position of a new DC

Forum Index -> microsoft.public.windows.server.active_directory
tree leafs
Guest

Posted: Fri Oct 19, 2007 11:52 am    Post subject: position of a new DC

Hi,
I need to rebuild a major file server and an Exchange server and then
promote one of them to be a new DC. Which one should I choose, the Exchange
server or the file server? Which is better? Or neither of them?

Troy McClure
Guest

Posted: Fri Oct 19, 2007 11:52 am    Post subject: Re: position of a new DC

Obviously neither. A DC should be a DC and nothing more.

kj [SBS MVP]
Guest

Posted: Sun Oct 21, 2007 6:17 am    Post subject: Re: position of a new DC

Austin Osuide wrote:
Quote:
Don't think it has to do with size, Tree...
We have a mid sized AD.. 140k users and >2000 sites..
There are much much larger ADs in the US and certain corp test
environments but that's not the issue.
If I was responsible for a small 20 user AD, I would not use the same
box for my DC and Exchange server unless I was made to run SBS.
I don't get a warm fuzzy secure feeling running things that way and
it also adds complexities to AD Disaster Recovery procedures with DCs
I have come to know and understand.
At 0200hrs when the "stuff" usually hits the air circulation system,
I don't want to have to figure in Exchange into that recovery
procedure we need to do. And, more importantly, I don't want Exchange
admins logging on to my DCs! :-) Just joking - not.

Regards,

Austin

If you had a 20 user AD, I doubt you'd have a separate Exchange Admin. <g>

Quote:

"tree leafs" <treeleafs@hotmail.com> wrote in message
news:uF5XCZ3EIHA.4140@TK2MSFTNGP03.phx.gbl...
Hi Austin,
I guess you might have a very big AD.
How many users, sites, and OUs etc. in your AD?

"Austin Osuide" <austin@nowhere.com> wrote in message
news:3FqSi.11665$dM4.2553@fe04.usenetserver.com...
Hi Tree,
It wasn't detailed, the explanation. Is that what your Microsoft TAM
tells you?
Even 3rd party AD apps on my DCs give me the hibbie jibbies!

Regards,

Austin

"tree leafs" <treeleafs@hotmail.com> wrote in message
news:%23Y5qfpxEIHA.4628@TK2MSFTNGP02.phx.gbl...
Hi Austin,
thanks for the detailed explanation.
So the major concern is the security. Is there anything to do with
the performance?
I understand your concern, but as far as the security is concerned,
having access to the shares on a file server does not necessarily
give users access to the server itself. By default, normal users
will not be able to remotely logon into the DCs. Nor can they
execute programs on the file server, unless it is also a terminal
server. In reality, nowadays it's very hard to purchase a new server
that just does the DC but nothing else. In reality, people tend to put
DC(s) on newest and/or most powerful server(s) as it is more
reliable.

"Austin Osuide" <austin@nowhere.com> wrote in message
news:emDVfWxEIHA.4296@TK2MSFTNGP04.phx.gbl...
:-)
OK.
Your DC is probably your most important security device on your
network.
It holds your account database and as such, you'd want to restrict
access to it.
Using it as a "File Server" obviously defeats this objective.
As far as Exchange is concerned, it's a bit more complex. Even
though it's supported, it's not "Best Practice" and not usually
recommended. Plus, you could get yourself into all kinds of
headaches if you DCpromo out a DC with Exchange running on it or
subsequently take Exchange off the DC. Kind of locks you into the
move. I guess it all falls down to risk analysis, funding and what
your religious bias is.. Maybe that's why I don't do SBS..
Even within funding constraints, my belief is to have DCs on "well
scaled" servers. They don't have to be the biggest and most
expensive boxes out there.
To those who believe, no explanation is necessary. To those who
don't, no explanation is possible. Unfortunately, you'll get this
all the time from SBSers ;-)

Regards,

Austin


"tree leafs" <treeleafs@hotmail.com> wrote in message
news:%23wzM1WwEIHA.1208@TK2MSFTNGP03.phx.gbl...
Can you explain why? That means if I want to have two DCs in a
domain (and in same site) I would have to have 2 dedicated DCs,
right? In reality I see so many implementations that a DC is also a
file server or an exchange server. In SBS, the DC is also everything
else. Thanks,

"Austin Osuide" <austin@nowhere.com> wrote in message
news:TF4Si.23$K92.13@fe09.usenetserver.com...
Hi Tree ;-)

The answer you'll get is: YES!

Regards,

Austin

"tree leafs" <treeleafs@hotmail.com> wrote in message
news:uDPcOrkEIHA.4228@TK2MSFTNGP02.phx.gbl...
but this is not the only DC in the domain.
do you mean a DC can not take any other roles?

"Troy McClure" <n@n.com> wrote in message
news:uHpkwQkEIHA.4308@TK2MSFTNGP06.phx.gbl...
obviously neither. a DC should be a dc and nothing more



"tree leafs" <treeleafs@hotmail.com> wrote in message
news:u%23%23U4ojEIHA.4400@TK2MSFTNGP05.phx.gbl...
Hi,
I need to rebuild a major file server and an exchange server
and then promote one of them to be a new DC, which one
should I choose? the exchange server or the file server?
which is better? Or neither of them?

--
/kj

tree leafs
Guest

Posted: Sun Oct 21, 2007 6:55 am    Post subject: Re: position of a new DC

Hi Austin,
an AD with ~140K users and >2000 sites will certainly justify a dedicated DC
or DCs. I am thinking of a site with ~50 users that currently has a file
server, and we want to add an Exchange server. That's where the question is
coming from. I need to decide which of these two servers to put AD on.
I accept your point that AD on an Exchange server is supported but not
recommended. So I would opt to put the AD on the file server.
When users connect to the shares, users' credentials will be checked
anyway.

Cheers,

kj [SBS MVP]
Guest

Posted: Sun Oct 21, 2007 10:42 am    Post subject: Re: position of a new DC

DCs are already file servers (sysvol/Netlogon) so there's little issue with
that. Usually the objection is installing other client server software on
the DC, especially third party stuff. But you should then consider your
"file server" a Domain Controller and treat it as such security-wise.

--
/kj

tree leafs
Guest

Posted: Sun Oct 21, 2007 12:46 pm    Post subject: Re: position of a new DC

Thanks Kevin,
I believe Windows has all the ways to secure a DC/file server.

Austin Osuide
Guest

Posted: Sun Oct 21, 2007 2:42 pm    Post subject: Re: position of a new DC

Yes, Tree!
It's called Windows Small Business Server Edition.
Optimised to run several roles on the same box! Rolling your own in this
regard has its issues. That's all I'm saying.

Regards,

Austin

Austin Osuide
Guest

Posted: Sun Oct 21, 2007 2:42 pm    Post subject: Re: position of a new DC

Hi Tree/kj.
Just found this: http://support.microsoft.com/kb/555549.
It describes how you move a single WS03 DC role from one server to the other
in a single Domain.
It also seems to infer that the DC IS running as a File and Print server and
the only caveat is that the box isn't also running Exchange.
So Tree, I guess that answers your question. Again, I guess it depends on
what risks you are prepared to take in your environment and the cost of
mitigating those you wish to prevent.

HTH,

Regards,

Austin