I would have a couple of concerns with this but if you know what you are
getting yourself into I am all for it.

The concerns would be

1. Desktop class hardware usually doesn't have the really high quality disk
systems. I really do like a good hardware RAID for domain controllers. 

2. If the desktop machine is too low level and starts to get bogged it can
have impact upstream on your hub bridgeheads. Keep in mind that every DC has
to pull from their partners. When it does that, it is stuck with a single
thread doing that pulling. If the partner it is pulling from is bogged down,
the hub bridgehead will bottleneck up. I have seen some extreme cases of
this with remote sites having serious network issues and the hub bridgehead
getting into a near hung state for the inbound replication thread. It allows
other DCs to pull from it but isn't getting any new changes from any other
DCs (only changes mastered directly on it) so the downstreams pulling from
it really aren't getting updates.

  joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, February 17, 2005 11:05 PM
To: [email protected]
Subject: RE: [ActiveDir] DC or not DC

Keep in mind you can run a DC for even a moderately sized org on a typical
desktop machine.

Since DC's (except the FSMO role holders) are scale-out redundant, there's
no reason not to add additional capacity by using desktop class machines.

--------
Roger Seielstad
E-mail Geek & MS-MVP  

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Wednesday, February 16, 2005 8:50 AM
> To: [email protected]
> Subject: RE: [ActiveDir] DC or not DC
> 
> Yeah MS has always said best practice is not to put back office apps 
> or IIS on domain controllers for as long as I can recall. Ditto file 
> and print.
> There are possible resource and security issues. 
> 
> Then they have SBS.... SBS bothers me because you take everything MS 
> has ever said and you say, hmmm, forget about it.... At that point, 
> what do you and don't you listen to from MS? My thoughts? Listen to 
> all of it but don't trust any of it until you have proven it yourself. 
> I generally (there are exceptions to make the rule) consider anything 
> from MS as propaganda until I have proven with my direct experience or 
> it has been stated to me by my very few trusted advisors.
> Like if Dean tells me something, I tend to listen closely, I may 
> argue, but I start from a losing position because if I don't agree it 
> is probably because I don't understand through no fault of Dean's 
> explanation. Many conversations I have with Dean start out with me 
> thinking, oh shit, he expects I know what I am talking about with this 
> functionality... With Rick, well you argue with Rick about everything 
> because he is a hoot to argue with. With Deji... Check it twice - all 
> of it.
> ;oP  Tony... Never argue with Tony's dinner wine choice, never. 
> 
> My thoughts are that if you have a company small enough that SBS works 
> for you, you probably won't have too many resource issues unless you 
> have some serious power users. However security concerns will *always* 
> be there simply because you are adding additional vectors. You can't 
> add more services to service users and NOT open up more possible 
> security holes.
> Additionally one of the methods for fixing replication hangs and such 
> in AD is a reboot because attempting to stop and start the AD services 
> is less than helpful.
> Tougher to do that when you have people using fixed services such as 
> F&P, SQL, Exchange, etc as they tend to get cranky when the server 
> side of the equation disappears.
> 
> My personal reaction to anything but DHCP/DNS/WINS on a DC are sort of 
> a blanched look and I don't even really like DHCP/WINS/DNS on the DC 
> because I think that also raises the security vectors too much. Keep 
> in mind, AD is the bastion of your enterprise security. Why give 
> people holes to poke at to see if they can compromise the entire 
> forest?
> 
>   joe
> 
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
> Sent: Wednesday, February 16, 2005 11:24 AM
> To: [email protected]
> Subject: RE: [ActiveDir] DC or not DC
> 
> If you have the resources on the box and can not afford to purchase a 
> new box for SQL or Exchange, then you are stuck with the only one 
> option.
> However, I am a big believer of keeping the server roles separate.  I 
> find that the overhead of SQL (and even Exchange) is rather high 
> during peak times.  And, if SQL runs on the 
> DC, this may cause latency issues with DNS lookups, group policy 
> updates to clients and/or log in issues.  I believe that Microsoft's 
> best practices said to keep things separate.  (But, I may be 
> dreaming...Like I often do...) However, with everything that I have 
> said, it is just my opinion and is dependent on how many users you 
> have and if your company can afford the cost.
> 
> *****************************************
> Steve Shaff
> Active Directory / Exchange Administrator Corillian Corporation
> (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674
>  
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
> Sent: Wednesday, February 16, 2005 7:01 AM
> To: [email protected]
> Subject: [ActiveDir] DC or not DC
> 
> 
> Last night I received the latest MCPMag email newsletter and always 
> read the questions that people ask. I was kind of surprised by the 
> opening sentence of the question. "I know that the Microsoft gospel is 
> never to run Exchange, SQL Server, etc. on a domain controller." I've 
> never seen or heard this before. I realize having the server be a DC 
> would add some overhead, but what are the list's thoughts on this?
> Good or Bad?
> 
> Thanks,
> Zo
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/