0

We are using Server 2008R2 IIS 7.5 with a SQL database on the backend. At the moment the system is working fine with three of the servers configured in a load balancing farm while communicating data back to the SQL DB.

All of these servers are free standing on their own subnet with a common admin username and password.

Is there an advantage to making one server a PDC, creating their own domain, and joining the rest of the member servers to the domain?

Or if it's not broken then don't fix it?

2 Answers

1

I have always had my farms in some sort of central auth setup, whether that be AD or LDAP. The reason I do it is for ease of administration as far as service/access accounts. You can also use it as part of an SSO system if you need to move down that path in the future.

Basically I am lazy and I only want to go to one place to set up auth accounts; having them as standalone servers to me is an admin overhead and just a pain in the ass.

I say do it, but just make sure you have 2 AD controllers with each one set up as a global catalog service, as if you have one and it dies you will end up in a world of hurt. I know, as this has happened to me (this was the case in 2K3 AD, not sure if this will be the same in 2K8).

enterzero
0

Some basic thoughts based on the brief information given....

It sounds like you are using what some would call pass-through authentication (by using a common administrator account), which does work, and if you're not experiencing issues then I'd agree - things that aren't broken don't necessarily require fixing.

  1. However, you are dependent in a solution like this upon MS not making adjustments to security to block this type of solution, and on your passwords across the box staying in sync at all times.

  2. You mentioned SQL. Because of the way you are running, all your authentication across your machines is effectively NTLM, which requires every request to authenticate. On the low end, this isn't really noticeable, but as your site scales up and your transaction levels increase, I would expect you to start seeing subtle bottlenecks in throughput on your sites.

Being on a domain mitigates both of these. The first point is obvious. For the second - being on a domain enables you to use (automatically I might add) Kerberos authentication, where an authentication by a given user is provided in the form of a 'ticket' that lasts for minutes (if not longer). For an application that is using SQL heavily (like mine does) - the difference is literally night and day.

Brandon Langley
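A way to check which authentication scheme the web servers' connections to SQL Server are actually using, before and after a domain join. This query is an added example, not part of either answer; it assumes SQL Server 2005 or later and a login with VIEW SERVER STATE permission.

```sql
-- Added example: summarize current user connections by authentication scheme.
-- auth_scheme is reported as SQL, NTLM or KERBEROS for each connection.
SELECT
    c.auth_scheme,                 -- how the connection authenticated
    c.client_net_address,          -- address of the connecting machine (e.g. an IIS node)
    s.login_name,                  -- account the session runs as
    s.program_name,                -- client application name, if the driver sets one
    COUNT(*)            AS connection_count,
    MIN(c.connect_time) AS oldest_connection
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1        -- skip system sessions
  AND c.net_transport = 'TCP'      -- remote connections; local shared memory connections use NTLM
GROUP BY
    c.auth_scheme,
    c.client_net_address,
    s.login_name,
    s.program_name
ORDER BY
    c.auth_scheme,
    connection_count DESC;
```

Rows that still show NTLM for domain accounts after the move usually mean the SQL Server service has no usable SPN registered, so the client fell back from Kerberos.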