Wednesday, June 19, 2019

active directory - Windows: Can domain controllers also serve other functions?



This question was a discussion about whether Active Directory is necessary to run Terminal Services. But a chain of answers and comments (mostly by me) brought up a related question around Domain Controllers.



It is clearly poor practice to have only one Domain Controller in an AD environment. It is also clearly best practice to have each domain controller on a separate (physical or virtual) single-function server. However, not everyone can follow best practices all of the time.




Is it OK to use servers filling other roles as domain controllers?



What things should be considered in determining whether to "dual-purpose" a server?



Does the domain controller role change how Windows operates on the file system or on the hardware?



Are there differences between versions of Windows Server?


Answer



You can and it works. I have about 40 branch offices and - for political reasons - a management decision was made to give each a full server infrastructure. For financial reasons it was a single-server environment in each, so it's all DC/File/Exchange (this was in the Windows 2000 days).




However, management of it is a nightmare, and my preferred rule is "a DC is a DC and nothing else goes on it". These are your most important servers, and if your AD goes funny you will have a horrible time getting it back right. If you can, give yourself the best chance of avoiding this by having dedicated DC roles. If you can't, beg, scream, whimper, bribe, threaten, prophesy, or whatever it takes to put yourself in a position where you can.

