Keep 'Em Separated
Eleven of 11 admins agree that auditors don't know jack about DCs.
- By Bill Boswell
I received over two dozen replies to my
column concerning the auditors who gigged an administrator for
wasting money by not putting applications and file sharing on his domain
controllers. Thanks to all of you who responded for taking the time to
send thoughtful replies.
The sentiment was 100 percent in favor of my contention that separating
DCs from other functions makes sense both from a security and logistical
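The case for separation is easy to turn into a routine check. The script below is an added example, not the column's own material or anything a reader sent in: it asks every domain controller in the domain which server roles, SMB shares and tell-tale services it carries beyond what a DC needs, and flags the ones doing double duty. It assumes the RSAT ActiveDirectory module on the machine running it, PowerShell remoting to each DC, and Windows Server 2012 or later on the DCs (for Get-WindowsFeature and Get-SmbShare); the "expected" role and share lists are this example's assumptions and should be adjusted to your own baseline.

```powershell
# Added example (not from the column): report domain controllers that host
# roles, shares or services beyond what a DC needs.
# Assumptions: RSAT ActiveDirectory module locally, PowerShell remoting to
# each DC, Windows Server 2012+ on the DCs. The baseline lists are assumptions.
Import-Module ActiveDirectory

# Roles a dedicated DC legitimately carries (assumed baseline).
$expectedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')
# Shares every DC publishes by design; administrative drive shares (C$, D$ ...)
# are matched separately by pattern.
$builtinShares = @('ADMIN$', 'IPC$', 'NETLOGON', 'SYSVOL')

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $dcName = $dc.HostName
    try {
        $facts = Invoke-Command -ComputerName $dcName -ErrorAction Stop -ScriptBlock {
            [pscustomobject]@{
                # Installed top-level roles only; role services and features are skipped.
                Roles    = @(Get-WindowsFeature |
                             Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
                             Select-Object -ExpandProperty Name)
                Shares   = @(Get-SmbShare | Select-Object -ExpandProperty Name)
                # Any MSExchange* service means Exchange was loaded on the DC.
                Exchange = (@(Get-Service -Name 'MSExchange*' -ErrorAction SilentlyContinue).Count -gt 0)
                # A running spooler means print queues can be hosted here.
                Spooler  = ((Get-Service -Name Spooler -ErrorAction SilentlyContinue).Status -eq 'Running')
            }
        }
    } catch {
        Write-Warning "Could not query ${dcName}: $_"
        continue
    }

    $extraRoles  = @($facts.Roles  | Where-Object { $_ -notin $expectedRoles })
    $extraShares = @($facts.Shares | Where-Object {
                        ($_ -notin $builtinShares) -and ($_ -notmatch '^[A-Za-z]\$$') })

    [pscustomobject]@{
        DomainController  = $dcName
        ExtraRoles        = ($extraRoles  -join ', ')
        ExtraShares       = ($extraShares -join ', ')
        ExchangeInstalled = $facts.Exchange
        SpoolerRunning    = $facts.Spooler
        # True only when nothing beyond the DC baseline was found.
        Dedicated         = ($extraRoles.Count -eq 0 -and $extraShares.Count -eq 0 -and
                             -not $facts.Exchange -and -not $facts.Spooler)
    }
}

# DCs that are not dedicated sort to the top.
$report | Sort-Object Dedicated | Format-Table -AutoSize
```

Run it from an administrative workstation under an account that can query the DCs; any row with Dedicated set to False is a server where authentication shares a box with something that can take it down.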
"I wholeheartedly agree with you," writes Dion. "Several
months ago, I cautioned our company on loading Exchange 2000 on DCs being
used as GCs for voice mail storage as well as e-mail storage. My recommendation
was dismissed as 'not cost effective.' Recently, several of these servers'
mail services stopped functioning due to not being able to access the
global catalog. Reboots resolved each issue but the cost of customer satisfaction
was staggering. Now I do believe that certain appliances can co-exist
together but the DCs should remain hands-off."
Armando adds, "I live in Venezuela where there is not such a diversity,
complexity and volume of hardware and software solutions like developed
countries. But even then, Microsoft solutions are not mainframes, so it's
better having several servers (cost effective if they are cheap without
unnecessary sophistications) and not a few machines with many services
and software servers and applications installed."
Help from Bill
Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:[email protected];
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)
Wes insists that even governments with small budgets should have a dividing
line. "I work in a county government IT shop, which is relatively
small; we wouldn't begin to think of running other applications on our
Matthew admits that money is an issue. "In our organization, some
of the remote site file servers do double as DCs, but from a design perspective,
I agree with your analysis. As a matter of fact, I may make a budget item
for 2006 to put in the low-cost DCs at the sites where they are doing
double-duty now. Budget has been a primary factor in our decisions."
Ken, Marc, and Al see the opportunity to use some different technologies.
Quoting Marc, "A flip on this is the use of virtual machines. If
you have a couple of DCs that may only be running very low utilization,
this might be a good candidate for such if having a separate box is an
issue. Of course you have to worry about the host OS, but the recovery
of a virtual image is unbelievably fast. There are many ways to design
this to ensure the most uptime though."
An anonymous writer echoes the frustration expressed by many of the respondents
about auditors in general. "Auditors engaged by upper management
have to justify their cost by pointing out 'waste' in areas they know
little about, typically Information Technology. Any work-for-hire final
report must be taken with a few grains of salt as consultants/auditors
spend a few days to a few weeks doing a superficial analysis of a company's
products/procedures/structures and finally tailoring their report to please
the exec who pays the fees!"
Scott noted that avoiding potentially résumé-altering experiences
is another good reason for keeping domain controllers separate. "I
would be terribly embarrassed if my network authentication suddenly went
south because a whacky print job hit a queue or a user decided to make
his HOME directory the sharepoint for Morpheus. Nope, a domain controller
is an island unto itself."
Dale is preparing for a retro experience with regard to domain controllers.
"We'd already completed our Windows 2003 migration and now we've
been purchased. We're integrating with a company who has a dozen or so
NT domains and a Novell structure that they're just now starting to migrate
into a Win2000 AD. To paraphrase James Doohan (Scotty) from Star Trek:
The Voyage Home: 'Windows 2000? How quaint!'"
And finally, although Jeremy agrees with having separate DCs, he grouses
about the additional dollars for the licenses. "My company is just
too small to afford more servers and copies of Windows Server editions.
If Microsoft really wants us to have one app per server, they should change
the licensing fees so that you only buy a license that will accommodate
the functions of the box you load it onto."
Do I hear an amen?
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.