
We have a smallish web farm of < 5 Windows 2008 servers. Some do data, most do IIS hosting. Is it a good/bad idea to set up a domain controller and put all in the same "production" domain?

We want to avoid a world where we have to sync multiple admin passwords between the boxes (or share admin credentials among the team).

Presumably, the DC would be just another VM, so hardware cost doesn't enter into the discussion.

Clarifying: the DC would presumably be a standalone "ProdServers" domain all connected on a private network. The office domain would be 100% separate. So most admins would have credentials for the main office, plus a second set for the production domain.

Code Silverback

3 Answers


"We want to avoid a world where we have to sync multiple admin passwords between the boxes (or share admin credentials among the team)."

I think you answered your own question :)

Kedare

You have to make sure you understand Active Directory and how to troubleshoot it when something goes wrong, or else you just add more complexity and more points of failure to your environment, but this is a basic skillset you're expected to have as a Windows admin anyway. In the general case, I'd go ahead and do it, because the benefits far outweigh the costs, especially when it comes to backups and other things that take big advantage of the Kerberos single sign-on functionality in a domain environment.

One thing you do want to keep in mind is network segregation -- Active Directory does require opening up a fairly substantial number of ports between your DCs and your DMZ in order to work properly. If this is a concern for you, you may want to not join your public-facing servers to the domain, or you may want to create another AD site (or even possibly another domain in the forest) for your DMZ systems. Each of these things means adding a lot more complexity to your setup.

jgoldschrafe
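A check that the DMZ-port concern above calls for, added here as an example (it is not code from any of the answers): a PowerShell function that probes the TCP ports a domain member needs on a DC, so you can verify exactly which firewall openings between the DMZ and the DC a join actually requires. The DC address is an assumed placeholder; the port list is the standard set for a domain member and does not cover UDP or the dynamic RPC range.

```powershell
# Added example, not from the original answers. Probes the TCP ports a
# domain member needs on a DC so DMZ-to-DC firewall rules can be verified
# before (or without) joining. $DcAddress is an assumed placeholder.
function Test-AdPortReachability {
    param(
        [Parameter(Mandatory = $true)][string]$DcAddress,
        [int]$TimeoutMs = 2000
    )
    # TCP ports a member needs to reach on a DC. UDP 53/88/123 and the
    # dynamic RPC range 49152-65535 are not covered by a plain TCP connect.
    $required = @(
        @{ Port = 53;   Service = 'DNS' },
        @{ Port = 88;   Service = 'Kerberos' },
        @{ Port = 135;  Service = 'RPC endpoint mapper' },
        @{ Port = 389;  Service = 'LDAP' },
        @{ Port = 445;  Service = 'SMB (SYSVOL / Group Policy)' },
        @{ Port = 464;  Service = 'Kerberos password change' },
        @{ Port = 636;  Service = 'LDAPS' },
        @{ Port = 3268; Service = 'Global Catalog' },
        @{ Port = 3269; Service = 'Global Catalog over SSL' }
    )
    foreach ($entry in $required) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            # BeginConnect plus a bounded wait: a port silently dropped by a
            # stateful firewall would otherwise hang for the OS default (~21 s).
            $async = $client.BeginConnect($DcAddress, $entry.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)
                $open = $client.Connected
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            Port = $entry.Port; Service = $entry.Service; Reachable = $open
        }
    }
}

# Usage: list the ports still blocked between this DMZ host and the DC.
Test-AdPortReachability -DcAddress '10.0.0.10' | Where-Object { -not $_.Reachable }
```

Run it from the prospective member on the private network; anything it reports as unreachable is a rule you would have to add, which makes the "substantial number of ports" in the answer concrete for your own setup.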

While I understand your desire to simplify the management of these servers, at the end of the day you have to do what you have to do. I've never heard of any web server(s) accessible to the public that were members of an AD domain. Except for very specific circumstances where it would be required, I would recommend against it.

joeqwerty
  • Is there a specific reason? IT at one former employer did it, another not, so I'm torn. I like not sharing "Administrator," but I'm just not sure if there is something I haven't thought of yet. Obviously, the web servers only expose 80 and 443 to the public, and all admin traffic goes over a server-side VPN through the NAT box. – Code Silverback Jan 04 '11 at 14:48