
Warning: I'm a Linux/*NIX admin so this is all new to me.

I understand that it's not considered a good idea to have only a single domain controller, and that it is also probably a good idea for a domain controller to only do AD/DHCP/DNS (Here). We have two offices, location A with 30 users and location B with 10 users. Our two offices are separated by a WAN that is not particularly robust, so I have been instructed that we need to have standalone services in each office. This means that according to "best practices" we will need to build a domain controller and a separate file server in each office. Again, I am not knowledgeable in the ways of Windows, but this seems a little unnecessary for an organization of 40 users.

People have commented that I could "get away with" running file services on the domain controller as long as the "load is light". That just seems to generate more questions than it answers.

  1. What constitutes light load?
  2. What are the potential consequences of mixing these roles?

Ideally I would prefer to only have one physical machine at each location. The one in location A (the location with IT staff) can act as the primary domain controller and the one in the smaller office can act as the backup domain controller. If either domain controller fails we can still use the other one for authentication (albeit with some latency), and if the WAN connection fails each office still has access to their respective "local" domain controller. If the file services are ALSO run on each server (and synchronized with something like DFS), a similar arrangement in terms of redundancy can be had without having to purchase, build and install two additional separate servers. It's not that I'm averse to that (well, any more averse than I am to the whole thing to begin with), but to my simple mind it just seems, well, a bit overkill. I can definitely see the benefits of functional separation when we're talking larger organizations, but I need to consider the additional overhead too.

None of this excludes having a DRP setup for the domain controller/s. I assume you can lose two domain controllers just as easily as one.

EDIT: The answers I have gotten are really quite good but I would like a look at the other side of the coin if that is possible. What could potentially go wrong by mixing the roles? What am I risking with this kind of setup that I'm not risking with each controller doing Active Directory and only Active Directory?

3 Answers


The 'Must be up' constraint does strongly indicate that a DC needs to be in the second site. Unfortunately. In order to better handle 'net outages and conserve bandwidth, an AD Site needs to be declared in each location and a DC at each.

Also, Microsoft sells their Small Business Server which is a kind of all-in-one machine. DC, Exchange, files. One machine. I don't remember the size of office they pitch it at, but you're pretty close to that size. So...

What constitutes light load?

Considering you have a domain with 40 users, you're probably not going to be incurring a lot of domain-sync related load on your DC machines. This leaves more overhead for file-and-print serving. Happily, file-and-print (file, more than print) is a relatively lightweight service for an office of only 10. So long as the machine is sufficiently server-class and modern, I would run both DC and File roles without a second thought.

Disclaimer: I'm a big-shop admin, and we have smaller-shop admins who frequent here. I may be off base :)

sysadmin1138
  • Given the small number of users this is more than adequate. We have ten times the number of users with a similar number of DCs at two locations and have few server related issues. – Mitch Dec 28 '10 at 01:58
  • @kce - 1138 is on the money. For this kind of user load, on modern hardware, DC/DNS/DHCP and file/print can fit all on the same box just ducky. You stick a machine in each office doing these, you should be all set. Be careful with things like DFS though, it doesn't do multi-site file locking or version control, so read up on it fully before deciding it meets your goals. – mfinni Dec 28 '10 at 02:44
  • +1, This situation screams for a RODC/Fileserver at the satellite site using something like DFS or BranchCache to serve files. Commingling the various services on the same OS isn't best practice, and I'd recommend splitting it up into at least two VMs running under Hyper-V Server if you can get the licenses for it; but at only 10 users it should work well enough all together. DFS-R can be scheduled to reduce sync traffic during the workday, and catch up on off hours, plus it's quite resilient for sketchy connections. – Chris S Dec 28 '10 at 19:45
  • @Chris S: A RODC is a Read-Only Domain Controller, correct? We have the hardware (HP DL380 G5) to go with a virtualization approach but I'd rather avoid the added complexity if I can. Again, I think these answers are all pretty much in line with what I need but I'm still wondering *what* I'm risking with the AD and file server functionality on one machine that I'm not risking with them separated out. What could go wrong with the multi-role controller that couldn't go wrong with separate systems (ignoring for a moment, the general principle that functional separation is a good thing regardless). –  Dec 28 '10 at 20:21
  • I've never had any problems with AD and simple File services (including DFS) being on the same server. The only problems you might run into are the typical 'users fill the drive and the admin who set it up just plopped everything on one partition' so it crashes AD et al. Also with users having write access they could potentially put a virus on the drives (which should be harmless enough in itself, but it's another vector of possible attack). Especially in a small site it's not everyday problems, just those one-off, odd-ball problems. Correct on RODC. – Chris S Dec 28 '10 at 20:34
  • Ahh, thanks. I just wanted to know what I was risking by keeping all the services on the same server so I could better decide if it is worth building two (physical) machines or a virtualization platform for a branch office of 10 people. –  Dec 28 '10 at 20:47
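The concrete multi-role failure named in the comments above is user data filling the volume that also holds the AD database, its transaction logs and SYSVOL, so that a full disk takes down directory services along with file serving. The following PowerShell is an added example, not part of the original thread or any answer here: it audits a DC for exactly that layout by reading where NTDS and Netlogon actually keep their files, matching those volumes against the user-facing SMB shares, and reporting free space. It assumes Windows Server 2012 or later (Get-SmbShare and Get-Volume postdate this 2010 discussion) and an elevated session on the DC itself; the function name and the quota path in the closing comment are illustrative.

```powershell
# Added example, not from the original thread. Flags SMB shares that sit on the same
# volume as the AD database, NTDS logs or SYSVOL, the "users fill the drive and AD
# stops" scenario. Assumes Server 2012+ and an elevated session on the DC.

function Get-DcShareVolumeRisk {
    [CmdletBinding()]
    param(
        # Warn when free space on a volume shared with AD drops below this percentage.
        [int]$MinFreePercent = 15
    )

    # Registry values the directory service and Netlogon use to locate their files.
    $ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    $adPaths = [ordered]@{
        'NTDS database' = $ntds.'DSA Database file'        # typically C:\Windows\NTDS\ntds.dit
        'NTDS logs'     = $ntds.'Database log files path'  # typically C:\Windows\NTDS
        'SYSVOL'        = $netlogon.SysVol                 # typically C:\Windows\SYSVOL\sysvol
    }

    # Map each drive letter to the AD components that live on it.
    $adVolumes = @{}
    foreach ($entry in $adPaths.GetEnumerator()) {
        if (-not $entry.Value) { continue }   # value missing means this box is not a DC
        $letter = (Split-Path -Qualifier $entry.Value).TrimEnd(':').ToUpper()
        if (-not $adVolumes.ContainsKey($letter)) { $adVolumes[$letter] = @() }
        $adVolumes[$letter] += $entry.Key
    }

    # User-facing shares only: skip hidden admin shares and the shares AD itself publishes.
    $adShares   = 'NETLOGON', 'SYSVOL'
    $userShares = Get-SmbShare | Where-Object {
        $_.Path -and $_.Name -notlike '*$' -and $adShares -notcontains $_.Name
    }

    foreach ($share in $userShares) {
        $letter = (Split-Path -Qualifier $share.Path).TrimEnd(':').ToUpper()
        if (-not $adVolumes.ContainsKey($letter)) { continue }   # own volume: the safe layout

        $vol     = Get-Volume -DriveLetter $letter
        $freePct = [math]::Round(100 * $vol.SizeRemaining / $vol.Size, 1)

        [pscustomobject]@{
            Share        = $share.Name
            Path         = $share.Path
            Volume       = "${letter}:"
            SharedWithAD = ($adVolumes[$letter] -join ', ')
            FreeGB       = [math]::Round($vol.SizeRemaining / 1GB, 1)
            FreePercent  = $freePct
            BelowMinimum = ($freePct -lt $MinFreePercent)
        }
    }
}

# No output means every user share is on a volume AD does not depend on.
Get-DcShareVolumeRisk | Format-Table -AutoSize

# If the roles must stay together, cap user data with an FSRM hard quota so it cannot
# consume the space AD needs (needs Install-WindowsFeature FS-Resource-Manager first).
# The path below is a placeholder for your own share:
# New-FsrmQuota -Path 'C:\Shares\Data' -Size 200GB
```

Putting user shares on a separate volume (or a separate VM, as suggested in the comments) removes the collision entirely; the quota is the fallback when a single volume is all the box has.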

About the only real risk here is that you complicate things - problems with the AD side of things could potentially impact on the file server side (or vice versa) in unexpected ways. This isn't to be under-estimated but neither is it the end of the world. Even this can be mitigated against by using virtualisation to run two virtual servers on one box to keep roles separate - of course there's a cost to that too in terms of complexity but nothing is free in this world.

You're absolutely right that ideally people would only run AD and related roles on a domain controller, but lots of people in the 'real world' add other roles, and most of those people at the 'small business/branch office' end of things do so without too many problems.

You have to be practical after all - Microsoft even have a product that is designed to share lots of roles specifically aimed at small businesses.

Rob Moir

We are running a similar setup with two locations and two AD/DNS/EX2K/W2K servers, one box on each side. The only disadvantage is maintenance. If you need to take one box offline for any reason temporarily, you lose all services on that site (working over your WAN connection may be too slow).

We are running a 24h/6d production on both sites, so any maintenance is limited to Sunday ;-((

ajmind