1

I am trying to work out how to set up a new DC and File Server on one piece of hardware. I want to know what the best practice way would be and if I am likely to hit any major pitfalls in doing it in these ways.

My options are as follows (as far as I can tell):

  1. I could virtualise both the DC and File Server using ESXi installed on an SD card
  2. I could install Windows Server on the hardware, running this as the file server, and install Hyper-V on this machine, which would then be the DC
  3. I could install Windows Server onto the hardware and just install both the DC and file server roles on one machine

I think my best option is 2, as this will also be the easiest to set up - but will this cause problems in the future? I believe option 3 might give some security problems?

The hardware is an HP ProLiant DL360 Gen9.

2
  • 2
    So you would delay the start of the DC which you will probably need to authenticate yourself against the server which is running Hyper-V? Could you give some more information about the scenario and your requirements for both systems?
    – Seth
    Commented Dec 12, 2016 at 12:46
  • 1
    Separating the DC (aka the thing which controls your keys to the network) from any other roles seems a very good thing. Thus I would rule out option 3. Options 1 and 2 both might work, but 1 feels cleaner. That is not a technical term, but it feels much much cleaner. Also it will allow for easier migration of the DC if you ever get new/more hardware.
    – Hennes
    Commented Dec 12, 2016 at 13:07

2 Answers

0

Depending on where you're more comfortable, you could expand option 1 (which would be my preference) to 3 different variants:

  • a) As your option 1
  • b) Install Hyper-V Server and your DC and File server in separate VMs (no on-server GUI, like the VMware ESXi hypervisor, but it can be managed with RSAT)
  • c) If you want a GUI, install Windows Server and install the Hyper-V role. Install your DC and File servers in separate VMs.

In my experience it's much easier to back up and restore in case of emergency with, for example, Veeam than if you have either role directly on the hardware. Also, when you get another host some time in the future, you are much more flexible in moving either VM to the new host.

0

In order to have a Server 2012 DC or 2016 DC run properly the DC needs access to the TPM on the real hardware.
That isn't going to work with ESXi I'm afraid.

What you need is to install a minimal Windows Server (not domain integrated) with only the Hyper-V role directly on the hardware.
In Hyper-V you can then set up a VM (with the TPM pass-through) for the DC (you'll probably want to run AD-integrated DNS and DHCP on this one as well).
And you will create additional VMs for file server, SQL Server, Exchange Server and whatever other thing you might need.

This is actually also the setup that Microsoft uses for their lab-environments for training-courses.

2
  • For what reason is access to the TPM required by a Server 2012 DC? Commented Mar 1, 2017 at 2:49
  • @Twisty. I didn't formulate it very well in the answer. It isn't strictly required, but you need the TPM in order to be able to really secure your AD environment. (The really important domain security keys can be stored in the TPM/tied to the TPM.) Without a hardware TPM your security level is 1 level below the maximum level. It's still pretty good and may be all you need, but the general consensus these days is that you really need the TPM to "do it right". (I seem to recall hearing somewhere 2016 actually requires the TPM for a DC, but I'm not certain about that. For 2012R2 it is optional.)
    – Tonny
    Commented Mar 1, 2017 at 10:02
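
The layout both answers converge on (a bare-metal host running only the Hyper-V role, with the DC and the file server in separate Generation 2 VMs, and the DC guest given a TPM) can be scripted from the host's PowerShell. The script below is an added example, not code from either answerer or from Microsoft's lab setup; it uses Hyper-V's virtual TPM (`Enable-VMTPM`, which needs a Windows Server 2016 or later host and a Generation 2 guest) rather than any physical TPM pass-through. The VM names (`DC01`, `FILE01`), storage path, ISO path, switch name and sizing are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original answers. Names, paths and sizes are assumed.

# Step 1 (run once, then the host reboots): install only the Hyper-V role on the bare-metal server.
# After the reboot, re-run the script from step 2 onward.
if (-not (Get-WindowsFeature -Name Hyper-V).Installed) {
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
    return
}

# Assumed values for this example
$VmRoot     = 'D:\VMs'                    # where VM configs and disks live
$IsoPath    = 'D:\ISO\WindowsServer.iso'  # installation media for the guests
$SwitchName = 'External-LAN'
$NicName    = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1).Name

# Step 2: one external virtual switch so the VMs share the host's physical uplink.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $NicName -AllowManagementOS $true
}

# Step 3: helper that builds a Generation 2 VM with Secure Boot and a virtual TPM enabled.
function New-RoleVM {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int64]  $MemoryBytes,
        [Parameter(Mandatory)] [int64]  $DiskBytes,
        [int] $Cpu = 2
    )
    $vm = New-VM -Name $Name -Generation 2 -MemoryStartupBytes $MemoryBytes `
                 -NewVHDPath (Join-Path $VmRoot "$Name\$Name.vhdx") -NewVHDSizeBytes $DiskBytes `
                 -SwitchName $SwitchName -Path $VmRoot
    Set-VMProcessor -VM $vm -Count $Cpu
    Set-VMFirmware  -VM $vm -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
    # A vTPM needs a key protector. A local key protector is the simplest choice on a
    # single host that is not attested by a Host Guardian Service; an HGS-backed
    # protector is the hardened (shielded VM) form.
    Set-VMKeyProtector -VM $vm -NewLocalKeyProtector
    Enable-VMTPM -VM $vm
    # Boot from the installation ISO for the first run.
    Add-VMDvdDrive -VM $vm -Path $IsoPath
    Set-VMFirmware -VM $vm -FirstBootDevice (Get-VMDvdDrive -VM $vm)
    return $vm
}

# Step 4: one VM per role, as the answers recommend. The DC will also carry AD-integrated
# DNS and DHCP; the file server is a separate guest so its exposure never touches the DC.
$dc = New-RoleVM -Name 'DC01'   -MemoryBytes 4GB -DiskBytes 80GB
$fs = New-RoleVM -Name 'FILE01' -MemoryBytes 8GB -DiskBytes 500GB -Cpu 4

# Step 5: confirm the security settings before installing the guest OS.
Get-VMSecurity -VMName 'DC01','FILE01' | Select-Object VMName, TpmEnabled, Shielded
Get-VMFirmware -VMName 'DC01' | Select-Object VMName, SecureBoot, SecureBootTemplate
```

The final two commands are the check worth keeping: `TpmEnabled` should read `True` for the DC guest and `SecureBoot` should read `On` before the guest OS is installed, since enabling the vTPM later is possible but only while the VM is off. The host itself stays out of the domain, as the second answer describes, so a compromise of a guest does not hand over the hypervisor.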

