What are the requirements on a windows domain controller

Tags: domain-controller, windows-server-2008

Is a single-CPU server OK? What about RAM, and the network connection: a single 100 Mbit/s link or better dual 10 Gbit/s?
What are the parameters to decide? The number of users, or the kind of servers in the domain, like a web server or a database server such as SQL Server 2008 R2?

Best Answer

The basic requirements for a domain controller are, on paper, no different to the requirements for installing Windows Server in the first place. That is, the requirements to just install it and have it sitting there.

So, from the Microsoft Windows 2008 R2 website:

Processor Minimum: Single processor with 1.4 GHz (x64 processor) or 1.3GHz (Dual Core)

Memory Minimum: 512 MB RAM

Disk Space Requirements Minimum: 32 GB or greater

(Not mentioned on the website)

Network: 100 Mbit is a reasonable minimum network connection, in my experience.

(n.b. Windows 2012r2 requirements are pretty much identical)

However, as you say in your question, requirements might change depending on the size and amount of activity in the domain.

Web servers and SQL servers and the like don't increase any domain controller requirements simply because they are present in the domain, they're just another member server in that regard. However, if these services are authenticating domain users for access to their resources then they will increase the amount of work the DC has to do. Exchange is similar, but due to its tight integration into the domain the amount of extra work it will bring would probably be higher than that of a web server or SQL server.

If you have services that bind to one particular domain controller explicitly instead of to the domain, then you should monitor the additional workload that's generated on that particular domain controller. I've seen some systems that not only bind to a particular DC but also generate a fair amount of 'noise' queries, generating quite a lot of IO and processor load on their target DC.

"Cheap" ways to improve the performance of a DC include the usual methods of improving performance for Windows:

More RAM:

The more memory available for caching the better. It's really that simple.

Disks:

Put the AD Database (ntds.dit) onto separate disk spindles (ideally RAID protected and as fast as possible).

Allow at least 0.5 GB per 1000 users when allocating disk space for the AD database. Given the price of RAM these days, this probably isn't a bad idea for growing the RAM allocation either.

Network connections:

Faster network will always help response but you will only see a return on money spent here if no other parts of the system are acting as a bottleneck.

Processor:

Multiple cores are king; these days it's probably better to have (and probably easier to purchase!) more processor cores rather than fewer, faster single cores. I'd say that anything more than dual core might be difficult to justify on a DC without testing, but you'd probably want to go quad core if you were planning to have more than 10,000 users.

Other Server Roles:

Be careful about how you mix server roles.

There are certain roles that typically get folded in with the domain controller in all but the biggest networks (e.g. DNS/DHCP/WINS/Cert Server) with little harm.

There are some that get folded into a DC and will cause performance issues on all but the smallest networks (e.g. File Server/intranet server/WDS Server) but these issues are probably manageable depending on load.

Just updating the answer to say: These days (end of 2013), virtualisation is a lot more common than when I first wrote this answer (early 2011). Mixing roles on the same hardware as a DC is much easier to manage and more robust when you take advantage of virtualisation. With Hyper-V available as a role within Windows itself and Hyper-V Server (plus plenty of other alternatives) available out there, you should be able to avoid mixing roles on the same server instance too much.

These previous two classes of role are a balancing act between how concerned you are about performance on your DCs and the resources you have available to provision your network. It's better to have a file server on the DC than to have a network without a file server at all because you have nowhere else to put it.

There are some services which (imho) you should try to avoid mixing with the DC role as much as possible, due to possible serious performance, disaster recovery and/or security issues (exchange server, SQL server, Internet server and proxy server).

If you follow those rules you should have DCs that perform well and are easy to maintain and troubleshoot.
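As an added example (not code from the answer above), the following PowerShell script checks an existing DC against the rules of thumb in this answer: whether ntds.dit and its logs sit on the system volume, whether the database volume has at least 0.5 GB per 1000 users, and what RAM and core count the box has for comparison with the quoted minimums. It assumes it runs on the DC itself with the RSAT ActiveDirectory module installed; the function name Test-DcSizing is my own.

```powershell
# Added example, not part of the original answer: check a DC against the
# rules of thumb above (ntds.dit on its own volume, 0.5 GB of database disk
# per 1000 users) and report RAM/cores for comparison with the minimums.
# Assumes it runs on the DC itself with the RSAT ActiveDirectory module.
function Test-DcSizing {
    Import-Module ActiveDirectory -ErrorAction Stop

    # NTDS records its database and log locations in these registry values
    $ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dbPath  = $ntds.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
    $logPath = $ntds.'Database log files path'

    $sysDrive = $env:SystemDrive                  # e.g. C:
    $dbDrive  = Split-Path -Qualifier $dbPath
    $logDrive = Split-Path -Qualifier $logPath

    $warnings = @()
    if ($dbDrive -ieq $sysDrive) {
        $warnings += "ntds.dit is on the system volume ($dbDrive); separate spindles recommended."
    }
    if ($logDrive -ieq $dbDrive) {
        $warnings += "NTDS transaction logs share the database volume ($logDrive)."
    }

    # 0.5 GB per 1000 users (rounded up to the next 1000), as the answer suggests
    $userCount     = (Get-ADUser -Filter * | Measure-Object).Count
    $recommendedGB = [math]::Ceiling($userCount / 1000) * 0.5
    $dbSizeGB      = [math]::Round((Get-Item $dbPath).Length / 1GB, 2)
    $freeGB        = [math]::Round((Get-PSDrive -Name $dbDrive.TrimEnd(':')).Free / 1GB, 2)
    if (($freeGB + $dbSizeGB) -lt $recommendedGB) {
        $warnings += "Database volume has $freeGB GB free for a $dbSizeGB GB ntds.dit; guidance suggests $recommendedGB GB."
    }

    # Hardware figures to compare against the quoted minimums (512 MB RAM, 1 core)
    $cs  = Get-CimInstance Win32_ComputerSystem
    $cpu = Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum

    [PSCustomObject]@{
        Users           = $userCount
        NtdsDitPath     = $dbPath
        NtdsDitSizeGB   = $dbSizeGB
        DbVolumeFreeGB  = $freeGB
        RecommendedDbGB = $recommendedGB
        RamGB           = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        Cores           = $cpu.Sum
        Warnings        = $warnings
    }
}

Test-DcSizing | Format-List
```

Enumerating every user with Get-ADUser -Filter * is itself a noticeable LDAP load on a large domain, so run this off-hours rather than on a schedule.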
