The assumption for us is that there is also a file and print server there.
 
The solitaire thing is a whole angle I did not consider. Is a DC required for solitaire? What about a virtual MP3 player running in cached mode? Ok. I'm clearly ready for the weekend ;-) Thanks for all the thoughts, folks. I will churn this over in my little brain and spend some quality time curled up with a few good white papers.
 
Have a great weekend.
 
-- nme


From: Rich Milburn [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 12:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

I’m curious, you said the WAN links can have interruptions so you wouldn’t want to authenticate over the WAN… but if all you have in a branch is a DC, what do you gain by having the DC locally if the link is down – unless you have additional servers there too (i.e. Exchange, F/P). Assuming you don’t turn off cached credentials, the users could still log on even without a DC there. If there are other servers there, you would want a DC because you couldn’t auth against them without seeing a DC. But users could still listen to CDs and MP3s, play solitaire, and all the other things users like to do when connectivity is down. :-) With Exchange in cached mode, you’d hedge somewhat against needing local Exchange servers too. So the question is, will you have resource servers out there. If so, and your links are unreliable to the point of forcing your design, then you’d want a DC there. If not, then a DC will not make a practical difference.

 

Rich

 

-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.

4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

 

Thanks for the thoughts. And thanks Tony for the reference -- just finished reading it.

 

Unfortunately, deploying the DC at HQ or simply authenticating over the WAN is not really an option. The WAN links are ok (and getting better) but are located in places where environmental (as in the weather) conditions often cause short interruptions.

 

Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC? [1]

 

Thanks again.

 

-- nme

 

[1] This sort of reminds me of the scene in Animal House when they talk about the "whole universe as we know it existing under the fingernail of some other giant being..." Whoa, dude!

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Other important factors in this scenario must be the physical and logical security of the server housing the DC role.

 

1. Will the server be securely locked away in the branches? If not, do not deploy a DC.

2. Do you trust the file server admins to have physical access to the server hosting the DC role?

3. Who administers the server that hosts the file and DC roles? Are they also trusted?

 

When designing the branch office, I would always ask the questions below, too:

1. Is a local DC required? i.e. what are the drawbacks if a DC is not deployed?

2. Is logon/startup traffic over the WAN larger than replication traffic over the WAN? If not, consider not deploying a local DC.

3. Does a local DC offer redundancy in the event of a WAN failure? If other apps are accessed over the WAN, then consider deploying the DC at a central location and not at the branch.

 

hth,

neil

 

 

___________________________
Neil Ruston
Global Technology Infrastructure
Nomura International plc

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Here's a link to a Microsoft document that covers what you need to do to run a production DC on Virtual Server 2005.

 

http://tinyurl.com/5enjd

 

Tony

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch Offices

Hi -

 

Just to follow up on the design thread.... Since I am placing DCs in small branch offices is there a value in using Virtual Server 2005 to create separate virtual boxes (DC & file server) running on the same physical box? Some users have administrative access to the file server, and I'd love to keep them off the DCs. I am also curious about optimal physical and virtual drive configurations for such a box.

 

I reviewed the thread here about Virtual Domain Controllers but it seemed to focus on using them as backups. I am talking about production.

 

Any thoughts most welcome.

 

-- nme

