Single 2008 R2 Server as a Domain Controller

Posted on 2013-09-17
Medium Priority
Last Modified: 2013-12-02
I have a Small Business that needs a server. They have an application that requires Windows Server 2008.

Would you make the 2008 server a domain controller?
Question by:howmad2

Accepted Solution

Tony Giangreco earned 1500 total points
ID: 39499410
Yes, if they need a server, creating a domain on a 2008 server is a great idea. That server would also be the domain controller (DC).

Expert Comment

by:Frank McCourry
ID: 39499413
That depends on how many computers will connect to the server and your security needs.

I recommend that anything more than 4 computers use a domain controller.  Mostly so you can use group policy and manage security from a central location.  If all users will have full access to the application and all shares on the server, then a workgroup is fine.

Keep in mind that if the company is going to grow, so will their needs.  You may want to start them on a DC just to get them used to the idea.

Expert Comment

by:Mike Kline
ID: 39499480
Do you know a lot about AD/DNS and setting that up?  That would be my only hesitation if you don't.

I'd also highly recommend two DCs if you go down that path.  If you run with a single DC and that goes down hard then you have a lot of work on your hands.




Expert Comment

by:Cliff Galiher
ID: 39499525
I think I will be rather contrary to the opinions given so far and say probably not. But I figure that answer probably needs an explanation.

First, I consider the two things you brought up to be unrelated. Have a program that needs a server? Cool. Give them a server.

Does the company need a domain controller? Fine, give them a domain controller.

The two are unconnected. You give companies a domain controller when they have a need for it. That need may be centralized account management. Or it may be the desire to more strictly manage desktop computers (this is done via group policy). But therein lies the point. You don't introduce a DC *just* because you are introducing a server. You introduce a DC to solve a problem or provide a feature that the business wants or needs. Just introducing a DC for the act of introducing a DC can actually complicate things more than it helps. As illustrated by mkline71's comment about really running *two* DCs for redundancy.

So why do I say no? Two reasons:

1) If you wanted a DC, you'd know it. So making this new server a DC will just make life more complicated.  And...

2) Running a LOB app on a DC is *never* a good idea. So even if you have decided you want a DC, you'd be better served having one server be a DC and running this LOB that the small business wants on a second server. This separation for security is one significant reason virtualization has caught on. The idea of keeping roles separate is as old as the hills (in IT terms) but that used to mean underutilized servers, and multiples of physical servers, to keep to that good security practice. Virtualization solves those problems.

So no, given the limited information you posted, I'd say skip the DC for now. Solve the immediate business need with as little complication as possible. You can always introduce a DC later if need be, and evaluate what that'd take (upgrading Windows Home editions to Pro, training users on domain sign-in, etc.)

There are a lot of good reasons to have a domain, but that change shouldn't be done while also introducing another change such as a new LOB. Most non-IT folks have a limited tolerance for change, and this would be too much at once.


Expert Comment

ID: 39500510
To be honest @Cliff given your answer.
If you have multiple users who keep exchanging the computers, if you are going to host your own email (Exchange server), if you wanna control the privileges of shared locations, then you may consider having a DC.
If you still wanna have a DC, keep it as a DC only! IMO the most common mistake for very small environments is having a 2nd or more DCs. For 10 users, having 2 DCs will give you much more pain and management risk. Instead of having a 2nd DC, having a daily full image backup would be more logical. Scenarios with more than 1 DC are essential for large networks, not for 1- or 3-room offices!

Expert Comment

ID: 39503563
You would need to make sure that all of the computers are running "Pro" versions of Windows if you want them to take advantage of A/D. My experience with the small shops is that many go to their local box retailer and purchase whatever is a decent price, which usually means Home edition.

Expert Comment

by:Tony Giangreco
ID: 39510333
Did you complete the install of the Domain Controller?
