Have no more than 1200 DCs in your domain, say new scalability limits.
I wonder if anyone has realistically reached that limit without needing to break the domain down into multiple domains or forests; the limitation lies in FRS's ability to keep SYSVOL replication sane. The newly published Active Directory Maximum Limits – Scalability article has some very interesting pieces of information. I am highlighting some key bullet points below.
- Each domain controller in an Active Directory forest can create a little bit less than 2.15 billion objects during its lifetime.
- There is a limit of approximately 1 billion security identifiers (SIDs) over the life of a domain.
- Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups.
- Fully qualified domain names (FQDNs) in Active Directory cannot exceed 64 characters in total length, including hyphens and periods (.).
- The maximum length for the name of an organizational unit (OU) is 64 characters.
- There is a limit of 999 GPOs that you can apply to a user account or computer account.
- The recommended maximum number of members in a group is 5,000. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members (thanks to LVR).
- For Windows Server 2003, the recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest functional level 2) is 1,200.
Even though this TechNet-published content puts Windows Server 2008 in context, as identified in the "Applies to" section, unfortunately the details do not dive into direct scalability improvements for native Windows Server 2008 and R2 forests. All in all, even with a Windows Server 2003 forest, the limitations mentioned here are rarely hit in a production environment.
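To see how far a given domain actually sits from the figures listed above, here is an added PowerShell audit (my own example, not code from the original post or the TechNet article). It assumes the RSAT ActiveDirectory module, read access to the domain, and an assumed configurable `-WarnAtPercent` threshold; the token-group check is an approximation of the logon-token SID count.

```powershell
# Added example, not from the original post: audit one domain against several of the
# limits quoted above. Assumes the RSAT ActiveDirectory module and read access to the
# domain; the -WarnAtPercent threshold is an assumed, configurable value.
Import-Module ActiveDirectory

function Test-ADScalabilityLimits {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$WarnAtPercent = 80   # report anything at or above this share of a limit
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Check, $Object, $Value, $Limit) {
        if ($Value -ge [math]::Ceiling($Limit * $WarnAtPercent / 100)) {
            $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Value = $Value; Limit = $Limit })
        }
    }

    # FQDN length and DC count are per-domain figures.
    $fqdnLength = $Domain.Length
    Add-Finding 'FQDN length (chars)' $Domain $fqdnLength 64
    $dcCount = @(Get-ADDomainController -Filter * -Server $Domain).Count
    Add-Finding 'Domain controllers' $Domain $dcCount 1200

    # OU names are limited to 64 characters.
    Get-ADOrganizationalUnit -Filter * -Server $Domain | ForEach-Object {
        $nameLength = $_.Name.Length
        Add-Finding 'OU name length (chars)' $_.DistinguishedName $nameLength 64
    }

    # Recommended maximum of 5,000 direct members per group.
    Get-ADGroup -Filter * -Properties member -Server $Domain | ForEach-Object {
        $memberCount = @($_.member).Count
        Add-Finding 'Group members' $_.DistinguishedName $memberCount 5000
    }

    # Approximately 1,015 groups per security principal (the logon-token limit).
    # tokenGroups is a constructed attribute, so it is read with a base-scope lookup
    # per account rather than in the subtree search; this is the slow part.
    Get-ADUser -Filter 'enabled -eq $true' -Server $Domain | ForEach-Object {
        $tg = (Get-ADUser -Identity $_.DistinguishedName -Properties tokenGroups -Server $Domain).tokenGroups
        $tokenGroupCount = @($tg).Count
        Add-Finding 'Token groups (incl. nested)' $_.SamAccountName $tokenGroupCount 1015
    }

    return $findings
}

# Usage: list everything at 80% or more of a limit, closest to the limit first.
Test-ADScalabilityLimits | Sort-Object { $_.Value / $_.Limit } -Descending | Format-Table -AutoSize
```

The 999-GPO limit is not covered because it depends on the effective link set per object rather than on a single directory attribute.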