
Are there any risks besides downtimes, if there is only a single domain controller for a small company?

I did some research and everyone recommends at least two domain controllers, but I can't find a real reason why it is so important to have more than one.

Downtimes are no real argument. What is gained if the second server allows users to connect to the domain, but the main server hosting files and Exchange is down? The users will not be able to work anyway. This may be interesting if you have more than one Exchange server with DAG, cluster, etc., but not if everything else is not redundant.

On the contrary, it seems to me that a second domain controller will make restore procedures more complicated, because you have to seize FSMO roles, use system state restores, replicate data, etc., while a single domain controller would allow me to simply restore a full system backup, created with backup software that allows creation of online images, because I don't have to care about consistency between two domain controllers.

Can anyone provide me with real risks that could arise from a single domain controller? I won't be able to convince my boss to buy a second server only by telling him "everyone recommends a second domain controller". He will ask the same question as I did: "What are the risks if we don't have one?"

HopelessN00b
JPS
  • If you want to show him the "real risk", wait until the busy time at work and shut down the server for an hour or two and go to lunch. That should demonstrate. – Bart Silverstrim Sep 26 '11 at 14:12
  • If Exchange and the file server are gone, he will not care about the lost possibility to login. And I will not get 2 x DC + 2 x Exchange + hardware load balancer for a really recommended and redundant solution. A cheap second DC would be the maximum, if I could provide him a real benefit for that solution. – JPS Sep 26 '11 at 16:07
  • OR you get two DC's, one Exchange server, and one backup server without a load balancer. – Bart Silverstrim Sep 26 '11 at 16:08
  • OR you get one DC, one Exchange server, one backup server and one VM server (hyper-v or vmware) and you virtualize a DC and create additional servers for other roles as needed! – Bart Silverstrim Sep 26 '11 at 16:09
  • You sound pretty much like you're looking for justification to just have your one server that does everything. If you want to run it that way, go ahead, see what problems you have down the road. I'm afraid you're not going to find much justification to support that idea here, though. – Bart Silverstrim Sep 26 '11 at 16:10
  • Seriously if you want to pursue that route and see if it works for your business, shut down the server and walk away for a few hours. That simulates an outage and repair time to restore, assuming your restore works properly and that you have parts available (an optimal failure condition.) If your boss and coworkers get by with minimal disruption, then your recovery plan can be marked as complete. – Bart Silverstrim Sep 26 '11 at 16:16
  • Risk: Failing at life. There isn't a single good reason to ever have a single DC longer than the 10 minutes after you first create your domain, this being the time you take for a coffee break before running dcpromo on the second machine. If cost is an issue, pick up someone's throwaway computer (even a netbook), because honestly that's better than what you've got now. – gWaldo Sep 26 '11 at 16:20
  • I don't look for a justification for having only one server, but for good arguments to get my boss to approve at least a second server. The problem is that most answers tell me to get a second DC and a redundant Exchange solution. For that solution I need at least two "big" servers for Hyper-V and 2 Server Enterprise licences or some other solution involving 3+ servers, and I know that my boss won't approve that - the maximum would be a (small) second server that I could use as 2nd DC and separate backup server. But I would need good arguments for that. – JPS Sep 27 '11 at 07:32
  • I already gave you your argument. Shut off the server, leave for a couple hours. This is what would happen if you had a catastrophic server failure without redundancy AND your backups worked as hoped. Which they don't always do; what should have been an easy restore on a server turned into a debacle when a RAID 5 array failed, we replaced the disk, and turned out another disk had a URE. Shouldn't have had any downtime, ended up with an overnight restore of everything. – Bart Silverstrim Sep 27 '11 at 12:22
  • If you want to illustrate the point, shut down the server and leave. This simulates your disaster plan. If the business doesn't care and carries on without problem, voila. You don't need any more servers for anything. If your boss turns red and is highly irritated at the downtime, you show him the bill that would purchase the redundancy needed. – Bart Silverstrim Sep 27 '11 at 12:23
  • Last, you don't really *NEED* a second Exchange solution unless you're an enterprise. I'm not entirely sure why you think you do, as long as your Exchange server is backed up and has adequate RAID in place. If your business isn't huge and you're just duplicating something like a DC you could get along with one "big" server (if you call an old Dell 2950 big) with ESXi (free) and license what you need for one more DC. You can also virtualize smaller servers for specialized purposes, and get another server when your needs grow. – Bart Silverstrim Sep 27 '11 at 12:26
  • Here's one risk: http://serverfault.com/questions/316099/clone-failed-windows-server-2008-r2-hdd – MikeyB Sep 27 '11 at 21:20
  • @MikeyB, came here to post this. JPS, would you want to be in this position? – tombull89 Sep 28 '11 at 11:49

4 Answers


First of all, you're looking at things wrong. You're running Exchange and other services on your server as well as Active Directory and DNS. You're doing it wrong. You really want Domain Controllers to only run Active Directory and DNS. You'll run into serious performance issues down the road if you get a medium number of mailboxes in Exchange and it runs on a DC.

That being said, downtime is a real issue. Is your boss OK with users not being able to log in, access file shares, access other SSO technologies that you might leverage for the hours that it will take to do a restore? If you have two DCs (or more) and you have exchange and file services running on separate servers like you should be, then this becomes a very real problem.

As it is, it seems like you already have all of your eggs in one basket, which is a really really bad position to be in. You should be pushing for a dedicated Exchange server, a 2nd DC, and possibly a file/print server. This, of course, depends on the number of users that you have. Even if you do keep Exchange and any file/print services on your existing DC, if it goes down, your network users won't even be able to log in to their machines to get basic Internet access.

Finally, seizing the FSMO roles is trivial. As long as both DCs are Global Catalogs, you don't even really have to transfer the roles if you're going to be fixing the downed server immediately anyway.

You're already in a bad position. You should be working towards rectifying it by adding the additional infrastructure that you need to eliminate all-or-nothing downtime, not throwing your hands in the air and saying "well we're pretty much screwed anyway."

MDMarra
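As an added worked example (not part of MDMarra's answer or anything else in this thread), here is the "promote a second DC, then transfer or seize the FSMO roles" procedure the answer describes, in PowerShell. It assumes Server 2012 or later on the new machine (the ADDSDeployment and ActiveDirectory modules; on 2008 R2, which this thread dates from, the promotion step is dcpromo instead), a hypothetical domain `corp.example`, and hypothetical host names `DC1` (the original, single DC) and `DC2` (the new one). None of those names come from the question.

```powershell
<#
  Added example, not from the original thread. Hypothetical names throughout:
  domain corp.example, old DC "DC1", new DC "DC2". Assumes Server 2012+ on DC2
  (ADDSDeployment + ActiveDirectory modules); on 2008 R2 the -Promote step
  would be dcpromo instead.

  Usage:  .\second-dc.ps1 -Promote        # on the new box; reboots when done
          .\second-dc.ps1                 # planned transfer, DC1 still online
          .\second-dc.ps1 -OldDcIsGone    # DC1 is dead for good: seize
#>
param(
    [string]$Domain = 'corp.example',
    [string]$NewDc  = 'DC2',
    [switch]$Promote,
    [switch]$OldDcIsGone   # set ONLY when DC1 will never come back online
)

if ($Promote) {
    # Install the role and promote an additional DC into the existing domain.
    # -InstallDns also makes it a second DNS server (AD is useless without DNS);
    # a 2012+ promotion makes the new DC a Global Catalog unless -NoGlobalCatalog
    # is given. Prompts for the DSRM password, then reboots.
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    Install-ADDSDomainController -DomainName $Domain -InstallDns `
        -Credential (Get-Credential -Message "Domain Admin for $Domain") -Force
    return
}

Import-Module ActiveDirectory

# Where do things stand? Every DC should show IsGlobalCatalog = True, and the
# OperationMasterRoles column shows who currently holds each FSMO role.
Get-ADDomainController -Filter * |
    Select-Object Name, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

$roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

if (-not $OldDcIsGone) {
    # Graceful transfer: the current holder must be online; the cmdlet fails
    # (rather than silently seizing) if it cannot be reached.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
        -OperationMasterRole $roles -Confirm:$false
} else {
    # Seizure: -Force rewrites role ownership without consulting the old holder.
    # After this the old DC must never be powered on in the domain again; clean
    # it out instead (ntdsutil "metadata cleanup" or delete its NTDS Settings object).
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc `
        -OperationMasterRole $roles -Force -Confirm:$false
}

# Verify: the forest-wide and domain-wide role holders should now be $NewDc.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

The point MDMarra makes is visible in the script: as long as the surviving DC is already a Global Catalog, the transfer/seize branch is a single cmdlet, and for a short outage you can skip it entirely. The `-OldDcIsGone` switch is deliberately separate from "DC1 doesn't answer right now", because a seized role plus a resurrected old holder is the one way to make the two-DC case genuinely messy.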

The risks are as you stated, but I don't think your Exchange server should have a Single Point of Failure either. With two DCs you add in secondary DHCP, DNS, NTP, and authentication. Likewise, load balancing.

My thinking would also be that you're not always thinking of worst case - say you lose DC1 for a few hours thanks to some bad hardware. You may be back up and running very quickly and in the meantime, DC2 is taking on its tasks quite happily.

Likewise, network outages. If you have a cable or port die, then you're not going to be down long but it's long enough for the users to notice.

You don't need to worry too much about FSMO until it's becoming more serious.

Dan

Most people don't seem to understand the issue here. If you have an image based backup solution you can restore your single DC within 10 minutes - much faster than any other method with 2 DCs having to start replicating again. Tombstone and USN issues don't apply as you only have a single DC. Why would a small company purchase 3 servers (2 dedicated DCs and 1 fileserver)? That is total overkill.

  • Disagree. You don't need to restore a failed DC if you have more than one. You just need to spin up a new one (you're using templates or automated installs, right?) and then just promote it. That also will only take about 10 minutes. On top of that, how frequently are you taking full image BMR backups of this one single server? Nightly? Weekly? So it's OK to lose up to an entire day or week's worth of all server-based data since you only have this single server? You can do this with two physical servers plus virtualization to minimize the risk of a hardware failure and keep the cost reasonable – MDMarra Mar 13 '13 at 05:00
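The two things this exchange turns on, how old the last AD backup actually is and whether the remaining DCs are replicating, are both checkable. The following is an added example, not code from the thread: it reads the forest tombstone lifetime, compares it with the last backup date that the DC itself recorded, and dumps replication state. A DC system-state backup older than the tombstone lifetime cannot be restored into a domain that still has other DCs, which is the multi-DC restore complication the question worries about. It assumes the ActiveDirectory module and `repadmin.exe` (RSAT / 2008 R2 or later; `Get-ADReplicationPartnerMetadata` and `Get-ADReplicationFailure` need the 2012 RSAT), and it assumes `repadmin /showbackup` prints its dates as `yyyy-MM-dd HH:mm:ss`.

```powershell
<#
  Added example, not from the original thread. Run on a surviving DC.
  Assumes: ActiveDirectory module, repadmin.exe, 2012+ RSAT for the two
  Get-ADReplication* cmdlets, and "yyyy-MM-dd HH:mm:ss" dates in repadmin output.
#>
Import-Module ActiveDirectory

# The tombstone lifetime is stored on the Directory Service object in the
# configuration partition. Forests created on 2003 SP1 or later set it to 180;
# if the attribute is absent the forest is using the legacy 60-day default.
$cfgNc   = (Get-ADRootDSE).configurationNamingContext
$dsObj   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
                        -Properties tombstoneLifetime
$tslDays = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

# repadmin /showbackup lists, per naming context, the last AD-aware (system
# state) backup that was taken. Pull every date out and keep the newest.
$dates = repadmin /showbackup 2>&1 | ForEach-Object {
    if ("$_" -match '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') { [datetime]$Matches[1] }
}
$lastBackup = $dates | Sort-Object | Select-Object -Last 1

if (-not $lastBackup) {
    Write-Warning 'No AD-aware backup has ever been recorded on this DC.'
} else {
    $ageDays = ((Get-Date) - $lastBackup).Days
    "Last AD backup: $lastBackup ($ageDays days ago); tombstone lifetime: $tslDays days"
    if ($ageDays -ge $tslDays) {
        Write-Warning 'Backup is older than the tombstone lifetime and cannot be restored into a domain that still has other DCs.'
    }
}

# Replication: last success per partner and partition, plus any open failures.
# A healthy two-DC domain shows LastReplicationResult 0 and no failure rows.
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize
Get-ADReplicationFailure -Scope Forest |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
```

The backup-age check is the useful one for the single-DC case too: an image taken by third-party software that is not AD-aware does not update the backup marker `repadmin /showbackup` reads, so if the script reports "never backed up" on a server you believe is imaged nightly, that is worth knowing before you rely on the image for a directory restore.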

As with everything, it depends on what you are doing. My development lab only has one DC. So...the answer is if it isn't important, then it isn't important. BUT! You really need to make sure you understand the risks of having to recreate everyone's user accounts. If you are supporting more than 5 people this can get very very painful.

Joshua Toon
  • Why do I have to recreate all user accounts? If I restore the full system backup image from the nightly backup, everything should be restored. Only Exchange could be a problem, if the current log files are inaccessible. – JPS Sep 26 '11 at 15:49
  • You don't just have to create accounts; you need to go through the process of creating a new domain with the same settings and then restore the backup to it. Even throwing a throwaway ancient computer as an additional DC is better than nothing. – gWaldo Sep 26 '11 at 16:11
  • @JPS We've had problems where the full backup, even though it claims to have been successful, won't restore without causing the server to blue screen. In a case like that, or with bad backups, you're stuck having to rebuild AD, recreating user accounts, and rejoining PCs to the domain. – KJ-SRS Sep 26 '11 at 16:36
  • When I say recreating the user accounts I am talking about domain users losing their profiles on the workstations. They will have a new SID which means the workstation will create a new profile. This can be changed/fixed...but it's a wicked pain. PLUS all your users will freak out and act like the world is ending because they will think all of their older stuff has been deleted. – Joshua Toon Sep 26 '11 at 16:46
  • @JoshuaToon Users won't get new SIDs if you restore AD from a backup... – MDMarra Sep 26 '11 at 17:53
  • @MarkM you are correct. Single DC...I'm sure they are doing back up. :) – Joshua Toon Sep 26 '11 at 23:39
  • @joshuatoon considering the OP commented on your answer and said that they are, I think that's a safe bet. – MDMarra Sep 27 '11 at 00:17
  • Is this just a last word kind of thing? You win. If you restore from back up then NO accounts would need to be recreated. – Joshua Toon Sep 27 '11 at 11:15