Testing your Domain Controller

If you’re in charge of the infrastructure at your workplace, you have probably deployed your share of DCs. Let’s say you’re about to deploy two more at a new site. Microsoft recommends they both be Global Catalog servers. You get everything working just fine, and then someone starts adding more and more users, until pretty soon they have doubled the original number. How will your Domain Controllers handle the extra load?
Microsoft has a little tool called the Active Directory Performance Testing Tool (ADTest.exe). ADTest is an Active Directory load-generation tool that simulates client transactions against a host server.
“Remember that benchmarking and performance exercises are useful for comparing platforms or for getting a general understanding of the hardware requirements for common implementation scenarios.” In other words, use it as a guideline, not as exact science, and allow for different results in the real world. Nevertheless, it’s a great planning tool.

Server 2008 and the RODC (Read-Only Domain Controller)

Speaking with several people about Server 2008 migrations, I heard a lot of questions and reactions to the new Read-Only Domain Controller (RODC) option. There was some confusion too, as some thought it was similar to the Backup Domain Controller (BDC) technology of Windows NT 4.0.

The difference between an RODC and a BDC becomes apparent when there are more than two DCs per domain. In Windows NT 4.0 you could only have one read-write Primary Domain Controller (PDC), and all other DCs had to be read-only BDCs. Windows Server 2008 lets you choose which DCs are read-writable and which are read-only with a great degree of freedom. For example, if you have 30 DCs in your domain, you can have 26 regular DCs and 4 RODCs.

One reason to deploy an RODC is a DC location that is not physically secure. In that case, not only could data be obtained from the DC, but malicious data could be injected into the compromised DC. With a normal read-writable DC, such damage would replicate throughout the domain and perhaps even through the entire forest. With an RODC the damage can be localized.
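To put the writable-vs-RODC split and the Global Catalog recommendation above into practice, here is an added inventory script (not part of the original post) that lists every DC in the domain with its role, site and GC status, then flags sites served only by an RODC and writable DCs that are not Global Catalogs. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the account running it can read the domain.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module (Get-ADDomainController / Get-ADDomain) and read access to the domain.
Import-Module ActiveDirectory

function Get-DcRoleInventory {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # One object per DC: writable vs RODC, site placement, and GC status.
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        [pscustomobject]@{
            HostName        = $dc.HostName
            Site            = $dc.Site
            Role            = if ($dc.IsReadOnly) { 'RODC' } else { 'Writable DC' }
            GlobalCatalog   = $dc.IsGlobalCatalog
            OperatingSystem = $dc.OperatingSystem
        }
    }
}

$inventory = Get-DcRoleInventory
$inventory | Sort-Object Site, Role | Format-Table -AutoSize

# The 26 / 4 style split described in the post, for this domain.
$writable = @($inventory | Where-Object Role -eq 'Writable DC')
$rodcs    = @($inventory | Where-Object Role -eq 'RODC')
"{0} writable DC(s), {1} RODC(s)" -f $writable.Count, $rodcs.Count

# Sites with no writable DC: every write from that site must cross the WAN
# to a writable DC, so these are the sites where RODC placement matters most.
$inventory | Group-Object Site | Where-Object {
    -not ($_.Group | Where-Object Role -eq 'Writable DC')
} | ForEach-Object { "Site '{0}' is served only by an RODC" -f $_.Name }

# Writable DCs that are not Global Catalogs, against the recommendation
# that new site DCs be GCs.
$writable | Where-Object { -not $_.GlobalCatalog } |
    ForEach-Object { "Writable DC {0} is not a Global Catalog" -f $_.HostName }
```

Run it from a domain-joined management host; the same inventory taken before and after a load test with ADTest gives you the DC list the results actually apply to.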