AD best practices
-
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For unknown reason DC died, when booting it stopped at black screen without any messages, I couldn't enter safe mode either. Restoring VM from backups yielded the same result, booting to black screen, even going back as far as 2 months. Having 2nd DC allowed me to seize FSMO roles, delete failing DC, and promote another one. So having 2 even on one host, is not unreasonable.
When having a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They login with their cached credentials and everything seems normal. The backup takes a few hours (DC's aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
-
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For unknown reason DC died, when booting it stopped at black screen without any messages, I couldn't enter safe mode either. Restoring VM from backups yielded the same result, booting to black screen, even going back as far as 2 months. Having 2nd DC allowed me to seize FSMO roles, delete failing DC, and promote another one. So having 2 even on one host, is not unreasonable.
When having a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They login with their cached credentials and everything seems normal. The backup takes a few hours (DC's aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
Your problem here was failure to test backups. there is no reason to have this occur had you tested your backups.
-
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For unknown reason DC died, when booting it stopped at black screen without any messages, I couldn't enter safe mode either. Restoring VM from backups yielded the same result, booting to black screen, even going back as far as 2 months. Having 2nd DC allowed me to seize FSMO roles, delete failing DC, and promote another one. So having 2 even on one host, is not unreasonable.
When having a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They login with their cached credentials and everything seems normal. The backup takes a few hours (DC's aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
That's not the scenario I described. Windows didn't even boot to that point to worry about AD database consistency.
-
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For unknown reason DC died, when booting it stopped at black screen without any messages, I couldn't enter safe mode either. Restoring VM from backups yielded the same result, booting to black screen, even going back as far as 2 months. Having 2nd DC allowed me to seize FSMO roles, delete failing DC, and promote another one. So having 2 even on one host, is not unreasonable.
When having a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They login with their cached credentials and everything seems normal. The backup takes a few hours (DC's aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
That's not the scenario I described. Windows didn't even boot to that point to worry about AD database consistency.
I said that having a second dc can complicate the backup/recovery process (which I really meant to say recovery). Jared said no. I then replied to Jared saying no, not to your post.
-
@dashrender said in AD best practices:
@wirestyle22 said in AD best practices:
@dashrender said in AD best practices:
@marcinozga said in AD best practices:
If your clients pull IP from Windows DHCP, they can register DNS records in Windows DNS servers automatically. If you move DHCP to another non-windows server or device, you will lose that ability. If it ain't broke, don't fix it.
I was pretty sure this wasn't entirely accurate.
Linux based DHCP can update DNS - just maybe not Windows DNS, not sure.
You can setup Samba AD. I'd imagine you can do DNS as well
We're specifically talking about DHCP dynamically updating DNS as DHCP hands out IPs.
Why is this important? I get why it could be a good thing but not sure if it's a must have feature for a non-profit/SMB.
-
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For unknown reason DC died, when booting it stopped at black screen without any messages, I couldn't enter safe mode either. Restoring VM from backups yielded the same result, booting to black screen, even going back as far as 2 months. Having 2nd DC allowed me to seize FSMO roles, delete failing DC, and promote another one. So having 2 even on one host, is not unreasonable.
When having a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They login with their cached credentials and everything seems normal. The backup takes a few hours (DC's aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
That's not the scenario I described. Windows didn't even boot to that point to worry about AD database consistency.
I said that having a second dc can complicate the backup/recovery process (which I really meant to say recovery). Jared said no. I then replied to Jared saying no, not to your post.
Not it does not. Because you simply do not recover one of them in a failure scenario. then there is no inconsistency to deal with.
-
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For unknown reason DC died, when booting it stopped at black screen without any messages, I couldn't enter safe mode either. Restoring VM from backups yielded the same result, booting to black screen, even going back as far as 2 months. Having 2nd DC allowed me to seize FSMO roles, delete failing DC, and promote another one. So having 2 even on one host, is not unreasonable.
When having a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They login with their cached credentials and everything seems normal. The backup takes a few hours (DC's aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
That's not the scenario I described. Windows didn't even boot to that point to worry about AD database consistency.
AD should be backed up by itself not as part of the OS. There are tools (and even powershell scripts) that can make this extremely easy.
-
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For unknown reason DC died, when booting it stopped at black screen without any messages, I couldn't enter safe mode either. Restoring VM from backups yielded the same result, booting to black screen, even going back as far as 2 months. Having 2nd DC allowed me to seize FSMO roles, delete failing DC, and promote another one. So having 2 even on one host, is not unreasonable.
When having a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They login with their cached credentials and everything seems normal. The backup takes a few hours (DC's aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
You don't recover AD like you think you recover it. When recovering in a cluster like this bring up an entirely new AD server and promote it to DC. It will pull all of the data from the other domain controller. Remove the other one from AD (forcibly if necessary) and you're good.
-
@coliver said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@jaredbusch said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
@wirestyle22 said in AD best practices:
@marcinozga said in AD best practices:
I had a situation once where having 2 DCs on one host saved my ass. For unknown reason DC died, when booting it stopped at black screen without any messages, I couldn't enter safe mode either. Restoring VM from backups yielded the same result, booting to black screen, even going back as far as 2 months. Having 2nd DC allowed me to seize FSMO roles, delete failing DC, and promote another one. So having 2 even on one host, is not unreasonable.
When having a single DC you could just recover via backups. I think the assumption here is that you will have downtime, but that is only if your DNS server is your DC, which it doesn't have to be. Users wouldn't notice anything if they could resolve hostnames. They login with their cached credentials and everything seems normal. The backup takes a few hours (DC's aren't big).
I guess you missed the part when I said restoring DC from backups didn't do any good.
That is not the scenario I'm talking about. You had a second DC. That complicates the backup process.
No it does not.
A live database being replicated doesn't create time disparities that could potentially not resolve correctly?
That's not the scenario I described. Windows didn't even boot to that point to worry about AD database consistency.
AD should be backed up by itself not as part of the OS. There are tools (and even powershell scripts) that can make this extremely easy.
In a total fialure scenario, you just recover the entire server. Done.
In a single server scenario, you agian, jsut recover the entire server done.No reason to deal with any other tool for AD.
-
@dashrender said in AD best practices:
Well, this would be a reason for the non-profit to fire their paid consultants. The non-profit isn't looking for the best solution, instead they are keeping some consultants in cash for no reason.
I'm pretty sure @scottalanmiller would call this corruption.Fear, not corruption. They are weaning themselves from old consulting firm, but worry that I (as an unpaid volunteer) will not always be available. They want to be left with a network that can be maintained by available resources.
My second DC will be at a second location connected by the 50 mb internet location. Both sites will have local authentication and the link is plenty to handle replication given the relatively small number of users.
The new servers are Dell T30s at $329 each. A 2 core Server 2016 pack costs $8 (16 required) and a CAL is $3. Fairly cost effective and they stay in their comfort zone.
I appreciate all of the feedback, especially regarding splitting DHCP and FS. I'm still unsure as to whether it's bad practice to run the FS on the same instance of Windows server as DC/DNS. I have a vague memory of reading that somewhere, but that's the way the former consultants set up the current server.
The MS license allows two VMs, so I can split the roles if it's needed and best to stay all MS, or offload FS and DHCP to linux. My take on the feedback so far (given that I'm definitely going with two physical servers running MS Server) is that offloading FS and DHCP roles is possible, but may create additional headaches and lose some degree of functionality.
-
@jfath said in AD best practices:
@dashrender said in AD best practices:
Well, this would be a reason for the non-profit to fire their paid consultants. The non-profit isn't looking for the best solution, instead they are keeping some consultants in cash for no reason.
I'm pretty sure @scottalanmiller would call this corruption.Fear, not corruption. They are weaning themselves from old consulting firm, but worry that I (as an unpaid volunteer) will not always be available. They want to be left with a network that can be maintained by available resources.
My second DC will be at a second location connected by the 50 mb internet location. Both sites will have local authentication and the link is plenty to handle replication given the relatively small number of users.
The new servers are Dell T30s at $329 each. A 2 core Server 2016 pack costs $8 (16 required) and a CAL is $3. Fairly cost effective and they stay in their comfort zone.
I appreciate all of the feedback, especially regarding splitting DHCP and FS. I'm still unsure as to whether it's bad practice to run the FS on the same instance of Windows server as DC/DNS. I have a vague memory of reading that somewhere, but that's the way the former consultants set up the current server.
The MS license allows two VMs, so I can split the roles if it's needed and best to stay all MS, or offload FS and DHCP to linux. My take on the feedback so far (given that I'm definitely going with two physical servers running MS Server) is that offloading FS and DHCP roles is possible, but may create additional headaches and lose some degree of functionality.
Where do I get Dell servers for $329?
OK these are basically desktop PCs being called servers. No redundant powersupplies, what's the RAID option? is it real RAID or fakeRAID?What are you replicating to the remote location? Just the AD authentication stuff?
-
@dashrender Yep, T30 are the low end Dell servers. ECC and single Xeon E3-1225, but no redundant PS. I'll throw in an LSI HW raid controller before deployment. And the $329 price was a one day sale. Just AD replication between sites.
-
@jfath said in AD best practices:
@dashrender Yep, T30 are the low end Dell servers. ECC and single Xeon E3-1225, but no redundant PS. I'll throw in an LSI HW raid controller before deployment. And the $329 price was a one day sale. Just AD replication between sites.
Even if the remote side is free to host on, it doesn't seem worth the $329 spent, plus the RAID card and I'm assuming drives are still needed.
Make good backups, test the backups and go. One DC, One server should be all that's needed.
-
@dashrender said in AD best practices:
...Make good backups, test the backups and go. One DC, One server should be all that's needed.
Good to know and makes my life easier. Not having much experience in this area, I was following the 'wisdom' of the Internet that seems to insist on separate physical primary and secondary DCs for every installation.
-
@jfath Virtualization and backup technology for said virtualization means that unless you are some special snowflake (you are not) then you should never need that kind of crap anymore. Honestly, most SMB never needed it before either.
-
@jfath said in AD best practices:
@dashrender said in AD best practices:
...Make good backups, test the backups and go. One DC, One server should be all that's needed.
Good to know and makes my life easier. Not having much experience in this area, I was following the 'wisdom' of the Internet that seems to insist on separate physical primary and secondary DCs for every installation.
that is very old thinking, and wasn't even right back then. physical DC haha...
If you want an explanation on any of the things provided here, just ask. Showing how in IT the business side is every bit as important as the actual tech is important.
-
@jfath said in AD best practices:
I do plan to use a second physical machine with another Win Server VM as the secondary DC. I understand AD well enough to know why it's important to have two if you're going to have one.
Almost never is there value to that. For a new installation, there is literally zero value in most cases. What risk is there to losing AD for an hour or a week? Would there be one minute of impact? Not likely.
-
@jfath said in AD best practices:
Fear, not corruption. They are weaning themselves from old consulting firm, but worry that I (as an unpaid volunteer) will not always be available. They want to be left with a network that can be maintained by available resources.
That makes no business sense. Of course you might disappear. So might the paid resource. What will definitely disappear is the money. If they wanted actual support, they have loads of options that they could pay anytime. Paying a firm not doing a good job or not doing any work or whatever actually lowers their ability to get actual support by costing them the money that they need to pay for the actual support when the time comes.
-
@jfath said in AD best practices:
@dashrender Yep, T30 are the low end Dell servers. ECC and single Xeon E3-1225, but no redundant PS. I'll throw in an LSI HW raid controller before deployment. And the $329 price was a one day sale. Just AD replication between sites.
That's a lot of money. Is there any value to it? I mean that literally - is there any at all?
-
@dashrender said in AD best practices:
@jfath said in AD best practices:
@dashrender said in AD best practices:
that is very old thinking, and wasn't even right back then. physical DC haha...
Sorry, I meant two DC VMs running on two separate physical machines, not actually physical DCs.
@scottalanmiller said in AD best practices:
That's a lot of money. Is there any value to it? I mean that literally - is there any at all?
Nope, absolutely none. And that's my mistake - there's much misinformation on the Internet that says it's a best practice and my lack of experience prompted me to accept it. That's why I asked you smart guys. I'll put the second server in my home lab or deploy it somewhere that it actually makes sense.
Convincing them to go with a non-AD/MS solution is another matter. Simply not going to happen.
So... still the remaining first question - is there any problem with putting DC, DNS, DHCP, and FS roles all on a single VM? Should FS be split?
