DNS on DC or member server?

  • DNS on DC or member server?

    Evening all.

    A colleague of mine is planning on a total flatten and reinstall of the system at his workplace over the holiday, and we are currently planning on the best strategy.

    There are 12 servers to play with, all but one of which are hefty beasts - twin Xeon quads with 8 or 16 GB each. The other is an older machine - a single dual core Xeon with 2 GB.

    We are generally agreed that certain services should be installed onto member servers rather than DCs - particularly WAN-facing machines like the gateway and Exchange servers. However, we differ in opinion over 'core' services such as DNS (without which AD can't function) and DHCP (can do without, but still pretty important).

    My colleague wants to set up one server as the DC, and run DNS on a member server. His planned setup looks a bit like this:

    1 - DC
    2 - DNS
    3 - DHCP
    4 - WINS
    5 - WSUS
    6 - Exchange
    7 - File
    8 - Apps
    9 - SharePoint
    10 - ISA
    11 - SQL
    12 - Print (the old low-spec box)

    I on the other hand would usually opt to install DNS and DHCP on the domain controllers - my plan looks more like this:

    1 - DC, DNS, DHCP
    2 - DC, DNS, WINS
    3 - WSUS
    4 - Exchange
    5 - File, Print
    6 - SharePoint
    7 - ISA
    8 - SQL
    9 - Apps
    10
    11
    12

    Now I am all in favour of separating services out onto different machines, but I can't help think that running DNS on a member server is asking for trouble. Sure, if you *never* reboot the servers, then it could work out fine. But if you do reboot, which do you boot up first?

    Switch the DC on first, then it complains that there's no DNS. But the DNS server comes up fine, gets group policies applied, etc.

    Switch the DNS server on first, then it complains that there's no domain controllers. But the DC comes up fine.

    Put simply, I see little logic in my colleague's suggested plan. Plus, my design requires 3 fewer servers (maybe even fewer if certain servers are virtualised), would allow the older machine to be decommissioned and would leave 2+ servers 'spare' for expansion or to cover him against a server failure. Or the older server could run WSUS, leaving yet another more powerful server free.

    So what I'm wondering is, is there any advantage you can think of to running DNS on a member server rather than on a DC?

    Edit: Little more detail:

    - Every server will run Server 2003 R2 x64 Standard
    - Exchange is 03 Standard
    - SharePoint is 2003
    - ISA is 2006 Standard
    - SQL is 2005 Standard
    - 'Apps' includes licence servers for various applications, NOD32 console, etc etc - it is not a terminal server
    - 10 of the newer servers have a 160GB RAID 1 array for the OS and a terabyte RAID 5 array for data, on a single RAID controller, five have an LTO3 tape drive.
    - The other newer server has the same, with an additional terabyte RAID 5 array on a separate controller (this will be the SQL server), this also has an LTO3 tape drive.
    - The older server has a single 500GB RAID 5 array.
    Last edited by gforceindustries; 7th December 2008, 03:43.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

  • #2
    Re: DNS on DC or member server?

    I agree with your plan (for too many reasons to list) with one exception:

    I would put WINS on both DC's in order to provide fault tolerance and name resolution without relying on just one DC for WINS.



    • #3
      Re: DNS on DC or member server?

      Yes, that's a good point. I'd rather set up DHCP on a single server to begin with though, or if it is installed on 2 machines, to only authorise it on one.

      Anyone else think my colleague is an absolute <pick an appropriate word> for being allowed to spend that much on servers? He's only supporting 120 users

      Originally posted by joeqwerty:
      for too many reasons to list
      Ah go on, it'll pass the time reading them while I wait for the servers I'm working on to do their thing (spending this weekend at another colleague's site - 7 servers, starting from scratch, with a requirement to be up and running by 8:30 Monday morning).
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



      • #4
        Re: DNS on DC or member server?

        I didn't mean to imply that DHCP should be on both DC's, only DNS and WINS. As for the list, here it is:

        1. You're a genius
        2. I'm a genius, which explains why we both agree on your plan
        3. Anyone who disagrees with your plan is not a genius

        LOL



        • #5
          Re: DNS on DC or member server?

          Originally posted by joeqwerty:
          I didn't mean to imply that DHCP should be on both DC's
          I realise. There are arguments for and against, of course.

          Originally posted by joeqwerty:
          As for the list, here it is:

          1. You're a genius
          2. I'm a genius, which explains why we both agree on your plan
          3. Anyone who disagrees with your plan is not a genius
          Yeah that's a pretty good list
          Gareth Howells




          • #6
            Re: DNS on DC or member server?

            Have to say I would agree with your plan too.
            If nothing else, the other plan only has 1 DC!

            Only DNS servers that run on domain controllers can load Active Directory–integrated zones.

            I would chuck DC, WINS, DNS and DHCP on both DCs too at that spec without issue!

            http://www.microsoft.com/technet/pro....mspx?mfr=true
            cheers
            Andy

            Please read this before you post:


            Quis custodiet ipsos custodes?



            • #7
              Re: DNS on DC or member server?

              Originally posted by AndyJG247:
              Only DNS servers that run on domain controllers can load Active Directory–integrated zones.
              Did not know that... that could have been a major error. Thanks for the heads up.

              Originally posted by AndyJG247:
              Only DNS servers that run on domain controllers can load Active Directory–integrated zones.

              I would chuck DC, WINS, DNS and DHCP on both DCs too at that spec without issue!
              I think at that spec we could chuck quite a bit on these machines (they're lovely beasts). Would you agree with only authorising one of the DHCP servers to begin with? Can easily restore the config from a backup if necessary onto the backup server, if it's even necessary to do that.
              Gareth Howells




              • #8
                Re: DNS on DC or member server?

                I would split the scope between the two, that way you get resilience
                cheers
                Andy




                • #9
                  Re: DNS on DC or member server?

                  I'd go with all critical roles mirrored on both DCs as well, i.e. DC, DNS, DHCP, WINS. Split the DHCP scope on the 80/20 rule or something similar for some fault tolerance. Running single servers or running DCs without DNS is just asking for trouble IME. And as you've got some extra servers, you've got a degree of future proofing if another DC is required or you need a WDS server or anything else.

                  12 servers for 120 users? If he's got that sort of budget can you give me his name so we can sell him some stuff?
                  BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                  Cruachan's Blog



                  • #10
                    Re: DNS on DC or member server?

                    WDS would go on the Apps server in his plan, I neglected to include that one in my summary before.

                    Yup, 12 servers. Absolute git. I'm supporting 50 users with 2 servers here.

                    Ah well. Set myself up a new lab last week to try something out, and may have gone a bit overboard... 23 servers.

                    Because I can.

                    ESXi is a geeky lifesaver sometimes.

                    I know, my coworkers already tell me I need to get out more. Even the ones in IT
                    Gareth Howells




                    • #11
                      Re: DNS on DC or member server?

                      I have to agree with the second setup.
                      First of all, 2 DC's which gives you some fault tolerance.
                      DNS can be AD integrated which is more secure.

                      WSUS and SharePoint might be consolidated on the same server. There is enough power on the new servers.
                      If I were to design this network, then my recommendation about DC's would look like this:
                      DC, DNS, WINS, DHCP
                      DC, DNS, WINS, DHCP
                      Marcel
                      Technical Consultant
                      Netherlands
                      http://www.phetios.com
                      http://blog.nessus.nl

                      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                      "No matter how secure, there is always the human factor."

                      "Enjoy life today, tomorrow may never come."
                      "If you're going through hell, keep going. ~Winston Churchill"



                      • #12
                        Re: DNS on DC or member server?

                        Would you split the DHCP scope between the two servers, or only authorise one leaving the other as a backup? I should probably point out that my colleague and I are both in favour of reserving IP addresses in DHCP for pretty much everything on the network.

                        What I don't quite get is how splitting the DHCP scope 'works' - it is my understanding that a machine broadcasts a request which is serviced by the first DHCP server that sees it... or more realistically, the client accepts an address from the first server to respond. If Client1 requests an IP, and has a reservation defined on ServerA, it is quite possible that ServerB will respond instead - the client would therefore be assigned the wrong address.
                        Gareth Howells




                        • #13
                          Re: DNS on DC or member server?

                          IMHO I would go for "split scope" where if one server fails, requests are still granted without any action by the admin.

                          As you say, the first server to answer gives out the IP, so you divide your scope between the two, either "80/20" or "50/50"
                          e.g. (50/50 split)
                          Server A: 192.168.1.1-128
                          Server B: 192.168.1.129-254

                          (OK, should have excluded some for routers, printers, servers etc, but you get the idea)
                          At the end of the day, the client gets an IP in the correct range, but it could come from either server

                          Having an "unauthorised" DHCP server means you must authorise the second server before it grants leases -- normally one of the first signs of a problem is that users cannot get a lease
                          Tom Jones
                          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                          PhD, MSc, FIAP, MIITT
                          IT Trainer / Consultant
                          Ossian Ltd
                          Scotland

                          ** Remember to give credit where credit is due and leave reputation points where appropriate **



                          • #14
                            Re: DNS on DC or member server?

                            How would you ensure that machines get the IP address they have reserved for them though? You could add the reservation on both servers, but that just increases the admin workload. Granted, not by much, but still.
                            Gareth Howells




                            • #15
                              Re: DNS on DC or member server?

                              If you go down the split scope route, then the reservations must be configured on all the DHCP servers.
                              If you have (or plan to) set up some sort of notification for any DHCP-related malfunction, then going for a split scope could be OK.
                              IMO, given the size of your network, I'd go for a standby DHCP as you mentioned.
                              That way, when a user gets an APIPA address it could be a sign of a DHCP problem and you could start the troubleshooting and/or deploy the standby one.
                              It all depends on the org setup though.
                              Caesar's cipher - 3

                              ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                              SFX JNRS FC U6 MNGR
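As an added example (not code from any poster in this thread), a constructed Python model of the behaviour debated in posts #12 through #15: the client takes the first DHCPOFFER it receives, so with the 50/50 split scope from post #13 a reservation defined only on ServerA can be bypassed when ServerB answers first or ServerA is down, whereas defining it on both servers yields the reserved address either way. The server names, client MAC and reserved address are constructed sample values.

```python
"""Constructed model of a split-scope DHCP pair (192.168.1.0/24, 50/50 split)
showing why a reservation must exist on every server, as post #15 states."""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample values: one client with a reservation for .50 on ServerA.
CLIENT_MAC = "00-11-22-33-44-55"
RESERVED_IP = "192.168.1.50"

def ip_range(first, last):
    """All addresses from first to last inclusive, as strings."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(i)) for i in range(lo, hi + 1)]

@dataclass
class DhcpServer:
    name: str
    pool: list                                        # this server's half of the scope
    reservations: dict = field(default_factory=dict)  # MAC -> reserved IP
    leases: dict = field(default_factory=dict)        # MAC -> leased IP

    def offer(self, mac):
        """Answer a DHCPDISCOVER: a reservation wins over the dynamic pool (Windows
        DHCP lets the reserved address sit in the range excluded for the other server)."""
        if mac in self.reservations:
            return self.reservations[mac]
        for ip in self.pool:
            if ip not in self.leases.values():
                return ip
        return None  # pool exhausted: no offer from this server

def discover(mac, servers_in_response_order):
    """The client accepts the first DHCPOFFER it receives, as post #12 notes."""
    for srv in servers_in_response_order:
        ip = srv.offer(mac)
        if ip is not None:
            srv.leases[mac] = ip
            return srv.name, ip
    return None, None  # no offer at all: the client falls back to APIPA

def build_servers(reservation_on_both):
    """The 50/50 split from post #13: A serves .1-.128, B serves .129-.254."""
    a = DhcpServer("ServerA", ip_range("192.168.1.1", "192.168.1.128"),
                   {CLIENT_MAC: RESERVED_IP})
    b = DhcpServer("ServerB", ip_range("192.168.1.129", "192.168.1.254"))
    if reservation_on_both:
        b.reservations[CLIENT_MAC] = RESERVED_IP
    return a, b

def lease(reservation_on_both, order):
    """order: 'AB' (A answers first), 'BA' (B answers first) or 'B' (A is down)."""
    a, b = build_servers(reservation_on_both)
    return discover(CLIENT_MAC, [{"A": a, "B": b}[ch] for ch in order])
```

lease(False, "BA") hands the client 192.168.1.129 from ServerB instead of its reserved .50; lease(True, "BA") and lease(True, "B") both return the reserved address.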

