Link to home
Start Free TrialLog in
Avatar of eaglerod
eaglerodFlag for United States of America

asked on

Server 2003 Virtual Machines

Is it wise to be setting up each server feature on 1 single server(Active Directory, DNS, Web etc) on a seperate virtual machine in the same server? What kind of problems security wise can this cause?
Avatar of coolsport00
coolsport00
Flag of United States of America image
You can combine some server 'features' (roles), but for a DC, it should be minimal and non-obtrusive. For example, I wouldn't have much anything else on a DC besids maybe DNS. Your web server can be solely that. Part of it is due to to security implications, but for DCs is more about potential of disrupting your domain, as well as opening 'holes' for the outside to see your internal structure (if combining DC with Web server).

Regards,
~coolsport00
Avatar of Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Flag of United Kingdom of Great Britain and Northern Ireland image
It depends, you need to be careful, of what we call server sprawl, creating virtual servers, for the sake of virtual servers.

Active Directory and DNS are usually services that are integrated together, that you would use on one server.

Web Server, you would want to install Web Services on a seperate Member server, to prevent any security issues accessing your Domain Controller, so I would recommend a Web Server has it's own server as well in the examples you give.

We have the  same security issues in virtual machines we have in physical so ensure you have firewalls enabled on the servers, regulalry patch servers with security updates. Try not to use the servers interactively, to browse the Internet, use good Anti-Virus, and have a Security Policy in place to reduce malaware, virus, trojan attacks.
Avatar of be_free
be_free
This is perhaps a "philosophical" question to some extent, but it's also dependent on your environment. The bigger the environment, the more sense it makes to divide functions between many servers. Using small foot virtual servers, it's also more economical to accommodate for redundancy. AD and DNS go on the same server, Exchange and SQL on a member server, File servers and DFS servers can be separated for scalability, other application and print servers can be separated. It's hard to answer your question wisely without knowing the details. If you have a small environment you definitely don't want to make things more complicated than necessary, and you can safely get away with one or two servers. However you decide to build it, I do recommend using virtual servers and invest in a good VM backup product.
Avatar of coolsport00
coolsport00
Flag of United States of America image
Also, keep in mind some things when considering virtualizing DCs, from a technical standpoint. VMware & MS both have KBs that discuss things to consider:

VMware KB:
http://kb.vmware.com/kb/1006996

Microsoft KB:
http://support.microsoft.com/kb/888794

Regards,
~coolsport00
Avatar of eaglerod
eaglerod
Flag of United States of America image

ASKER

I have been asked to check out this server that has 6 virtual servers in it all running a different feature of server 2003 standard edition.  They are running over 100 users.  I have my own feelings on what they should do but wanted a group of opinions as to get a birds eye view of the situation. I don't feel its such a good idea to have all of that on one server.
Avatar of coolsport00
coolsport00
Flag of United States of America image
You are correct...you shouldn't have it all on 1 VM. At minimum 2, maybe 3 depending on what other apps/services will be run/needed.

~coolsport00
Avatar of be_free
be_free
Now that you've revealed your environment, no, it's not a good idea to run 6 VMs on one physical server for such a small environment, with the sole purpose of providing standard Win 2003 type services. For 100 users, I'd run max two and divide the services between the two or even mirror them,. Just make sure they're on a snapshot type backup that's continuously running. You're not mentioning Exchange, but if that's involved the recommendation would be different.
ASKER CERTIFIED SOLUTION
Avatar of coolsport00
coolsport00
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Avatar of Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Flag of United Kingdom of Great Britain and Northern Ireland image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of be_free
be_free
We're moving away from what the OP asked about, but since it's been mentioned more than once, I need to clarify on the issue of "snapshots". I did not say use VMware snapshots instead of backups. I did not reference VMware's built-in snapshot procedure at all -- which other posters rightfully want to point out that it's not a backup solution -- and I full agree. But as far as a snapshot function in itself goes, it's certainly used and integrated in many products targeting both the physical and virtual backup market.What I recommended in passing was to use a "snapshot type backup" which admittedly may have been a vague term. Since the topic isn't backups I choose not to elaborate. Specifically, I thought about VMX Trilead VM Explorer. Their FAQ is here which in part explains how their backups work using "snapshot technology": http://www.trilead.com/FAQ/. There is also a YouTube video here: http://youtu.be/6jWCP8ZP7SQ