Optimal configuration for Windows 2003 server

I have been contracted to create a domain for a small non-profit organization using windows 2003 server standard edition.  beside the main location (HQ) there are four remote sites that all would need to access data on the server.

1. I have purchased the following equipment for the job:
WD WorldBook Edition II (1 TB) with remote file access for the remote offices so that i could avoid creating a vpn and placing a load on the server.  
2. I have a 24 port switch "mostly for the 18 users in HQ
3. 4 port Linksys VPN router X 5 "1 for each location
4. High bandwidth DSL

My question is this as I am predominantly a Linux enthusiast, once I have installed the server OS which of the mini servers should I install? Based on my understanding, I was only going to install and configure:
File & Printer server
Application server
Domain Server (active directory)
Terminal Server

I know for a fact that I will not need the  Web server, DHCP server.

I am not certain about the DNS server

What configuration would be optimal to allow in performance while allowing access to remote users?

Oh yea the server is a Dell SC 420, 1 GB Ram, Raid 1 70 GB HDD, dual 1 gig nics

Who is Participating?
Lee W, MVPConnect With a Mentor Technology and Business Process AdvisorCommented:
I disagree with some of the technical points made by KCTS, though in general, I agree with the overall point.

1.  WINS is still used by some less than ancient software - there can be issues in certain environment if using Exchange and NOT using WINS.  In a small environment like this, you'll probably be ok, but strictly speaking, WINS isn't quite dead yet (though we all hope it will be soon).

2.  Using an ISPs DNS servers as secondary resolvers CAN still get used if the main server is busy enough not to answer quickly enough or if there are network issues.  Using an ISPs DNS to resolve addresses from the clients is the best way to get annoying, intermittent problems with authentication and accessing network resources.  It will seem to work fine in most cases, but every now and then it won't and that will just annoy the users and you if you don't remember why this can happen.

In more direct response to your questions:
1.  Not entirely true.  While there are restrictions, TechSoup.com has Small Business Server 2003 Standard R2 available for $31.  So while I agree, they already have it and it DOES require an additional purchase, it's VERY affordable from this source.  In fact, it may be even cheaper if the client can return the server (Dell, for example, will usually accept returns within 30 days) and if they return it for a server without an OS, they could save over $500 -or put that money towards a second terminal server.
2.  I've already suggested I don't recommend using the router's DHCP.  It's not generally as friendly to configure and it MAY not allow custom settings for DNS.
3.  Agreed with Laura - learn about AD, if you are billing clients for your work, the clients deserve to have it setup properly - and even if you're not billing them, a proper setup will prove more reliable and overall perform better.
4. Thin clients for what?  Web browsing?  What kind of thin clients?  While they can be useful, they also can be expensive from an initial cost perspective - long term management tends to be far less expensive, but most small businesses don't understand or consider long term costs - it's always a "how much do I have to spend now" and rarely a "how much can I save later?"  Important Note: SBS CANNOT be a terminal server for applications - it's limited to two conncetions for management purposes and will not allow itself to be changed into a regular terminal server specifically for security considerations - a second server would be required.
5.  Be creative.  As I said, if they can return the server, they might be able to recoup $500 or more on licenses by buying from TechSoup instead (assuming they are eligible). Again, they need to consider long term costs as well.  Even if that means purchasing through a financing or leasing deal.  In most areas, I believe financing can be paid off with no prepayment penalties, so interest can be minimized.  SBS is FAR easier for a non-Windows and/or non-technical person to manage.  So while doing things right up front might cost them an extra $2000, it could save them money in terms of time and resources over the life of the server, money that adds up to far more than $2000 initially spent over budget.
LauraEHunterMVPConnect With a Mentor Commented:
Active Directory cannot function without a DNS server; if you do not already have a DNS server configured for your environment, you will not be able to install AD without installing the DNS role on the local server. Additionally, what functionality are you trying to offer your client by configuring the File & Print and Terminal Server roles on the server if you've purchased a separate network-attached device to allow for remote file access? From a security standpoint, it is sub-optimal to configure your domain controller to perform double-duty as a file&print and/or Terminal Server device.

It sounds as though you might be at least somewhat unfamiliar with administering an Active Directory environment; if this is the case I would strongly recommend that you take a look at some or all of the webcasts in the Technet "Active Directory: Learn the Basics and Master Advanced Concepts" series before you attempt to implement an AD design that may or may not be appropriate for your client: http://www.microsoft.com/events/series/adaug.mspx.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
Brian PierceConnect With a Mentor PhotographerCommented:
I agree with the previous comment. You need to do some background reading/research or you could end up in a bit of a mess. DNS is absolutly essential and Active Directory Integrated DNS offers the best solution both in terms of security and performance. Clients need to use your Windows DNS server as their Preferred (only) DNS server and the DNS Server itself needs to be set up with a forwarder if you want to resolve external DNS lookups.

You have ruled out DHCP. Why? It offers the most efficient way of allocating IP address information, including DNS servers and Default Gateway info to clients.

Terminal Services can be especially demanding of resources so it is a good idea to keep this on a seperate server away from the cdomain contoller for this and for security reasons.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Lee W, MVPConnect With a Mentor Technology and Business Process AdvisorCommented:
As Laura says, DNS is vital to a functional AD environment.  While technically, you don't need the Windows Server to run DNS, you MUST run a DNS server that supports Dynamic updates.  Further, you must make sure that all clients and the server point to the same DNS server and ONLY that DNS server (or another one that replicates with it).  Using secondary DNS servers that are not specifically part of your network can cause intermittent problems.

I agree with the Terminal Services point made by Laura.  I would add that if you can purchase another server OR do without the terminal Services (what would you be using them for?) then you would be MUCH better off installing Small Business Server 2003 instead of plain Server.  It's cheaper (though TechSoup.com/org does provide fantastic prices for most non-profits) and much easier to manage for non-Windows people (in fact, Windows people without experience in SBS will often have problems managing it).  Note: if you do go with SBS, DO NOT modify the installation based on what you think they will and won't need - SBS is a VERY integrated product and if you don't install ALL components you could break several others.

As for not using DHCP, you CAN do that... but if you do, make sure whatever DHCP server you do use supports specifying DNS settings.  I prefer and generally recommend using the Windows DHCP because it works just fine and is generally much easier to configure and manage (note: if you use SBS you very much should allow Windows to be the DHCP server - it will configure itself to be).

globaltekitAuthor Commented:
Team you responses definitely give me good reason to re-think my strategy.
First the client is a non profit organization and has already purchased Win2003 server standard edition, so I don't have a choice on the OS.
Second, I was going to use the router to provide the DHCP services needed as appose to installing and configuring DHCP server. "What do you think?"

Third, I have setup Active Directory before and did not install DNS for 15 users. I added all of the users to AD as well as their computers and was able to successfully add them to the domain without the DNS server. I listed the server IP address as the first DNS server for all of the clients and listed the ISP's DNS as the second DNS and then added the server IP in the WINS. I was going to reuse this strategy, but based on your responses, it seems that that was not a suitable nor robust solution. "If I install the DNS would you suggest setting up both Forward and Reverse lookup?

"Do you think that I should go back to the previous client and install DNS server as this may be the reason why some of the clients are getting kicked off of and/or losing their mapped network connection to the server. ?"

Fourth, The client is contemplating on installing thin clients in 2 of the four site, it this is the case, I will need to install terminal services and file & print. "Do you agree?"

Fifth, the client has a set budget and can not afford to purchase another server specifically for TS. " what other alternatives do you suggest?"

LauraEHunterMVPConnect With a Mentor Commented:
To address your third point: if you do not have a DNS server that is configured to house the DNS SRV records for your Active Directory domain, your clients will experience authentication failures, i.e., getting "kicked off". An ISP's DNS server does not house any information relating to AD, and so if a client queries that server when attempting to authenticate, they will not be successful. The WINS server that you installed at your previous client is providing a certain level of name resolution which is preventing you from seeing more issues than you already are, but Active Directory requires DNS to function, full stop. One of the webcasts in the link I provided earlier covers the steps needed to configure and manage DNS for Active Directory; I would again strongly recommend that you gain a better familiarity with Active Directory fundamentals before deploying it for your clients.
Brian PierceConnect With a Mentor PhotographerCommented:
Switch off DHCP on the router and use Windows based DHCP instead it integrates into Windows and DNS. It is easier to manage (its all in one place) and can provide functionality above that which router based DHCP can deliver.

Clients must use the Windows based DNS so you MUST configure this, without it thay cannot locate the domain controller and other resources properly - in sone cases thay can broadcast to find reources but this is very inefficient and leeds to long log on delays and all manner of other problems relating to name resolution issues including some of those you mention.

If all machines are Windows 2000/2003/XP or Vista forget about WINS it is not required DNS is used for name resolution in a domain. WINS is only required for Windows NT/98/95 Machines and ancient programs which need to resolve NetBIOS names across subnets.

If you install the ISPs DNS server as the Alternate DNS it will never get used (at least not if the Windows based DNS is working properly). The Alternate DNS ia only ever used if the Preferred DNS is down or does not respond within the timeout period. The alternate DNS is not used if the Preferred DNS server cannot resolve the name - thats what a forwarder is for - so you certainly need to set up the forwader. See http://www.petri.co.il/configure_dns_forwarding.htm

Do not confuse a forwarder with a forward lookup zone - they are different. When you set up the Active Directory Domain a foward lookup zone will have been created automatically. Reverse looup zones can be useful in some circumastances. but I cannot see why you would need one here. Set one up if you like - it will do no harm.
Lee W, MVPConnect With a Mentor Technology and Business Process AdvisorCommented:
You could even upgrade the server's RAM and CPUs, order another couple of licenses from TechSoup, and run a couple of virtual servers as terminal servers (in general I wouldn't recommend this, but for a FEW users doing BASIC office stuff, web browsing, and e-mail, a Virtual server Terminal Server may be able to handle the load (figuring 5-10 users, 1 GB of RAM allocated to the server on at least a dual core system with at least 3 GB of RAM physically installed).
globaltekitAuthor Commented:
Team thank you for you comments as they have been very helpful to me.

The client had win 2003 server previously installed but the system crashed, this is why they asked me to rebuild it along with the newly purchased hardware. They are limited in funds and may not be able to purchase additional hardware and due to timing constraints, I am not sure it they can return the Win 2003 server after having used it for at least six months to a year

The server was purchased 2 years ago so they are stuck with it and it only has a 2 gig or ram limit, which I have already advised them to max out

As for the thin client, it is for a lab environment for junvenille hall residents just for internet and basic computer use. I will a different machine just for this purpose and not burden the server. I was really trying to get the client to go with Linux thin clients as they are very inexpensive to maintain

WIZARD, I plan on returning to the previous client and installing the DNS server, but you indicated that the Fordward lookup zone will be created automatically. I thought after the DNS was installed that you had to actually configure the DNS by created the Fordward lookup zone. Is this correct?
 Also, will it harm the environment adding the DNS after the fact?

As for learning more about active directory, I have been reading/referencing windows server 2003 published by microsoft press. please tell me where i go to get better resource/reading materials on how to setup active directory correctly
I'd recommend a 3-way split if the OP doesn't close it.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.