Multi-Role Domain Controllers for Small Offices (< 50 clients)

Warning: I'm a Linux/*NIX admin so this is all new to me.

I understand that it's not considered a good idea to have only a single domain controller, and that it is also probably a good idea for a domain controller to only do AD/DHCP/DNS (Here). We have two offices, location A with 30 users and location B with 10 users. Our two offices are separated by a WAN that is not particularly robust, so I have been instructed that we need to have standalone services in each office. This means that according to "best practices" we will need to build a domain controller and a separate file server in each office. Again, I am not knowledgeable in the ways of Windows, but this seems a little unnecessary for an organization of 40 users.

People have commented that I could "get away with" running file services on the domain controller as long as the "load is light". That just seems to generate more questions than it answers.

  1. What constitutes light load?
  2. What are the potential consequences of mixing these roles?

Ideally I would prefer to only have one physical machine at each location. The one in location A (the location with IT staff) can act as the primary domain controller and the one in the smaller office can act as the backup domain controller. If either domain controller fails we can still use the other one for authentication (albeit with some latency), and if the WAN connection fails each office still has access to their respective "local" domain controller. If the file services are ALSO run on each server (and synchronized with something like DFS), a similar arrangement in terms of redundancy can be had without having to purchase, build and install two additional separate servers. It's not that I'm averse to that (well, any more averse than I am to the whole thing to begin with), but to my simple mind it just seems, well, a bit overkill. I can definitely see the benefits of functional separation when we're talking larger organizations, but I need to consider the additional overhead too.

None of this excludes having a DRP setup for the domain controller/s. I assume you can lose two domain controllers just as easily as one.

EDIT: The answers I have gotten are really quite good but I would like a look at the other side of the coin if that is possible. What could potentially go wrong by mixing the roles? What am I risking with this kind of setup that I'm not risking with each controller doing Active Directory and only Active Directory?


Solution 1:

The 'Must be up' constraint does strongly indicate that a DC needs to be in the second site. Unfortunately. In order to better handle 'net outages and conserve bandwidth, an AD Site needs to be declared in each location and a DC at each.

Also, Microsoft sells their Small Business Server which is a kind of all-in-one machine. DC, Exchange, files. One machine. I don't remember the size of office they pitch it at, but you're pretty close to that size. So...

What constitutes light load?

Considering you have a domain with 40 users, you're probably not going to be incurring a lot of domain-sync related load on your DC machines. This leaves more overhead for file-and-print serving. Happily, file-and-print (file, more than print) is a relatively lightweight service for an office of only 10. So long as the machine is sufficiently server-class and modern, I would run both DC and File roles without a second thought.

Disclaimer: I'm a big-shop admin, and we have smaller-shop admins who frequent here. I may be off base :)
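Declaring an AD Site per location with a DC in each, as Solution 1 recommends, as an added PowerShell example that is not part of the original answer; it assumes the ActiveDirectory module on a DC, and the site names, subnets and DC hostnames are placeholders.

```powershell
# Added example, not from the original answers. Assumes the ActiveDirectory
# module is available; site names, subnets and DC names below are placeholders.
Import-Module ActiveDirectory

# Assumed values: replace with the real subnets and DC hostnames.
$sites = @{
    'Office-A' = @{ Subnet = '10.1.0.0/24'; DC = 'DC-A' }
    'Office-B' = @{ Subnet = '10.2.0.0/24'; DC = 'DC-B' }
}

# One site and one subnet object per location, created only if missing.
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    $subnet = $sites[$name].Subnet
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $name
    }
}

# A single site link over the WAN. A high cost and a long interval keep
# replication traffic off the unreliable link as much as possible.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'A-to-B'")) {
    New-ADReplicationSiteLink -Name 'A-to-B' -SitesIncluded 'Office-A','Office-B' `
        -Cost 100 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
}

# Move each DC into its own site so clients in that subnet bind to the
# local DC instead of crossing the WAN for authentication.
foreach ($name in $sites.Keys) {
    Move-ADDirectoryServer -Identity $sites[$name].DC -Site $name
}

# Check the result: every DC should now report its own site.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```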

Solution 2:

About the only real risk here is that you complicate things - problems with the AD side of things could potentially impact on the file server side (or vice versa) in unexpected ways. This isn't to be underestimated, but neither is it the end of the world. Even this can be mitigated against by using virtualisation to run two virtual servers on one box to keep roles separate - of course there's a cost to that too in terms of complexity, but nothing is free in this world.

You're absolutely right that ideally people would only run AD and related roles on a domain controller, but lots of people in the 'real world' add other roles, and most of those people at the 'small business/branch office' end of things do so without too many problems.

You have to be practical after all - Microsoft even have a product that is designed to share lots of roles specifically aimed at small businesses.