I wouldn't ride the DC on the physical hardware and the FP on the VS install. I'd ride them both on there. Lsass will steal all the memory you'd like to allocate to VS. Instead, let lsass and company in its own instance, allocate it 2/3 the memory available and then the other third to your f & p instance.
ESX IMHO Is not the tool for this type of gig. A) its expensive and b) it's suited to running dozens if not hundreds of VMs on high power hardware. GSX/VS is more for a smaller operation on a much smaller dose of hardware (e.g. a 380/385 or 2850). --brian Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Monday, August 22, 2005 6:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Virtual Domain Controllers My understanding is that Windows Server 2003 provides full support for dual core processors and abstracts them, so to speak, from VS2005 insomuch as the application sees two physical processors - so yes; this is currently not true of ESX until the next point release. Aric -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo Sent: Monday, August 22, 2005 3:51 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Virtual Domain Controllers Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed. The VS Server is an interesting angle, running the DC on the physical machine and the F&P element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development. Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core? Thanks again, Mylo Bernard, Aric wrote: >For your first question, you can find Microsoft's Branch Office >Infrastructure Solution (BOIS) here: >http://www.microsoft.com/technet/itsolutions/branch/default.mspx > >In short, and more direct for your question, some organizations are >deploying a single server solution to a branch office/remote site which, >as an example, is a domain controller running VS2005 with VMs >representing other local servers/services that might be required (i.e. >File and Print, web caching, etc.). Using this approach, your Domain >Admins continue to be responsible for the physical machine and the >Domain Controller itself, however your local admin can fully administer >the other servers living within VMs (via RDP or remote tools) without >compromising the security of the DC. This of course assumes that VS2005 >does not contain a flaw that allows a guest to host breach. :) > >As for performance, I do not have any concrete numbers, but you will >most certainly take a performance hit on both your host and your guests >when using virtualization. I think your statement of 50-60% is quite >high based on my experience, but then again YMMV depending on what the >environment is hosting and what the end-user demands are and what the >host hardware configuration looks like. (I prefer an x64 system with a >small array of disks - like the HP Proliant DL385 for ~$3500US.) >Regardless, in small remote sites performance is typically not critical >and nearly any server class system will perform adequately as a DC and a >VS2005 host. Keep in mind the small remote office solutions often have >two common single points of failure - the server (in a single server >solution) and the network. The failure of either can have a significant >impact on the end-users... > >Regards, > >Aric Bernard > > > > >-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Mylo >Sent: Monday, August 22, 2005 10:17 AM >To: ActiveDir@mail.activedir.org >Subject: Re: [ActiveDir] Virtual Domain Controllers > >It'd be interesting to hear what solutions are in place in larger >enterprise environments (for small remote sites). IMO, the hybrid >DC/File and Print in one box, for remote sites, sounds nasty because: > >1. There's no local sam .... so a 'local' administrator needs to be >built-in administrator in AD.. I guess that's fine if your domain >admin=F&P Admin but if not.... >2. If you're file and print server contains loads of local groups etc... > >that becomes part of AD database.... I know that this is less of an >issue under Win2K3 versus Win2k/NT4, but if you're in a largish >organisation dealing with 100+ sites, each with a hybrid FAP/DC with >lots of groups and users that meet this criteria...I guess you wouldn't >want to add the bloat to your AD if you can avoid it. > >Any other reasons? > >On the other side, what ort of performance hit do you get >virtualising... GSX, I get around 50-60% of real life, subject to the >number of Guests running and server role, and can't afford ESX so can't >comment :-) > >Regards, >Mylo > >Seely Jonathan J wrote: > > > >>Thanks, Brad. That is very good to hear. I also appreciate the tips. >> >>JJ >> >> >> >> >----------------------------------------------------------------------- - > > >>*From:* [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad >>*Sent:* Tuesday, August 09, 2005 3:09 AM >>*To:* ActiveDir@mail.activedir.org >>*Subject:* RE: [ActiveDir] Virtual Domain Controllers >> >>We run multiple DC's on GSX and ESX. Eveyrthing seems have gone fine >>so far, and MS will give their best endeavours on support. Most of the >> >> > > > >>time they don't even ask us if the DC is virtual ;-) >> >>Also, ensure that the time sync capability is disabled in the VMWare >>Tools, and that the DC boots up completely before the file and print, >>so that the file and print can authorise itself against it. Otherwise >> >> > > > >>the F&P may take up to half an hour (or thereabouts) to realise it can >> >> > > > >>now contact a DC for file/print access authorisation. >> >> >> >> >----------------------------------------------------------------------- - > > >>*From:* [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] *On Behalf Of >>*Grillenmeier, Guido >>*Sent:* Monday, August 08, 2005 12:16 AM >>*To:* ActiveDir@mail.activedir.org >>*Subject:* RE: [ActiveDir] Virtual Domain Controllers >> >>hehe - single DC - must have overread that - I would have called that >>to be a problem in itself ;-) >>But then again it's only for 10 users and likely ok. As such, I even >>doubt that SID reissue is much of a problem as this environment is >>likely rather static rgd. new objects in AD ;-) >> >> >> >> >----------------------------------------------------------------------- - > > >>*From:* [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] *On Behalf Of *joe >>*Sent:* Sonntag, 7. August 2005 00:43 >>*To:* ActiveDir@mail.activedir.org >>*Subject:* RE: [ActiveDir] Virtual Domain Controllers >> >>Well since it is a single domain and a single DC I would say he really >> >> > > > >>doesn't have a worry about USN rollbacks but he does have a possible >>concern with SID reissue. >> >> >> >> >> >----------------------------------------------------------------------- - > > >>*From:* [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] *On Behalf Of >>*Grillenmeier, Guido >>*Sent:* Saturday, August 06, 2005 5:47 PM >>*To:* ActiveDir@mail.activedir.org >>*Subject:* RE: [ActiveDir] Virtual Domain Controllers >> >> >> >>>Since it's a single domain server I just take ghost snapshots of the >>> >>> >>domain and then backup the files >> >>not really a useful approach to backup a DC. Might be ok for FS and >>other roles, but DCs are not really cool with snapshotting and being >>"rolled back in time" due the distributed nature of the data they >>store. You could easily cause USN rollback during recovery of a DC >>stored in this fashion (at least SP1 protects the rest of your DCs now >> >> > > > >>by turning off in- and out-bount replication and disabling the >>netlogon-service if it finds a DC that's has a USN rollback status). >> >>But for AD Backup/Restore you'd be much better off to work with normal >> >> > > > >>SystemState backup/restore. Which is another reason why it's nice to >>have it on a separate box (virtual or hardware). >> >>/Guido >> >> >> >> >----------------------------------------------------------------------- - > > >>*From:* [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] *On Behalf Of *Matt Brown >>*Sent:* Samstag, 6. August 2005 02:47 >>*To:* ActiveDir@mail.activedir.org >>*Subject:* RE: [ActiveDir] Virtual Domain Controllers >> >>I run a single DC in a small environment... only about 10 users, and >>since it's just a single server office, and single DC domain... I just >> >> > > > >>run everything on the domain controller. Domain, DNS, File, Print, >>and Accounting Software on the same server... no VM ware... although I >> >> > > > >>considered it. Since it's a single domain server I just take ghost >>snapshots of the domain and then backup the files. >> >>Seems to work pretty good, as it's been running solid for about a year >> >> > > > >>now. >> >> >>Thanks, >> >>-- >> >>Matt Brown [EMAIL PROTECTED] >>Consultant for Student Technology Fee >>website: http://techfee.ewu.edu/ >>+--------------------------------------+ >>| 509.359.6972 ph. - 509.359.7087 fx >>| 307 MONROE HALL | Cheney, WA 99004 >>+--------------------------------------+ >> >> >> >> >> >> >----------------------------------------------------------------------- - > > >>*From:* [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] *On Behalf Of >>[EMAIL PROTECTED] >>*Sent:* Friday, August 05, 2005 3:36 PM >>*To:* ActiveDir@mail.activedir.org >>*Subject:* RE: [ActiveDir] Virtual Domain Controllers >> >>Could you just do the file/print on the DC? In a small environment >>you could probably get away with it. >> >>Al Maurer >>Service Manager, Naming and Authentication Services >>IT | Information Technology >>Agilent Technologies >>(719) 590-2639; Telnet 590-2639 >>http://activedirectory.it.agilent.com >><http://activedirectory.it.agilent.com/> >>---------------------------------------------- >>A good plan today is better than a perfect plan tomorrow. >> >>-----Original Message----- >>*From:* [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] Behalf Of *Seely >> >> >Jonathan J > > >>*Sent:* Friday, August 05, 2005 12:54 PM >>*To:* ActiveDir@mail.activedir.org >>*Subject:* [ActiveDir] Virtual Domain Controllers >> >>Hi All, >> >>I have a question about running DCs on GSX server. I understand that >>MS does not support this configuration, but I've heard that many >>people are running DCs in this fashion. Can anyone give some advice >>in this arena? The idea here is to do VM for a file/print, and >>another one for a DC in our remote sites. Currently, we've got >>different hardware for each box, but we're trying to consolidate a bit >> >> > > > >>out there. >> >>Thank you. >> >>JJ Seely >>Systems Administrator >>Oregon Department of Justice >>Division of Child Support >>(503) 378-4500 x22277 >>[EMAIL PROTECTED] >> >>*****CONFIDENTIALITY NOTICE***** >> >>This e-mail may contain information that is privileged, confidential, >>or otherwise exempt from disclosure under applicable law. If you are >>not the addressee or it appears from the context or otherwise that you >> >> > > > >>have received this e-mail in error, please advise me immediately by >>reply e-mail, keep the contents confidential, and immediately delete >>the message and any attachments from your system. >> >>************************************ >> >> >> >> >>This message has been scanned for viruses by MailControl >><http://bluepages.wsatkins.co.uk/?4318150> >> >> >> >>*This email and any attached files are confidential and copyright >>protected. If you are not the addressee, any dissemination of this >>communication is strictly prohibited. Unless otherwise expressly >>agreed in writing, nothing stated in this communication shall be >>legally binding.* >> >>*****CONFIDENTIALITY NOTICE***** >> >>This e-mail may contain information that is privileged, confidential, >>or otherwise exempt from disclosure under applicable law. If you are >>not the addressee or it appears from the context or otherwise that you >> >> > > > >>have received this e-mail in error, please advise me immediately by >>reply e-mail, keep the contents confidential, and immediately delete >>the message and any attachments from your system. >> >>************************************ >> >> >>---------------------------------------------------------------------- - >> >> >- > > >>No virus found in this incoming message. >>Checked by AVG Anti-Virus. >>Version: 7.0.338 / Virus Database: 267.10.3/66 - Release Date: >> >> >08/08/2005 > > >> >> >> >> > >List info : http://www.activedir.org/List.aspx >List FAQ : http://www.activedir.org/ListFAQ.aspx >List archive: >http://www.mail-archive.com/activedir%40mail.activedir.org/ >List info : http://www.activedir.org/List.aspx >List FAQ : http://www.activedir.org/ListFAQ.aspx >List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
