No, joe, I don't consider AD a commodity service...
Monday, March 17, 2008 at 03:48PM (Ref: http://blog.joeware.net/2008/02/15/1063/, for why AD is (but should not really be) considered a commodity service by most decision-makers in our IT lives.)
So I may be getting the go to put my first few 2008 DCs into production (w00t!), and was just asked whether I would be doing an in-place upgrade or a clean install. At which point I realized that the idea of an upgrade installation simply never occurred to me. The reason? While Active Directory as a whole is anything but a commodity in my brain, a single domain controller is, and should be, as commodity as they come.
I'm sure that there are networks of sufficiently small size (my purely unscientific estimate places the seat-count at a few hundred) that for budgetary reasons they're running client-facing services on a domain controller.[1] For these AD footprints? A good in-place upgrade story for the OS is critical for any domain/forest upgrade work.
Now let's go even a single order of magnitude larger, to an environment in which your domain controller count is no longer in the single digits. In an environment like this one, I will defend my domain controllers with a whip and a chair - no file shares, no printers, no LOB applications shall despoil the vanilla-ness of my DCs. And not because I love them so, per se, but because I want to be able to kill them off at a moment's notice.
Maybe I'm unique(ly impatient) in this respect, but I've reached a point where I don't bother troubleshooting an issue on a single DC for very long. If a single DC is being a miscreant, if it's clear that the rest of my AD is behaving properly, and if this doesn't become a recurring theme (I've had to do this maybe 3 times in 18 months), I will reach the "whack/metadata cleanup/re-dcpromo" decision point in about 30 minutes. Why? Because I believe that any one domain controller in my environment just should not be that important: if the loss of a single DC creates a significant outage for my clients (FSMO role-holders thrown out as a statistical anomaly), then I simply haven't designed my AD very well. If I can push out a new OS install in 30 minutes and allow non-critical replication to happen in the background, or else maintain a recent IFM to minimize the WAN hit on a bigger database, then I consider that a fair way of cutting my losses, time-wise.
A similar principle applies as it pertains to a 2K8 upgrade: given the rapidity with which I can provision a single DC, I'd rather start with a pristine install so that I know where all the bodies are buried.
dcpromo...it's the new reboot.
[1] Pretend that virtualization doesn't exist, as most shops of that size don't pay for a savvy enough admin to push the envelope there.