Other than to set up the Virtual instances themselves, you will not
ordinarily use the admin site to do much. After they are up and running, you
will bring out either RDP or VMRC for doing all administration of the guest
OS, and at that point the performance is very much independent of where the
admin website is located.
To directly answer your question (:)), I have not measured the performance
personally. I have not had a reason to, given that my typical use for the
admin website is as I have described above.
Hope I make sense.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Phil Renouf
Sent: Wed 10/19/2005 10:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Servers in Branch Offices
Yeah, I was just wondering if you saw any issues with putting it on a box
across a WAN link. I have never looked into that before so I was just
wondering your opinion on it for my own curiosity.
Phil
On 10/19/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
I don't get your drift. There is no requirement for the web server to
be in
the same location as the virtual server.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Phil Renouf
Sent: Wed 10/19/2005 8:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Servers in Branch Offices
Would you put the admin site on a server not at that location?
Because if you
wouldn't then that won't help much since if you had another server to
put the
admin site on at the remote location then that would be a good place
to put
the f/p services.
Phil
On 10/19/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
You can separate the 2 roles. You can put the admin site on a
non-dc
server.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried
about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Al
Mulnick
Sent: Wed 10/19/2005 6:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
Strange, I was just having this conversation today with a
co-worker.
:)
My thoughts? I'd say make it a GC and put the f/p in the
virtual.
Why?
because you still need to protect the physical, but the
virtual you
can give
out access to. The downside is that the virtual machine
requires IIS
(in
Microsoft products) meaning you have a vector for attack. But
nothing
that
requires changing the security otherwise for the GC.
I prefer not to put IIS on a GC for security reasons, but if
you can
get away
without it then I should think that this method would provide
greater
ability
to secure it. Keep in mind that physical access is still
warranted.
It's
just that you wouldn't have to worry about somebody taking the
GC
home on a
USB key like they otherwise could ;)
It's not pretty no matter which way you turn IMHO. Could be
better.
Al
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah
Eiger
Sent: Wednesday, October 19, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch
Offices
I assume you are refering to the fact that the the host
could
be
compromised over the network and the virtual hard drive or
virtual
machine
itself simply copied. (Just for the record, this is covered in
the
white
paper. Did not mean to imply that it is not. Security in this
respect
is
refered over to NTFS permissions).
So given that you could have a single physical machine
at a
branch
office and that you must have a DC and F/P service, what is
the
prefered
configuration?
-- nme
P.S. thanks for keeping this thread going.
________________________________
From: Dean Wells [mailto:
[EMAIL PROTECTED] ]
Sent: Tuesday, October 18, 2005 8:42 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Virtual Servers in
Branch
Offices
"Does placing the DC inside a virtual machine
add any
security? Would it be harder for someone with physical access
to
compromise
the DC? The white paper does not really make this clear. Also,
I am
assuming
that a host machine would be a domain member, right? Does it
authenticate off
the virtual DC?"
<Dean>
Virtual DCs effectively weaken the
broader-definition
of
security in a number of ways including the context of physical
access
...
this is due primarily to the relative ease with which the
entire DC's
state
can be duplicated, subsequently, becoming portable and
reproduced in
a
running state elsewhere with little to no effort.
The host machine has no bearing ... it's rather
like
saying
"the rack in which the server is physically housed has to be a
domain
member"
(or any further extension of that particular metaphor). Keep
in mind
the VM
(for the most part) doesn't even realize it's virtual.
</Dean>
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
<mailto: [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> >
http://msetechnology.com
<http://msetechnology.com/>
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] ] On Behalf Of Noah
Eiger
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in
Branch
Offices
Thanks for the thoughts. And thanks Tony for
the
reference --
just finished reading it.
Unfortunately, deploying the DC at HQ or simply
authenticating over the WAN is not really an option. The WAN
links
are ok
(and getting better) but are located in places where
environmental
(as in the
weather) conditions often cause short interruptions.
Does placing the DC inside a virtual machine
add any
security? Would it be harder for someone with physcial access
to
compromise
the DC? The white paper does not really make this clear. Also,
I am
assuming
that a host machine would be a domain member, right? Does it
authenticate off
the virtual DC? [1]
Thanks again.
-- nme
[1] This sort of reminds me of the scene in
Animal
House when
they talk about the "whole universe as we know it existing
under the
fingernail of some other giant being..." Whoa, dude!
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 12:48
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual
Servers in
Branch
Offices
Other important factors in this
scenario must
be the
physical and logical security of the server housing the DC
role.
1. Will the server be securely locked
away in
the
branches? If not, do not deploy a DC.
2. Do you trust the file server admins
to have
physical access to the server hosting the DC role?
3. Who administers the server that
hosts the
file and
DC roles? Are they also trusted?
When designing the branch office, I
would
always ask
the questions below, too:
1. Is a local DC required? i.e. what
are the
drawbacks if a DC is not deployed?
2. Is logon/startup traffic over the
WAN
larger than
replication traffic over the WAN? If not, consider not
deploying a
local DC.
3. Does a local DC offer redundancy in
the
event of a
WAN failure? If other apps are accessed over the WAN, then
consider
deploying
the DC at a central location and not at the branch.
hth,
neil
___________________________
Neil Ruston
Global Technology Infrastructure
Nomura International plc
________________________________
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony
Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual
Servers in
Branch
Offices
Here's a link to a Microsoft document
that
covers
what you need to do to run a production DC on Virtual Server
2005.
http://tinyurl.com/5enjd
Tony
________________________________
From:
[EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> ] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30
a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in
Branch
Offices
Hi -
Just to follow up on the design
thread....
Since I am
placing DCs in small branch offices is there a value in using
Virtual
Server
2005 to create separate virtual boxes (DC & file server)
running on
the same
physical box? Some users have administrative access to the
file
server, and
I'd love to keep them off the DCs. I am also curious about
optimal
physical
and virtual drive configurations for such a box.
I reviewed the thread here about
Virtual
Domain
Controllers but it seemed to focus on using them as backups. I
am
talking
about production.
Any thoughts most welcome.
-- nme
________________________________
This communication, including any
attachments,
is
confidential.
If you are not the intended recipient,
you
should not
read it -
please contact me immediately, destroy
it, and
do not
copy or
use any part of this communication or
disclose
anything about it.
Thank You.
Please note that this communication
does not
designate an information system for the purposes of the NZ
Electronic
Transactions Act 2002..
This e-mail message has been scanned
for
Viruses and
Content and cleared by NetIQ MailMarshal at Gen-i
________________________________
PLEASE READ: The information contained
in this
email
is confidential and
intended for the named recipient(s)
only. If
you are
not an intended
recipient of this email please notify
the
sender
immediately and delete your
copy from your system. You must not
copy,
distribute
or take any further
action in reliance on it. Email is not
a
secure
method of communication and
Nomura International plc ('NIplc') will
not,
to the
extent permitted by law,
accept responsibility or liability for
(a) the
accuracy or completeness of,
or (b) the presence of any virus, worm
or
similar
malicious or disabling
code in, this message or any
attachment(s) to
it. If
verification of this
email is sought then please request a
hard
copy.
Unless otherwise stated
this email: (1) is not, and should not
be
treated or
relied upon as,
investment research; (2) contains views
or
opinions
that are solely those of
the author and do not necessarily
represent
those of
NIplc; (3) is intended
for informational purposes only and is
not a
recommendation, solicitation or
offer to buy or sell securities or
related
financial
instruments. NIplc
does not provide investment services to
private
customers. Authorised and
regulated by the Financial Services
Authority.
Registered in England
no. 1550505 VAT No. 447 2492 35.
Registered
Office: 1
St Martin's-le-Grand,
London, EC1A 4NP. A member of the
Nomura group
of
companies.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
