AD DS: All domains should have at least two functioning domain controllers for redundancy

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2, Windows Server 2012

Active Directory Domain Services (AD DS)

The domain has only one functioning domain controller.


In the event of a failure on the domain's only domain controller, users will not be able to log in to the domain or access domain resources.


Add one or more additional domain controllers to the domain to handle authentication and authorization requests in case there is a failure on the domain's single available domain controller.

To provide fault tolerance, every domain in your Active Directory environment should have at least two functioning domain controllers. Additional domain controllers may be required, based on user authentication and application requirements.

There are many factors to consider regarding decisions about the number of domain controllers to place in each domain. These decisions are based on performance of authentication, access to resources, replication, and cost.

The use of read-only domain controllers (RODCs) can increase security dramatically and can also increase performance. The cost of adding RODCs in the correct scenarios is minimal, and they should be considered. For more information about RODCs, see Read-Only Domain Controller Planning and Deployment Guide.

You can change a decision to add or remove domain controllers at any time.
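
To check the rule above across every domain in a forest, the following PowerShell sketch counts the domain controllers in each domain and flags domains with fewer than two that respond. It is an added example, not part of the original topic or of the Best Practices Analyzer; the function names are hypothetical, and "functioning" is approximated here as "accepts a TCP connection on LDAP port 389", which is an assumption rather than the analyzer's own test.

```powershell
# Added example: flag domains with fewer than two reachable domain controllers.
# Assumption: a DC counts as "functioning" if it accepts a TCP connection on
# LDAP port 389. This is a reachability check, not the BPA's own health test.
Import-Module ActiveDirectory

function Test-LdapPort {
    param([string]$HostName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 389, $null, $null)
        # Give up if the connection does not complete within the timeout
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DomainControllerRedundancy {
    foreach ($domain in (Get-ADForest).Domains) {
        try {
            $dcs = @(Get-ADDomainController -Filter * -Server $domain -ErrorAction Stop)
        } catch {
            # No domain controller answered the query for this domain
            $dcs = @()
        }
        $up       = @($dcs | Where-Object { Test-LdapPort -HostName $_.HostName })
        $writable = @($up  | Where-Object { -not $_.IsReadOnly })
        New-Object PSObject -Property @{
            Domain            = $domain
            TotalDCs          = $dcs.Count
            ReachableDCs      = $up.Count
            # RODCs are reported separately so a domain that relies on one
            # writable DC plus RODCs is visible in the output
            ReachableWritable = $writable.Count
            Compliant         = ($up.Count -ge 2)
        }
    }
}

Get-DomainControllerRedundancy | Sort-Object Domain |
    Format-Table Domain, TotalDCs, ReachableDCs, ReachableWritable, Compliant -AutoSize
```

Run it from a domain-joined computer that has the Active Directory module for Windows PowerShell installed; a domain reported with `Compliant` set to `False` is the condition this topic describes.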

Additional references

For more information, see Step B2: Determine the Number of Domain Controllers.