Ouch... we had a company suggest that to us (when I was contracting for
the Navy)... yeah it's cheaper up front but really, what does a server
cost compared to the admin cost, potential lost productivity cost, and
security risks inherent in that (false efficiency)??  If they're having
you review it at all, then you should have SOME pull anyway, and I think
your inclinations are correct - stack everything else if you HAVE to but
pull the DCs off, or at least use VS or VMWare to keep them separate.

I've seen them suggest one big cluster at each site with everything
stacked on it.  Somehow they miss that if you have to reboot for
anything, everything goes down.  Plus the fact everyone and their
Hungarian cousin needs admin rights on the DC, and you might as well,
um, ok non-pc simile omitted.

BTW I think Susan or Brian pointed out that trusts are disabled on
SBS...

Rich

---------------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---------------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Thursday, October 06, 2005 1:44 PM
To: [email protected]
Subject: [ActiveDir] Server Roles

Hi All,

It's a well trodden path (in these forums anyway) that I'm about to
discuss, but I'd like to get our resident experts' 10 cents' worth on a
rather interesting issue I've run into. I'm working at a client,
reviewing an AD design, where 2 support providers are providing a
migration path to an AD2003/Exchange 2003 solution (from NT4/Ex5.5). One
of the providers is responsible for AD (desktop/SMS/File and Print)
design and the other for E-Mail design/deployment. This is a single
forest/single domain solution where both have agreed to work in concert,
together in the spirit of harmony and SLAs... There's a possibility
that proxy tools may be used (e.g. Aelita/Quest type tooling) to 'limit'
or delegate AD activities for each party, with these interfaces largely
limited to managing AD delegation of OU/user/group/machine objects...
resource management (AV/Backup/SMS/DHCP/DNS/WINS etc.) still requires
native or 3rd party tooling.

The problem lies in the fact that the client (on the advice of the
support provider) has opted for consolidating File and Print/SMS/AD
roles onto a single server at sites of up to around 200 users. Above
this size the solution scales out to multiple servers, but continues to
adhere to the principle of dual role, namely placing File and Print
together with domain controllers and/or SMS and IIS together with a
domain controller. In the legacy solution these roles were separated
onto different servers and the file and print locally managed (also
meaning that there's an awful lot of crap that will be migrated into AD
as a result of combining these roles into one box)... The combined role
approach was given the green light largely for (I believe) cost reasons,
but I do have *ahem* a number of concerns with this approach.

Security
=====
- multiple roles on a single server and no-no's such as placing IIS and
SMS on a DC
- it tends to look at security from a 'top down' perspective (i.e. it's
a single AD provider therefore we're safe)... I don't think this flies
simply because of the implications of using 3rd party s/w such as
anti-virus and backup on dual-role servers where local admin rights are
required, which equates to domain admin rights; providing a rather
scary escalation path to being able to do anything to anybody in the
domain. Scenarios where the AD provider outsources to another party
(e.g. in smaller countries)... if A (the client) trusts B (the support
provider) who trusts C (outsourcee), should A trust C? ... I knew trusts
would come in handy one day :-)

Stability
=====
- Print Services on domain controllers
- Migrating clutter off the legacy file and print into AD (10,000's 
local/global groups)
- If there's a mail server on-site with a combined server then e-Mail 
availability is linked to the whim and stability of file and print 
services/IIS/SMS etc.
- Backup/Restore .. increased chance of human error where day-to-day 
restore operations associated with File and Print may result in key 
files being overwritten (relating to DC operations)

Availability
=======
- Reboots during the day are likely to be more numerous through bulking
up roles... affecting the whole office (e.g. AD replication gets stuck,
BITS kills IIS etc.)

Accountability
=========
- Difficult to prove anything was done by anybody at any time.

Performance
=========
- Means enabling write caching on a DC for the benefit of file and print
services (i.e. read-optimised RAID versus write-optimised RAID)

Possible solutions
============
1. Use VS2005 and virtual machines
2. Place File and Print alone on smaller sites with no DC, say up to 25 
users and above that use separate DC and File and Print/SMS  roles on 
separate servers .
3. Buy SBS for each smaller site and set up x number of trusts to the
central sites :0)
4. Live with it and stop worrying

Am I being overly paranoid with this dual/triple role thing or is this
really as bad as it looks? Does anyone actually advocate this as a
solution if they were given a greenfields choice?
I'd appreciate your candour and feedback...

Thanks,
Mylo
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
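The security concern in the original post (a file/print, IIS or SMS role sharing a box with a DC, where anyone needing "local admin" for backup or AV tooling is in fact a domain admin) is something a reviewer can check for rather than argue about. The script below is an added example, not code from either poster or from the ActiveDir list; it inventories every DC in the domain for co-located roles and lists the members of the built-in groups that carry admin-equivalent rights on a DC. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 and later, so newer tooling than the 2005 thread) and CIM access to each DC; the table mapping service names to roles, and the list of "expected" DC shares, are assumptions for this example and should be adjusted to the environment.

```powershell
# Added example, not from the thread: find non-DC roles running on DCs and
# show who effectively holds domain-wide admin rights through a DC's
# built-in groups. Assumes RSAT ActiveDirectory module and CIM (WinRM/DCOM)
# access to every DC; role/service mapping below is an assumption.
Import-Module ActiveDirectory

# Service name -> role it indicates. Assumed mapping for this example.
$RoleServices = @{
    'Spooler'       = 'Print Services'
    'W3SVC'         = 'IIS web server'
    'CcmExec'       = 'SMS/SCCM client agent'
    'SMS_EXECUTIVE' = 'SMS/SCCM site server'
    'DHCPServer'    = 'DHCP server'
}

# Shares every DC legitimately exposes; any other disk share suggests a
# file server role has been stacked on the DC.
$ExpectedShares = @('SYSVOL', 'NETLOGON')

# A DC has no separate local SAM, so membership in these built-in groups is
# not "local admin" on one box but admin-equivalent access to the directory.
$SensitiveGroups = @('Administrators', 'Server Operators',
                     'Backup Operators', 'Print Operators')

function Get-DcRoleFindings {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $dcName = $dc.HostName

        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $dcName `
                        -ErrorAction SilentlyContinue
        if (-not $services) {
            Write-Warning "Could not query services on $dcName"
            continue
        }

        # Report each running service that maps to a non-DC role.
        foreach ($svc in $services) {
            if ($RoleServices.ContainsKey($svc.Name) -and $svc.State -eq 'Running') {
                [pscustomobject]@{
                    DC = $dcName; Kind = 'Service'
                    Item = $svc.Name; Detail = $RoleServices[$svc.Name]
                }
            }
        }

        # Win32_Share Type 0 is a plain disk share; admin shares (C$, ADMIN$)
        # carry the high bit in Type and are therefore skipped here.
        $shares = Get-CimInstance -ClassName Win32_Share -ComputerName $dcName `
                      -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 0 -and $ExpectedShares -notcontains $_.Name }
        foreach ($share in $shares) {
            [pscustomobject]@{
                DC = $dcName; Kind = 'Share'
                Item = $share.Name; Detail = $share.Path
            }
        }
    }
}

function Get-DcAdminEquivalentMembers {
    foreach ($group in $SensitiveGroups) {
        # -Recursive flattens nested groups so a service account granted
        # rights one level down (e.g. via a "Backup Admins" group) still shows.
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object {
                [pscustomobject]@{
                    Group = $group; Member = $_.SamAccountName; Class = $_.objectClass
                }
            }
    }
}

# Usage: run from a workstation with RSAT as a user allowed to query the DCs.
Get-DcRoleFindings | Format-Table -AutoSize
Get-DcAdminEquivalentMembers | Sort-Object Group, Member | Format-Table -AutoSize
```

The first table answers the "Security" and "Stability" bullets directly (a Spooler or W3SVC line, or a non-SYSVOL disk share, on a DC is the stacked role the post objects to); the second makes the escalation path concrete, since every account or nested group it lists for the backup or AV tooling is, in effect, a domain-level administrator rather than a local one.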

