Adding a second server to SBS Domain 1

Status
Not open for further replies.

TimRegester

My client has asked me to add a second server to the network. I am under explicit orders that it should be non-Microsoft, so I am thinking Linux/Unix/OS X running Samba with Open Directory and full AD compatibility (which I know works with Server 2003). The main reason is to take some of the heat off the overloaded SBS server.

But all I read on here is that you cannot add a second SBS server, certainly not one running all the services as they would conflict, but would SBS object to another server in the forest, and are there any other gotchas I might face?
 
"would SBS object to another server in the forest"
No, provided that you don't want trusts nor child domains and that the SBS holds all the FSMO roles.

Source: 9th question.

Hope This Helps, PH.
 
Who came up with this idea? That adding a NON-Microsoft server to the domain would take away some of the heat off your SBS?

What are the specs of the SBS's hardware?

What is the basic topology of your network (i.e., how many users, computers, etc.)?

Because throwing an unproven, unpopular fix at a very broadly adopted product such as SBS makes little sense. Your client is not alone in their experience... it would make sense to look at other success stories before making such a restriction on the best possible solution for the problem!


Jeffrey B. Kane
TechSoEasy
 
The idea is partly the client's and partly mine. I have clients who use SBS and all have similar problems: the server is underpowered to achieve the kind of service it needs, and it is unreliable and problematic. All the problems stem from someone following the Microsoft suggested approach and setting up all the services without asking why they are needed.

The key problems have been that the processor cycles are eaten up by too many processes running simultaneously: PDC, DHCP, DNS, ISA, Exchange, SQL Server, SharePoint, oh, and file and print. In a corporate network these roles would always be taken by separate servers, so it makes little sense to have one piece of hardware struggling to cope with all of them.

Samba is proven, reliable technology, more proven than SBS and in my experience infinitely more reliable. The only downtime I have ever seen on a Unix/Linux server running Samba is when you pull the plug. Besides, Linux is easier and simpler to manage and shell scripting is a breeze on these platforms.

Oh, and since when does network topology come into the equation, since the bottleneck is the compromise OS and the compromised processors on the server, not Ethernet nor IP?

I will retain the SBS to run AD and all necessary roles as well as Exchange and SQL; the rest of the roles a Unix/Linux box will cope with much better. Best practice in my 20 years' experience.

An open mind in IT works wonders and allows you to use the best available technology.

 
Interesting... I've deployed over 100 SBS's and don't have any of these issues on those networks.

That is unless there was a misconfiguration somewhere -- such as not excluding the proper files/directories from antivirus scanning.

But you state it right from the start... "the server is underpowered".

What are the specs of servers you are using for SBS deployments?

Of course in a corporate network these roles would always be taken by separate servers... but this is not that environment... it's a small business which normally wouldn't have the resources to both procure and manage separate systems. This is why SBS was developed... with SPECIALIZED technologies that allow it to perform just great with all these services... as long as you deploy and configure it according to its design.

I didn't say that Samba was unproven... what I meant was that deploying an additional Samba server to an SBS network is not a proven method of solving your problem.

I absolutely have an open mind... the fact that I've asked you some questions about your network and you persist in following your perceived solution would suggest that maybe you are the one without the open mind?


Jeffrey B. Kane
TechSoEasy
 
The server has twin Xeon processors and 2GB of memory; it still struggles. A look at the Task Manager tells you why: the processor is trying to do too much at one time. The same rules apply to all servers whatever the platform; if there are too many queued processes it will struggle.

It was badly set up in the first place. The data structure was copied wholesale from a Windows workgroup and no security or data permissioning was done; everyone can have any password they like and never has to change it, and the access to all shares was via Everyone. There are no GPOs apart from the domain one allowing the above.

There is no window to rebuild the server and solve these issues.

I have never bought this 'small business cannot manage separate servers' argument; if they work and are reliable they hardly need managing. Checking the backups and monitoring AV would be the limit. I have seen servers running SAMBA that have not been logged into for six months as there was never any need to. I have had to log in to this server every week and rebooted it dozens of times. Ano

Why should some directories not be AV scanned? Only the virtual memory file springs to mind; every other file is potentially a target for viruses/trojans. Where is this documented? (Actually, do not get me started on documentation on Windows systems.)

All the key roles are set up properly, all the users and computers are set up properly (apart from permissioning); these roles the server can perform easily. But I take issue with the roles that are unnecessary, such as ISA and SharePoint; these need to go as they are unjustified in this client's environment.

The migration of shares to another server will allow me to create a properly permissioned data structure while offline and copy the data there so the main server remains untouched.
 
Tim, it really seems like you are coming to the SBS forum asking SBS experts for help with a non-SBS solution that you have predetermined to be your course of action. If your mind is made up I doubt any amount of reason or sharing of experience will alter your perception, which appears to be rooted in a lack of SBS knowledge.

To your specific question, on ANY Windows Server running services such as Exchange there are always files and directories that should not be scanned. For example, only an Exchange compatible AV should scan the database and a file level scanner should not. You need to scan inside the database and not have AV detect the frequent changing of file sizes to be virus activity. As for documentation, every AV company has documentation on this if you read the manual or search their support site. I quickly found a sample on the Microsoft site here:
Likewise Symantec offers a plethora of documents depending on the mail system you are using.

Go to your AV vendor's web page and do a search for "directory exclusions."

The argument that there is no time to reconfigure a server but that there is both budget and time to add a second server sounds more to me like you are unsure of the real problems with the SBS box and are looking to move to what you feel more comfortable with from a support perspective. There is nothing wrong with that course of action, but don't disguise it as something it is not.

SBS 2003 is a very mature product being utilized extensively worldwide. The product has been tweaked for optimal performance by Microsoft. If it was not set up properly, that is not the fault of the product. If known problems in the configuration have been left unresolved because of bias, or lack of knowledge, that too is not the fault of the product. And finally, if hardware is not suited for the workload, that too cannot be blamed on the product. I have seen all too often Small Businesses under-purchase hardware in an effort to save money, despite the fact that the server will essentially be running their entire business. More often than not it is my experience that a new server needs to be purchased, this time following the recommendations of trusted advisors, and the new server is built and migrated to over a weekend.

For the question of network topology, it can have a profound effect on performance. Just like an underpowered CPU or insufficient memory can affect performance, so can underpowered or intermittently bad network hardware. Problems with switches can often make it appear there are problems with the server, such as Outlook saying the connection to the Exchange server has been disconnected. If you are monitoring CPU usage with Netmon the network may very well not be your problem, but the question posed by TechSoEasy was certainly valid.

I hope you find this post helpful.

Regards,

Mark

 
Why are you so keen on defending SBS? Might that be because you have a vested interest in it?

I have installed and supported Windows 2003 Server and it works reliably. I have installed Linux and it works reliably, but I have two sites with SBS and both are in a mess and were installed that way according to Microsoft guidelines, but this was when SBS was launched; the guidance would undoubtedly be different now.

I can add the new server, migrate the data and remap the users' network shares with no SBS downtime at all. The process of rebuilding the SBS server, setting it up properly and then ensuring every programme and client PC are tested and work would take a long time and cause downtime. Downtime the client cannot afford.

I would never change the system config of a live server while in use; it is bad practice and indefensible if it all goes wrong. It should be done out of hours, but access to site is generally not possible out of hours so that is a non-starter.
 
Tim,

We are keen on defending SBS only if it's the right product for your situation.

Your assumption that the process of rebuilding the server and setting it up properly would cause a lot of downtime is not valid. There is a proven method to rebuilding an SBS with no downtime. It's the Swing Migration which is offered by Their kit will provide you with the exact documentation and support necessary to successfully complete your project.

Nothing is done on the live server... and if something does go wrong it can all be rolled back to where you started without any problem.

If the client cannot afford any downtime, I doubt that they can afford to keep a malconfigured server running their network either.







Jeffrey B. Kane
TechSoEasy
 
I have to agree with the others. It sounds like you are an experienced admin from more of an Enterprise environment (although you mentioned PDC in relation to SBS so maybe I'm wrong). I was too. And when I set up my first SBS server, I screwed it up royally. IF you know Windows Server management in the enterprise, FORGET IT. IT will hurt you more than if you go in from scratch as someone who doesn't know nearly that much. I've got a few SBS installations as well and I find it MORE than acceptable with very rare performance issues. In one case, I've got it running on a dual P3 with 2GB of RAM for 14 users and no complaints.

I also used to manage an environment of 35 servers for 1000 users running mostly 2000 server (and NT before that) and, knowing SBS is limited to 75 users, I see no reason why a good server can't handle that many users. None of my old servers running on all hardware less than 1 GHz had any problems (performance wise) servicing hundreds of users. File and Print sharing is just NOT a processor intensive thing. Nor is DNS or DHCP for 75 users (unless your lease times are 1 minute). I know 2003 raised the bar, but it didn't raise it THAT high. I'd be curious to know what your RAM utilization was, what kind of disk subsystem you were using on this server, and what other aspects performance specs are underperforming for you. About the only thing I would say to do hardware wise (without knowing more) is UPGRADE the RAM. Exchange 2003, SQL both EAT RAM and 2 GB, while usually enough, may not be on an SBS server that handles more than a dozen or two users. Double that to 4 GB and see how performance may improve.
 
"Exchange 2003, SQL both EAT RAM"

Just to add to this, Exchange will use up as much memory as is available. It is designed to take advantage of all the memory installed and releases memory when it is needed. So seeing high memory usage on the part of Exchange is totally normal.

Like lwcomputing, my original background was in the Enterprise. I ran desktop support for Lucent Technologies and managed server farms for them as well. The only way to succeed with SBS is to use SBS as intended and configure the server with the built-in wizards and not try to apply Enterprise methods to SBS.

I hope you find this post helpful.

Regards,

Mark

 
lwcomputing said:
"go in from scratch as someone who doesn't know nearly that much"

That would be me. Which is why I will tend to have a myopic view of how to do things in an SBS environment. But what SBS can do overall for a small business is what encouraged me to make a career change into this field. Now, after almost 4 years, I've seen many businesses that have gained tremendously from having an SBS-based IT infrastructure.

Are there other solutions out there? Sure. But if you're going to deploy any solution you should know as much about it as possible... so either take the time to learn about SBS, or whatever you want to specialize in, because no matter what you deploy the problems will be minimized if you know what you're doing from the start.



Jeffrey B. Kane
TechSoEasy
 
I, too, have installed hundreds of SBS 2003 boxes - nearly all of which are still in use. Those that aren't were replaced with enterprise solutions because the client outgrew SBS (user count, data amount, etc).

2GB of RAM, IMNSHO, is WAY too little. Max it at 4GB of RAM. There is a HUGE difference in performance when it has more RAM. Properly configuring drive arrays is also a big part of performance.

TimRegester said:
"PDC, DHCP, DNS, ISA, Exchange, SQL Server, SharePoint, oh, and file and print. In a corporate network these roles would always be taken by separate servers, so it makes little sense to have one piece of hardware struggling to cope with all of them."

That's not true. SBS is designed for the corporate world, and works well there. That alone disproves your point. I'm not one to put ISA on the same box only because I like putting the firewall at the edge of the network - not because I don't think SBS can handle it. I have had some clients that have a ton of email, HUGE SQL databases, use lots of SharePoint, etc - and without problems.

TimRegester said:
"I have never bought this 'small business cannot manage separate servers' argument; if they work and are reliable they hardly need managing."

But if you tie them together in a nicely engineered package, they play even nicer together. We've had many, many SBS boxes that get rebooted only when updates are applied and a reboot required. Other than that, it's not uncommon for us to have SBS boxes go a YEAR without rebooting. 99.99% uptime isn't a problem.

Now I'm back in the Enterprise world (current client has over a hundred racks just in THIS datacenter), and my opinion is still the same. SBS rules - when applicable.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
 
Yes, in an ideal world, you want each service on a separate box - but not so much to balance the load, more so to be able to shutdown/perform maintenance on a service without affecting others. This DOES make sense, but in a small business, this is insanely expensive to do for every little service - it's just not practical. For 5000 users+, this can make sense... for 50... nope.

SOME of these services, in a more ideal world, would be on separate servers - Exchange, ISA, SQL... but DHCP, DNS, and AD are largely VERY lightweight services and can easily reside on one box. But in terms of hardware ability for up to 75 users, it's unusual for most environments to have a significant need for more than one well configured server to handle these roles. Does it happen? Sure... but it depends on overall usage and in MOST cases, it simply is unnecessary.

And the more servers, the more chance for a failure...

Anyway, that's really just an add-on to my original comment.
 
Hi,

After reading your posts I can see that you are set on adding another server.

But I would add that leaving the SBS in a poor state would make your network unreliable; you would be just adding more fuel to the fire by putting another server in.

I would rebuild the SBS even if you are adding another server. I am sure that you can arrange out of hours, if it means that their system is going to be faster and more reliable...

You would have to account for down time or lag if you were going to move files/settings to the other server anyway, users would have to log off/on to correct their shares...

Why not make it right, it would save you headaches in the long run :)
 
First of all, there is no such thing as a PDC in a Windows 2003 network, and the fact that that is mentioned means that people are thinking in old mindsets. Y
Now, you may want to look into fine tuning your SQL and Exchange and SharePoint first. Sounds like some things are running funky with possible memory leaks? Has anyone even accurately done a study on your system resources to find where the bottlenecks are exactly?

Throwing new hardware at a problem rarely fixes it if you don't know the true cause. Have someone who knows what they are doing examine your databases and how they are configured. For example, did you know that all the SQL dbs by default will attempt to consume all available RAM every time the db is opened? But you can easily adjust this with a few simple commands as listed on the MS website.
Also, maybe you don't have your various files on the appropriate separate drives like you should, or maybe the hard drives or memory in your server aren't very good specs or quality.

After you fix your databases and identify exactly what the bottlenecks are, then you may want to split off some of the functions. Buy the transition pack so that you can split the Exchange and SQL off onto another box.

This issue shouldn't really be a fight about whether or not SBS is good, it should be about addressing what is the problem. Most SBS 2003 issues are the result of incorrect configuration (especially when installers bypass wizards).
 
Thanks for all your input.

Although we now have quotations for the second server, I think the original server needs to be rebuilt.

This was a client request, based on their experience. I took the request and drew up a document suggesting the second server as a way of alleviating problems with the network. I have two clients with SBS and both have problems; however, I am open to the suggestions that both have been wrongly configured. Both were installed in mid-2004 and I suspect that the correct way to install SBS was not well known then; certainly I doubt the installers had had the sort of training they have now.

However problems that have since come to light lead me to be more convinced that this server is not configured correctly.

What is decided is the following:

We shall install a proper edge router/firewall/VPN endpoint device. I recall from my experiences with Unix and NetWare how much of a load in terms of processor cycles routing placed on a server, so a dedicated device will, I am certain, free up processor cycles for the rest of the roles of the server.

The SBS will act as domain controller, supplying local DNS, DHCP and controlling the AD, this is what it is good at, in the same way as a dedicated router/firewall is good at those roles and a server is poor at them.

The SBS will run Sage and with it the SQL Server. I quietly assumed that the server was running at least the Workgroup edition; I never had time on site (and no VPN access) so never really checked. I find to my horror it is running the MSDE; this is certain to be behind the Sage issues and, I strongly suspect, the problems with the server itself. I cannot see how the MSDE can scale to run the number of concurrent users it currently handles. I will investigate the options; whether they are running SQL Server 2005 Express, or Workgroup or Standard editions is up to the Sage support company, but this will change. If I can move away from SQL Server I will, since there are better database engines on the market and certainly cheaper licensing models. I certainly need a SQL database engine I can manage, not what is there now: no tools, no management, troubleshooting being left to guesswork.

Backup will remain on the SBS with Veritas Backup Exec and a 350GB tape streamer.

File and print, though, is up for grabs. The new server quote is reasonable in cost and will be seriously considered; however, it will now compete against quotes from MS SBS Specialists for rebuilding the server and upgrading it, though the complication lies in that the SBS needs rebuilding anyway. The availability of a proper edge VPN will allow proper remote support by me and any other support company.

The server still has permissions issues and I am also now seeing issues with clients not connecting to the AD properly and computers having to be taken off and rejoined to the network; this convinces me that there is something wrong in the config. Allied with proper GPOs and file redirection, rebuilding should make the server more stable. Whether it can then cope with the use it gets will become apparent.

The main stumbling block is the lack of available downtime; I have agreement now that every laptop and desktop will be colocated for any rebuilding rather than geographically split, which would waste many hours.

Your input has broadened the options and I thank all of you.
 
Tim, check if the customer has SBS Standard or Premium. With Premium comes the Full version of SQL and it may not have been installed. It is on Disk #4 of the SBS disks. Cost wise, SBS Premium is a steal. To get SQL and ISA it is about $400 more than the cost of standard SBS.

I hope you find this post helpful.

Regards,

Mark

 
Just to add my thoughts in on this one...

I support and install loads of SBS servers and have been doing so for some time.
SBS 2003 can be problematic if not installed using the wizards. Even then, if it hasn't, it can still be fixed usually.

Users/computers not logging on properly is usually caused by problems with DNS configuration or DHCP.

Firewalls: I prefer an edge firewall as I don't really get on with ISA server when trying to publish services that aren't hosted on the SBS.

Extra servers: There are some situations where additional servers are required or useful. I have some companies with NAS servers to provide additional low-cost storage: rather than expanding the disk arrays in older hardware SBS servers, a TurnKey NAS is added and some shares migrated. Other companies install second W2003 servers with Exchange on (allowed under R2 licence) to provide domain controllers for additional sites; some small businesses may have 15 users a site on 3 different sites.

Sage: Sage is slow... Google it, Sage is always slow!
 
"I don't really get on with ISA server when trying to publish services that aren't hosted on the SBS"

If you haven't worked with ISA 2004 yet, it's a completely different experience. The entire UI has been redone and it's much, much, much better.

"The SBS will act as domain controller, supplying local DNS, DHCP and controlling the AD, this is what it is good at, in the same way as a dedicated router/firewall is good at those roles and a server is poor at them."

Tim... you are still ignoring the fact that SBS is not your everyday server. It's specially designed to do all of the things that are part of the package, which includes being the VPN endpoint as well as having one of the best firewalls around with ISA Server integrated into it.

Before making these types of judgements, I would really recommend that you actually deploy an SBS properly, letting it be everything it's designed to be. Only then will you be able to compare it to your past experiences with stand-alone servers.



Jeffrey B. Kane
TechSoEasy
 