Handling DNS in a Single Active Directory Domain Controller Environment

scottalanmiller

@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

@dustinb3403 said in Handling DNS in a Single Active Directory Domain Controller Environment:

@obsolesce that is just one possible outage, and still with warranties you'd be back up and running usually within 24 hours if not faster.

But you can restore a VM to any host. So you don't need the original hardware to restore a VM. Kelly said the SMB depends on AD, and has a dedicated host with a single VM on it for AD. This means there's other servers in play, to host the services that depend on AD. Likely also VM Hosts because, well, that's the proper way to do it.

Once you have a single host only for AD, either you are so tiny that there is nothing else to affect, lol. Or you are likely so large as to not be an SMB. A full server only for your primary AD capacity would almost certainly imply one massive organization.

Obsolesce

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

I see where you are going, but this is something I disagree with. The problem here is that we assume having two (or more) AD servers will be done "correctly" and be set up to do what is needed. But then we assume that if we don't do that, that what is done will be done poorly. That's not a useful comparison mechanism.

This is exactly what I keep seeing every time.

scottalanmiller

@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

I see where you are going, but this is something I disagree with. The problem here is that we assume having two (or more) AD servers will be done "correctly" and be set up to do what is needed. But then we assume that if we don't do that, that what is done will be done poorly. That's not a useful comparison mechanism.

This is exactly what I keep seeing every time.

You keep people using this apples and oranges point? Or you see people set it up incorrectly?

I see both, but to the latter, what I see is are shops that aren't making a conscious effort to choose what is right for them (dual AD, or single AD with appropriate setup, or no AD at all) but are just doing random things that happen to result in a single AD server. While yes, that is common, they don't apply to any shop that is actually trying to do their job well - which might result in any one of those scenarios.

Obsolesce

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

I see where you are going, but this is something I disagree with. The problem here is that we assume having two (or more) AD servers will be done "correctly" and be set up to do what is needed. But then we assume that if we don't do that, that what is done will be done poorly. That's not a useful comparison mechanism.

This is exactly what I keep seeing every time.

You keep people using this apples and oranges point? Or you see people set it up incorrectly?

I see both, but to the latter, what I see is are shops that aren't making a conscious effort to choose what is right for them (dual AD, or single AD with appropriate setup, or no AD at all) but are just doing random things that happen to result in a single AD server. While yes, that is common, they don't apply to any shop that is actually trying to do their job well - which might result in any one of those scenarios.

By what I said I meant that I keep seeing people using that argument approach. Exactly as you described. Everything is set up perfectly with 2 DCs, but with 1 DC, everything is set up poorly and to fail.

scottalanmiller

@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

I see where you are going, but this is something I disagree with. The problem here is that we assume having two (or more) AD servers will be done "correctly" and be set up to do what is needed. But then we assume that if we don't do that, that what is done will be done poorly. That's not a useful comparison mechanism.

This is exactly what I keep seeing every time.

You keep people using this apples and oranges point? Or you see people set it up incorrectly?

I see both, but to the latter, what I see is are shops that aren't making a conscious effort to choose what is right for them (dual AD, or single AD with appropriate setup, or no AD at all) but are just doing random things that happen to result in a single AD server. While yes, that is common, they don't apply to any shop that is actually trying to do their job well - which might result in any one of those scenarios.

By what I said I meant that I keep seeing people using that argument approach. Exactly as you described. Everything is set up perfectly with 2 DCs, but with 1 DC, everything is set up poorly and to fail.

Ah yes. It's a natural thing and not intentional. It feels logical - "I see this bad thing all the time, I have to assume that's normal." And it is normal, I think. But no matter how common it is, it doesn't apply.

Like the average person not going to college literally does nothing for four years. That's pretty common. But not people who are choosing between college and an alternative approach for career advancement. Two different pools of people.

scottalanmiller

It's actually a form of the Monty Hall Problem.

Dashrender

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

I see where you are going, but this is something I disagree with. The problem here is that we assume having two (or more) AD servers will be done "correctly" and be set up to do what is needed. But then we assume that if we don't do that, that what is done will be done poorly. That's not a useful comparison mechanism.

This is exactly what I keep seeing every time.

You keep people using this apples and oranges point? Or you see people set it up incorrectly?

I see both, but to the latter, what I see is are shops that aren't making a conscious effort to choose what is right for them (dual AD, or single AD with appropriate setup, or no AD at all) but are just doing random things that happen to result in a single AD server. While yes, that is common, they don't apply to any shop that is actually trying to do their job well - which might result in any one of those scenarios.

By what I said I meant that I keep seeing people using that argument approach. Exactly as you described. Everything is set up perfectly with 2 DCs, but with 1 DC, everything is set up poorly and to fail.

Ah yes. It's a natural thing and not intentional. It feels logical - "I see this bad thing all the time, I have to assume that's normal." And it is normal, I think. But no matter how common it is, it doesn't apply.

Like the average person not going to college literally does nothing for four years. That's pretty common. But not people who are choosing between college and an alternative approach for career advancement. Two different pools of people.

The problem with this college example is - people believe (or want to believe) that the college grad will come out of college and start where the person who has been in the workforce for 4 years is at now. Just to toss some titles into it... let's say day one person 1 starts college, and person two starts cleaning rooms. After 4 years person 1 is graduating from college and person two is a night manager. The assuming by many is that person 1 will instantly be able to become a night manager.

I'm not saying it's right or wrong - I know Scott has given an example where after 4 years he was a hotel manager (day time) and now the college grad is lucky if he can become a night manager, and not have to start by cleaning rooms - which in some cases they might.

scottalanmiller

@dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:

I'm not saying it's right or wrong - I know Scott has given an example where after 4 years he was a hotel manager (day time) and now the college grad is lucky if he can become a night manager, and not have to start by cleaning rooms - which in some cases they might.

In that example, I was the manager in 18 months. So several promotions in before the hospitality students even graduated. And new graduates still started as receptionists, not as managers, due to lack of experience. So it wasn't that I was "in the same place without spending time on college", it was that I was able to be a high level manager, overseeing low level managers, hiring the college students, in that time. The leap was huge, between the two approaches.

Not relevant here, just updating that story.

scottalanmiller

@dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:

The problem with this college example is - people believe (or want to believe) that the college grad will come out of college and start where the person who has been in the workforce for 4 years is at now. Just to toss some titles into it... let's say day one person 1 starts college, and person two starts cleaning rooms. After 4 years person 1 is graduating from college and person two is a night manager. The assuming by many is that person 1 will instantly be able to become a night manager.

Well of course, the misapplication of the alternative seems reasonable because it appears to support the point originally believed. So no trigger to distrust it, unless you dive into it and realize that someone who had the option of going to college, and chose a different path for the purpose of outperforming college is not going to sit around doing nothing like someone who didn't make that choice or didn't have the option.

scottalanmiller

So, to focus back on the points here...

The idea of this thread was to look at how to do DNS well in an environment where there is only one AD DC. The assumptions have to be...

1. That we are trying to do the setup well.
2. That this is specifically for situations where we've already determined that dual AD DCs doesn't make sense.

Those are the baselines.

scottalanmiller

Printers are a big case that @Kelly mentioned, Those are often overlooked. Mostly because we all hate them.

Something I'm seeing more and more is people printing directly to printers and not going through a print server. I think more and more in the smaller SMBs (those most likely to not have dual AD DCs) this is increasingly common and likely the strongest protection there.

Print servers used to be pretty critical, and large shops with loads of printing still need them. But for smaller companies, how often is this seen in new deployments? I know here it rarely crosses our mind to put in a print server. Just extra complexity. All the printers we deal with typically have built in print servers and it is rare that we need printer security until the shops get pretty big.

dbeato

@mike-davis said in Handling DNS in a Single Active Directory Domain Controller Environment:

I have a number of clients where they need a server, but Server Essentials on a small server is enough. Veeam for backup and if the box fails, they are down for an hour or two while we restore to something else. The licensing to go to a second AD server would more than double the cost of the project. (and isn't worth it for them)

What is the added licensing cost that you are seeing when you setup a second AD server in a non Server Essentials Environment?

Donahue

I dont use a print server, I just directly install the printers on everyone's workstations. The printers have static IP's. Its more cumbersome than I like, but it was more reliable than my attempts at a print server using GPO's.

Donahue

of all the things I could be doing, printers are not something I want to mess with on a regular basis, so the simpler and more reliable, the better.

Dashrender

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

Printers are a big case that @Kelly mentioned, Those are often overlooked. Mostly because we all hate them.

Something I'm seeing more and more is people printing directly to printers and not going through a print server. I think more and more in the smaller SMBs (those most likely to not have dual AD DCs) this is increasingly common and likely the strongest protection there.

Print servers used to be pretty critical, and large shops with loads of printing still need them. But for smaller companies, how often is this seen in new deployments? I know here it rarely crosses our mind to put in a print server. Just extra complexity. All the printers we deal with typically have built in print servers and it is rare that we need printer security until the shops get pretty big.

I could likely get away with direct IP printing - I can still deploy the printers via GPO, so this is probably a good thing for me to consider checking into. It also solves the - the print server has hung/crashed issue.

I'm already doing this at a remote branch that has no servers - so GPO pushes out an IP Printer and gets the driver from another print queue on the server - which doesn't really need to be attached to a real printer at all.

scottalanmiller

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

I dont use a print server, I just directly install the printers on everyone's workstations. The printers have static IP's. Its more cumbersome than I like, but it was more reliable than my attempts at a print server using GPO's.

You have a much larger environment than I typically see do that. But honestly, I agree. This "just works". I'm constantly seeing tickets for small shops that put in a print server and need loads of unnecessary support because they did something more complex than necessary.

scottalanmiller

@dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

Printers are a big case that @Kelly mentioned, Those are often overlooked. Mostly because we all hate them.

Something I'm seeing more and more is people printing directly to printers and not going through a print server. I think more and more in the smaller SMBs (those most likely to not have dual AD DCs) this is increasingly common and likely the strongest protection there.

Print servers used to be pretty critical, and large shops with loads of printing still need them. But for smaller companies, how often is this seen in new deployments? I know here it rarely crosses our mind to put in a print server. Just extra complexity. All the printers we deal with typically have built in print servers and it is rare that we need printer security until the shops get pretty big.

I could likely get away with direct IP printing - I can still deploy the printers via GPO, so this is probably a good thing for me to consider checking into. It also solves the - the print server has hung/crashed issue.

I'm already doing this at a remote branch that has no servers - so GPO pushes out an IP Printer and gets the driver from another print queue on the server - which doesn't really need to be attached to a real printer at all.

Printers are especially prone to complexity problems for some weird reason. Good place to go a little more down to earth and less fancy.

Dashrender

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

I dont use a print server, I just directly install the printers on everyone's workstations. The printers have static IP's. Its more cumbersome than I like, but it was more reliable than my attempts at a print server using GPO's.

My first attempt at pushing out GPOs for printers was a huge pain. But once it was done, man it made things nice!

Also, look into JB's suggestion of setting all printers to DHCP reservations instead of static. Solves all kinds of issues.

Donahue

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

I dont use a print server, I just directly install the printers on everyone's workstations. The printers have static IP's. Its more cumbersome than I like, but it was more reliable than my attempts at a print server using GPO's.

You have a much larger environment than I typically see do that. But honestly, I agree. This "just works". I'm constantly seeing tickets for small shops that put in a print server and need loads of unnecessary support because they did something more complex than necessary.

Yeah, but I only have to mess with them if we get a new workstation, or a new printer. Otherwise I am hands off. The big thing for me was getting only network printers so that we didnt have dependencies of other workstations.

Donahue

@dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

I dont use a print server, I just directly install the printers on everyone's workstations. The printers have static IP's. Its more cumbersome than I like, but it was more reliable than my attempts at a print server using GPO's.

My first attempt at pushing out GPOs for printers was a huge pain. But once it was done, man it made things nice!

Also, look into JB's suggestion of setting all printers to DHCP reservations instead of static. Solves all kinds of issues.

I've thought about that, and that would actually be the main reason I would consider reservations.