When making choices for a new Active Directory environment, choices eventually need to be made for the Operating System for the Active Directory Domain Controllers. The key question here is whether the Enterprise and Datacenter Editions add any substantial functionality to the Standard Edition. Let’s go through the differences between the main Windows Server editions:
Windows features
Number of processors
One of the main differences between the Standard, Enterprise and Datacenter editions of Windows Servers is the amount of supported processor sockets. Now, Domain Controllers won’t burn a lot of processor cycles, except:
- when the Active Directory infrastructure is quite elaborate. In that case however, scaling out Active Directory by implementing additional Domain Controllers is the way to go.
- for the Domain Controller, holding the PDC emulator Flexible Single Master Operations (FSMO) role, since all password and group policy changes replicate from this server. Implementing this server as a dedicated Domain Controller and splitting Windows, the system volume (SYSVOL), the Active Directory database and the Active Directory logs to different physical sets of spindles will get you pretty far with four logical processors.
Amount of addressable RAM
Standard, Enterprise and Datacenter editions of Windows Server allow for different upper limits in addressable RAM from a license perspective. The table below shows the maximum licensed amount of RAM per edition, per architecture, per Service Pack and per family:
x86 | x64 | |
Windows 2000 Server | ||
Windows 2000 Server | 4 GB | N.A. |
Windows 2000 Advanced Server | 8 GB |
N.A. |
Windows 2000 Datacenter Server | 32 GB | N.A. |
Windows Server 2003 Standard Edition | 4 GB | 16 GB |
Windows Server 2003 Standard Edition (Service Pack 1) | 4 GB | 32 GB |
Windows Server 2003 Standard Edition (Service Pack 2) | 4 GB | 32 GB |
Windows Server 2003 Enterprise Edition | 32 GB | 64 GB |
Windows Server 2003 Enterprise Edition (Service Pack 1) | 64 GB | 1024 GB |
Windows Server 2003 Enterprise Edition (Service Pack 2) | 64 GB | 2048 GB |
Windows Server 2003 Datacenter Edition | 128 GB | 512 GB |
Windows Server 2003 Datacenter Edition (Service Pack 1) | 128 GB | 1024 GB |
Windows Server 2003 Datacenter Edition (Service Pack 2) | 128 GB | 2048 GB |
Windows Server 2003 R2 | ||
Windows Server 2003 R2 Standard Edition | 4 GB | 32 GB |
Windows Server 2003 R2 Standard Edition (Service Pack 2) | 4 GB | 32 GB |
Windows Server 2003 R2 Enterprise Edition | 64 GB | 1024 GB |
Windows Server 2003 R2 Enterprise Edition (Service Pack 2) | 64 GB | 2048 GB |
Windows Server 2003 R2 Datacenter Edition | 128 GB | 1024 GB |
Windows Server 2003 R2 Datacenter Edition (Service Pack 2) | 128 GB | 2048 GB |
Windows Server 2008 | ||
Windows Server 2008 Standard Edition | 4 GB | 32 GB |
Windows Server 2008 Enterprise Edition | 64 GB | 2048 GB |
Windows Server 2008 Datacenter Edition | 64 GB | 2048 GB |
Windows Server 2008 R2 | ||
Windows Server 2008 R2 Standard Edition | N.A. | 32 GB |
Windows Server 2008 R2 Enterprise Edition | N.A. | 2048 GB |
Windows Server 2008 R2 Datacenter Edition | N.A. | 2048 GB |
The table clearly shows the gaps between maximum licensed supported amounts of RAM, but also shows these gaps diminishing.
Available RAM in Domain Controllers is nice to have. As I pointed out earlier in my post on why 64bit-only Windows Server is good for Active Directory, within RAM you can cache the Active Directory Database, which improves the performance of Domain Controllers significantly. So, a large database might be a reason to choose an Enterprise Edition or even Datacenter edition of Windows Server as your Domain Controller.
The cacheable limit of 32bit installations of Windows Server Standard Edition would be reached when the Active Directory database would reach 2,75 GB. This amounts to roughly 300,000 user objects and their corresponding stuff (computer accounts, groups, etc).
The cacheable limit of a 64bit installation of Windows Server Standard Edition would be reached when the whole of 32GB is filled (or on Windows Server 2003 without any Service Pack, when 16GB is filled) The environment to reach the limit would encompass roughly 3,5 million users.
Other features
When choosing an edition of Windows Server for a Domain Controller, other features might persuade you to choose an Enterprise or Datacenter edition of Windows Server 2003 and up when specific requirements exist to support these features:
Feature | Standard | Enterprise | Datacenter |
Hot Add Memory support |
v |
v |
|
Fault Tolerant Memory Sync |
v |
v |
|
Hot Add Processors |
v |
||
Hot Replace Memory |
v |
||
Hot Replace Processors |
v |
Certificate Services
Some believe a Domain Controller needs to be based on an Enterprise (or Datacenter) Edition of Windows Server, because of Active Directory Certificate Services. This is a common misconception.
Active Directory Certificate Services on Enterprise and Datacenter edition of Windows Server (2008) provide the following features:
Feature | Standard | Enterprise | Datacenter |
Windows Server 2008 | |||
Certificate Authority |
v |
v |
v |
Network Device Enrollment Service |
v |
v |
|
Online Responder service |
v |
v |
|
v2 and v3 certificate templates |
v |
v |
|
Key archival |
v |
v |
|
Role separation |
v |
v |
|
Certificate Manager restrictions |
v |
v |
|
Delegated enrollment agent restrictions |
v |
v |
|
Windows Server 2008 R2 | |||
Certificate Enrollment Web Service |
v * |
v |
v |
Certificate enrollment across forests |
v |
v |
|
Improved support for high-volume CAs |
v |
v |
v |
* Certificate enrollment across forests requires an enterprise CA running the Enterprise or Datacenter edition of Windows Server
Since certain features are only available when the Active Directory Certificate services are installed on an Enterprise Edition or Datacenter Edition of Windows Server, the assumption is made the Domain Controller also needs to be based on an Enterprise Edition of Windows Server. This is the root cause of the misconception.
Domain Controllers don’t need to be Windows Server Enterprise Edition, since Active Directory Certificate Services don’t need to be installed on a Domain Controller.
Distributed File System
Besides caching the Active Directory in RAM, there is one other real reason (but only in some specific situations) to make the Enterprise or Datacenter edition of Windows Server your platform of choice for Domain Controllers: Distributed File Server (DFS) roots.
About DFS roots
A DFS root in DFS terms is the root from which DFS sprouts. Links can be added to a DFS root. These links are shared folders and can be replicas of each other. Links show up as folders in the DFS root. The DFS root acts as the DFS namespace.
Two types of DFS roots exist: Stand-alone DFS roots and Domain-joined roots. A domain-joined DFS root will publish itself in Active Directory and supports replication, whereas a stand-alone DFS root does not.
However, in environments with Windows 2000 Server-based Domain Controllers, you’ll want a Domain-joined DFS root to reside on a Domain Controller, since root servers running Windows 2000 Server or Windows Server 2003 and that are not domain controllers cannot determine a DFS client computer’s site when the restrictanonymous registry entry is set to 2 on domain controllers running Windows 2000 Server.
Note:
The restrictanonymous setting above is not set to 2 on a default installation of Windows Server, but is recommended as a security precaution to restrict anonymous connections by the Microsoft Baseline Security Analyzer (MBSA).
In Windows 2000 Server-based servers (Domain Controllers or Member servers), you could host one domain-joined DFS root. In Windows Server 2003 and up you can host multiple DFS roots on servers, when the server (a Domain Controller or a Member server) is based on either an Enterprise edition or Datacenter edition of Windows Server.
Concluding
From an Active Directory point of view the Enterprise and Datacenter editions of Windows Server don’t bring anything extra to the table compared to Windows Server Standard Edition.
However, placing Windows Server Enterprise Edition or Windows Server Datacenter Edition-based Domain Controllers, would provide better performance per Domain Controller in the following scenarios:
- You’re required to run 32bit Domain Controllers and the environment encompasses more than 300,000 users.
- A requirement or possibility is to run 64bit Domain Controllers, but you’re required to utilize Windows Server 2003 without any Service Pack and the environment encompasses more than 2 million users.
- A requirement or possibility is to run 64bit Domain Controllers, but the environment encompasses more than 3,5 million users.
When requirements exist to use the advanced features of either Enterprise or Datacenter Edition of Windows Server (Hot Add/Replace Memory, Hot Add/Replace Processors, Fault tolerant Memory Sync) you obviously cannot choose Windows Server Standard Edition as the default platform for your Domain Controllers.
When a requirement exists to host multiple domain-joined DFS roots in a multi-site Active Directory environment with Windows 2000 Server-based Domain Controllers and high security needs, it’s recommended to host domain joined DFS roots on Domain Controllers. You could host them on multiple Windows Server Standard-based Domain Controllers, but the number of Domain Controllers you’d need quickly grows large. Windows Server Enterprise edition, would be a viable alternative.
Further reading
TechNet Forums – Windows 2008 Domain Controllers Standard vs. Enterprise
Compare Technical Features and Specifications
Memory Limits for Windows Releases
Active Directory Certificate Services Overview
Microsoft TechNet – DFS Technical Reference
Windows 2003 DFS (Distributed File System)
Multiple DFS Roots and Domain Controllers
Creating a DFS root
Working with Windows 2000's Distributed File System
Configure a DFS environment in Windows Server 2003
Login