For your first question, you can find Microsoft's Branch Office
Infrastructure Solution (BOIS) here:
http://www.microsoft.com/technet/itsolutions/branch/default.mspx

In short, and more direct for your question, some organizations are
deploying a single server solution to a branch office/remote site which,
as an example, is a domain controller running VS2005 with VMs
representing other local servers/services that might be required (i.e.
File and Print, web caching, etc.). Using this approach, your Domain
Admins continue to be responsible for the physical machine and the
Domain Controller itself, however your local admin can fully administer
the other servers living within VMs (via RDP or remote tools) without
compromising the security of the DC.  This of course assumes that VS2005
does not contain a flaw that allows a guest to host breach. :)

As for performance, I do not have any concrete numbers, but you will
most certainly take a performance hit on both your host and your guests
when using virtualization.  I think your statement of 50-60% is quite
high based on my experience, but then again YMMV depending on what the
environment is hosting and what the end-user demands are and what the
host hardware configuration looks like.  (I prefer an x64 system with a
small array of disks - like the HP Proliant DL385 for ~$3500US.)
Regardless, in small remote sites performance is typically not critical
and nearly any server class system will perform adequately as a DC and a
VS2005 host. Keep in mind the small remote office solutions often have
two common single points of failure - the server (in a single server
solution) and the network.  The failure of either can have a significant
impact on the end-users...

Regards,

Aric Bernard




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

It'd be interesting to hear what solutions are in place in larger 
enterprise environments (for small remote sites). IMO, the hybrid 
DC/File and Print in one box, for remote sites, sounds nasty because:

1. There's no local sam .... so a 'local' administrator needs to be 
built-in administrator in AD.. I guess that's fine if your domain 
admin=F&P Admin but if not....
2. If your file and print server contains loads of local groups etc... 
that becomes part of  AD database.... I know that this is less of an 
issue under Win2K3 versus Win2k/NT4, but if you're in a largish 
organisation dealing with 100+ sites, each with a hybrid FAP/DC  with 
lots of groups and users that meet this criteria...I guess you wouldn't 
want to add the bloat to your AD if you can avoid it.

Any other reasons?

On the other side, what sort of performance hit do you get 
virtualising... GSX, I get around 50-60% of real life, subject to the 
number of Guests running and server role, and can't afford ESX so can't 
comment :-)

Regards,
Mylo

Seely Jonathan J wrote:

> Thanks, Brad.  That is very good to hear.  I also appreciate the tips.
>  
> JJ
>
>
------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad
> *Sent:* Tuesday, August 09, 2005 3:09 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Virtual Domain Controllers
>
> We run multiple DCs on GSX and ESX.  Everything seems to have gone fine 
> so far, and MS will give their best endeavours on support. Most of the 
> time they don't even ask us if the DC is virtual ;-)
>  
> Also, ensure that the time sync capability is disabled in the VMWare 
> Tools, and that the DC boots up completely before the file and print, 
> so that the file and print can authorise itself against it.  Otherwise 
> the F&P may take up to half an hour (or thereabouts) to realise it can 
> now contact a DC for file/print access authorisation.
>
>
------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of 
> *Grillenmeier, Guido
> *Sent:* Monday, August 08, 2005 12:16 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Virtual Domain Controllers
>
> hehe - single DC - must have overread that - I would have called that 
> to be a problem in itself ;-) 
> But then again it's only for 10 users and likely ok.  As such, I even 
> doubt that SID reissue is much of a problem as this environment is 
> likely rather static rgd. new objects in AD ;-)
>
>
------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of *joe
> *Sent:* Sonntag, 7. August 2005 00:43
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Virtual Domain Controllers
>
> Well since it is a single domain and a single DC I would say he really 
> doesn't have a worry about USN rollbacks but he does have a possible 
> concern with SID reissue.
>  
>
>
------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of 
> *Grillenmeier, Guido
> *Sent:* Saturday, August 06, 2005 5:47 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Virtual Domain Controllers
>
>> Since it's a single domain server I just take ghost snapshots of the 
>> domain and then backup the files
>  
> not really a useful approach to backup a DC. Might be ok for FS and 
> other roles, but DCs are not really cool with snapshotting and being 
> "rolled back in time" due to the distributed nature of the data they 
> store. You could easily cause USN rollback during recovery of a DC 
> stored in this fashion (at least SP1 protects the rest of your DCs now 
> by turning off in- and outbound replication and disabling the 
> netlogon-service if it finds a DC that has a USN rollback status).
>  
> But for AD Backup/Restore you'd be much better off to work with normal 
> SystemState backup/restore. Which is another reason why it's nice to 
> have it on a separate box (virtual or hardware).
>  
> /Guido
>
>
------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Matt Brown
> *Sent:* Samstag, 6. August 2005 02:47
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Virtual Domain Controllers
>
> I run a single DC in a small environment... only about 10 users, and 
> since it's just a single server office, and single DC domain... I just 
> run everything on the domain controller.  Domain, DNS, File, Print, 
> and Accounting Software on the same server... no VMware... although I 
> considered it.  Since it's a single domain server I just take ghost 
> snapshots of the domain and then backup the files.
>  
> Seems to work pretty good, as it's been running solid for about a year 
> now.
>  
>
> Thanks,
>
> --
>
> Matt Brown [EMAIL PROTECTED]
> Consultant for Student Technology Fee
> website: http://techfee.ewu.edu/
> +--------------------------------------+
> | 509.359.6972 ph. - 509.359.7087 fx
> | 307 MONROE HALL | Cheney, WA 99004
> +--------------------------------------+
>
>  
>
>
------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] *On Behalf Of 
> [EMAIL PROTECTED]
> *Sent:* Friday, August 05, 2005 3:36 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Virtual Domain Controllers
>
> Could you just do the file/print on the DC?  In a small environment 
> you could probably get away with it.
>
> Al Maurer
> Service Manager, Naming and Authentication Services
> IT | Information Technology
> Agilent Technologies
> (719) 590-2639; Telnet 590-2639
> http://activedirectory.it.agilent.com 
> <http://activedirectory.it.agilent.com/>
> ----------------------------------------------
> A good plan today is better than a perfect plan tomorrow.
>
> -----Original Message-----
> *From:* [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] Behalf Of *Seely Jonathan J
> *Sent:* Friday, August 05, 2005 12:54 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Virtual Domain Controllers
>
> Hi All,
>
> I have a question about running DCs on GSX server.  I understand that 
> MS does not support this configuration, but I've heard that many 
> people are running DCs in this fashion.  Can anyone give some advice 
> in this arena?  The idea here is to do VM for a file/print, and 
> another one for a DC in our remote sites.  Currently, we've got 
> different hardware for each box, but we're trying to consolidate a bit 
> out there.
>
> Thank you.
>
> JJ Seely
> Systems Administrator
> Oregon Department of Justice
> Division of Child Support
> (503) 378-4500 x22277
> [EMAIL PROTECTED]
>
> *****CONFIDENTIALITY NOTICE*****
>
> This e-mail may contain information that is privileged, confidential, 
> or otherwise exempt from disclosure under applicable law. If you are 
> not the addressee or it appears from the context or otherwise that you 
> have received this e-mail in error, please advise me immediately by 
> reply e-mail, keep the contents confidential, and immediately delete 
> the message and any attachments from your system.
>
> ************************************

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
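
A toy model of the two failure modes raised in this thread, USN rollback and SID reissue after a DC is restored from a disk image. It is an added illustration, not code from any poster and not Active Directory's implementation; the `DC` class, its fields and the starting RID of 1000 are constructed assumptions.

```python
# Toy model (constructed) of a DC restored from a disk image.
# Not Active Directory code: DC, its fields and RID base 1000 are assumptions.
class DC:
    def __init__(self, name):
        self.name = name
        self.usn = 0          # highest locally committed USN
        self.next_rid = 1000  # next RID used to build a new SID
        self.objects = {}     # object name -> (originating USN, RID)
        self.seen = {}        # partner name -> highest USN already pulled

    def create(self, obj):
        self.usn += 1
        self.objects[obj] = (self.usn, self.next_rid)
        self.next_rid += 1
        return self.objects[obj]

    def pull_from(self, partner):
        """Replicate only changes above the watermark kept for this partner."""
        mark = self.seen.get(partner.name, 0)
        for obj, (usn, rid) in partner.objects.items():
            if usn > mark:
                self.objects[obj] = (usn, rid)
        self.seen[partner.name] = max(mark, partner.usn)

    def image(self):
        return self.usn, self.next_rid, dict(self.objects)

    def restore_image(self, img):
        self.usn, self.next_rid, self.objects = img[0], img[1], dict(img[2])


def simulate():
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.create("alice")
    snap = dc1.image()                  # disk image taken at USN 1
    _, bob_rid = dc1.create("bob")      # USN 2, RID 1001
    dc2.pull_from(dc1)                  # DC2 now holds watermark 2 for DC1
    dc1.restore_image(snap)             # DC1 is back at USN 1, next RID 1001
    usn_below_watermark = dc1.usn < dc2.seen["DC1"]  # the rollback signal
    _, carol_rid = dc1.create("carol")  # reuses USN 2 and RID 1001
    dc2.pull_from(dc1)                  # USN 2 is not above 2: carol skipped
    return {
        "usn_below_watermark": usn_below_watermark,
        "carol_on_dc2": "carol" in dc2.objects,
        "bob_on_dc1": "bob" in dc1.objects,
        "rid_reissued": bob_rid == carol_rid,  # needs no partner at all
    }

print(simulate())
```

The two DCs end up permanently divergent (DC2 has bob but never receives carol), and the reissued RID shows why a single-DC site is still exposed: any ACL that kept bob's SID now matches carol.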