Does anyone have a best practice or guidelines on server role allocation?
Starting to look at planning our new virtual environment and had the realisation that I'm not really restricted as before to how many servers I have to play with. Obviously I don't want to go overboard but I have the luxury of separating out roles.
My current thoughts are to have:
- domain services server (DNS, DHCP, FSMO, RADIUS)
- user server (profiles, home areas, shares)
- AntiVirus + Printers + network services
- IIS Web server
- Apache Web server
Things I'm thunking:
- Will having all users and shares on one server cause problems, should they be spread out?
- Would a secondary domain services server be a good idea for failover even though we have Virtual failover?
- Would a dedicated printer server be a good choice or a waste?
Any thoughts, links or other ideas?
I would think that, given the light footprint of DCs, it's worth having an extra DC in case of software failure, not just hardware.
I'm intending on having a separate print server but that's mostly because I'm not getting round to my file server for a while yet and I want the old physical print server out of the way sooner rather than later. I suppose it'd be easy enough to merge it back into the file server later, seeing as the role is more or less combined in the OS anyway...
I would separate profiles from the file server or just remove profiles altogether.
Get rid of the Exchange server, it's pointless these days with live@edu/Google Apps available for free for schools.
As already said get a 2nd DC but I would be careful about virtualizing it. Personally I still like physical boxes for DCs.
I would also set up a 2nd file server, just to replicate what's on the main file server. This means you never have to worry about that going down. Just set up a robocopy or manually back up to it all the time.
@zag by no profiles do you mean mandatory profiles?
Think we will stick with an internal mail server for now. Just because I really can't be tinkering with too many changes all at once!! We have a large SAN so no worries about needing to replicate file server.
But good points. Ta both.
Ah yes - missed the fact that your first planned DC is virtual already as mine is physical and my backup will be virtual... worth having a DC outside the virtual infrastructure to remove the SPOF there, a cheap and cheerful rack server will do the job, E5606 and 4Gb of RAM in a DL160 or similar with local storage. Just one more layer of resiliency to your design.
Originally Posted by zag
Agreed on spreading the load, but we use DFS-R for this (no scripts needed, redundancy then possible).
Originally Posted by zag
No WSUS server? How do you push out Microsoft updates?
"Will having all users and shares on one server cause problems, should they be spread out?" - It's the disk access that's the killer if you are running a lot of apps / media from the server but you later say you're using a SAN? So I can't see it making any difference.
First off: lol @ thunking :D
Originally Posted by TechMonkey
Depends entirely on how you do your profiles, personally with around 95% of my users on mandatory profiles I have the profiles on a DFS-R share between our DCs (of which we have 8 - 1 per building and a backup to the PDC, and one for the wireless VLAN, the clients in each building then pull from their local DC). EDIT: if you meant users' STOREs rather than profiles, then no, should be fine having them all on one server, that comes down to your network storage solution as to what you do with that though.
Yes to secondary domain services, always good to have a failover in this respect.
No need to dedicate a whole server purely to printing, it should be fine sharing AV etc. Wouldn't give it any heavily resource hungry services though just in case.
I would also agree to the 2nd DC. I have 3 as a just in case. Apart from that I have pretty much the same breakdown.
Thanks again all.
WSUS - We are going to be using KACE boxes to hopefully cover all our deployment and patching needs. Will let you know about that.
DCs - Currently looking at 2 maybe 3 of the servers being made DCs. The domain services one, the network services one and then maybe the Exchange or print server box if it becomes its own box.
Print Server - Tempted to have it as its own as we have had cases of Art sending HUGE print jobs by accident/cluelessness and slowing down the server for other services.
Profiles - I need a longer look at mandatory profiles.
File server - my main concern was if having all home directories AND shares AND profiles (unless we go mandatory) could cause too much server load or disk access from one server say at change over. Currently we have staff on one server and students on another but that is purely because it is a CC3 system and it was suggested as a good idea.
Thunking - I love me a good old thunk.
In the case of the art printer, why not set that one to "render print jobs on client" or whatever it was called, so all the processing work is done on the client rather than the server for that particular piece?
Originally Posted by TechMonkey
I still like the idea of having the profiles, even if they are roaming, on the DCs as they're essentially a part of logon process not unlike the DCs, and if you ever go down the route I've done it, the load is always low as only people local to the DC ever load from it (and so long as it's a DFS-R with one of the locations being the file server, it still gets backed up safely without having to back up from each DC). DC per building or school section works really well, though just one of many ways you could do it :) That route obviously requires that you probably have more DCs than you want for your particular setup though.
Out of interest how many client pc's are we talking?
I may be getting my profile terminology all confuddled then. Currently we have profile folders with settings on the server as well as home directories. This was how I was thinking it would work but had assumed that mandatory profiles were a single template each user used which would be simpler I guess.
Only 300 clients at the moment but hoping to start increasing that with the new system and the possibility of thin clients on BYOD in the near future. Quite a compact site as well so hadn't considered a DC per school area.
The profile directories you're talking about sound like roaming profiles, where all the desktop, searches, etc. folders live and are pulled down by the client on logon and saved back on logoff. A mandatory profile is a single one of these that replaces all of them with an unwritable template, everything that was previously saved to the roaming profile can then be redirected to the user's home folder, so no more pulling down files and folders on logon as everything stays sat in one place all the time.
Also means any details contained in the ntuser.dat (which would now be ntuser.man) are no longer written by the user, they remain as a set template so every user logon is identical.
Probably better explanations than that, but that's how I understand it and how I implement it :)
Worth considering all options and ways of doing things, mine is just one of many, though I must admit....it works very very well! :p /end blowing own trumpet
Well I think RM may have done something right then as they do appear to be roaming but only certain things get downloaded to the client, most lives in the home directory. Mandatory looks the way to go then as that is roughly what we are used to.
If you don't blow your own trumpet, no one else will :becky:
Personally I would:
- 2 x domain services server (DNS, FSMO, RADIUS) - No DHCP. Supposedly this is a risk and not advised on a DC. Personally I use a Linux box (could then run on Apache server)
- 2 x user server (profiles, home areas, shares) - Split this up. I currently have 5 file servers so the load is evenly balanced. Although it's excessive I have 900 desktops which are used widely. I tend to evenly split years in half so that when an entire year has IT/using a computer room you don't have a slow down.
- Exchange - how many mailboxes? I have around 1000 per server (12.5Gb RAM, 4 CPUs)
- AntiVirus + Printers + network services - Possibly Add DHCP with Split Zone
- IIS Web server - Possibly Add DHCP with Split Zone
- Apache Web server
EDIT: I would go with Dedicated Print Servers - they can be a pain sometimes so I always keep them separate.