Keep in mind you can run a DC for even a moderately sized org on a typical desktop machine.
Since DCs (except the FSMO role holders) are scale-out redundant, there's no reason not to add additional capacity by using desktop class machines.

--------
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, February 16, 2005 8:50 AM
> To: [email protected]
> Subject: RE: [ActiveDir] DC or not DC
>
> Yeah MS has always said best practice is not to put back office apps or IIS on domain controllers for as long as I can recall. Ditto file and print. There are possible resource and security issues.
>
> Then they have SBS.... SBS bothers me because you take everything MS has ever said and you say, hmmm, forget about it.... At that point, what do you and don't you listen to from MS? My thoughts? Listen to all of it but don't trust any of it until you have proven it yourself. I generally (there are exceptions to make the rule) consider anything from MS as propaganda until I have proven with my direct experience or it has been stated to me by my very few trusted advisors. Like if Dean tells me something, I tend to listen closely, I may argue, but I start from a losing position because if I don't agree it is probably because I don't understand through no fault of Dean's explanation. Many conversations I have with Dean start out with me thinking, oh shit, he expects I know what I am talking about with this functionality... With Rick, well you argue with Rick about everything because he is a hoot to argue with. With Deji... Check it twice - all of it. ;oP Tony... Never argue with Tony's dinner wine choice, never.
>
> My thoughts are that if you have a company small enough that SBS works for you, you probably won't have too many resource issues unless you have some serious power users. However security concerns will *always* be there simply because you are adding additional vectors. You can't add more services to service users and NOT open up more possible security holes. Additionally one of the methods for fixing replication hangs and such in AD is a reboot because attempting to stop and start the AD services is less than helpful. Tougher to do that when you have people using fixed services such as F&P, SQL, Exchange, etc as they tend to get cranky when the server side of the equation disappears.
>
> My personal reaction to anything but DHCP/DNS/WINS on a DC is sort of a blanched look and I don't even really like DHCP/WINS/DNS on the DC because I think that also raises the security vectors too much. Keep in mind, AD is the bastion of your enterprise security. Why give people holes to poke at to see if they can compromise the entire forest?
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
> Sent: Wednesday, February 16, 2005 11:24 AM
> To: [email protected]
> Subject: RE: [ActiveDir] DC or not DC
>
> If you have the resources on the box and cannot afford to purchase a new box for SQL or Exchange, then you are stuck with the only one option. However, I am a big believer of keeping the server roles separate. I find that the overhead of SQL (and even Exchange) is rather high during peak times. And, if SQL runs on the DC, this may cause latency issues with DNS lookups, group policy updates to clients and/or log in issues. I believe that Microsoft's best practices said to keep things separate. (But, I may be dreaming...Like I often do...) However, with everything that I have said, it is just my opinion and is dependent on how many users you have and if your company can afford the cost.
>
> *****************************************
> Steve Shaff
> Active Directory / Exchange Administrator
> Corillian Corporation
> (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
> Sent: Wednesday, February 16, 2005 7:01 AM
> To: [email protected]
> Subject: [ActiveDir] DC or not DC
>
> Last night I received the latest MCPMag email newsletter and always read the questions that people ask. I was kind of surprised by the opening sentence of the question. "I know that the Microsoft gospel is never to run Exchange, SQL Server, etc. on a domain controller." I've never seen or heard this before. I realize having the server be a DC would add some overhead, but what are the list's thoughts on this? Good or Bad?
>
> Thanks,
> Zo
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
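
An added example, not part of any message in this thread: one way to check an existing domain against the role-separation advice discussed above, by listing every DC that carries server roles beyond a baseline or runs SQL Server or Exchange services. It assumes the ActiveDirectory and ServerManager modules (RSAT), remote CIM access to the DCs, and a baseline list chosen here for illustration.

```powershell
# Added example: inventory extra roles and application services on each DC.
# Assumptions: RSAT modules installed, caller may query the DCs remotely.
Import-Module ActiveDirectory

# Assumed baseline: roles expected on every DC. FileAndStorage-Services is
# present by default on current Windows Server releases, so it is ignored here.
$baseline = 'AD-Domain-Services', 'DNS', 'FileAndStorage-Services'

# WQL filter for SQL Server (MSSQLSERVER, MSSQL$instance) and Exchange services.
$appFilter = "Name LIKE 'MSSQL%' OR Name LIKE 'MSExchange%'"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Installed top-level roles that are not in the baseline (IIS, DHCP, print, ...).
    $extraRoles = Get-WindowsFeature -ComputerName $dc.HostName |
        Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and
                       $_.Name -notin $baseline }

    # Back-office services, which are not Windows roles and need a service lookup.
    $appServices = Get-CimInstance -ClassName Win32_Service `
        -ComputerName $dc.HostName -Filter $appFilter

    [pscustomobject]@{
        DomainController = $dc.HostName
        # FSMO holders are the DCs the thread singles out as not scale-out redundant.
        FsmoHolder       = [bool]$dc.OperationMasterRoles.Count
        ExtraRoles       = ($extraRoles.Name -join ', ')
        AppServices      = ($appServices.Name -join ', ')
    }
}

# Show only DCs that host something beyond the baseline.
$report | Where-Object { $_.ExtraRoles -or $_.AppServices } |
    Sort-Object FsmoHolder -Descending | Format-Table -AutoSize
```

An empty result means no DC in the domain carries roles outside the baseline; tightening `$baseline` to `AD-Domain-Services` alone applies the stricter view joe describes.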
