Using an ISA or file server as backup DC
Posted on 2006-03-22
Just need some solid advice here - our network is configured as follows: 3 servers - Dell PowerEdge 2800 - 2 meg ram 3 GHz Xeon - 1 as GC/DC, 1 as ISA and 1 as file server - 25 users - low to med network load.
I was wanting to set up either the ISA or file server as a backup DC - and was told the following (this is a copy from an email I received) -- Is this correct?
Remember way back when we first started to create this server, and I stated that you would need to use a SECOND domain controller to move off the FSMO roles, and to act as a backup domain controller.
I suggested at that time that we use a PC, install Windows 2003 and create the second DC. The Server copy was not purchased, so we did not do the second server.
You CAN NOT USE AN ISA SERVER OR A FILE AND PRINT SERVER for a Domain Controller. I have said this multiple times.
The DC will take over these servers, and their processes will take the back seat to whatever Active Directory thinks is more important. That means that if AD thinks talking to the DC is more important than Grantham connecting to the Internet, then it will speak to AD and do whatever it wants, and later when it is finished, will turn control back to the ISA server. Needless to say ISA does not like that, and will promptly crash and burn... Same with the File and Print server... if you happen to have a user saving a file, and the DC process on the File and Print server decides that this is the time that it needs to replicate with the AD server, or if a user decides to log into the network and it decides to authenticate this user, the file save process thread will be shut down without any warning given to the user. It will not start this thread back up when it completes whatever it wants to do.
So... following the logic, there will be a file that is corrupt on the network, completely unusable, and no one will know until they try to use the file again and it does not open... Sure, you can bring it back from backup... but just exactly when did it corrupt so you know which file to bring back, or if it happened to be a new file, just started... there will not be a backup.
Cure for this is simple. Purchase a copy of Windows 2003 R2, install it on a PC with the specifications I sent over, use DCpromo to promote it to a DC in the domain, replicate, and then move the two FSMO roles that are most important over to it. The users will authenticate to the network just fine without a DC using cached credentials, and should be able to get their other server files as well. They would not be able to work though, if they were in a different office, or were a new user on this network.
-----end email ------
What do you guys think?