By Nancy Hand
Several people have noticed the bottle of aspirin at my desk. When they ask, I can provide any number of reasons why I have the large size bottle. People seem to assume I know all about their last umpteen hours of frustration and experimentation and start their questions in the middle, expecting me to pick up without further explanation. Occasionally, when I finally figure out the real question, my head starts to pound.
For example: someone was having trouble getting their Notes client to connect to Domino. Sounds simple enough. But what she really wanted to know was why Domino shouldn't be installed on a Windows domain controller. After several drinks to chase down a handful of aspirin, I recited Microsoft's admonitions on the subject. I memorized a number of such warnings while studying for my Microsoft Systems Engineer certification, hoping they'd provide nice snippets of conversation at parties.
Domain controllers, by design, grab as many system resources as they deem fit for their own processes. They don't release resources. To domain controllers, there are no unneeded resources. It doesn't matter if you have 15 or 50,000 objects in Active Directory; the domain controller won't reconsider its position. It may request more resources, but it will never release any.
Yes, of course, I've abused domain controllers on my test networks. They generally pay me back in spades. Right now I have a Windows domain controller under my desk running DHCP, DNS, WINS, and Remote Installation Services. It's linked by a cross-over cable to a single workstation. The server would be much happier if I removed all the extra services, even though there is only one workstation on its network. And, no, I'm not going to test its patience by adding a major application to its drives.
What about small networks? What kind of applications can you put on a Windows domain controller when you have 10 or 20 workstations? My suggestion would be to ALWAYS have at least 2 servers. Make the first one the domain controller, then add DHCP, DNS, and WINS so you can use Active Directory. Make the second machine a member server and install your applications, like Domino, on it. That way, if the application dies, it doesn't take out your domain, and if the domain dies, your applications may still be recoverable.
Finally -- a domain controller is just a member server running some additional services. Until the server is properly configured, a domain controller is every bit as vulnerable to unauthorized access as any other machine.
Where to get some help
But, if you want to get it from the horse's mouth, you can start at the Microsoft Windows Server 2003 help and support page.