jruder

Using an ISA or file server as backup DC

Hello...

Just need some solid advice here - our network is configured as follows:  3 servers - Dell PowerEdge 2800 - 2 meg ram 3 Ghz Xeon - 1 as GC/DC, 1 as ISA and 1 as file server - 25 users - low to med network load.

I was wanting to set up either the ISA or file server as a backup DC - and was told the following (this is a copy from an email I received) -- Is this correct?
----Begin email-----
Hi Joe,

Remember way back when we first started to create this server, and I stated that you would need to use a SECOND domain controller to move off the FSMO roles, and to act as a backup domain controller.

I suggested at that time that we use a PC, install Windows 2003 and create the second DC.  The Server copy was not purchased, so we did not do the second server.

You CAN NOT USE AN ISA SERVER OR A FILE AND PRINT SERVER for a Domain Controller.  I have said this multiple times.  

The DC will take over these servers, and their processes will take the back seat to whatever Active Directory thinks is more important.  That means that if AD thinks talking to the DC is more important than Grantham connecting to the Internet, then it will speak to AD and do whatever it wants, and later when it is finished, will turn control back to the ISA server.  Needless to say ISA does not like that, and will promptly crash and burn.....Same with the File and Print server.....if you happen to have a user saving a file, and the DC process on the File and Print server decides that this is the time that it needs to replicate with the AD server, or if a user decides to log into the network and it decides to authenticate this user, the file save process thread will be shut down without any warning given to the user.  It will not start this thread back up when it completes whatever it wants to do.
So....following the logic, there will be a file that is corrupt on the network, completely unusable, and no one will know until they try to use the file again and it does not open....Sure, you can bring it back from backup....but just exactly when did it corrupt so you know which file to bring back, or if it happened to be a new file, just started....there will not be a backup.

Cure for this is simple.  Purchase a copy of Windows 2003 R2, install it on a PC with the specifications I sent over, use DCpromo to promote it to a DC in the domain, replicate, and then move the two FSMO roles that are most important over to it.  The users will authenticate to the network just fine without a DC using cached credentials, and should be able to get their other server files as well.  They would not be able to work though, if they were in a different office, or were a new user on this network.  
-----end email ------

What do you guys think?
Lee W, MVP

I think this guy needs to relearn a few things about Windows.  By that logic Windows Small Business Server would have MAJOR problems because it runs as a File Server, Print Server, AD server, Exchange Server, SQL Server, ISA Server, and Web Server, among other functions - ALL on one server (SQL & ISA only on Premium version).  

I routinely make file servers DCs in small environments with ZERO problems.  I would NOT make ISA server a DC, but not for the fictitious reasons this guy says - I'd not do it for security reasons - always better to NOT mix your domain account info with a server exposed to the internet directly.
jruder

ASKER

"if you happen to have a user saving a file, and the DC process on the File and Print server decides that this is the time that it needs to replicate with the AD server, or if a user decides to log into the network and it decides to authenticate this user, the file save process thread will be shut down without any warning given to the user.  It will not start this thread back up when it completes whatever it wants to do."

Just wondering here...he sounds pretty convincing (like this has happened to him before).  Have you EVER heard of something like this happening?

I have not heard of Windows "shutting down threads with no warning" before.  I could see a pause or something if the network was VERY saturated but to just *toss* the thread out the windows?

Anybody else out there have fileservers doubling as a DC?

I understand about Small Business Server, but this same person has made the statement that "as everyone knows, you cannot have anything but the smallest network, say 10 or fewer users with just one server.  Small Business Server will bog down with anymore users than this"  I simply got tired of pointing out the thousands of companies all over the world with 50 or more users running SBS, so we now have a network with 3 servers and are probably going to have to buy another copy of server 2003 and a machine to run it on to service 25 users.  Frustrating at best.

Given enough money I would follow this guy's recommendation and install a small/cheap server (not PC) to spread the FSMO's and be a 2nd DC. However, for your company and the number of users, this would be a waste of money !!

I have used F&P servers as DC's in W2k environments with no issues at all for many years. In your 3 server environment, having the File server as a DC will not impact its performance, or make it more unstable than it currently is (or isn't). I also have a client that has 2 servers. One W2k3 which is DC, F&P and Exchange (but he didn't buy SBS  but separate licences!) with the other being Firewall/Proxy running ClearSwift. Again, no issues at all.

As LeeW says above, I would not put it on ISA for security reasons alone. It will happily function on there (I have it in a test lab with zero problems. And this is not using SBS but standard W2K server).

I think your 'friend' is either getting a markup on the products or is thinking purely from the ideal world point of view.

Hope this helps
Barny
IPKON Networks Ltd

jruder,
> "if you happen to have a user saving a file, and the DC process on the
> File and Print server decides that this is the time that it needs to
> replicate with the AD server, or if a user decides to log into the
> network and it decides to authenticate this user, the file save process
> thread will be shut down without any warning given to the user.  It
> will not start this thread back up when it completes whatever it wants to do."

> Just wondering here...he sounds pretty convincing (like this has happened
> to him before)  Have you EVER heard of something like this happening?

This is COMPLETELY untrue.  Windows does not shut down threads.  It gives priority to other threads, but it does NOT shut down threads.  That's absolutely wrong.  Things MAY slow down, but that's it - they will pick right up when the server is done doing what it needs to do.  And again, AD, especially for a network that small should never take more than a second or two to complete its synchronization.  Adding a new DC, it might take a few seconds... but once it's set up, the amount of data to sync is TRIVIAL.

> I have not heard of Windows "shutting down threads with no warning"
> before.  I could see a pause or something if the network was VERY
> saturated but to just *toss* the thread out the windows?

Again, it won't "pause" anything and it certainly doesn't shut anything down.  BUT if the CPU is taxed, then it MIGHT SLOW things down and give the server service less CPU cycles, but it WILL NOT "pause" the service and it certainly will not "shut it down".

> Anybody else out there have fileservers doubling as a DC?

> I understand about Small Business Server, but this same person has made
> the statement that "as everyone knows, you cannot have anything but
> the smallest network, say 10 or fewer users with just one server.  
> Small Business Server will bog down with anymore users than this"
> I simply got tired of pointing out the thousands of companies all over
> the world with 50 or more users running SBS, so we now have a network
> with 3 servers and are probably going to have to buy another copy of
> server 2003 and a machine to run it on to service 25 users.  Frustrating at best.

Hire someone else.  ANYONE Else.  www.craigslist.org - look for your city, then post a request for a part time tech or something.  This guy does not know what he's talking about.  He's simply trying to sell more equipment to anyone he can get to believe it.

Do a baseline on your systems to know their usage.  If the CPU is not constantly at 80%, they are not overloaded.  (By Microsoft's definition - by mine, halve that.)  But note, there are MANY different reasons a server or network can seem slow... poor disk configuration (not using RAID, using slow disks, not replacing a failed RAID disk), poor networking (using hubs instead of switches, using a 100 Mb NIC in a heavily used server or not using a gigabit capable switch with a gigabit capable NIC in the server), doing disk intensive tasks during business hours (Defrag, Backups, etc).  These are all things that might slow a system down and people might mistake as a server being not powerful enough when it's actually more power than they need in the foreseeable future.

By all means, feel free to wait for others to chime in, but rest assured, I know what I'm talking about here.  Read my profile and note my certifications.

I'll tell you, I want to know who this guy is out of curiosity - but PLEASE, DO NOT POST HIS NAME or company name.  It's a curiosity that I do not NEED to know and we do want to keep people from harassing this guy (as much as I also want to keep people from using his services - guys like this create problems for the honest people and cause your business to way overspend on services and hardware).

Yes, in an ideal world, for redundancy and separation of services, yes, one machine per service.  But that would be extremely expensive and impractical for your company's size.  Having 2 servers DEDICATED to DNS, 2 servers clustered, dedicated to DHCP, 2 DCs per site, two file servers (mirrored)... but I disagree with IPKON_Networks on ONE of his points:  Spreading the FSMO roles doesn't make much sense unless you have multiple sites.  THEN it can be a good idea.

jruder

ASKER

That's the same way I felt.  If it was the way he stated then how could you have ANY network with a single server running Server 2003 (even leaving the SBS out of it)?  I have insurance companies, law firms, autobody places, not to mention my own in house network all running off one server (obviously with the DC role active) and have never had any problems (you know what I mean...as far as this issue is concerned!)

I am going to leave the question open for a bit just to see if we get any more comments, but Lee, as normal you have gone over and above and I REALLY appreciate the depth and quality of your posts.  No, I would not post any personal info on someone on here.  In reality this guy is not a bad guy - he works for a different company in the IT department and does not have an agenda to sell equipment or anything like that - he just truly believes what he is saying.  He is in a fairly large environment and just seems to have a single way of doing things.  The only thing that really gets me is if you suggest doing something different his response tends to be condescending and worded in such a way that he makes it clear that anybody doing it different than him is an idiot.  That type of attitude simply pushes my buttons ALL wrong.

Barny - Thank you for your input as well, I have looked into some used servers on eBay already - We have a nice rack put together, last thing I want is a workstation sitting on the floor next to it!

BTW - the following link is a great read - we are getting ready to go up to the new version of Server 2003 and this is a great reminder that there is no such thing as a "simple" change!  (I really love the one where contractors "shrink wrapped" the server rack to keep dust out (with them on still!))
http://redmondmag.com/features/article.asp?editorialsid=565

Joe Ruder
Onsite Computers, Inc

You can drop me a line at joe@joeruder.com if you want.