
We are a small business setting up a new server... budget is limited of course.

I have ~500GB of data to share that needs to be stored locally on the single server we have.

Host Server: Dell Poweredge T610, 24GB RAM, Xeon CPU, RAID6 4TB etc...

Windows Server 2012 R2 STANDARD licence, HYPER-V Core role installed on Host.

  • VM1: Active Directory DC/DNS/DHCP
  • VM2: RDS Terminal Server

My question is, which VM should I store the file services role & file server data VHDX on? I would create a second VHDX for the files but which should I attach it to & run the role?

My first thought was the RDS server because you shouldn't do file servers on a DC as it disables write cache etc... but my concern is since some of our awful legacy apps may require local admin access on the RDS server this makes file permissions useless, therefore it would be better to host it from the DC VM so we can enforce permissions (we can't afford another Server 2012 licence to put file services on a separate VM)... but does Active Directory disable write caching on ALL disks/attached VHDX or only on the one on which the directory database resides?

Thanks!

user181683

1 Answer


A third VM would, obviously, be the most desirable but, obviously, another Windows Server license costs money.

Active Directory will only disable write caching on volumes where the database files are located. Adding a dedicated volume for file service would be fine in that respect.

Of all the roles to "share" on a DC a file server is probably the least worrisome from a security perspective since AD already uses File and Print Sharing for the SYSVOL. You're not really adding any attack surface so long as you're not inappropriately sharing AD-related files.

Evan Anderson
  • Thanks for the reply - something I just thought of that I may need to consider - what about SMB signing? If I had to turn that off to increase performance on the AD VM then that's increasing the attack surface as well :( although this is just a small business. – user181683 Oct 15 '14 at 16:30
  • I've never heard of anybody ever turning off SMB signing in any environment for performance reasons. I can't imagine it'll be a problem. – Evan Anderson Oct 15 '14 at 17:40
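
The checks discussed in the answer and comments above, as an added example that is not part of the original thread: a PowerShell script for the DC VM that reports which volumes hold the AD DS database, logs and SYSVOL, flags any share that overlaps those directories, and shows whether SMB signing is required. The drive letter `E` for the dedicated file-share VHDX is an assumption.

```powershell
# Added example: run in an elevated PowerShell session on the DC VM (Server 2012 R2).
# $DataDrive is an assumed drive letter for the dedicated file-share VHDX.
param([string]$DataDrive = 'E')

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntds = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue
if (-not $ntds) { throw 'NTDS parameters not found: this machine is not a domain controller.' }

# Paths AD DS uses: database file, log directory and the SYSVOL tree.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$adPaths = @(
    $ntds.'DSA Database file',
    $ntds.'Database log files path',
    (Get-ItemProperty -Path $netlogonKey).SysVol
) | Where-Object { $_ }

# Volumes holding these paths are the ones the answer says lose write caching.
$adDrives = $adPaths |
    ForEach-Object { (Split-Path -Path $_ -Qualifier).TrimEnd(':').ToUpper() } |
    Sort-Object -Unique
"AD DS files live on drive(s): $($adDrives -join ', ')"
if ($adDrives -contains $DataDrive.ToUpper()) {
    Write-Warning "Drive ${DataDrive}: also holds AD DS files; put share data on its own volume."
}

# Normalise to directories with a trailing backslash for prefix comparison.
$adDirs = $adPaths | ForEach-Object {
    if (Test-Path -LiteralPath $_ -PathType Leaf) { Split-Path -Path $_ -Parent } else { $_ }
} | ForEach-Object { $_.TrimEnd('\') + '\' }

# Flag shares (other than the built-in SYSVOL/NETLOGON) whose path is inside,
# or a parent of, an AD DS directory, i.e. shares that would expose AD files.
$risky = Get-SmbShare -Special $false |
    Where-Object { $_.Path -and $_.Name -notin 'SYSVOL', 'NETLOGON' } |
    Where-Object {
        $p = $_.Path.TrimEnd('\') + '\'
        $adDirs | Where-Object {
            $_.StartsWith($p, [StringComparison]::OrdinalIgnoreCase) -or
            $p.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
        }
    }
if ($risky) { $risky | Format-Table Name, Path -AutoSize }
else { 'No user-created share overlaps the AD DS directories.' }

# SMB signing state on the server side of this DC.
$smb = Get-SmbServerConfiguration
"SMB signing: required=$($smb.RequireSecuritySignature), enabled=$($smb.EnableSecuritySignature)"
if (-not $smb.RequireSecuritySignature) { Write-Warning 'SMB signing is not required on this DC.' }
```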