Solved

How many DC's should we have?

Posted on 2007-07-24
Last Modified: 2010-04-18
How many domain controllers should we have? We have 150 users and 5 servers. Which ones should I make the domain controllers? We are running Server 2003. Here is what we have:

Server1 - ISA server (I know that this one should not be a DC)
Server2 - Exchange Server
Server3 - Great Plains Server
Server4 - File server (will be running DNS, DHCP and Blackberry enterprise server)
Server5 - File Server (will be running backup exec and Symantec Antivirus corporate)
Question by:Wyandotte
35 Comments
 
LVL 23

Expert Comment

by:TheCleaner
ID: 19558160
I'd have 2...and if possible on new hardware. If not, then the below are my choices:

Choice #1 - new servers

Choice #2 - use workstations at your office (deploy 2 DCs)

Choice #3 - use Server #4 as your PDC emulator/first DC, then Server 5 as your 2nd

Choice #4 - use Server #4 as your PDC emulator/first DC, then on Server 5 install VMware Server and run a 2nd DC in a virtual server

Choice #5 - just use a single DC...running on Server #4. With only 5 servers, I'm guessing that you are pretty quick to respond to issues. Just make sure you back up the server nightly

Choice #6 - run 2 DCs, both in a virtual environment like VMware...stick them on Server 4 and Server 5...then back up the VMs...

Author Comment

by:Wyandotte
ID: 19558181
These are all brand-new servers; currently all of the servers are DCs except the ISA server. We are replacing all the servers, and I'm trying to decide which of the 5 new ones that I listed I want to make a DC and which a member.
LVL 10

Expert Comment

by:Walter Padrón
ID: 19558183
Server2 should not be a DC either.

You need at least 2 DCs, so your best bets are Server4 and Server5.

Regards
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19558186
Hi Wyandotte
* The server which has the DNS, assuming that you run AD integrated, must be a DC (PDC)
* Also Exchange server must be a DC
* And the 3rd DC is up to you, I prefer srv4 or srv5
  ! Make sure that all three servers are Global Catalogs
  ! Install DHCP on one of the DCs, set the scope to x.x.x.1-128, and in the other DHCP set the scope to x.x.x.128-254. Now if one DHCP fails, your computers will still acquire IP addresses. Also set the DNS scope options as in the following accepted answer of mine
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22712478.html

Regards

Author Comment

by:Wyandotte
ID: 19558207
wpadron and mrhusy, you are conflicting on whether Exchange should be a DC. Please specify your reasons why or why not, and if anyone else has any comments, please respond.
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 19558298
MrHusy - you are incorrect in stating that an Exchange server must be a DC. In fact, if Exchange is already installed on Server 2, you CANNOT run dcpromo to change its domain controller status without seriously damaging Exchange - it's also unsupported by Microsoft. Once you install Exchange on a member server, you cannot promote it to DC status without first removing Exchange; likewise, if you install Exchange on a DC, you cannot demote it to member server status.

Of the 5 servers you list, I'd go with Server 4 and Server 5, though I don't know much about BES and any dependencies it might have that would rule out Server 4 in that respect.
LVL 11

Expert Comment

by:mohdabsar
ID: 19558314
It's recommended to install Exchange on a member server; however, in your case you already have Exchange on a DC, so let it be and DON'T try to demote it. Please make it a GC also (it's recommended by MS).

For 150 users 2 DCs are enough, and adding more does no harm.
Don't play with the server which has Exchange on it.
Additionally, you can keep Server 4 as DC/GC (because you are gonna install Blackberry also) and Server 5 as DC only.
LVL 23

Accepted Solution

by:
TheCleaner earned 1000 total points
ID: 19558321
Exchange and other important roles (DC, ISA, SQL, etc.) should be separated out onto separate hardware and OSes. Not only can there be interop issues with them on the same box, but you don't want to have multiple critical business functions failing because of one thing failing and you needing to fix it or take it offline.

2 DCs in your environment makes the most sense. Whether you put them on old hardware or new, I would really make them "DCs only" and at the most DC + File Server.
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 19558347
Ah. mohdabsar brings up a point that I'm not clear on from the OP. Are any (or all) of these 5 servers already configured as DCs? If so, and if your Exchange Server is already a DC, then it must remain a DC for the reasons I listed above. (This may be what MrHusy was referring to; if so, I misunderstood and apologise.)
LVL 11

Expert Comment

by:mohdabsar
ID: 19558418
LauraEHunterMVP, please see the comment of Wyandotte (ID 19558181).
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19558495
I already know that DC demotion/promotion of a serving Exchange server is fatal and ends up with an inoperable Exchange. It was my mistake that I was unclear; it would have been better if I had said "Exchange must stay a DC". But things are still unclear in that I assumed that Exchange was already a DC, and wyandotte assumed Exchange is not a DC. That's why we conflicted. And Laura's comment 19558298 explains it. We both do not want to ruin your Exchange.
If your Exchange is a DC at the moment, ignore wyandotte's comment. If your Exchange is not a DC at the moment, please ignore my comment.

Regards
LVL 10

Expert Comment

by:Walter Padrón
ID: 19558625
Wyandotte is replacing old servers with new ones, so the new Exchange server is a new installation and must not be on a DC (http://www.petri.co.il/problems_with_exchange_2003_installed_on_domain_controllers.htm)

Regards
LVL 104

Expert Comment

by:Sembee
ID: 19558738
Presuming no additional hardware is available, I don't see any choice other than the two file servers.

From experience with Great Plains consultants, they want full access to the server. I don't want them having full access to a domain controller.
Not on an ISA, not on Exchange.
That only leaves two.

Simon.
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19558986
Yes, he is replacing old servers with new ones, but he is not starting from scratch. Starting from scratch with all these services above (new installation/configuration of Blackberry, Exchange, ISA, domain, joining clients one by one, GPS, broken maps, etc.) is not a preferred/logical way in my opinion. In this case, I would choose migration or imaging.

1) What you at least should do: install the server OS on one of the new servers, then join it to the domain, transfer the FSMOs from server5, and set it as PDC. Set global catalog.
2) Then if you like, you can go on to install Backup Exec, Symantec.
* If you do not want to join 150 clients one by one to the domain, you should do at least the first step above. I assume that your server5 is the PDC and has the FSMOs; follow the above. If not, transfer the FSMOs first to server5, take a full backup at that state, transfer the FSMOs to the brand-new server, follow step 2 above, then restore the full backup here. Then demote the old server5; the new server5 is ready with the same IP and name.

And I assume Simon has an article about Exchange migration.

Regards
LVL 104

Expert Comment

by:Sembee
ID: 19559137
LVL 10

Expert Comment

by:Walter Padrón
ID: 19559299
MrHuzy, I never suggested starting a new domain from scratch. If the current Exchange server is a DC (which is not a good idea) and he has a brand-new server, IMHO he must make a fresh Exchange installation on a member server, move the mailboxes and decommission the old server.

Regards
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 19559475
It would be great if Exchange was not a DC; I agree with that. But I never had personal experience with migrating Exchange from a DC to a non-DC; I assume there may be more things than moving mailboxes and setting the global catalog. That's why my attitude is in the way of keeping things intact about Exchange and doing the migration process. But if you have had experience and are able to aid the asker in Exchange migration, I respect that; I'll sit here and begin learning :)
@Wyandotte: If you prefer migrating Exchange, it doesn't matter in which way, from where to where; Simon's article is a must-read in my opinion.

And about ISA migration, take a backup of the ISA configuration and restore it on the ISA installed on the brand-new machine.
http://www.microsoft.com/technet/isa/2004/plan/exportimportsettings.mspx
LVL 10

Expert Comment

by:Walter Padrón
ID: 19559686
I missed explaining that Wyandotte wants to upgrade to Exchange 2007, which only runs on x64, and this is why he must install a new Exchange server.

Regards

Author Comment

by:Wyandotte
ID: 19559722
We are replacing all servers; they are way too old to do any upgrades to. Exchange will be 2007 on an x64 OS. We currently have all 2000 servers and will be going to all 2003 servers.
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 1000 total points
ID: 19567708
Might be worth pointing out that this is a follow-on from a previous question.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22705299.html?cid=238#a19558140

I agree that a minimum of two DCs should be promoted so that the FSMO roles can be spread appropriately - I would also make them both Global Catalogs. I am old-fashioned though and would put in separate machines to host the AD, the DNS, DHCP scopes. I have never liked using infrastructure servers for anything above those roles; however, machines 4 & 5 look like they should be OK. The thought of using workstations for the job does not appeal either, but that's just my view.

In addition, you still have the possible option of reusing some of the equipment that you are replacing.....

Regards
Keith
MVP

Author Comment

by:Wyandotte
ID: 19568525
So you would bring in a server 6, make it a DC and run DHCP and DNS from it, and then make servers 4 and 5 additional DCs?

Purchasing an additional server is out of the question, but using one of the old ones is a possibility. What kind of performance is needed for server 6? The best one we have is a cheap 2.4 P4 with 512 MB RAM; would that be enough to do it without putting more money into it?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19568599
Alternatively, only use one of either 4 or 5 (preferably 4) and use one of the older boxes that you will be decommissioning and bring that on as the secondary DC. The Blackberry BES is quite a small load, so that could be moved to box 5, leaving box 4 and the older spare to perform the infrastructure roles such as DNS, DHCP, WINS if you are still using it, replication, logon scripts and policy, etc.

512 MB RAM is small but will do the job.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19568621
Maybe I am just tight-fisted as well as getting old but I hate to see kit thrown out that can still be used.

Author Comment

by:Wyandotte
ID: 19568733
Just to make sure I understand this correctly:

Run Backup Exec and BES on server 5 and make it just a member server.
Make server 4 a DC and run DHCP and DNS and everything else on it.
Set up server 6 (the older and smaller server) as a secondary DNS and as a secondary DC?

Would it really be much of an advantage having the smaller server be the second DC instead of server 5? I do realize there is other stuff running on server 5, but it is a much better machine. I guess I'm just not understanding the benefits of setting up the 6th server.

Author Comment

by:Wyandotte
ID: 19568754
The servers will not be thrown out; they will be used somewhere else. We are just wanting to get this project done before we decide where the old servers are going.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19568800
Then it's not an issue. Use machines 4 & 5.

Don't forget the simple things such as splitting your DHCP scope(s) across both boxes, etc. Just for my own interest, how are you handling the transition to EX2007?

Author Comment

by:Wyandotte
ID: 19568838
You mentioned splitting the scope. This is kind of off the topic a bit, but what do you think about setting one server up with the scope in the 192.168.0.0 network and the other one with a scope in the 192.168.1.0 network?

As far as Exchange goes, I haven't started on that one yet; I believe that will be the last server that we switch over. I will let you know then.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19568879
192.168.0.0 is not a scope I would use. This is doubly (is that a word?) a no-go, especially if you are likely to want to use VPNs later on.

Pick something out of the way such as 192.168.100.0,
then split both scopes across both servers:

192.168.100.10 - 126 and another scope of 192.168.101.10 - 192.168.101.126 on server 4
192.168.100.128 - 254 and 192.168.101.128 - 254 on server 5
If either server breaks, you still have both scopes available from the other server.

You mention two IP ranges here. Are you building the network with a 255.255.254.0 subnet mask to give yourself 1024 addresses?

Author Comment

by:Wyandotte
ID: 19568998
I would like to get away from 192.168.0.0. Unfortunately that becomes a big issue, as we have a casino and the gaming vendors have servers at the casino. The servers are on their own network but have an interface on our network so that users can log into them for reports and such. All of the users have static IPs and the system only allows connections from those IPs. We also have Micros machines with static IPs along with ticket-cashing kiosks with static IPs. We don't have access to any of this equipment and would need to get the vendors to make the changes (and they would need to be here at the switch-over to ensure that there is no downtime). That is way more work than I even know how to coordinate. If I had control of it all then it wouldn't be a big deal, but now we are depending on other vendors, which scares me a little. If there is some way to leave them on the 192.168.0.0 and not cause any problems with the remote network, I am all ears!!!!
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19569614
Again, if this is what you already have, then fine, leave it alone. To be honest, you have enough opportunities at the moment to cause issues without introducing additional ones. It is just good practice to try and keep the 192.168.0.0 and the 192.168.1.0 networks empty, as so many DSL routers etc. use these as their standard.

Author Comment

by:Wyandotte
ID: 19569639
I see, so I just need to make sure the ISP that we go with doesn't use that subnet and we should be OK. Thank you everyone for your help.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19569694
The ISP won't be using it. The issue is more in the event that you have remote users who may VPN into your site. If they were also using a 192.168.0.0 subnet at their location, then it would cause problems. This is why it is best practice not to use them generally; it is not a mandatory thing though.

In addition, without boring you, the early standards for subnetting state that you should not use the first subnet but should start at the second. In your case that would have meant using the 192.168.1.0 subnet. (This was called the subnet-zero RFC.)

Regards
Keith
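The split-scope DHCP layouts proposed earlier in the thread (Alan's x.x.x.1-128 / x.x.x.128-254 halves, and Keith's .10-.126 / .128-.254 split of 192.168.100.0 and 192.168.101.0 across server 4 and server 5) and the VPN address-collision problem Keith describes above are easy to get subtly wrong, so here is a small planning check for both. This is an added example for this thread, not code from Experts Exchange or from any of the posters; the subnet and range values are the ones quoted in the thread, and the server names SERVER4/SERVER5 are placeholders. It flags ranges that overlap (including a boundary address that appears in both halves, which lets two servers lease the same IP), ranges outside their subnet, subnets served by only one server, and any office subnet that collides with a remote user's home range.

```python
"""Split-scope DHCP and private-address-space checks for a small AD network.

Added example for this thread, not code from Experts Exchange or any of the
posters. Subnets and scope boundaries are those quoted in the thread; the
server names are placeholders.
"""
import ipaddress
from typing import Dict, List, Tuple

Scope = Tuple[str, str, str]  # (subnet, first address, last address)

# Constructed layout: each /24 is handed out by both DHCP servers, so losing
# either server still leaves every subnet with a working (half-sized) pool.
SPLIT_SCOPES: Dict[str, List[Scope]] = {
    "SERVER4": [("192.168.100.0/24", "192.168.100.10", "192.168.100.126"),
                ("192.168.101.0/24", "192.168.101.10", "192.168.101.126")],
    "SERVER5": [("192.168.100.0/24", "192.168.100.128", "192.168.100.254"),
                ("192.168.101.0/24", "192.168.101.128", "192.168.101.254")],
}


def addresses_in_mask(mask: str) -> int:
    """Total addresses (network and broadcast included) behind a dotted mask."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").num_addresses


def validate_split_scopes(layout: Dict[str, List[Scope]]) -> List[str]:
    """Return human-readable problems with a split-scope layout (empty = OK).

    Problems detected:
      * a range that is reversed or falls outside the subnet it claims;
      * ranges for one subnet on different servers that share any address
        (two servers would then lease the same IP to different clients);
      * a subnet served by only one server (no redundancy if it fails).
    """
    problems: List[str] = []
    per_subnet: Dict[ipaddress.IPv4Network, list] = {}
    for server, scopes in layout.items():
        for subnet, first, last in scopes:
            net = ipaddress.ip_network(subnet)
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            if lo > hi:
                problems.append(f"{server}: range {first}-{last} is reversed")
                continue
            if lo not in net or hi not in net:
                problems.append(f"{server}: {first}-{last} lies outside {subnet}")
                continue
            per_subnet.setdefault(net, []).append((server, lo, hi))
    for net, ranges in per_subnet.items():
        ranges.sort(key=lambda r: r[1])  # order by first address
        for (s1, lo1, hi1), (s2, lo2, hi2) in zip(ranges, ranges[1:]):
            if lo2 <= hi1:  # touching or overlapping ranges
                problems.append(f"{net}: {s1} {lo1}-{hi1} overlaps {s2} {lo2}-{hi2}")
        if len({server for server, _, _ in ranges}) < 2:
            problems.append(f"{net}: served by only one DHCP server")
    return problems


def vpn_conflicts(local_subnets: List[str], remote_subnets: List[str]) -> List[Tuple[str, str]]:
    """Pairs of (office, remote) networks that overlap.

    A remote user whose home LAN uses the same range as the office cannot
    reach office hosts over a VPN: the client routes that range locally.
    """
    conflicts = []
    for local in local_subnets:
        local_net = ipaddress.ip_network(local)
        for remote in remote_subnets:
            if local_net.overlaps(ipaddress.ip_network(remote)):
                conflicts.append((local, remote))
    return conflicts


if __name__ == "__main__":
    print("split-scope problems:", validate_split_scopes(SPLIT_SCOPES) or "none")
    print("addresses behind 255.255.254.0:", addresses_in_mask("255.255.254.0"))
    print("VPN conflicts:", vpn_conflicts(["192.168.0.0/24"], ["192.168.0.0/24"]))
```

Run it as a script to see the three checks against the thread's values; in practice you would load the layout from your own DHCP server export and run `validate_split_scopes` before making the change, and feed the ranges your remote users report at home into `vpn_conflicts` when choosing an office range.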
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19569705
Thanks :)
LVL 23

Expert Comment

by:TheCleaner
ID: 19569988
Thanks for the points...what was your final decision?

Author Comment

by:Wyandotte
ID: 19570065
Server 4 will be a DC running DHCP and DNS.
Server 5 will be BES, backup server and antivirus server, and will also be a DC.

I will possibly put in one of the older servers as server 6, and it will be a third DC, a secondary DNS, and will run BES instead of Server 5.

That depends on whether we need the server somewhere else on the network.