Domain Controller NLB

Donnie4572 asked
Last Modified: 2012-06-27
Hi,

Please tell me if I can set up two webservers in my DMZ in a Network Load Balance group and make these servers both Domain Controllers.

The reason I'm considering this is I have several hundred FTP user accounts to set up and it could help to have Active Directory.

Thanks,
Donnie

CERTIFIED EXPERT
Top Expert 2006
Commented:
I would put webservers as DCs; I would have a separate DC in the DMZ and load balance your webservers.

Donnie4572, IT Manager

Author

Commented:
Do you mean you would not promote the webservers to DC?
Why?
Donnie4572, IT Manager

Author

Commented:
Sorry Jay, I do not understand. You would have three DCs in the DMZ? Two as webservers and one separate?

Thanks
Donnie
CERTIFIED EXPERT
Top Expert 2006

Commented:
That's OK. What I mean is that webservers are accessed heavily, thus I wouldn't have them as domain controllers at all, for security reasons.
Donnie4572, IT Manager

Author

Commented:
OK, so security/performance are the only reasons you wouldn't?

Here is the setup:
Both servers are identical (HP Integrity Itanium 4640s)
4 - 1.6 9MB cache procs
4GB RAM each.
I don't think performance would be an issue here?

Active Directory will only be used by these two servers for FTP deployment.

Actually, I would prefer two additional servers to provide AD but I am having a hard time justifying the additional cost.

Thanks for your help!
CERTIFIED EXPERT
Top Expert 2006

Commented:
Yeah, I can understand costs... your specs are fine, I just worry about having a DC as a webserver, just doesn't sit right!
Web servers are one of the most easily vulnerable systems on the Internet.  Putting one of those out there on the web is risk enough... but to make it a DC on top of that is just asking for trouble.  

CERTIFIED EXPERT
Top Expert 2005
Commented:
I would recommend NOT making them DCs.  You can use the freely available ADAM (Active Directory Application Mode) instead.  This will give you credential management while not exposing more than necessary.

http://www.microsoft.com/downloads/details.aspx?FamilyID=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&DisplayLang=en

You can't install it on Server 2003 Web Edition, but you can install it on a workstation (XP) inside the DMZ so web clients can access it.  If you use Standard 2003 then there is no issue installing it on there.

CERTIFIED EXPERT
Top Expert 2005

Commented:
As for load balancing - this is where NLB comes into play.  Use the Help in Server 2003.  There's a ton of good stuff in there.

Donnie4572, IT Manager

Author

Commented:
Netman
Good solution!
However, I got approval for two additional servers to use as "DMZ domain controllers"

Thanks to all
CERTIFIED EXPERT
Top Expert 2006

Commented:
Nice work! Much more secure.