AD best practices
-
@dashrender Yep, T30 are the low end Dell servers. ECC and single Xeon E3-1225, but no redundant PS. I'll throw in an LSI HW raid controller before deployment. And the $329 price was a one day sale. Just AD replication between sites.
-
@jfath said in AD best practices:
@dashrender Yep, T30 are the low end Dell servers. ECC and single Xeon E3-1225, but no redundant PS. I'll throw in an LSI HW raid controller before deployment. And the $329 price was a one day sale. Just AD replication between sites.
Even if the remote side is free to host on, it doesn't seem worth the $329 spent, plus the RAID card and I'm assuming drives are still needed.
Make good backups, test the backups and go. One DC, One server should be all that's needed.
-
@dashrender said in AD best practices:
...Make good backups, test the backups and go. One DC, One server should be all that's needed.
Good to know and makes my life easier. Not having much experience in this area, I was following the 'wisdom' of the Internet that seems to insist on separate physical primary and secondary DCs for every installation.
-
@jfath Virtualization and backup technology for said virtualization means that unless you are some special snowflake (you are not) then you should never need that kind of crap anymore. Honestly, most SMB never needed it before either.
-
@jfath said in AD best practices:
@dashrender said in AD best practices:
...Make good backups, test the backups and go. One DC, One server should be all that's needed.
Good to know and makes my life easier. Not having much experience in this area, I was following the 'wisdom' of the Internet that seems to insist on separate physical primary and secondary DCs for every installation.
that is very old thinking, and wasn't even right back then. physical DC haha...
If you want an explanation on any of the things provided here, just ask. Showing how in IT the business side is every bit as important as the actual tech is important.
-
@jfath said in AD best practices:
I do plan to use a second physical machine with another Win Server VM as the secondary DC. I understand AD well enough to know why it's important to have two if you're going to have one.
Almost never is there value to that. For a new installation, there is literally zero value in most cases. What risk is there to losing AD for an hour or a week? Would there be one minute of impact? Not likely.
-
@jfath said in AD best practices:
Fear, not corruption. They are weaning themselves from old consulting firm, but worry that I (as an unpaid volunteer) will not always be available. They want to be left with a network that can be maintained by available resources.
That makes no business sense. Of course you might disappear. So might the paid resource. What will definitely disappear is the money. If they wanted actual support, they have loads of options that they could pay anytime. Paying a firm not doing a good job or not doing any work or whatever actually lowers their ability to get actual support by costing them the money that they need to pay for the actual support when the time comes.
-
@jfath said in AD best practices:
@dashrender Yep, T30 are the low end Dell servers. ECC and single Xeon E3-1225, but no redundant PS. I'll throw in an LSI HW raid controller before deployment. And the $329 price was a one day sale. Just AD replication between sites.
That's a lot of money. Is there any value to it? I mean that literally - is there any at all?
-
@dashrender said in AD best practices:
@jfath said in AD best practices:
@dashrender said in AD best practices:
that is very old thinking, and wasn't even right back then. physical DC haha...
Sorry, I meant two DC VMs running on two separate physical machines, not actually physical DCs.
@scottalanmiller said in AD best practices:
That's a lot of money. Is there any value to it? I mean that literally - is there any at all?
Nope, absolutely none. And that's my mistake - there's much misinformation on the Internet that says it's a best practice and my lack of experience prompted me to accept it. That's why I asked you smart guys. I'll put the second server in my home lab or deploy it somewhere that it actually makes sense.
Convincing them to go with a non-AD/MS solution is another matter. Simply not going to happen.
So... still the remaining first question - is there any problem with putting DC, DNS, DHCP, and FS roles all on a single VM? Should FS be split?
-
@jfath said in AD best practices:
So... still the remaining first question - is there any problem with putting DC, DNS, DHCP, and FS roles all on a single VM? Should FS be split?
Because of licensing costs, I do exactly this. All of those roles live on a single server. I've had many servers at many customers for more than a decade and never ran into a problem because of these all being on the same host.
Now that said - you get two VMs worth of Windows Server with your normal licensing. So in your case I would be more apt to setup an AD/DNS/DHCP VM and a file serving VM. At minimum I'd probably put DNS on the second VM as well - this would allow you use Windows DNS and reboot either VM without causing an internet interruption.
-
@jfath If possible you should separate the file server from the domain controller. It can seriously hinder your work to not be able to reboot your domain controller at will.
-
@dashrender said in AD best practices:
...So in your case I would be more apt to setup an AD/DNS/DHCP VM and a file serving VM. At minimum I'd probably put DNS on the second VM as well - this would allow you use Windows DNS and reboot either VM without causing an internet interruption.
@wirestyle22 said in [AD best practices]
It can seriously hinder your work to not be able to reboot your domain controller at will.
Thank you - that's exactly the input I was looking for. So single DC with DNS, DHCP on one VM and another VM on the same physical machine running DNS and FS. Perfectly simple - easy to install and maintain.
-
@jfath said in AD best practices:
@dashrender said in AD best practices:
@jfath said in AD best practices:
@dashrender said in AD best practices:
that is very old thinking, and wasn't even right back then. physical DC haha...
Sorry, I meant two DC VMs running on two separate physical machines, not actually physical DCs.
@scottalanmiller said in AD best practices:
That's a lot of money. Is there any value to it? I mean that literally - is there any at all?
Nope, absolutely none. And that's my mistake - there's much misinformation on the Internet that says it's a best practice and my lack of experience prompted me to accept it. That's why I asked you smart guys. I'll put the second server in my home lab or deploy it somewhere that it actually makes sense.
Convincing them to go with a non-AD/MS solution is another matter. Simply not going to happen.
So... still the remaining first question - is there any problem with putting DC, DNS, DHCP, and FS roles all on a single VM? Should FS be split?
In my experience, it's more convenient and can be better to have them separated. But, you don't need to. None of those services will break or cause issues by being on the same OSE.
Some others already mentioned having the ability to perform maintenance on either the infrastructure VM (ad/dns/dhcp) or file server VM without interrupting the other services. I prefer to keep file servers on their own VM, but I work with big and busy file servers among other reasons. So it certainly doesn't need to be how I do it in all cases.
-
@jfath said in AD best practices:
So... still the remaining first question - is there any problem with putting DC, DNS, DHCP, and FS roles all on a single VM? Should FS be split?
AD DC, DNC and DHCP should be all one VM. FS is an acceptable function to mix with your DC when you need to. But ideally, you'd have it split. So if the VM licensing exists, split it out.
