Brand New Active Directory Domain Best Practices

Posted on 2013-05-13
Last Modified: 2013-05-14
Hello, this is more of a general question, but I am tasked with setting up a network that has never had a domain or central networking of any kind. They've been on a workgroup for quite a while. My plan is to start small. This isn't a very big deployment, and I was thinking of doing it as follows. Two hyper V servers with VMs for the Domain Controller/DNS/DHCP/File Services. One VM for the internal MIS system (SQL and ASP.NET host), and one VM for an SFTP server. Any best practices to use when setting up a brand new network, I've really only administered existing networks before. Thanks!
Question by:indigo6
  • 3
  • 3
LVL 13

Assisted Solution

Jaihunt earned 100 total points
ID: 39164544

Install DC in a physical machine and  add the other server as member server of the domain and install Hyper-V then create VM's for DHCP/File(or you can keep it in DC it self)  and SQL and also one more Virtual DC. Document everything what you are doing. Like naming the server and IP address, accounts. If you install DC in physical and after that a member server hyper V means you can manage everything from the domain also your domain stays safely in physical machine.

LVL 26

Accepted Solution

DrDave242 earned 400 total points
ID: 39165900
Install DC in a physical machine
I'm on the fence about this.  Normally I agree with having at least one physical DC, but whether you should do this depends on how many physical servers you've got available.  You mentioned two, and if that's all you have, dedicating one to the DC role won't be very efficient.  Not that the server can't do other things too, but some roles really don't belong on a DC (Exchange, for example, or Remote Desktop Session Host).  Depending on the specs of that server, it may be better to make it a second Hyper-V host and put your second DC in a VM.  Whatever you do, don't make the mistake of putting additional roles on a Hyper-V host; that's a bad idea all around (and can be a violation of the MS licensing agreement in some situations).

If you choose to make both servers Hyper-V hosts, you have the option of clustering them so that all of your VMs will remain up and running in the event of a hardware failure on one of the hosts.  There are some additional things to consider when setting up a failover cluster, including the fact that if you've got all of your DCs in clustered VMs and the cluster goes down for some reason, you end up with a catch-22 in which you can't start the cluster because it can't find a running DC, and you can't start a DC because they're all in the cluster.  There is a way around that (you have to remove a DC from the cluster, get it running, then start the cluster), but it takes extra work.  In that situation, having a DC separate from the cluster (on different hardware, for example) definitely simplifies things.

I think most network admins would consider you fortunate that you get to set this network up from the beginning.  Along those lines, I'm definitely in agreement with Jaihunt about documenting everything.  You (and the person who eventually takes over for you after you move on) will be glad you did.

Author Comment

ID: 39166441
Ok, great, that goes along the lines of what I was thinking. Thanks for the info about clustering DCs as well! Would it be possible to have one server 2012 machine as the DC and then have it host 2 or 3 VMs? I may or may not have the budget for two servers.
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

LVL 26

Expert Comment

ID: 39166638
That's what I was referring to here:

Whatever you do, don't make the mistake of putting additional roles on a Hyper-V host; that's a bad idea all around (and can be a violation of the MS licensing agreement in some situations).
A Hyper-V host should run only that role; making it also a DC (or anything else) would be a bad idea.

If you've only got the budget for one physical server but need to run several different workloads (like a DC, SQL server, and file server, as you mentioned), my recommendation would be to purchase as powerful a server as your budget will allow and put Hyper-V on it, then run everything in VMs.  The host will be a single point of failure, but you can mitigate that somewhat with redundant hardware (RAID, redundant power supplies, teamed NICs, and that sort of thing).

Of course, don't forget backups.  In the event that it all goes wrong at some point, you're going to kick yourself hard if you don't have everything backed up (and your boss may want to get in on the kicking as well).  And don't use Hyper-V snapshots as backups; they aren't the same thing and will cause you problems if you try to use them as such.  (In fact, I'd say it's best to avoid snapshots entirely in a production environment.)

Author Comment

ID: 39166668
Ah, I see. I was thinking about other roles such as DNS DHCP and File Services. I was thinking in terms of resource usage, and I didn't think a DC for a small network would take much from a Hyper V role. I am used to working with vSphere, what good backup solutions are available for Hyper V?
LVL 26

Expert Comment

ID: 39166739
You may laugh, but the only one I have any real experience with is the native Windows Server Backup utility.  New in 2012 is the ability to back up and restore individual VMs if you wish; previously, you could only back up and restore Hyper-V as a whole.  You also had to do a little bit of manual tweaking in previous versions before you could back up Hyper-V at all (specifically, you had to register the Hyper-V VSS writer with Windows Server Backup), but that's no longer necessary in 2012.

There are plenty of other backup utilities out there that support Hyper-V.  One of the main advantages of Windows Server Backup is that it's free.

Author Closing Comment

ID: 39167131
Good insight on the hyper v role

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question