Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed. The VS Server is an interesting angle, running the DC on the physical machine and the F&P element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has been limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development. Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core?

Thanks again,
Mylo



Bernard, Aric wrote:

For your first question, you can find Microsoft's Branch Office
Infrastructure Solution (BOIS) here:
http://www.microsoft.com/technet/itsolutions/branch/default.mspx

In short, and more direct for your question, some organizations are
deploying a single server solution to a branch office/remote site which,
as an example, is a domain controller running VS2005 with VMs
representing other local servers/services that might be required (i.e.
File and Print, web caching, etc.). Using this approach, your Domain
Admins continue to be responsible for the physical machine and the
Domain Controller itself, however your local admin can fully administer
the other servers living within VMs (via RDP or remote tools) without
compromising the security of the DC.  This of course assumes that VS2005
does not contain a flaw that allows a guest to host breach. :)

As for performance, I do not have any concrete numbers, but you will
most certainly take a performance hit on both your host and your guests
when using virtualization.  I think your statement of 50-60% is quite
high based on my experience, but then again YMMV depending on what the
environment is hosting and what the end-user demands are and what the
host hardware configuration looks like.  (I prefer an x64 system with a
small array of disks - like the HP Proliant DL385 for ~$3500US.)
Regardless, in small remote sites performance is typically not critical
and nearly any server class system will perform adequately as a DC and a
VS2005 host. Keep in mind the small remote office solutions often have
two common single points of failure - the server (in a single server
solution) and the network.  The failure of either can have a significant
impact on the end-users...

Regards,

Aric Bernard




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

It'd be interesting to hear what solutions are in place in larger enterprise environments (for small remote sites). IMO, the hybrid DC/File and Print in one box, for remote sites, sounds nasty because:

1. There's no local SAM .... so a 'local' administrator needs to be built-in administrator in AD.. I guess that's fine if your domain admin=F&P Admin but if not....
2. If your file and print server contains loads of local groups etc... that becomes part of AD database.... I know that this is less of an issue under Win2K3 versus Win2k/NT4, but if you're in a largish organisation dealing with 100+ sites, each with a hybrid FAP/DC with lots of groups and users that meet this criteria...I guess you wouldn't want to add the bloat to your AD if you can avoid it.

Any other reasons?

On the other side, what sort of performance hit do you get virtualising... GSX, I get around 50-60% of real life, subject to the number of Guests running and server role, and can't afford ESX so can't comment :-)

Regards,
Mylo

Seely Jonathan J wrote:

Thanks, Brad.  That is very good to hear.  I also appreciate the tips.

JJ


------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad
*Sent:* Tuesday, August 09, 2005 3:09 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

We run multiple DCs on GSX and ESX. Everything seems to have gone fine so far, and MS will give their best endeavours on support. Most of the time they don't even ask us if the DC is virtual ;-)

Also, ensure that the time sync capability is disabled in the VMWare Tools, and that the DC boots up completely before the file and print, so that the file and print can authorise itself against it. Otherwise the F&P may take up to half an hour (or thereabouts) to realise it can now contact a DC for file/print access authorisation.


------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Grillenmeier, Guido
*Sent:* Monday, August 08, 2005 12:16 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

hehe - single DC - must have overread that - I would have called that to be a problem in itself ;-) But then again it's only for 10 users and likely ok. As such, I even doubt that SID reissue is much of a problem as this environment is likely rather static rgd. new objects in AD ;-)


------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *joe
*Sent:* Sonntag, 7. August 2005 00:43
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

Well since it is a single domain and a single DC I would say he really doesn't have a worry about USN rollbacks but he does have a possible concern with SID reissue.



------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Grillenmeier, Guido
*Sent:* Saturday, August 06, 2005 5:47 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

Since it's a single domain server I just take ghost snapshots of the
domain and then backup the files

not really a useful approach to backup a DC. Might be ok for FS and other roles, but DCs are not really cool with snapshotting and being "rolled back in time" due to the distributed nature of the data they store. You could easily cause USN rollback during recovery of a DC stored in this fashion (at least SP1 protects the rest of your DCs now by turning off in- and outbound replication and disabling the netlogon-service if it finds a DC that has a USN rollback status).

But for AD Backup/Restore you'd be much better off to work with normal SystemState backup/restore. Which is another reason why it's nice to have it on a separate box (virtual or hardware).

/Guido


------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Matt Brown
*Sent:* Samstag, 6. August 2005 02:47
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 users, and since it's just a single server office, and single DC domain... I just run everything on the domain controller. Domain, DNS, File, Print, and Accounting Software on the same server... no VM ware... although I considered it. Since it's a single domain server I just take ghost snapshots of the domain and then backup the files.

Seems to work pretty good, as it's been running solid for about a year now.


Thanks,

--

Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--------------------------------------+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--------------------------------------+




------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of [EMAIL PROTECTED]
*Sent:* Friday, August 05, 2005 3:36 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
----------------------------------------------
A good plan today is better than a perfect plan tomorrow.

-----Original Message-----
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of *Seely Jonathan J
*Sent:* Friday, August 05, 2005 12:54 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena? The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]

*****CONFIDENTIALITY NOTICE*****

This e-mail may contain information that is privileged, confidential, or otherwise exempt from disclosure under applicable law. If you are not the addressee or it appears from the context or otherwise that you have received this e-mail in error, please advise me immediately by reply e-mail, keep the contents confidential, and immediately delete the message and any attachments from your system.

************************************
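
The USN rollback discussed in this thread (image snapshots of a DC versus a System State restore), as an added Python sketch that is not part of any message above. It is a toy model with constructed names (`DC`, `Partner`, `run`); it assumes a partner tracks a high-watermark per invocation ID and that a supported restore resets the invocation ID while an image rollback does not.

```python
import copy
import uuid

class DC:
    """Toy domain controller: originating writes only."""
    def __init__(self):
        self.invocation_id = uuid.uuid4().hex  # identity of this database instance
        self.usn = 0             # highest local update sequence number
        self.changes = {}        # usn -> object name
        self.quarantined = False

    def create(self, name):
        self.usn += 1
        self.changes[self.usn] = name

class Partner:
    """Replication partner remembering a high-watermark per invocation ID."""
    def __init__(self):
        self.watermark = {}      # invocation_id -> highest USN already received
        self.objects = set()

    def pull_from(self, src):
        seen = self.watermark.get(src.invocation_id, 0)
        if src.usn < seen:       # source is behind what it already sent us
            src.quarantined = True   # stands in for the SP1 reaction in the thread
            return "rollback-detected"
        for usn in range(seen + 1, src.usn + 1):  # only changes above the watermark
            self.objects.add(src.changes[usn])
        self.watermark[src.invocation_id] = src.usn
        return "ok"

def run(restore_resets_invocation_id, writes_after_restore):
    """Return (replication status, post-restore objects the partner never got)."""
    dc, partner = DC(), Partner()
    dc.create("u1")
    image = copy.deepcopy(dc)            # snapshot taken at USN 1
    dc.create("u2")
    dc.create("u3")                      # DC is now at USN 3
    partner.pull_from(dc)                # partner watermark for this DC is 3
    dc = copy.deepcopy(image)            # roll the DC back to the image (USN 1)
    if restore_resets_invocation_id:     # assumption: supported restore path
        dc.invocation_id = uuid.uuid4().hex
    new = [f"n{i}" for i in range(writes_after_restore)]
    for name in new:
        dc.create(name)                  # reuses USN 2, 3, ... after the rollback
    status = partner.pull_from(dc)
    return status, sorted(n for n in new if n not in partner.objects)
```

With the image rollback, writes that reuse USNs at or below the partner's watermark are never requested, and the rollback is only noticed while the restored DC's USN is still lower than that watermark.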





List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/