    >"Enkidu" wrote:
    >
    >>
    >> That's not right. You can have as many non-ADI DNS as you like. There
    >> is no "single point of failure" provided you have more than one DNS
    >> server. In fact, if you use ADI DNS you create a single point of
    >> failure - AD. If an error occurs in one ADI DNS, it could be
    >> replicated to all others. This is EXTREMELY unlikely though.
    >>
    >> Cheers,
    >>
    >> Cliff
    >>
    >> On Sat, 1 Jan 2005 10:09:01 -0800, "Desmond Lee"
    >> <mcp@donotspamplease.mars> wrote:
    >>
    >> >Active Directory Integrated DNS can only be hosted on a Win 200x Domain
    >> >Controller. This will help avoid a DNS single point of failure.
    >> >
    >> >If you use DHCP to issue IP to clients, it may be a good idea to create
    >> >different scopes with one pointing to DC01 and DC02 as Preferred and
    >> >Alternate DNS Servers respectively, and the other scope DNS entries reversed.
    >> >
    >> >Hope this helps.
    >> >
    >> >
    >> >"Marlon Brown" wrote:
    >> >
    >> >> In my environment I have 2,500 staff user accounts (that logon almost
    >> >> concurrently). Total of 5,000 workstations.
    >> >> Other 13,000 existing accounts belong to students that normally do not logon
    >> >> or use computing resources concurrently.
    >> >>
    >> >> I have (3) DC's on the main site to handle the authentication load and (4)
    >> >> DC/GCs on each remote branch office.
    >> >> I will need to replace ToastedDC on the main site due to hardware issues.
    >> >>
    >> >> My question is this:
    >> >> When I integrate DNS-AD (currently I have a primary and secondary non
    >> >> integrated DNS servers), my Windows DNS servers will become DC's as well.
    >> >>
    >> >> Since those two DNS servers will become DC's, I will have total of (5) DC's
    >> >> on the main site.
    >> >> Is there any problem if I let the DNS servers (in addition to DNS role) take
    >> >> the load as DC's/authentication ? I mean, I figured that since I will have
    >> >> to make the two DNS servers as DC's to integrate AD-DNS, I no longer would
    >> >> need to buy (1) additional server to replace my ToastedDC. Does that make
    >> >> sense ?
    >> >>
    >> >> I am saying, I will be counting on the DNS servers as DC's and I would like
    >> >> to confirm if performance and design wise that is alright ?
    >> >>
    >> >>
    >> >>
    >>
    >> --
    >>
    >> The National Party manifesto can be viewed here:
    >>
    >> http://www.labour.org.nz/policy/index.html
    >>

    --

    The National Party manifesto can be viewed here:

    http://www.labour.org.nz/policy/index.html
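A check that follows from this reply's concern (a bad change in one ADI copy replicating to the others, or a server quietly dropping out) as an added example; it is not code from the thread. It asks every DNS server, AD-integrated or not, for the domain's DC locator SRV record and compares the answers, so a server that is down, not authoritative, or serving a divergent copy of the zone is reported. It assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later); the zone name and server addresses are constructed placeholders.

```powershell
# Added example (not from the thread): query each DNS server directly for the
# DC locator SRV record and compare the answer sets. Works the same for
# AD-integrated servers and for a file-backed secondary. Assumes the
# DnsClient module (Resolve-DnsName) and these constructed values:
$Zone    = 'corp.example'
$Servers = @('10.0.0.11', '10.0.0.12', '10.0.0.50')   # DC01, DC02, secondary
$Query   = "_ldap._tcp.dc._msdcs.$Zone"

function Test-DcLocatorConsistency {
    param([string[]]$Servers, [string]$Name)
    $results = foreach ($s in $Servers) {
        try {
            # -DnsOnly bypasses the local cache so each server is really asked.
            $recs = Resolve-DnsName -Name $Name -Type SRV -Server $s -DnsOnly -ErrorAction Stop |
                    Where-Object QueryType -eq 'SRV'
            # Normalize to a sorted "target:port" list so record order does not matter.
            $set = ($recs | ForEach-Object { "$($_.NameTarget):$($_.Port)" } | Sort-Object) -join ';'
            [pscustomobject]@{ Server = $s; Ok = $true;  Answer = $set }
        } catch {
            [pscustomobject]@{ Server = $s; Ok = $false; Answer = $_.Exception.Message }
        }
    }
    $good     = @($results | Where-Object Ok)
    $distinct = @($good.Answer | Select-Object -Unique)
    [pscustomobject]@{
        Responding = $good.Count
        Total      = $Servers.Count
        Consistent = ($distinct.Count -le 1)
        Details    = $results
    }
}

$report = Test-DcLocatorConsistency -Servers $Servers -Name $Query
$report.Details | Format-Table -AutoSize
if ($report.Responding -lt 2) {
    Write-Warning 'Fewer than two DNS servers answered: name resolution has no redundancy.'
}
if (-not $report.Consistent) {
    Write-Warning 'DC locator answers differ between servers; check AD replication or zone transfers.'
}
```

Run on a schedule, the two warnings map onto the two failure modes argued over in this thread: losing redundancy (too few servers answering) and a divergent or corrupted copy of the zone being served by some of them.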
  6. Archived from groups: microsoft.public.win2000.active_directory

    Please read the original reply and the MS KB article carefully. The
    discussion is not about single-point-of-failure with multiple AD-integrated
    DNS, rather the possibility of SPOF if not used (and no other non
    AD-integrated DNS servers are around).

    Thanks.

    "Enkidu" wrote:

    >
    > No. Where is the "single point of failure" if you have several non-ADI
    > DNS servers? If any server fails the others can take up the load.
    > There is no single point, the failure of which causes the whole of the
    > system to fail. This is *exactly* the situation that I set up when I
    > first went to a Windows 2000 AD Domain from a Windows NT4 Domain. You
    > are totally wrong when you say that non-ADI DNS is "a single point of
    > failure".
    >
    > Only if you are only running one server is it a single point of
    > failure, and this is *also* true if the DNS is ADI on a single server.
    >
    > In fact, if AD is corrupted and you have ADI DNS, it is possible that
    > you will lose *all* DNS if it is all ADI. In this sense, ADI is a
    > single point of failure.
    >
    > It is always a good idea to have a non-ADI secondary DNS, if you have
    > a machine that it can sit on.
    >
    > The key advantages of using ADI DNS zones are that replication is
    > handled by AD and not by AXFR and IXFR (zone transfers), and there is a
    > single point for administration. Nothing to do with a "single point of
    > failure".
    >
    > Cheers,
    >
    > Cliff
  7. Archived from groups: microsoft.public.win2000.active_directory

    You are wrong. The MS KB article says in part:

    " You may want to add additional DNS servers so there is no single
    point of failure. **Instead of** (my emphasis) adding standard
    secondary DNS servers, you can convert the server from a primary DNS
    server to an Active Directory Integrated Primary server and configure
    another domain controller to be a DNS server."

    Microsoft give the option of removing a single point of failure by
    adding a second server. Obviously they recommend that the new server
    be ADI. But it doesn't have to be. It could be a secondary on a member
    server, or even a non-Microsoft DNS. Using ANY DNS server as a
    secondary would remove that single point of failure.

    You said "Active Directory Integrated DNS can only be hosted on a Win
    200x Domain Controller. This will help avoid DNS single-point-of
    failure."

    The original poster already had two (non-ADI) DNS. There WAS no single
    point of failure in his setup!

    I would advise the OP to use ADI DNS, nevertheless. For the other
    benefits.

    Cheers,

    Cliff


    On Sun, 2 Jan 2005 01:15:01 -0800, "Desmond Lee"
    <mcp@donotspamplease.mars> wrote:

    >
    >Please read the original reply and the MS KB article carefully. The
    >discussion is not about single-point-of-failure with multiple AD-integrated
    >DNS, rather the possibility of SPOF if not used (and no other non
    >AD-integrated DNS servers are around).
    >
    >Thanks.
    >
    >"Enkidu" wrote:
    >
    >>
    >> No. Where is the "single point of failure" if you have several non-ADI
    >> DNS servers? If any server fails the others can take up the load.
    >> There is no single point, the failure of which causes the whole of the
    >> system to fail. This is *exactly* the situation that I set up when I
    >> first went to a Windows 2000 AD Domain from a Windows NT4 Domain. You
    >> are totally wrong when you say that non-ADI DNS is "a single point of
    >> failure".
    >>
    >> Only if you are only running one server is it a single point of
    >> failure, and this is *also* true if the DNS is ADI on a single server.
    >>
    >> In fact, if AD is corrupted and you have ADI DNS, it is possible that
    >> you will lose *all* DNS if it is all ADI. In this sense, ADI is a
    >> single point of failure.
    >>
    >> It is always a good idea to have a non-ADI secondary DNS, if you have
    >> a machine that it can sit on.
    >>
    >> The key advantages of using ADI DNS zones are that replication is
    >> handled by AD and not by AXFR and IXFR (zone transfers), and there is a
    >> single point for administration. Nothing to do with a "single point of
    >> failure".
    >>
    >> Cheers,
    >>
    >> Cliff

    --

    The National Party manifesto can be viewed here:

    http://www.labour.org.nz/policy/index.html