Solved

Brand New Active Directory Domain Best Practices

Posted on 2013-05-13
7
418 Views
Last Modified: 2013-05-14
Hello, this is more of a general question, but I am tasked with setting up a network that has never had a domain or central networking of any kind. They've been on a workgroup for quite a while. My plan is to start small. This isn't a very big deployment, and I was thinking of doing it as follows. Two hyper V servers with VMs for the Domain Controller/DNS/DHCP/File Services. One VM for the internal MIS system (SQL and ASP.NET host), and one VM for an SFTP server. Any best practices to use when setting up a brand new network, I've really only administered existing networks before. Thanks!
0
Comment
Question by:indigo6
  • 3
  • 3
7 Comments
 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 100 total points
Comment Utility
Hi

Install DC in a physical machine and  add the other server as member server of the domain and install Hyper-V then create VM's for DHCP/File(or you can keep it in DC it self)  and SQL and ASP.net also one more Virtual DC. Document everything what you are doing. Like naming the server and IP address, accounts. If you install DC in physical and after that a member server hyper V means you can manage everything from the domain also your domain stays safely in physical machine.

Thanks
Jai
0
 
LVL 25

Accepted Solution

by:
DrDave242 earned 400 total points
Comment Utility
Install DC in a physical machine
I'm on the fence about this.  Normally I agree with having at least one physical DC, but whether you should do this depends on how many physical servers you've got available.  You mentioned two, and if that's all you have, dedicating one to the DC role won't be very efficient.  Not that the server can't do other things too, but some roles really don't belong on a DC (Exchange, for example, or Remote Desktop Session Host).  Depending on the specs of that server, it may be better to make it a second Hyper-V host and put your second DC in a VM.  Whatever you do, don't make the mistake of putting additional roles on a Hyper-V host; that's a bad idea all around (and can be a violation of the MS licensing agreement in some situations).

If you choose to make both servers Hyper-V hosts, you have the option of clustering them so that all of your VMs will remain up and running in the event of a hardware failure on one of the hosts.  There are some additional things to consider when setting up a failover cluster, including the fact that if you've got all of your DCs in clustered VMs and the cluster goes down for some reason, you end up with a catch-22 in which you can't start the cluster because it can't find a running DC, and you can't start a DC because they're all in the cluster.  There is a way around that (you have to remove a DC from the cluster, get it running, then start the cluster), but it takes extra work.  In that situation, having a DC separate from the cluster (on different hardware, for example) definitely simplifies things.

I think most network admins would consider you fortunate that you get to set this network up from the beginning.  Along those lines, I'm definitely in agreement with Jaihunt about documenting everything.  You (and the person who eventually takes over for you after you move on) will be glad you did.
0
 

Author Comment

by:indigo6
Comment Utility
Ok, great, that goes along the lines of what I was thinking. Thanks for the info about clustering DCs as well! Would it be possible to have one server 2012 machine as the DC and then have it host 2 or 3 VMs? I may or may not have the budget for two servers.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 25

Expert Comment

by:DrDave242
Comment Utility
That's what I was referring to here:

Whatever you do, don't make the mistake of putting additional roles on a Hyper-V host; that's a bad idea all around (and can be a violation of the MS licensing agreement in some situations).
A Hyper-V host should run only that role; making it also a DC (or anything else) would be a bad idea.

If you've only got the budget for one physical server but need to run several different workloads (like a DC, SQL server, and file server, as you mentioned), my recommendation would be to purchase as powerful a server as your budget will allow and put Hyper-V on it, then run everything in VMs.  The host will be a single point of failure, but you can mitigate that somewhat with redundant hardware (RAID, redundant power supplies, teamed NICs, and that sort of thing).

Of course, don't forget backups.  In the event that it all goes wrong at some point, you're going to kick yourself hard if you don't have everything backed up (and your boss may want to get in on the kicking as well).  And don't use Hyper-V snapshots as backups; they aren't the same thing and will cause you problems if you try to use them as such.  (In fact, I'd say it's best to avoid snapshots entirely in a production environment.)
0
 

Author Comment

by:indigo6
Comment Utility
Ah, I see. I was thinking about other roles such as DNS DHCP and File Services. I was thinking in terms of resource usage, and I didn't think a DC for a small network would take much from a Hyper V role. I am used to working with vSphere, what good backup solutions are available for Hyper V?
0
 
LVL 25

Expert Comment

by:DrDave242
Comment Utility
You may laugh, but the only one I have any real experience with is the native Windows Server Backup utility.  New in 2012 is the ability to back up and restore individual VMs if you wish; previously, you could only back up and restore Hyper-V as a whole.  You also had to do a little bit of manual tweaking in previous versions before you could back up Hyper-V at all (specifically, you had to register the Hyper-V VSS writer with Windows Server Backup), but that's no longer necessary in 2012.

There are plenty of other backup utilities out there that support Hyper-V.  One of the main advantages of Windows Server Backup is that it's free.
0
 

Author Closing Comment

by:indigo6
Comment Utility
Good insight on the hyper v role
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now