Multi-Role Domain controller

  • Question

  • Hi All,

    I am designing and building a new active directory infrastructure for my company.

    I have a server ready and we need AD DS, DNS, File Service, Print Service, Network Policy service and WSUS on one server.

    I have heard it is bad practice to install more than one role on a Domain Controller and they should only have the AD DS and DNS roles to provide the best security and performance.

    Is this true?

    I have looked all over the Microsoft site but cannot find any reference to this.

    Can anyone provide me with a reference to this, or any advantages or disadvantages to installing more than one role on a server.

    Thanks in advance.

    Tim

    Monday, October 24, 2011 4:28 PM

All replies

  • It actually depends on the specific roles. It's not advised to install additional NICs, IP addresses, and/or RRAS/NPS on a DC due to the additional records that will get registered into DNS. This is problematic:

    Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, and/or PPPoE adapters -
    A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly. (Microsoft does not recommend or support machines with teamed NICs, DCs or not.)
    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

    As for DNS, DHCP, WINS, being a file and print server, and WSUS, that's doable, but you'll need to spec it up a bit with RAM, faster or multi processors, gigabit NICs (switch to handle it), etc, to handle the additional CPU load, disk and network activity (WSUS, Print and file services).

    If you have a company with fewer than 75 users, and budgeted for only one server, I would suggest looking into SBS 2011, which is specifically designed for, and can handle, everything you want on one server, as you've described.

    www.microsoft.com/sbs

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Patris_70 Monday, October 24, 2011 5:51 PM
    • Marked as answer by Elytis Cheng Monday, October 31, 2011 3:09 AM
    Monday, October 24, 2011 4:46 PM
  • Hi,

    I have heard it is bad practice to install more than one role on a Domain Controller and they should only have the AD DS and DNS roles to provide the best security and performance.
     
    Is this true?
    In short, can you do it? Yes, you can and it works.

    There are no hard and fast rules; it completely depends upon your environment.

    SBS is an exception; it works well up to 75 users. For other editions (Standard, Enterprise, etc.) AD DS, DHCP, WINS and DNS are fine on one box. You can also turn your domain controller into a file and print server, but in a larger environment installing the file and print services on the Domain Controller is considered a security threat.

    My personal opinion is:
    I would generally run DNS and DHCP on Domain Controller(s), and have at least two DCs, which allows you to split the operations master roles, and you should always have at least two global catalogues - but taking into account that the infrastructure master shouldn't be a GC.

    Also I would highly discourage anyone from running more demanding services, such as a web server (IIS or Apache, etc.) or databases of any sort, which WSUS uses.
     
    Hope this helps.
     
    Regards,
    Abhijit Waikar.
     -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    • Proposed as answer by Ace Fekay [MCT] Monday, October 24, 2011 8:41 PM
    • Marked as answer by Elytis Cheng Monday, October 31, 2011 3:09 AM
    Monday, October 24, 2011 5:03 PM
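The points in this reply (split operations master roles across at least two DCs, keep at least two global catalogues, don't make the infrastructure master a GC, keep file/print, IIS and WSUS off the DCs) can be checked against a live forest rather than from memory. The script below is an added example and is not part of the thread or of any Microsoft tooling. It assumes the ActiveDirectory module (RSAT), PowerShell 3.0 or later, and PowerShell remoting to each DC; the feature names in $RolesToFlag are assumptions for the Windows version in use and should be checked against Get-WindowsFeature on your own servers. The infrastructure master / GC conflict only matters when some DCs in a domain are not GCs, so the check flags that combination rather than the GC flag alone.

```powershell
# Added example, not from the thread. Audits operations master placement,
# GC coverage per domain, and "extra" roles installed on DCs.
# Assumes: ActiveDirectory module, PowerShell 3.0+, PS remoting to each DC.
# $RolesToFlag holds assumed feature names; adjust for your Windows version.
Import-Module ActiveDirectory

$RolesToFlag = @(
    'FS-FileServer', 'Print-Services', 'Print-Server',   # file and print
    'Web-Server', 'UpdateServices',                      # IIS, WSUS (2012+ role name)
    'NPAS', 'NPAS-Policy-Server', 'RemoteAccess'         # NPS / RRAS
)

function Get-FsmoPlacement {
    # Forest-wide roles, then the three per-domain roles for every domain.
    $forest = Get-ADForest
    $report = [ordered]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        $report["$domainName PDCEmulator"]          = $d.PDCEmulator
        $report["$domainName RIDMaster"]            = $d.RIDMaster
        $report["$domainName InfrastructureMaster"] = $d.InfrastructureMaster
    }
    [pscustomobject]$report
}

function Test-GcPlacement {
    # Problem = infrastructure master is a GC while some DCs in the domain are
    # not GCs (if every DC is a GC, placement is irrelevant), or fewer than two GCs.
    foreach ($domainName in (Get-ADForest).Domains) {
        $d       = Get-ADDomain -Identity $domainName
        $dcs     = @(Get-ADDomainController -Filter * -Server $domainName)
        $im      = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
        $gcCount = @($dcs | Where-Object { $_.IsGlobalCatalog }).Count
        $allGc   = ($gcCount -eq $dcs.Count)
        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $d.InfrastructureMaster
            InfraMasterIsGc      = [bool]$im.IsGlobalCatalog
            GlobalCatalogs       = $gcCount
            DomainControllers    = $dcs.Count
            Problem              = ([bool]$im.IsGlobalCatalog -and -not $allGc) -or ($gcCount -lt 2)
        }
    }
}

function Get-ExtraRolesOnDcs {
    # Ask each DC which features are installed and flag the ones the thread
    # advises keeping off a domain controller.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $installed = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Import-Module ServerManager
            Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object { $_.Name }
        }
        $flagged = @($installed | Where-Object { $RolesToFlag -contains $_ })
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsGlobalCatalog  = $dc.IsGlobalCatalog
            FlaggedRoles     = ($flagged -join ', ')
        }
    }
}

Get-FsmoPlacement   | Format-List
Test-GcPlacement    | Format-Table -AutoSize
Get-ExtraRolesOnDcs | Format-Table -AutoSize
```

Run it from a management workstation as a domain admin. A non-empty FlaggedRoles column is the concrete version of "more than AD DS and DNS on a DC" that the original question asks about; the Problem column in the GC table is true only for a placement that actually needs changing.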
  • I also agree about running ANY services requiring the use of IIS on a DC, such as WSUS.

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Elytis Cheng Monday, October 31, 2011 3:08 AM
    Monday, October 24, 2011 8:42 PM
  • Thanks for the replies.

    When researching I found this: Increase File Server Performance

    This refers to SMB packet replay attacks and man-in-the-middle attacks.

    It also states that the Domain Controller will serialize the network traffic, which will impact the performance of the server.

    But I cannot find any other reference to this.

    The server I have already has a full licence of Windows Server 2008 R2 Enterprise.

    Maybe a better solution would be to install Hyper-V on the server and virtualize the Domain Controllers and file/print server. This way I can even out the load on the server and utilize the multiple NICs without the interference highlighted by Ace Fekay.

    Would this be a better path, or am I going to overcomplicate a relatively simple deployment?

     

    Tuesday, October 25, 2011 10:35 AM
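The control behind the SMB replay and man-in-the-middle attacks the article mentions is SMB signing, and the Default Domain Controllers Policy sets "Microsoft network server: Digitally sign communications (always)" to Enabled on every DC, which is why file serving from a DC carries a cost that a member server may not. Both the "(always)" and "(if client/server agrees)" policies land in two registry values under LanmanServer and LanmanWorkstation, so the effective state can be read directly. The script below is an added example, not part of the thread; the server names in $Servers are assumptions, and it needs PowerShell remoting to the targets.

```powershell
# Added example, not from the thread. Reports the SMB signing state actually
# in effect on each server (server side and client side), plus whether the box
# is a DC, so a DC can be compared with a member file server.
# Assumes: PS remoting to each target. $Servers holds assumed names.
$Servers = @('DC01', 'FS01')   # assumed names; replace with your own

function Get-SmbSigningState {
    param([string[]]$ComputerName)

    $script = {
        $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

        # RequireSecuritySignature = "Digitally sign communications (always)"
        # EnableSecuritySignature  = "Digitally sign communications (if ... agrees)"
        # A value that is absent is reported as 0 (policy not set).
        function Read-Dword($path, $name) {
            $p = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $p) { 0 } else { [int]$p.$name }
        }

        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
        $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole

        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            IsDomainController  = ($role -ge 4)
            ServerRequiresSign  = [bool](Read-Dword $srv 'RequireSecuritySignature')
            ServerEnablesSign   = [bool](Read-Dword $srv 'EnableSecuritySignature')
            ClientRequiresSign  = [bool](Read-Dword $wks 'RequireSecuritySignature')
            ClientEnablesSign   = [bool](Read-Dword $wks 'EnableSecuritySignature')
        }
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $script |
        Select-Object Computer, IsDomainController,
                      ServerRequiresSign, ServerEnablesSign,
                      ClientRequiresSign, ClientEnablesSign
}

Get-SmbSigningState -ComputerName $Servers | Format-Table -AutoSize
```

On a DC you should see ServerRequiresSign = True from the Default Domain Controllers Policy; if that shows False, someone has overridden the default and the DC is accepting unsigned SMB sessions. Moving the file shares to a member server (or a separate VM, as the follow-up suggests) is what lets you decide signing for file traffic separately from signing for the DC's own SYSVOL and Netlogon shares.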
  • Hi,

    That is a good option: virtualize the domain controller and file/print server separately on Hyper-V.

    As Ace suggested, Domain controllers should have 1 NIC and 1 IP address.
    Make sure that:
    1. Each DC / DNS server points to its private IP address as the primary DNS server and to other internal DNS servers as secondary ones
    2. Each DC has just one IP address
    3. Contact your ISP, get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings.
    4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS and NETLOGON services on each DC.

    Also check the blog entry below by Jorge, Time Sync Recommendations For Virtual DCs On Hyper-V – Change In Recommendations. At the end of the page there are some additional links for time configuration.

    http://jorgequestforknowledge.wordpress.com/2011/09/14/time-sync-recommendations-for-virtual-dcs-on-hyper-v-change-in-recommendations/


    Hope this helps.
     
    Regards,
    Abhijit Waikar.
     -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    • Marked as answer by Elytis Cheng Monday, October 31, 2011 3:09 AM
    Tuesday, October 25, 2011 11:12 AM
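Ace's warning earlier in the thread (a second NIC or second IP on a DC gets registered into DNS and handed to clients) and the four-point checklist in this reply are the same configuration looked at from two sides, so one script can check both. The script below is an added example, not part of the thread. It runs on the DC itself as an administrator, assumes PowerShell 3.0 or later with the DnsServer, NetTCPIP and ActiveDirectory modules (Server 2012 or later), and only performs the flush/register/restart step when the configuration checks come back clean. The assumed names are only the $env:COMPUTERNAME and domain it reads from the box.

```powershell
# Added example, not from the thread. Checks this DC for: one active NIC, one
# IPv4 address, DNS client list = this DC first then other internal DNS servers,
# ISP resolvers only as DNS Server forwarders, and no A records registered for
# this host that point at an address it no longer has. Then does step 4.
# Assumes: run on the DC, PowerShell 3.0+, DnsServer/NetTCPIP/ActiveDirectory modules.
Import-Module DnsServer
Import-Module ActiveDirectory

function Test-DcNetworkConfig {
    $domain   = (Get-ADDomain).DNSRoot
    $self     = $env:COMPUTERNAME
    $internal = @(Get-ADDomainController -Filter * | ForEach-Object { $_.IPv4Address })

    $adapters = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
    # PrefixOrigin 'WellKnown' covers loopback and APIPA addresses; drop them.
    $ipv4     = @(Get-NetIPAddress -AddressFamily IPv4 |
                  Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
                  ForEach-Object { $_.IPAddress })
    $dnsList  = @((Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses.Count -gt 0 }).ServerAddresses)
    $forwarders = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })

    $findings = @()
    if ($adapters.Count -gt 1) {
        $findings += "Multihomed: $($adapters.Count) active NICs ($($adapters.Name -join ', '))"
    }
    if ($ipv4.Count -gt 1) {
        $findings += "More than one IPv4 address: $($ipv4 -join ', ')"
    }
    if ($dnsList.Count -eq 0 -or $dnsList[0] -notin $ipv4) {
        $findings += "Primary DNS server is not this DC (got '$($dnsList[0])')"
    }
    foreach ($s in $dnsList) {
        if ($s -notin $internal -and $s -notin $ipv4) {
            $findings += "Non-internal DNS server in TCP/IP settings: $s"
        }
    }
    if ($forwarders.Count -eq 0) {
        $findings += "No forwarders configured; external lookups will use root hints"
    }

    # A records this DC has registered for itself. Any address that is not on
    # the box now is a stale or second-NIC address that clients may be handed.
    $aRecords = @(Get-DnsServerResourceRecord -ZoneName $domain -Name $self -RRType A -ErrorAction SilentlyContinue)
    $extra = @($aRecords |
               ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString } |
               Where-Object { $_ -notin $ipv4 })
    if ($extra.Count -gt 0) {
        $findings += "A records for $self that are not a current address: $($extra -join ', ')"
    }

    [pscustomobject]@{
        Computer   = $self
        ActiveNICs = $adapters.Count
        IPv4       = ($ipv4 -join ', ')
        DnsClient  = ($dnsList -join ', ')
        Forwarders = ($forwarders -join ', ')
        Findings   = $findings
    }
}

function Update-DcDnsRegistration {
    # Step 4 from the post: flush, re-register, then restart DNS and Netlogon
    # so the host and _msdcs SRV records are rewritten from the current config.
    ipconfig /flushdns    | Out-Null
    ipconfig /registerdns | Out-Null
    Restart-Service -Name DNS      -Force
    Restart-Service -Name Netlogon -Force
}

$result = Test-DcNetworkConfig
$result | Format-List
if ($result.Findings.Count -eq 0) {
    Update-DcDnsRegistration
} else {
    Write-Warning "Fix the findings above before re-registering DNS records."
}
```

The ordering matters: re-registering while a second NIC or a public resolver is still configured just writes the wrong records back, which is the failure mode Ace's multihomed-DC post describes. Run the check on every DC, not only the one you are building.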