Last year I wrote an article called Virtualizing your Domain Controllers. I called out some of the best practices from my own experience, as well as from conversations with hundreds of IT Pros around the world. This week I received a very well thought-out response to that article from a reader named Andrew. I set out to respond to him in the Comments section, then decided that the response needs its own article.
His comment (in full and unedited) reads as follows:
I don’t entirely agree with the advice here. It does sound a little like the person who wrote it has done too much reading and not enough network infrastructure. More than one DC? Really? Are you serious talking of a business of 25 people, running on a tight budget, that they spend 1000 or so on a server just to replicate? And what if the AD database becomes corrupt, this could be months before you notice, replication would have taken place and now you have to rebuild anyway. So no, nice advice, but in the real world, in a small business, one DC with system state backed up will suffice. Only run DC on a server? Are you serious? On the whole domain controllers don’t actually do a lot, they authenticate, replicate, but once the log on/log off process has taken place they sit there, till the next replication. Wow! What a waste of resources! Contrary to belief DHCP and DNS don’t require a lot. And what if you virtualise the other roles anyway? You still have it all running on one system, so whether it’s virtualised or not the effect is the same. Snapshots are great, but if the mainboard fails the system fails – virtual or not.
I recently went in to rebuild a network that had one server running AD, DHCP, DNS, file server etc. for over 200 people. Not one person ever complained the network was slow – this server was running 4 GB of RAM! I simply added another server and shared resources. In this example I did replicate, and there’s the problem, I only have two servers both acting as DCs, I have to put the other roles somewhere! – even if I have a SAN attached it will still run through the server.
More than one server is great. Replication is great. Virtualisation is great. But budgets come first.
Everything that Andrew says is true… for real-world SMALL businesses. The problem is with what I call the SBSer Mindset, which I discussed in an article I wrote in 2007 (Why I am not an SBSer). I can assure you I was not very popular in certain circles for that article, and if I had to rewrite it again today I likely would not. However the basic premise holds true.
IT Best Practices are almost always deprecated in small- and midsized IT environments to the detriment of security and functionality in exchange for simplicity and usability. I have been telling small business IT Pros for years that they should learn the enterprise best practices… even if they are not going to always implement them, they should know what they are.
As silly as it may sound, you should know what the laws are before you break them. By knowing what Enterprise Best Practices are and how they benefit the environment you can then make an informed decision when you decide to break one of them… because you understand the reasons and consequences behind them.
I have been telling people for years that Enterprise Best Practices scale down a lot better (and more securely) than Small Business ‘Common Practices’ scale up. As small businesses grow it is easier for them to do so properly if the infrastructure was properly planned out… so if you have 200 users and think you might grow to 260 you should not use the standard 192.168.0.0/24 IP range. Thinking outside the ‘small business’ may not be important for some, but it is if you want growth, security, high availability, and such.
When I said that “Your Domain Controllers should be just that… and not much else!” I was serious, but I also added a compromise in there; DNS and DHCP can easily co-exist on your DCs… especially in smaller organizations, but even in the Enterprise space DNS is a core requirement of Active Directory, and indeed the DNS Server role is installed automatically when you create a Domain Controller. However, by then expanding that to the File Server role you break a huge tenet of Enterprise Best Practice: the only people who should be able to authenticate to a Domain Controller are Domain Administrators. By putting the File Server onto the DC you are automatically letting the entire organization authenticate to it. Bad Bad Bad.
Andrew is right by the way… “…I recently went in to rebuild a network that had one server running AD, DHCP, DNS, file server etc. for over 200 people. Not one person ever complained the network was slow – this server was running 4 GB of RAM!” I will not argue that the resources discussed will have any effect on the speed of your network… but you will notice that if you leave all of your doors and windows open it is much quicker for you to get into your house. Security does not mean speed.
Virtualization, of course, will allow you to solve a lot of these issues. However he is right, there are replication issues, and if you are not monitoring your domain you may not realize that one DC is down, or that replication is broken. This is true… but it is also why it is important to have monitoring in place for your organization. I am not saying that a small business should be implementing a complete System Center environment, but there are definitely monitoring tools available that will allow you to keep an eye on it… starting with the Server Manager Dashboard in Windows Server 2012.
And what if the AD database becomes corrupt, this could be months before you notice, replication would have taken place and now you have to rebuild anyway.
Monitoring your environment is part and parcel of your job as a system administrator; no IT Pro should ever have to say ‘One component was broken for months and I didn’t notice.’ That should be a true RGE for an IT Pro. It is a rookie mistake – monitor your environment and you will never have that problem.
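As an added example (not from the original article, nor a Microsoft tool), here is one way a small shop can do the replication monitoring discussed above with the ActiveDirectory PowerShell module that ships with Windows Server 2012 and later; the age and failure thresholds are assumptions to tune for your site.

```powershell
# Added example: scheduled AD replication health check so that a broken or
# stale replication partner is noticed in hours, not months.
# Requires the ActiveDirectory module (RSAT or a DC running Server 2012+).
Import-Module ActiveDirectory

$MaxAgeHours = 24    # assumed threshold: inbound replication older than this is stale
$MaxFailures = 3     # assumed threshold: consecutive failures before we alert

$problems = @()
$dcs = Get-ADDomainController -Filter *

foreach ($dc in $dcs) {
    # Inbound replication status for every partner and partition of this DC
    $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
    if (-not $meta) {
        # A DC that answers nothing is itself a finding (down, firewalled, or demoted)
        $problems += "$($dc.HostName): unreachable or no replication metadata"
        continue
    }
    foreach ($m in $meta) {
        $age = (Get-Date) - $m.LastReplicationSuccess
        if ($age.TotalHours -gt $MaxAgeHours) {
            $problems += "$($dc.HostName) <- $($m.Partner) [$($m.Partition)]: last success $([int]$age.TotalHours)h ago"
        }
        if ($m.ConsecutiveReplicationFailures -ge $MaxFailures) {
            $problems += "$($dc.HostName) <- $($m.Partner) [$($m.Partition)]: $($m.ConsecutiveReplicationFailures) consecutive failures (result $($m.LastReplicationResult))"
        }
    }
    # Failures the replication engine has already recorded for this DC
    foreach ($f in (Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)) {
        $problems += "$($dc.HostName) <- $($f.Partner): $($f.FailureCount) failures since $($f.FirstFailureTime), error $($f.LastError)"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "AD replication healthy across $($dcs.Count) domain controller(s)"
    exit 0
}

$problems | ForEach-Object { Write-Warning $_ }
# Non-zero exit so Task Scheduler or a monitoring agent can raise an alert on it
exit 1
```

Run it daily from Task Scheduler under an account that can read directory metadata, and alert on a non-zero exit code; a single DC with nothing to replicate to will report nothing, which is exactly the case where a system state backup is the only safety net.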
Andrew is right… budgets are hugely important, more so to small businesses where every penny spent on IT means money out of the pocket of the business owner. However balancing the budgets versus potential risks is important, and that is where proper planning comes into play.
It does sound a little like the person who wrote it has done too much reading and not enough network infrastructure.
My IT pedigree is well known, but I do acknowledge that I do much less SMB-IT than I used to, and definitely understand where you are coming from. I hope that you are willing to acknowledge that at least some of my points are valid.