68 replies to this topic

[htcz]

Hey

Just to train (and play around), I'm looking to build a PC to use as a Active Directoy domain controller (among other things) This will be its only use and frankly only 2 PCs in my home can connect to a domain. So key here is budget. The only thing I see really is 2 ethernet ports. That's it.

Thanks!

[+Fus10n]

You shouldn't need two Ethernet ports for a DC. Also, it might be good to use VirtualBox to play around with

[htcz]

Fus10n, on 26 April 2012 - 16:22, said:

You shouldn't need two Ethernet ports for a DC. Also, it might be good to use VirtualBox to play around with

In a proper DC setup you do..



ETH1 ETH2
Modem -------- > DC ---------> Switch/Router


This way my DC acts also as a firewall.

Virutalbox (VMWare) isnt the same thing.

[PGHammer]

htcz, on 26 April 2012 - 16:20, said:

Hey

Just to train (and play around), I'm looking to build a PC to use as a Active Directoy domain controller (among other things) This will be its only use and frankly only 2 PCs in my home can connect to a domain. So key here is budget. The only thing I see really is 2 ethernet ports. That's it.

Thanks!

For a lab-type DC, here's the spec skinny (my take):

CPU - Intel Core i5 (LGA1155) - Quad-core makes way too much sense for any sort of domain controller (even one for a micro-domain); however, you don't need HT for a lab-based DC (and you wouldn't overclock a server, let alone a DC, therefore no K-series). Safe bets - i5-2300 or i5-2310 (either is $179.99 @ Newegg)
Motherboard - BIOSTAR TZ77A - A Z chipset for a server sounds nuts; however, hear me out. Intel Rapid Storage Technology is certainly usable by a server (especially a low-end server) when you have an SSD (used as cache) and a RAID boot array. Also, you can completely forgo a discrete graphics card altogether. It's also a mere $109.99 at Newegg. Alternative - BIOSTAR TZ77B (6-phase PWM, vs. 8-phase PWM in the TZ77A, and $20 less at Newegg).
RAM - TEAM 16 GB (4GB x4) DDR3-1333 - Sandy Bridge can't normally use faster-speed memory than DDR3-1333 - in fact, it will actually underclock it in normal operation; why pay more for a faster speed you will never use? Hence my going bargain here - $69.98 at Newegg (use promo code EMCNFHF44 by April 30th to save an additional fifteen percent)
Secondary Ethernet - Intel EXPI9301 PCIe X1 gigabit adapter - Surprisingly, Intel gigabit is cheaper standalone than at the PHY level, and this is as solid (and as inexpensive) as Intel gigabit gets. $29.99 at Newegg.
Storage (internal SSD) - SAMSUNG 830 Series 64GB 2.5" SSD - When it comes to SSDs, there's Samsung, Intel - and everyone else. If Intel is too pricey, then Samsung is your only real choice. $104.99 at Newegg (MZ-7PC064B/WW)
Storage (RAID) - Western Digital Caviar Green WD15EARS x2 - These are the non-IntelliPower members of the Caviar Green family in this size (1.5 TB each) - $219.98 for the pair at Newegg.
OS - Windows Server 8 beta - The beta version of Microsoft's next Windows Server (Windows Server 2012); thus perfect for a lab. Cost - none (download from Microsoft TechNet or MSDN).

[+sc302]

htcz, on 26 April 2012 - 16:31, said:

In a proper DC setup you do..



ETH1 ETH2
Modem -------- > DC ---------> Switch/Router


This way my DC acts also as a firewall.

Virutalbox (VMWare) isnt the same thing.

no you don't. the dc belongs behind the switch/router. The only time that you would have something that assinine is if you had a proxy server (isa server or forefront server). For a proper dc setup 1 network card is more than enough. I have been setting up proper Domain Controllers for years and I have never ever done or seen anything like this.

You can pick up a cheap supermicro server and do what you need to. dual nics is more for redundancy than anything else, if one nic fails the other is there to continue on. This is known as nic teaming. Nic teaming is the proper way to setup a DC, plugging the nics into two different switches so that even if a switch fails completely the other switch still has access to the dc. It is about redundancy not whatever you did there. The DC does not act as a firewall, it is not meant to and this creates a security risk by putting your user db on the outside of the firewall...might as well give the hacking community the keys to your house too.

[htcz]

sc302, on 26 April 2012 - 17:15, said:

no you don't. the dc belongs behind the switch/router. The only time that you would have something that assinine is if you had a proxy server (isa server or forefront server). For a proper dc setup 1 network card is more than enough. I have been setting up proper Domain Controllers for years and I have never ever done or seen anything like this.

You can pick up a cheap supermicro server and do what you need to. dual nics is more for redundancy than anything else, if one nic fails the other is there to continue on. This is known as nic teaming. Nic teaming is the proper way to setup a DC, plugging the nics into two different switches so that even if a switch fails completely the other switch still has access to the dc. It is about redundancy not whatever you did there. The DC does not act as a firewall, it is not meant to and this creates a security risk by putting your user db on the outside of the firewall...might as well give the hacking community the keys to your house too.

Im not sure what you understood so Ill put it downwards.


(Internet)
|
|
|
[MODEM]
|
|
|
|
V
[DC]
|
|
|
|
V
[SWITCH/ROUTER]
|
|
|
|
V
[PC]


I need dual NICs to control (or analyze if you might want to call it like that) what comes into the network (from external sources) to what comes out ONTO the network (the switch/router). Since there are only 2 possible PCs here that can connect to a domain, Ill trust everything inside the network.

[htcz]

If using the DC as also a firewall is not a good/wise idea, the router Ill be using has DD-WRT so I can use that as the firewall instead...

[+sc302]

Let me put it to you like this. Your dc has a trusted and untrusted interface. Your dc with your AD database that includes your user information in the SAM, passwords as well as usernames, group info, share rights, etc...and you are OK with this? This is about as secure as leaving your car running, keys in the ignition, door wide open, in the bad area in town with your pants around your ankles and a sign asking for a guy named bubba to come and ram a stick in your rear then take your car.

If you want it to be secure, dc behind the firewall, and a forefront threat management gateway server to handle your traffic monitoring with 2 nics for an unsecure and secure side. That is the proper way to do it, Microsoft wise. The forefront server becomes the firewall, not the DC.

[htcz]

PGHammer, on 26 April 2012 - 17:10, said:

For a lab-type DC, here's the spec skinny (my take):

CPU - Intel Core i5 (LGA1155) - Quad-core makes way too much sense for any sort of domain controller (even one for a micro-domain); however, you don't need HT for a lab-based DC (and you wouldn't overclock a server, let alone a DC, therefore no K-series). Safe bets - i5-2300 or i5-2310 (either is $179.99 @ Newegg)
Motherboard - BIOSTAR TZ77A - A Z chipset for a server sounds nuts; however, hear me out. Intel Rapid Storage Technology is certainly usable by a server (especially a low-end server) when you have an SSD (used as cache) and a RAID boot array. Also, you can completely forgo a discrete graphics card altogether. It's also a mere $109.99 at Newegg. Alternative - BIOSTAR TZ77B (6-phase PWM, vs. 8-phase PWM in the TZ77A, and $20 less at Newegg).
RAM - TEAM 16 GB (4GB x4) DDR3-1333 - Sandy Bridge can't normally use faster-speed memory than DDR3-1333 - in fact, it will actually underclock it in normal operation; why pay more for a faster speed you will never use? Hence my going bargain here - $69.98 at Newegg (use promo code EMCNFHF44 by April 30th to save an additional fifteen percent)
Secondary Ethernet - Intel EXPI9301 PCIe X1 gigabit adapter - Surprisingly, Intel gigabit is cheaper standalone than at the PHY level, and this is as solid (and as inexpensive) as Intel gigabit gets. $29.99 at Newegg.
Storage (internal SSD) - SAMSUNG 830 Series 64GB 2.5" SSD - When it comes to SSDs, there's Samsung, Intel - and everyone else. If Intel is too pricey, then Samsung is your only real choice. $104.99 at Newegg (MZ-7PC064B/WW)
Storage (RAID) - Western Digital Caviar Green WD15EARS x2 - These are the non-IntelliPower members of the Caviar Green family in this size (1.5 TB each) - $219.98 for the pair at Newegg.
OS - Windows Server 8 beta - The beta version of Microsoft's next Windows Server (Windows Server 2012); thus perfect for a lab. Cost - none (download from Microsoft TechNet or MSDN).

PGHammer, on 26 April 2012 - 17:10, said:

For a lab-type DC, here's the spec skinny (my take):

CPU - Intel Core i5 (LGA1155) - Quad-core makes way too much sense for any sort of domain controller (even one for a micro-domain); however, you don't need HT for a lab-based DC (and you wouldn't overclock a server, let alone a DC, therefore no K-series). Safe bets - i5-2300 or i5-2310 (either is $179.99 @ Newegg)
Motherboard - BIOSTAR TZ77A - A Z chipset for a server sounds nuts; however, hear me out. Intel Rapid Storage Technology is certainly usable by a server (especially a low-end server) when you have an SSD (used as cache) and a RAID boot array. Also, you can completely forgo a discrete graphics card altogether. It's also a mere $109.99 at Newegg. Alternative - BIOSTAR TZ77B (6-phase PWM, vs. 8-phase PWM in the TZ77A, and $20 less at Newegg).
RAM - TEAM 16 GB (4GB x4) DDR3-1333 - Sandy Bridge can't normally use faster-speed memory than DDR3-1333 - in fact, it will actually underclock it in normal operation; why pay more for a faster speed you will never use? Hence my going bargain here - $69.98 at Newegg (use promo code EMCNFHF44 by April 30th to save an additional fifteen percent)
Secondary Ethernet - Intel EXPI9301 PCIe X1 gigabit adapter - Surprisingly, Intel gigabit is cheaper standalone than at the PHY level, and this is as solid (and as inexpensive) as Intel gigabit gets. $29.99 at Newegg.
Storage (internal SSD) - SAMSUNG 830 Series 64GB 2.5" SSD - When it comes to SSDs, there's Samsung, Intel - and everyone else. If Intel is too pricey, then Samsung is your only real choice. $104.99 at Newegg (MZ-7PC064B/WW)
Storage (RAID) - Western Digital Caviar Green WD15EARS x2 - These are the non-IntelliPower members of the Caviar Green family in this size (1.5 TB each) - $219.98 for the pair at Newegg.
OS - Windows Server 8 beta - The beta version of Microsoft's next Windows Server (Windows Server 2012); thus perfect for a lab. Cost - none (download from Microsoft TechNet or MSDN).

Overkill for a pet project with only 2 clients.

[+Fus10n]

Why did you even ask for help if all you are doing is arguing?

[htcz]

Fus10n, on 26 April 2012 - 19:48, said:

Why did you even ask for help if all you are doing is arguing?

Im not arguing. PGHammer's specs were WAY over the line/budget for a simple physical test. Ive player around with a Virutalbox but it is not the same. sc302 misunderstood me in the first post he made and now I read his second (did not notice it)

Thanks to all for the help.

[REM2000]

I suppose one of the questions is what version of Windows are you using for the AD? If it's windows 2003 you could get by on a P4 and 512MB RAM, if it's Windows 2008R2 you'll need a 64bit processor and 1GB RAM, that is if all your doing is AD, you've only got a couple of potential machines connecting to it so your not going to tax it. So really any processor you buy will be fine, as it's a pet project just buy the cheapest machine you can.

Also in a production environment i wouldn't have the domain controller connected directly to anything apart from the switch with one nic, two if you want fall over.

[+ShMaunder]

You can use any old PC hardware for just an AD. I run my home network on an Intel Atom and this runs a Linux VM, AD/DNS/DHCP, file serving and a PS3 media server. The only thing it doesn't do that well at is the PS3 media server when it has to re-encode a big file on the fly.

I agree with sc302 with the double NIC thing. You don't want to be exposing your AD to the external web. Suppose instead you could do a ESXi setup but I would guess the network routing configuration would be complicated to say the least.

[htcz]

sc302, on 26 April 2012 - 17:59, said:

Let me put it to you like this. Your dc has a trusted and untrusted interface.

By interface, I understand (once again) 2 NICs....

sc302, on 26 April 2012 - 17:59, said:

Your dc with your AD database that includes your user information in the SAM, passwords as well as usernames, group info, share rights, etc...and you are OK with this?

This implementation will not be a production area. It will be at my home with 2 PCs that contain nothing "important" to the public eye.

sc302, on 26 April 2012 - 17:59, said:

This is about as secure as leaving your car running, keys in the ignition, door wide open, in the bad area in town with your pants around your ankles and a sign asking for a guy named bubba to come and ram a stick in your rear then take your car.

Vast exaggeration. The car is not running because you need a password to run it. The door may be unlocked but the town only has about 10 citizens, none what so ever tech orientated (all the wifi signals in my neighboorhood are WEP ) so there is no bubba, no sign, and no stick.

Would I even consider implementing a system like this in a production system? No way. I would consider my options (obviously you have given great advice so thank you) and then implement it another way.

sc302, on 26 April 2012 - 17:59, said:

If you want it to be secure, dc behind the firewall, and a forefront threat management gateway server to handle your traffic monitoring with 2 nics for an unsecure and secure side. That is the proper way to do it, Microsoft wise. The forefront server becomes the firewall, not the DC.

So your setup would be something like { Things in () are software/non existing/virtual/etc components and things in [] are hardware components } :

(Internet)
|
|
|
[MODEM]
|
|
|
|
V
(Firewall)
|
|
|
|
V
[DC]
|
|
|
|
V
[SWITCH/ROUTER]
|
|
|
|
V
[PC]

There is something a bit bugging me which maybe is my fault of lack of knowledge. On the DC, I can simply put a firewall for incoming connections and on the switch/router (which runs DD-WRT) I can put another firewall, making the DC be in a DMZ zone. I THINK what you are trying to get it is using another piece of equipment before the DC to use as a more secure firewall, which obviously is not the topic at hand

After all this conversation (and of course learning a thing or two), lets stick to the topic: Building a PC to be used as a Active Directory domain controller. Lets forget about security, setup, etc. for now. I just want to build a PC to be used as a Active Directory domain controller (hence why in the hardware section of Neowin)

The most I want out of this PC is probably getting the clients on the domain and Group Policy. After that, I really don't want much else out of it. Thats why it has to be budget

[xendrome]

sc302, on 26 April 2012 - 17:15, said:

no you don't. the dc belongs behind the switch/router. The only time that you would have something that assinine is if you had a proxy server (isa server or forefront server). For a proper dc setup 1 network card is more than enough. I have been setting up proper Domain Controllers for years and I have never ever done or seen anything like this.

You can pick up a cheap supermicro server and do what you need to. dual nics is more for redundancy than anything else, if one nic fails the other is there to continue on. This is known as nic teaming. Nic teaming is the proper way to setup a DC, plugging the nics into two different switches so that even if a switch fails completely the other switch still has access to the dc. It is about redundancy not whatever you did there. The DC does not act as a firewall, it is not meant to and this creates a security risk by putting your user db on the outside of the firewall...might as well give the hacking community the keys to your house too.

All of this is correct, you don't need 2 NICs for a DC unless like he says you are worried about redundancy... I am not sure why you would put a DC between your Modem and Router. The only box that should be there in a normal network if you are using one would be a Proxy/Firewall system...