Boswell's Q&A

Keep 'Em Separated

Eleven of 11 admins agree that auditors don't know jack about DCs.

I received over two dozen replies to my column concerning the auditors who gigged an administrator for wasting money by not putting applications and file sharing on his domain controllers. Thanks to all of you who responded for taking the time to send thoughtful replies.

The sentiment was 100 percent in favor of my contention that separating DCs from other functions makes sense from both a security and a logistical perspective.

"I wholeheartedly agree with you," writes Dion. "Several months ago, I cautioned our company on loading Exchange 2000 on DCs being used as GCs for voice mail storage as well as e-mail storage. My recommendation was dismissed as 'not cost effective.' Recently, several of these servers' mail services stopped functioning due to not being able to access the global catalog. Reboots resolved each issue but the cost of customer satisfaction was staggering. Now I do believe that certain appliances can co-exist together but the DCs should remain hands-off."

Armando adds, "I live in Venezuela where there is not such a diversity, complexity and volume of hardware and software solutions like developed countries. But even then, Microsoft solutions are not mainframes, so it's better having several servers (cost effective if they are cheap without unnecessary sophistications) and not a few machines with many services and software servers and applications installed."

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

Wes insists that even governments with small budgets should have a dividing line. "I work in a county government IT shop, which is relatively small; we wouldn't begin to think of running other applications on our domain controllers."

Matthew admits that money is an issue. "In our organization, some of the remote site file servers do double as DCs, but from a design perspective, I agree with your analysis. As a matter of fact, I may make a budget item for 2006 to put in the low-cost DCs at the sites where they are doing double-duty now. Budget has been a primary factor in our decisions."

Ken, Marc, and Al see the opportunity to use some different technologies. Quoting Marc, "A flip on this is the use of virtual machines. If you have a couple of DCs that may only be running very low utilization, this might be a good candidate for such if having a separate box is an issue. Of course you have to worry about the host OS, but the recovery of a virtual image is unbelievably fast. There are many ways to design this to ensure the most uptime though."

An anonymous writer echoes the frustration expressed by many of the respondents about auditors in general. "Auditors engaged by upper management have to justify their cost by pointing out 'waste' in areas they know little about, typically Information Technology. Any work-for-hire final report must be taken with a few grains of salt as consultants/auditors spend a few days to a few weeks doing a superficial analysis of a company's products/procedures/structures and finally tailoring their report to please the exec who pays the fees!"

Scott noted that avoiding potentially résumé-altering experiences is another good reason for keeping domain controllers separate. "I would be terribly embarrassed if my network authentication suddenly went south because a whacky print job hit a queue or a user decided to make his HOME directory the sharepoint for Morpheus. Nope, a domain controller is an island unto itself."

Dale is preparing for a retro experience with regard to domain controllers. "We'd already completed our Windows 2003 migration and now we've been purchased. We're integrating with a company who has a dozen or so NT domains and a Novell structure that they're just now starting to migrate into a Win2000 AD. To paraphrase James Doohan (Scotty) from Star Trek: The Voyage Home: 'Windows 2000? How quaint!'"

And finally, although Jeremy agrees with having separate DCs, he grouses about the additional dollars for the licenses. "My company is just too small to afford more servers and copies of Windows Server editions. If Microsoft really wants us to have one app per server, they should change the licensing fees so that you only buy a license that will accommodate the functions of the box you load it onto."

Do I hear an amen?

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
