Hi All,
It's a well trodden path (in these forums anyway) that I'm about to
discuss but I'd like to get our resident experts 10 cents worth on a
rather interesting issue I've run into.. I'm working at a client,
reviewing an AD design, where 2 support providers are providing a
migration path to an AD2003/Exchange 2003 solution (from NT4/Ex5.5). One
of the providers is responsible for AD (desktop/SMS/File and Print)
design and the other E-Mail design/deployment. This is a single
forest/single domain solution where both have agreed to work in concert,
together in the spirit of harmony and SLA's... There's a possibility
that proxy tools may be used (e.g. Aelita/Quest type tooling) to 'limit'
or delegate AD activities for each party, with these interfaces largely
limited to managing AD delegation of OU/user/group/machine objects ...
resource management (AV/Backup/SMS/DHCP/DNS/WINS etc) still requires
native or 3rd party tooling.
The problem lies in the fact that the client (on the advice of the
support provider) has opted for consolidating File and print / SMS/ AD
roles onto a single server at sites of up to around 200 users. Above
this size the solution scales out to multiple servers, but continues to
adhere to the principal of dual role, namely placing File and Print
together with domain controllers and/or SMS and IIS together with a
domain controller. In the legacy solution these roles were separated
onto different serves and the file and print locally managed (also
meaning that there's an awful lot of crap that will be migrated into AD
as a result of combining these roles into one box) ... The combined role
approach was given the green light largely for (I believe) cost reasons,
but I do have *ahem* a number of concerns with this approach.
Security
=====
- multiple roles on a single server and no-no's such as placing IIS and
SMS on a DC
- it tends to look at security from a 'top down' perspective (i.e. it's
a single AD provider therefore we're safe)... i don't think this flies
simply because of the implications of using 3rd party s/w such as
anti-virus and backup on dual-role servers where local admin rights are
required, which equates to domain admin rights; providing a rather
scary escalation path to being able to doing anything to anybody in the
domain. Scenarios where the AD provider outsources to another party
(e.g. in smaller countries)....if A (the client) trusts B (the support
provider) who trusts C (outsourcee), should A trust C? ... I knew trusts
would come in handy one day :-)
Stability
=====
- Print Services on domain controllers
- Migrating clutter off the legacy file and print into AD (10,000's
local/global groups)
- If there's a mail server on-site with a combined server then e-Mail
availability is linked to the whim and stability of file and print
services/IIS/SMS etc.
- Backup/Restore .. increased chance of human error where day-to-day
restore operations associated with File and Print may result in key
files being overwritten (relating to DC operations)
Availability
=======
- Reboots during the day are likely to be more numerous through bulking
up roles... affecting the whole office (e.g. AD replication gets stuck,
BITS kills IIS etc.)
Accountability
=========
- Difficult to prove anything was done by anybody at any time.
Performance
=========
- Means enabling write caching on a DC for the benefit of file and print
services (i.e. read-optimised RAID versus write-optimised RAID)
Possible solutions
============
1. Use VS2005 and virtual machines
2. Place File and Print alone on smaller sites with no DC, say up to 25
users and above that use separate DC and File and Print/SMS roles on
separate servers .
3. Buy SBS for each smaller site and setup x number of trusts to the
central sites :0)
4. Live with it and stop worrying
Am I being overly paranoid with this dual/triple role thing or is this
really as bad as it looks ? Does anyone actually advocate this as a
solution if they were given a greenfields choice?
I'd appreciate your candour and feedback...
Thanks,
Mylo
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
