Windows: Can domain controllers also serve other functions?

Solution 1:

You can and it works. I have about 40 branch offices and - for political reasons - a management decision was made to give each a full server infrastructure. For financial reasons it was a single-server environment in each, so it's all DC/File/Exchange (this was in the Windows 2000 days).

However, management of it is a nightmare, and my preferred rule is "a DC is a DC and nothing else goes on it". These are your most important servers, and if your AD goes funny you will have a horrible time getting it back right. If you can, give yourself the best chance of avoiding this by having dedicated DC roles. If you can't, beg, scream, whimper, bribe, threaten, prophesy, or whatever it takes to put yourself in a position where you can.

Solution 2:

Multi-Role Domain controllers are pretty common. Although, most roles they perform are network infrastructure roles. Good examples are File Servers, DHCP and DNS. They are poor choices for things like Terminal servers (Users do not have rights to log into a Domain Controller and giving them said rights requires Domain Admins), Web Application Servers, Line of Business App Servers, Firewall/Proxy/ISA servers, etc.

In my environments, I prefer to have all internal DNS Servers running on Domain Controllers as well as my DHCP services. This seems to be a good mix of roles on the DCs to reduce cost and make the best use of the hardware possible.
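As an added example (not code from any of the answers above), a PowerShell inventory that lists the server roles installed on every domain controller and flags anything outside an allow-list of infrastructure roles. The allow-list itself is an assumption chosen to match the mix Solution 2 considers acceptable (directory, DNS, DHCP, file services); the role names are those reported by Get-WindowsFeature on Windows Server 2008 R2 and later, and the script assumes the RSAT ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example: audit which roles each DC carries and flag anything beyond
# the infrastructure roles the answer above treats as an acceptable mix.
# The allow-list is an assumption; adjust it to your own standard.
Import-Module ActiveDirectory

# Role names as reported by Get-WindowsFeature (FeatureType 'Role').
# 'File-Services' is the 2008 R2 name, 'FileAndStorage-Services' the 2012+ name.
$allowedRoles = @('AD-Domain-Services', 'DNS', 'DHCP',
                  'File-Services', 'FileAndStorage-Services')

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Run the inventory on the DC itself; only installed top-level roles matter here.
        $installed = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Import-Module ServerManager
            Get-WindowsFeature |
                Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
                Select-Object -ExpandProperty Name
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
        continue
    }

    # Anything not on the allow-list is a role that probably belongs on another box.
    $extra = @($installed | Where-Object { $allowedRoles -notcontains $_ })

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        InstalledRoles   = ($installed -join ', ')
        UnexpectedRoles  = ($extra -join ', ')
        NeedsReview      = ($extra.Count -gt 0)
    }
}

# DCs carrying roles beyond the agreed list are listed first so they get reviewed.
$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Run it from an elevated session with an account that can query the DCs; a non-empty UnexpectedRoles column is the list of services to plan to move off that DC.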

Solution 3:

  • Is it OK to use servers filling other roles as domain controllers?

"You can even cut a tin can with it, but you wouldn't want to!" - Mr. Popeil, lyrics Weird Al Yankovic

I guess the question is: do you want to? Sure, you can turn your domain controller into a file and print server, or a SQL Server box, or any number of other functions. But there's a downside to this, a price to pay in the form of degraded functionality on that box. If you have very few users (say under 25-50), or you are squeezed by budget constraints and you need to make this an "all in one" box, you could get away with doing so. But there are performance issues, security issues, and even the potential for incompatibilities between services. Doing "all in one" boxes is a function of evil budgets set forth by keepers-of-the-pursestrings that don't understand the price they'll pay.

If you can afford it, put the domain controller on a separate box. Heck, if at all possible, get a cheap yet server-grade box, probably a department-level box, and put your DC services on that; then get a twin of that box, and put DC services on that as well. This is the model that Windows would like you to have, and you really, really should have at least two domain controllers for each domain.

Buy the beefier boxes for those services that are used most - databases, email, file & print, etc. These are the "everyday" boxes that users see regularly; the domain controllers are best left rubber-stamping user credentials across the domain.

  • What things should be considered in determining whether to "dual-purpose" a server?

Can you get away with degraded levels of performance? Will there be an incompatibility between the service you're installing, and any other services that may run? Will it interfere with AD authentication?

  • Does the domain controller role change how Windows operates the file system or on the hardware?

No. But it will increase its workload. And if you integrate other non-Windows functions (say, using a PAM stack to authenticate a Linux box via Kerberos as part of an IMAP service) then expect that workload to increase.

  • Are there differences between versions of Windows Server?

Each release increases the number of features, although it's safe to say that you want at least Windows 2000 if not better. Most folks are on Windows 2003 (and cousins), which includes enhancements to file services, volume shadow copy, etc. 2008 provides even more enhancements.