Single 2008 R2 Server as a Domain Controller

I have a Small Business that needs a server. They have an application that requires Windows Server 2008.

Would you make the 2008 server a domain controller?

Tony Giangreco Commented:
Yes, if they need a server, creating a domain on a 2008 server is a great idea. That server would also be the domain controller (DC).

Frank McCourry, V.P. Holland Computers, Inc. Commented:
That depends on how many computers will connect to the server and your security needs.

I recommend that anything more than 4 computers use a domain controller.  Mostly so you can use group policy and manage security from a central location.  If all users will have full access to the application and all shares on the server, then a workgroup is fine.

Keep in mind that if the company is going to grow, so will their needs.  You may want to start them on a DC just to get them used to the idea.
Mike Kline Commented:
Do you know a lot about AD/DNS and setting that up?  That would be my only hesitation if you don't.

I'd also highly recommend two DCs if you go down that path.  If you run with a single DC and that goes down hard then you have a lot of work on your hands.



Cliff Galiher Commented:
I think I will be rather contrary to the opinions given so far and say probably not. But I figure that answer probably needs an explanation.

First, I consider the two things you brought up to be unrelated. Have a program that needs a server? Cool. Give them a server.

Does the company need a domain controller? Fine, give them a domain controller.

The two are unconnected. You give companies a domain controller when they have a need for it. That need may be centralized account management. Or it may be the desire to more strictly manage desktop computers (this is done via group policy). But therein lies the point. You don't introduce a DC *just* because you are introducing a server. You introduce a DC to solve a problem or provide a feature that the business wants or needs. Just introducing a DC for the act of introducing a DC can actually complicate things more than it helps, as illustrated by mkline71's comment about really running *two* DCs for redundancy.

So why do I say no? Two reasons:

1) If you wanted a DC, you'd know it. So making this new server a DC will just make life more complicated.  And...

2) Running a LOB app on a DC is *never* a good idea. So even if you have decided you want a DC, you'd be better served having one server be a DC and running this LOB that the small business wants on a second server. This separation for security is one significant reason virtualization has caught on. The idea of keeping roles separate is as old as the hills (in IT terms) but that used to mean underutilized servers, and multiples of physical servers, to keep to that good security practice. Virtualization solves those problems.

So no, given the limited information you posted, I'd say skip the DC for now. Solve the immediate business need with as little complication as possible. You can always introduce a DC later if need be, and evaluate what that'd take (upgrading Windows Home editions to Pro, training users on domain sign-in, etc.)

There are a lot of good reasons to have a domain, but that change shouldn't be done while also introducing another change such as a new LOB. Most non-IT folks have a limited tolerance for change, and this would be too much at once.

To be honest, @Cliff, given your answer.
If you have multiple users who keep exchanging the computers, if you are going to host your own email (Exchange server), if you wanna control the privileges of shared locations, then you may consider having a DC.
If you still wanna have a DC, keep it as a DC only! IMO the most common mistake for very small environments is having a 2nd or more DCs. For 10 users, having 2 DCs will give you much more pain and management risk. Instead of having a 2nd DC, having a daily full image backup would be more logical. Scenarios with more than 1 DC are essential for large networks, not for 1- or 3-room offices!
You would need to make sure that all of the computers are running "pro" versions of Windows if you want them to take advantage of A/D. My experience with the small shops is that many go to their local box retailer and purchase whatever is a decent price, which usually means home edition.
Tony Giangreco Commented:
Did you complete the install of the Domain Controller?