WOOF! Newsletter

July 15, 2022

Why You Should Use a Hybrid Domain Controller Setup

Domain controllers facilitate user authentication for your network. Many businesses have explored 'hybridizing' their Domain Controllers…should you? Here's what a Hybrid DC rollout looks like.


When it comes to network security, the Domain Controller is the first place to start. This is where your user accounts are set up, and where your employees authenticate every day to gain access to the services they need to work.

The Domain Controller, then, is the gateway to your network. It has to stay up and running, all day, every day.

How do you make sure it stays up? By giving it a twin.

When one Domain Controller sits in your office and its twin sits in the cloud, that's what's called a Hybrid Domain Controller setup, and it's what we'll cover in this WOOF.

The Golden Rule of Domain Controllers: Never Have Just One

Domain Controllers run several core components for a company network. Most importantly, on Windows servers, they run Active Directory—the spine of the network.

Active Directory is where all user accounts reside. Every day you open your work laptop and type in your network login, you're authenticating against the company's Active Directory.

Once Active Directory verifies your account, you get access to all of the typical services: email, file services, VoIP, network devices like printers, Internet, and so on.

If it doesn't recognize your account login or password, you don't get in. Simple as that.

This makes Active Directory, and the Domain Controller on which it runs, critical for the network's proper function.

This is why the best practice for Domain Controllers is: never have just one. Deploy at least two, in different geographic locations.

That way if one's down, the other can still authenticate users.

How to Run a Domain Controller in the Cloud

Let's say you have a Domain Controller in your company's on-premises network. It serves the company domain (Acme.com, for example). We'll call this one "DC One."

If we want to put a second Domain Controller in the cloud – "DC Two" – how does that work?

Turns out it's relatively easy. Several cloud providers will rent you a virtual server that you turn into a Domain Controller yourself. This model is called "Infrastructure as a Service," or IaaS. The two big IaaS providers are AWS and Azure.

You can also host your cloud Domain Controller with PlanetMagpie, as many of our customers do. Here's how that would work.

We create a secure tunnel from the PlanetMagpie cloud to your internal network. Then we build the new server in PlanetMagpie's data center and promote it as an additional Domain Controller for Acme.com. During promotion it pulls a full copy of the directory from DC One; from then on Active Directory replication keeps the two in step on its own, and you're done.

This is typically a one-time 8-hour effort.  Hosting is around $250/month.
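Here is what that build looks like in PowerShell, as an added example that is not PlanetMagpie's own procedure or script. It assumes the domain is acme.com, the existing on-prem DC is DC1.acme.com in the default site "Default-First-Site-Name", the cloud subnet is 10.20.0.0/24, the tunnel is already up, and the cloud server's DNS client points at DC1; all of those names are assumptions for the example. The first part runs on an existing DC, the second on the cloud server that will become DC Two.

```powershell
# Added example (not PlanetMagpie's build script). Assumptions: domain acme.com,
# on-prem DC DC1.acme.com in site "Default-First-Site-Name", cloud subnet
# 10.20.0.0/24, tunnel already up, cloud server's DNS client pointed at DC1.

# --- Step 1: run on DC1 (or any RSAT host) as a Domain Admin ---------------
# Describe the cloud location to AD so the new DC lands in its own site,
# clients on that subnet prefer it, and inter-site replication is scheduled.
Import-Module ActiveDirectory
New-ADReplicationSite   -Name 'Cloud'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Cloud'
New-ADReplicationSiteLink -Name 'OnPrem-Cloud' `
    -SitesIncluded 'Default-First-Site-Name', 'Cloud' `
    -InterSiteTransportProtocol IP -Cost 100 `
    -ReplicationFrequencyInMinutes 15    # 15 minutes is the minimum inter-site interval

# --- Step 2: run on the cloud server that will become DC2 ------------------
# Add the AD DS binaries, then promote the box as an additional writable DC.
# Promotion performs the initial full copy of the directory from DC1;
# -InstallDns gives cloud clients a DNS server that holds acme.com's SRV records.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$domainAdmin  = Get-Credential -Message 'Domain Admin account for acme.com'
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password for DC2'

Install-ADDSDomainController `
    -DomainName 'acme.com' `
    -Credential $domainAdmin `
    -SiteName 'Cloud' `
    -InstallDns `
    -ReplicationSourceDC 'DC1.acme.com' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force          # suppress the interactive warnings; the server reboots when done

# --- Step 3: after the reboot, confirm both DCs are registered -------------
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsReadOnly, IsGlobalCatalog
```

The site and subnet objects matter as much as the promotion: without them, cloud clients have no way to know DC Two is "near" them, and the site link is what gives you control over how often the two DCs replicate across the tunnel.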

The Hidden Power of Hybrid: Real-Time Sync for All-the-Time Access

Once replication is flowing between DC One and DC Two, you've created a Hybrid Domain Controller setup.

Now you've given your network a quiet, but powerful stability boost.

  1. CONSTANT SYNC – Every new account, password reset, group membership or permission change…it's all replicated between DC One and DC Two. Within one site that happens within seconds; between your office and the cloud it runs on the site-link schedule you choose (as often as every 15 minutes), and password changes are forwarded to the PDC emulator immediately so a user who just reset their password isn't turned away at the other site.

  2. FAILOVER – If DC One is down for any reason (power outage, hardware failure, cyberattack), users can still authenticate on DC Two and keep working, as long as DC Two also serves DNS (or clients can otherwise look up the domain's SRV records) and they can reach it through the tunnel.

The best part? All of this happens automatically, every day, once set up!
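Don't take "automatic" on faith: check it. The following is an added example, not part of the original newsletter, that verifies both the sync and the failover path. It assumes DC1.acme.com (on-prem) and DC2.acme.com (cloud) are both writable DCs for acme.com, that a test user "jdoe" exists, and that it runs on a domain-joined machine with RSAT installed; those names are assumptions.

```powershell
# Added example (not from the original article). Assumes writable DCs
# DC1.acme.com (on-prem) and DC2.acme.com (cloud), a test user "jdoe",
# and a domain-joined machine with RSAT (ActiveDirectory module, repadmin, nltest).
Import-Module ActiveDirectory

# 1. Replication health: who DC2 pulls from, when it last succeeded, and
#    whether it has been failing repeatedly (a dead tunnel shows up here first).
Get-ADReplicationPartnerMetadata -Target 'DC2.acme.com' -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# 2. End-to-end sync check: write on DC1, push it across the site link now
#    instead of waiting for the schedule, and read it back from DC2.
$stamp = "sync test $(Get-Date -Format s)"
Set-ADUser -Identity 'jdoe' -Server 'DC1.acme.com' -Description $stamp
repadmin /syncall DC1.acme.com /AdeP      # A=all partitions, d=show DNs, e=cross-site, P=push
$seenOnDc2 = (Get-ADUser -Identity 'jdoe' -Server 'DC2.acme.com' -Properties Description).Description
if ($seenOnDc2 -eq $stamp) { 'DC2 has the change' } else { 'DC2 is behind: check replication' }

# 3. Failover path: clients discover DCs through SRV records in DNS, so DC2
#    must appear here or nobody will fail over to it when DC1 is down.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.acme.com' -Type SRV |
    Select-Object NameTarget, Port, Priority, Weight

# 4. Ask the DC locator which DC a machine in the Cloud site would pick,
#    bypassing its cached answer.
nltest /dsgetdc:acme.com /site:Cloud /force
```

If step 2 reports DC2 is behind while step 1 shows a recent success, the site link schedule is simply longer than your patience; if step 1 shows consecutive failures, look at the tunnel before anything else.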


Who Should Use Hybrid Domain Controllers?

All businesses that use an Active Directory structure benefit from this setup. Businesses with more than one physical location can host one Domain Controller in each of their locations.

Businesses using Microsoft 365 benefit too, as long as they have Azure AD Connect (Microsoft's Active Directory sync tool) set up for their domain. If DC One is down, the sync server can read from DC Two instead and keep Microsoft 365 accounts in step.


Securing Your Domain Controllers – Keep Them Talking, But Limit Account Management

It's important to note that Domain Controllers need solid security. Since they control your user accounts, which have access to all your company data, cybercriminals love to target them.

How do you secure Domain Controllers, then? Start with the same security tools and methods you use for the rest of the network, then add a few controls specific to Domain Controllers. Here are a few examples.

Make the cloud Domain Controller a Read-Only Domain Controller (RODC). With an RODC, the on-prem Domain Controller keeps the "original," writable copy of every account; the cloud Domain Controller receives a one-way, inbound-only copy, and it only caches the password hashes of accounts you explicitly allow in its Password Replication Policy.

This way nobody can create or change accounts on the cloud Domain Controller. An attacker who compromises it can't create phony users and push them to its on-prem twin, because replication never flows from the RODC back to the writable DC, and they get at most the credentials the policy let it cache. The trade-off: if the tunnel to DC One is down, only users whose passwords the RODC has already cached can still log on, and password resets wait for a writable DC, so build the allowed list around the people who need to keep working.
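Promoting the cloud server as an RODC and reviewing what it is allowed to cache looks like this. It is an added example, not PlanetMagpie's script: it assumes DC2 in the "Cloud" site is being promoted for acme.com (NetBIOS name ACME), and that a group "ACME\Cloud-Cached-Users" lists the accounts that must still be able to log on when the tunnel is down; the group name and server names are assumptions.

```powershell
# Added example (not PlanetMagpie's build script). Assumes DC2 in site "Cloud"
# is being promoted as an RODC for acme.com (NetBIOS ACME), and an assumed
# group ACME\Cloud-Cached-Users holds the accounts that must work tunnel-down.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$domainAdmin  = Get-Credential -Message 'Domain Admin account for acme.com'
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password for DC2'

# -ReadOnlyReplica makes this a one-way (inbound-only) copy. The two PRP
# parameters decide whose password hashes DC2 may cache: allow the cloud
# users, and explicitly deny the accounts whose theft hands over the domain.
Install-ADDSDomainController `
    -DomainName 'acme.com' `
    -Credential $domainAdmin `
    -SiteName 'Cloud' `
    -InstallDns `
    -ReadOnlyReplica `
    -SafeModeAdministratorPassword $dsrmPassword `
    -AllowPasswordReplicationAccountName @('ACME\Cloud-Cached-Users') `
    -DenyPasswordReplicationAccountName  @('ACME\Domain Admins', 'ACME\Enterprise Admins', 'ACME\Schema Admins') `
    -Force

# --- Checks to run after the reboot, from any RSAT host -------------------
Import-Module ActiveDirectory

# The DC must report IsReadOnly = True.
Get-ADDomainController -Identity 'DC2' | Select-Object Name, Site, IsReadOnly

# Review the policy, then list which secrets have actually been cached so far:
# that list is the blast radius if the cloud DC is stolen or compromised.
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'DC2' -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'DC2' -Denied  | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'DC2' -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# Prove the "no phony users on the cloud DC" property: a write aimed at the
# RODC is refused with a referral to a writable DC instead of being created.
try {
    New-ADUser -Name 'phony.user' -Server 'DC2.acme.com' -ErrorAction Stop
    'Unexpected: the RODC accepted a write'
} catch {
    "Write refused by RODC: $($_.Exception.Message)"
}
```

Run the RevealedAccounts check periodically, not just once: the cached set grows as allowed users log on through DC Two, and any privileged account that shows up there means the deny list has a hole.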

Lock down the tunnel. Remember the tunnel between DC One and DC Two? Set it up as an authenticated, encrypted site-to-site VPN that carries only the Active Directory replication, authentication and DNS traffic between the two Domain Controllers, and give only the one system administrator who maintains it the rights to change its configuration. It won't even show up for other users, which is a nice side effect, but the protection comes from the encryption, the authentication and the narrow firewall rules, not from nobody knowing it's there.

Secondary backups. Always back up both Domain Controllers with a secure cloud backup routine. Use an Active Directory-aware system state backup rather than a bare disk image, keep every copy younger than the forest's tombstone lifetime, and test a restore: a Domain Controller restored from a backup older than that brings deleted objects back to life.
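A minimal version of that backup routine, as an added example that is not PlanetMagpie's own backup procedure: it assumes it runs on each DC as a Domain Admin or Backup Operator, and that E: is a volume dedicated to backups (an assumption; substitute your cloud backup agent's staging target).

```powershell
# Added example (not from the original article). Assumes this runs on each DC
# as a Domain Admin or Backup Operator, and that E: is a backup-only volume.
Install-WindowsFeature Windows-Server-Backup

# System state = the AD database (ntds.dit), SYSVOL, registry and boot files,
# captured through the VSS writers AD relies on. A raw disk image of a DC is
# not a safe substitute: restoring one can roll back USNs and break replication.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# A DC backup is only usable while it is younger than the forest's tombstone
# lifetime; older restores re-introduce deleted objects. Read the value so the
# retention schedule can be set well below it.
Import-Module ActiveDirectory
$configNc   = (Get-ADRootDSE).configurationNamingContext
$dsSettings = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
    -Properties tombstoneLifetime
# An unset attribute means the legacy 60-day default from older forests.
$tsl = if ($dsSettings.tombstoneLifetime) { $dsSettings.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days; retire or refresh DC backups well before that"
```

Whatever cloud backup product wraps this, the thing to verify is that it is taking a system state (or otherwise VSS/AD-aware) backup of each DC, and that its retention is shorter than the tombstone lifetime it just printed.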


Time to "go hybrid" with your Domain Controllers? Please contact us at to talk about upgrading.