I have to second that - I don't see many performance issues when the admin interface and the VS-host are separated. The mgmt traffic should be pretty low; the higher traffic is when connecting to a machine via RDP, VSRC or the web-based VSRC. Either way, they will cause the traffic between the VS-host and the machine where the admin is sitting, no matter where the webpage runs. And I'd usually recommend using RDP here - it provides higher performance (than VSRC) and the admin doesn't need to worry whether he's connecting to a real or a virtual machine - same interface.
Probably the transfer of the webpage causes way more traffic than managing the VS-guest with it. So you might get better performance / less WAN traffic if you put the webpage in your hub and only the VS-host w/o admin webpage in the branch office.

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
|Sent: Thursday, October 20, 2005 7:55 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
|
|Other than to set up the Virtual instances themselves, you will not ordinarily use the admin site to do much. After they are up and running, you will bring out either RDP or VMRC for doing all administration of the guest OS, and at that point the performance is very much independent of where the admin website is located.
|
|To directly answer your question (:)), I have not measured the performance personally. I have not had a reason to, given that my typical use for the admin website is as I have described above.
|
|Hope I make sense.
|
|Sincerely,
|
|Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
|Microsoft MVP - Directory Services
|www.readymaids.com - we know IT
|www.akomolafe.com
|Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of Phil Renouf
|Sent: Wed 10/19/2005 10:35 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Virtual Servers in Branch Offices
|
|Yeah, I was just wondering if you saw any issues with putting it on a box across a WAN link. I have never looked into that before so I was just wondering your opinion on it for my own curiosity.
|
|Phil
|
|On 10/19/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
|
|I don't get your drift. There is no requirement for the web server to be in the same location as the virtual server.
|
|Sincerely,
|
|Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of Phil Renouf
|Sent: Wed 10/19/2005 8:07 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Virtual Servers in Branch Offices
|
|Would you put the admin site on a server not at that location? Because if you wouldn't then that won't help much since if you had another server to put the admin site on at the remote location then that would be a good place to put the f/p services.
|
|Phil
|
|On 10/19/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
|
|You can separate the 2 roles. You can put the admin site on a non-dc server.
|
|Sincerely,
|
|Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of Al Mulnick
|Sent: Wed 10/19/2005 6:32 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
|
|Strange, I was just having this conversation today with a co-worker. :)
|
|My thoughts? I'd say make it a GC and put the f/p in the virtual. Why? Because you still need to protect the physical, but the virtual you can give out access to. The downside is that the virtual machine requires IIS (in Microsoft products) meaning you have a vector for attack. But nothing that requires changing the security otherwise for the GC.
|
|I prefer not to put IIS on a GC for security reasons, but if you can get away without it then I should think that this method would provide greater ability to secure it.
|Keep in mind that physical access is still warranted. It's just that you wouldn't have to worry about somebody taking the GC home on a USB key like they otherwise could ;)
|
|It's not pretty no matter which way you turn IMHO. Could be better.
|
|Al
|
|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
|Sent: Wednesday, October 19, 2005 11:42 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
|
|I assume you are referring to the fact that the host could be compromised over the network and the virtual hard drive or virtual machine itself simply copied. (Just for the record, this is covered in the white paper. Did not mean to imply that it is not. Security in this respect is referred over to NTFS permissions).
|
|So given that you could have a single physical machine at a branch office and that you must have a DC and F/P service, what is the preferred configuration?
|
|-- nme
|
|P.S. thanks for keeping this thread going.
|
|________________________________
|
|From: Dean Wells [mailto: [EMAIL PROTECTED] ]
|Sent: Tuesday, October 18, 2005 8:42 PM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
|
|"Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC?"
|
|<Dean>
|Virtual DCs effectively weaken the broader-definition of security in a number of ways including the context of physical access ...
|this is due primarily to the relative ease with which the entire DC's state can be duplicated, subsequently, becoming portable and reproduced in a running state elsewhere with little to no effort.
|
|The host machine has no bearing ... it's rather like saying "the rack in which the server is physically housed has to be a domain member" (or any further extension of that particular metaphor). Keep in mind the VM (for the most part) doesn't even realize it's virtual.
|</Dean>
|--
|Dean Wells
|MSEtechnology
|Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
|________________________________
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Noah Eiger
|Sent: Friday, October 14, 2005 12:01 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
|
|Thanks for the thoughts. And thanks Tony for the reference -- just finished reading it.
|
|Unfortunately, deploying the DC at HQ or simply authenticating over the WAN is not really an option. The WAN links are ok (and getting better) but are located in places where environmental (as in the weather) conditions often cause short interruptions.
|
|Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC? [1]
|
|Thanks again.
|
|-- nme
|
|[1] This sort of reminds me of the scene in Animal House when they talk about the "whole universe as we know it existing under the fingernail of some other giant being..." Whoa, dude!
|
|________________________________
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
|Sent: Thursday, October 13, 2005 12:48 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
|
|Other important factors in this scenario must be the physical and logical security of the server housing the DC role.
|
|1. Will the server be securely locked away in the branches? If not, do not deploy a DC.
|2. Do you trust the file server admins to have physical access to the server hosting the DC role?
|3. Who administers the server that hosts the file and DC roles? Are they also trusted?
|
|When designing the branch office, I would always ask the questions below, too:
|1. Is a local DC required? i.e. what are the drawbacks if a DC is not deployed?
|2. Is logon/startup traffic over the WAN larger than replication traffic over the WAN? If not, consider not deploying a local DC.
|3. Does a local DC offer redundancy in the event of a WAN failure? If other apps are accessed over the WAN, then consider deploying the DC at a central location and not at the branch.
|
|hth,
|neil
|
|___________________________
|Neil Ruston
|Global Technology Infrastructure
|Nomura International plc
|
|________________________________
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
|Sent: 13 October 2005 01:12
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
|
|Here's a link to a Microsoft document that covers what you need to do to run a production DC on Virtual Server 2005.
|
|http://tinyurl.com/5enjd
|
|Tony
|
|________________________________
|
|From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Noah Eiger
|Sent: Thursday, 13 October 2005 11:30 a.m.
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Virtual Servers in Branch Offices
|
|Hi -
|
|Just to follow up on the design thread.... Since I am placing DCs in small branch offices is there a value in using Virtual Server 2005 to create separate virtual boxes (DC & file server) running on the same physical box? Some users have administrative access to the file server, and I'd love to keep them off the DCs. I am also curious about optimal physical and virtual drive configurations for such a box.
|
|I reviewed the thread here about Virtual Domain Controllers but it seemed to focus on using them as backups. I am talking about production.
|
|Any thoughts most welcome.
|
|-- nme

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/