Brand New Active Directory Domain Best Practices

Posted on 2013-05-13
Last Modified: 2013-05-14
Hello, this is more of a general question, but I am tasked with setting up a network that has never had a domain or central networking of any kind. They've been on a workgroup for quite a while. My plan is to start small. This isn't a very big deployment, and I was thinking of doing it as follows: two Hyper-V servers with VMs for the Domain Controller/DNS/DHCP/File Services, one VM for the internal MIS system (SQL and ASP.NET host), and one VM for an SFTP server. Any best practices to use when setting up a brand new network? I've really only administered existing networks before. Thanks!
Question by:indigo6
LVL 13

Assisted Solution

Jaihunt earned 100 total points
ID: 39164544

Install the DC on a physical machine and add the other server as a member server of the domain; install Hyper-V on it, then create VMs for DHCP/file services (or you can keep those on the DC itself) and SQL, and also one more virtual DC. Document everything you do: server naming, IP addresses, accounts. If you install the DC on a physical machine and then the member server as the Hyper-V host, you can manage everything from the domain, and your domain stays safely on a physical machine.
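As an added example that is not part of the thread: one way to produce the build documentation Jaihunt recommends (server names, addresses, roles, privileged accounts) is to collect it from the servers themselves rather than typing it up by hand, so it can be re-run after every change. This assumes Windows Server 2012 with the ServerManager and ActiveDirectory modules available; the computer names below are placeholders.

```powershell
# Added example (not from the original post): capture a baseline inventory of each
# server for the build documentation. Server names are assumed placeholders.
$servers = 'DC01', 'HV01'

$inventory = foreach ($s in $servers) {
    Invoke-Command -ComputerName $s -ScriptBlock {
        # Real addresses only: drop loopback/link-local (WellKnown prefix, APIPA)
        $ips = Get-NetIPAddress -AddressFamily IPv4 |
               Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notlike '169.254.*' } |
               Select-Object -ExpandProperty IPAddress

        # Installed roles (not sub-features), which is what the documentation needs
        $roles = Get-WindowsFeature |
                 Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
                 Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            OS        = (Get-CimInstance Win32_OperatingSystem).Caption
            IPv4      = $ips   -join ';'
            Roles     = $roles -join ';'
            Collected = Get-Date -Format 's'
        }
    }
}

# Privileged accounts belong in the same document: who can administer the domain today.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Select-Object Name, SamAccountName, objectClass

# Dated files so the history of the environment is kept, not overwritten
$stamp = Get-Date -Format 'yyyyMMdd'
$inventory | Select-Object Computer, OS, IPv4, Roles, Collected |
    Export-Csv -Path ".\server-inventory-$stamp.csv" -NoTypeInformation
$admins | Export-Csv -Path ".\domain-admins-$stamp.csv" -NoTypeInformation

$inventory | Format-Table Computer, IPv4, Roles -AutoSize
$admins    | Format-Table -AutoSize
```

Run it from a domain-joined management workstation with an account that can remote to both servers; the two CSVs are the first revision of the documentation, and a diff against the previous run shows what changed and when.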

LVL 26

Accepted Solution

DrDave242 earned 400 total points
ID: 39165900
Install DC in a physical machine
I'm on the fence about this.  Normally I agree with having at least one physical DC, but whether you should do this depends on how many physical servers you've got available.  You mentioned two, and if that's all you have, dedicating one to the DC role won't be very efficient.  Not that the server can't do other things too, but some roles really don't belong on a DC (Exchange, for example, or Remote Desktop Session Host).  Depending on the specs of that server, it may be better to make it a second Hyper-V host and put your second DC in a VM.  Whatever you do, don't make the mistake of putting additional roles on a Hyper-V host; that's a bad idea all around (and can be a violation of the MS licensing agreement in some situations).

If you choose to make both servers Hyper-V hosts, you have the option of clustering them so that all of your VMs will remain up and running in the event of a hardware failure on one of the hosts.  There are some additional things to consider when setting up a failover cluster, including the fact that if you've got all of your DCs in clustered VMs and the cluster goes down for some reason, you end up with a catch-22 in which you can't start the cluster because it can't find a running DC, and you can't start a DC because they're all in the cluster.  There is a way around that (you have to remove a DC from the cluster, get it running, then start the cluster), but it takes extra work.  In that situation, having a DC separate from the cluster (on different hardware, for example) definitely simplifies things.

I think most network admins would consider you fortunate that you get to set this network up from the beginning.  Along those lines, I'm definitely in agreement with Jaihunt about documenting everything.  You (and the person who eventually takes over for you after you move on) will be glad you did.
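As an added example that is not part of the thread: the two rules in DrDave242's answer (a Hyper-V host carries no other role, and not every DC should live as a clustered VM) can be checked mechanically. This assumes Windows Server 2012 hosts named HV01 and HV02 with the Hyper-V module, ServerManager module and ActiveDirectory module available, and that each DC's VM name equals its computer name; all of those are assumptions for the example.

```powershell
# Added example (not from the original post): audit Hyper-V host roles and DC placement.
# Host names are assumed placeholders.
$hosts   = 'HV01', 'HV02'
$allowed = 'Hyper-V'          # the only Role that belongs on a Hyper-V host

# Rule 1: nothing but the Hyper-V role on a host
foreach ($h in $hosts) {
    $extra = Get-WindowsFeature -ComputerName $h |
             Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -ne $allowed }
    if ($extra) {
        Write-Warning ("{0} carries roles beyond Hyper-V: {1}" -f $h, ($extra.Name -join ', '))
    } else {
        Write-Host "$h runs only the Hyper-V role."
    }
}

# Rule 2: at least one DC must be reachable without the failover cluster.
# Assumption: a DC's VM name matches its computer name.
$dcs   = (Get-ADDomainController -Filter *).Name
$vms   = Get-VM -ComputerName $hosts
$dcVMs = $vms | Where-Object { $_.Name -in $dcs }

$outsideHosts  = $dcs   | Where-Object { $_ -notin $dcVMs.Name }      # physical or on other hardware
$unclusteredVM = $dcVMs | Where-Object { -not $_.IsClustered }        # VM, but not a cluster resource

if (-not $outsideHosts -and -not $unclusteredVM) {
    Write-Warning ("All DCs ({0}) are clustered VMs; if the cluster is down there is no DC " +
                   "to authenticate its start-up. Keep one DC outside the cluster.") -f ($dcs -join ', ')
} else {
    Write-Host ("DCs available independently of the cluster: {0}" -f
                (@($outsideHosts) + @($unclusteredVM.Name) -join ', '))
}
```

The second check only covers the hosts you list; a DC that is not a VM on those hosts is treated as independent of the cluster, which is exactly the configuration the answer recommends.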

Author Comment

ID: 39166441
Ok, great, that goes along the lines of what I was thinking. Thanks for the info about clustering DCs as well! Would it be possible to have one Server 2012 machine as the DC and then have it host 2 or 3 VMs? I may or may not have the budget for two servers.

LVL 26

Expert Comment

ID: 39166638
That's what I was referring to here:

Whatever you do, don't make the mistake of putting additional roles on a Hyper-V host; that's a bad idea all around (and can be a violation of the MS licensing agreement in some situations).
A Hyper-V host should run only that role; making it also a DC (or anything else) would be a bad idea.

If you've only got the budget for one physical server but need to run several different workloads (like a DC, SQL server, and file server, as you mentioned), my recommendation would be to purchase as powerful a server as your budget will allow and put Hyper-V on it, then run everything in VMs.  The host will be a single point of failure, but you can mitigate that somewhat with redundant hardware (RAID, redundant power supplies, teamed NICs, and that sort of thing).

Of course, don't forget backups.  In the event that it all goes wrong at some point, you're going to kick yourself hard if you don't have everything backed up (and your boss may want to get in on the kicking as well).  And don't use Hyper-V snapshots as backups; they aren't the same thing and will cause you problems if you try to use them as such.  (In fact, I'd say it's best to avoid snapshots entirely in a production environment.)

Author Comment

ID: 39166668
Ah, I see. I was thinking about other roles such as DNS, DHCP and File Services. I was thinking in terms of resource usage, and I didn't think a DC for a small network would take much from a Hyper-V role. I am used to working with vSphere; what good backup solutions are available for Hyper-V?
LVL 26

Expert Comment

ID: 39166739
You may laugh, but the only one I have any real experience with is the native Windows Server Backup utility.  New in 2012 is the ability to back up and restore individual VMs if you wish; previously, you could only back up and restore Hyper-V as a whole.  You also had to do a little bit of manual tweaking in previous versions before you could back up Hyper-V at all (specifically, you had to register the Hyper-V VSS writer with Windows Server Backup), but that's no longer necessary in 2012.

There are plenty of other backup utilities out there that support Hyper-V.  One of the main advantages of Windows Server Backup is that it's free.
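As an added example that is not part of the thread, covering both the backup advice above (checkpoints are not backups) and the per-VM backup that Windows Server Backup gained in 2012: the script below flags VMs that still carry checkpoints, then schedules a nightly Windows Server Backup of named VMs to a dedicated volume. It assumes it runs on the Server 2012 Hyper-V host with the Windows Server Backup feature installed; the VM names and the E: backup volume are assumed placeholders.

```powershell
# Added example (not from the original post): nightly per-VM backup with Windows Server
# Backup on Server 2012, plus a checkpoint audit. VM names and target volume are assumed.
Import-Module Hyper-V
Import-Module WindowsServerBackup

$protect = 'DC01', 'FS01', 'SQL01'   # VMs to back up (assumed names)
$target  = 'E:\'                     # dedicated backup volume (assumed)

# Checkpoints are not backups: a long-lived checkpoint is a growing differencing disk
# on the same storage as the VM. Report any VM that has one.
foreach ($vm in Get-VM) {
    $snaps = @(Get-VMSnapshot -VMName $vm.Name -ErrorAction SilentlyContinue)
    if ($snaps.Count -gt 0) {
        Write-Warning ("{0} has {1} checkpoint(s) (oldest {2:yyyy-MM-dd}); this is not a backup." -f
                       $vm.Name, $snaps.Count, ($snaps | Sort-Object CreationTime)[0].CreationTime)
    }
}

# Build the backup policy: only the VMs listed, backed up as a VSS full backup so
# application logs (for example SQL) are truncated correctly after the backup.
$policy = New-WBPolicy
$vms    = Get-WBVirtualMachine | Where-Object { $_.VMName -in $protect }
if (@($vms).Count -ne $protect.Count) {
    $missing = $protect | Where-Object { $_ -notin $vms.VMName }
    throw "VM(s) not found on this host: $($missing -join ', ')"
}
Add-WBVirtualMachine  -Policy $policy -VirtualMachine $vms
Add-WBBackupTarget    -Policy $policy -Target (New-WBBackupTarget -VolumePath $target)
Set-WBVssBackupOptions -Policy $policy -VssFullBackup
Set-WBSchedule        -Policy $policy -Schedule '01:00'

# Register the schedule (-Force skips the confirmation prompt) and show what was saved
Set-WBPolicy -Policy $policy -Force
Get-WBPolicy | Select-Object Schedule, @{n='VMs'; e={ $_.VirtualMachinesToBackup.VMName -join ', ' }}
```

The volume named in $target should be a disk used for nothing else, and the resulting backups should be copied off the host as well; a backup that sits only on the single physical server is lost with it.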

Author Closing Comment

ID: 39167131
Good insight on the Hyper-V role.
