How do you choose to spread your server roles across VMs?

Concentric

So, I'm interested in how others would choose to set up their Windows Servers in a virtual environment.

Which server roles would you run together on the same VM, and which do you choose to put on a separate VM of their own?


As an example, let's say I have a Windows Server 2008 Enterprise system running Hyper-V, which allows me (without having to buy extra licences) to have up to 4 virtual machines running Server 2008.

How would you choose to split up the following server roles among the 4 possible virtual machines?:
- Active Directory Domain Services
- DHCP
- DNS
- File Services
- WDS
- WSUS
- Print
- Application

I would go with something like:
- VM1 - AD-DS / DHCP / DNS / File
- VM2 - WDS / WSUS
- VM3 - Print
- VM4 - Application

Anyone disagree? Share your experience.
 
- DHCP / DNS +/- AD
- File / Print Services
- Application +/- AD
- WSUS / WDS / Secondary DNS +/- AD

I like to keep the DHCP / DNS services separate from the other services so they don't get overloaded with other operations. Typically I do these on the server core version of Windows Server. You can include AD in that, but with many of the newer advanced features of AD it may get pinged on quite a bit more and use up more resources. It depends on what you are really doing with your forest and AD architecture. I like to package AD with the Application and WDS, especially if I have licenses tied into terminal services or other applications so it doesn't have to clog up network bandwidth with AD calls. And I generally always keep file and print services on the same server by habit, and I don't want read/write calls clogging up my other installations. Also the file/print server is likely going to be the most fail prone server, so I don't want other services disrupted by it. Also, you may want more than one AD server. I would generally put a backup AD and backup DNS on one of the other servers.

I have also seen for larger enterprises just one VM or server for AD alone.
 
I wouldn't make your DC a file server. I'd put ADDS, DHCP, and DNS on it and never put anything else on it, ever.

I would want at least two DCs.

In your scenario, I'd want more than 4 VMs, but sticking with only 4, I'd probably do something like:

- VM1 - AD-DS / DHCP / DNS
- VM2 - AD-DS / DHCP / DNS
- VM3 - WDS / WSUS / File
- VM4 - Application / Print

The roles on VMs 3 and 4 could move around a bit, depending on expected resource usage.

You could also argue against having a second DC on the same hardware and split the remaining roles among the other 3 VMs, but I still think I'd stick with two.

How large is the network you're supporting? If you're using WDS, I'd imagine it to be at least somewhat decently sized, in which case I'd fight hard for more than one physical machine. In fact, I'd probably do that regardless.
 
> You could also argue against having a second DC on the same hardware and split the remaining roles among the other 3 VMs, but I still think I'd stick with two.

You can set up an anti-affinity rule to always make sure they are not on the same host provided you have multiple hosts. I also like to keep print services away from the ADS services as a hosed up driver install or print spooler issue can bring the server down.
 
It sounds like in his case he's looking at only having one piece of physical hardware, so having two DCs on the same physical hardware negates some of the benefit is all that I meant. But if you've got more than one piece of hardware, that's definitely something to consider.
 
Interesting that you'd choose to put the file server together with the print server, despite admitting that the print server is the most likely to cause problems (e.g. a faulty driver). Wouldn't you want to make sure users can still access files in a situation where you had to take down the print server?
 
> It sounds like in his case he's looking at only having one piece of physical hardware, so having two DCs on the same physical hardware negates some of the benefit is all that I meant. But if you've got more than one piece of hardware, that's definitely something to consider.

I agree. The posting is a little vague in this area.

> Interesting that you'd choose to put the file server together with the print server, despite admitting that the print server is the most likely to cause problems (e.g. a faulty driver). Wouldn't you want to make sure users can still access files in a situation where you had to take down the print server?

Generally, yes. However, their environment might be small enough where they are okay with that.
 
With one physical host and four VMs, you've got to compromise somewhere.

How you do it is going to depend on the specifics of the roles.

If your applications are finicky and require lots of updates and reboots, maybe they get their own VM.

If your print server has three queues and two stable printer drivers, maybe it doesn't warrant its own VM. If your print server has 500 queues and 50 drivers, 5 of which cause you regular issues, maybe it does.

If application A is the company's bread and butter, but they don't care as much about printing, application B or the files on the fileserver, maybe you factor that into their placement.

Basically, my rules are:
1) Nothing but DNS and DHCP goes on a domain controller, period.
2) Separate roles/applications into separate VMs whenever possible and not a complete waste of resources (like a few megabyte licensing server that handles 50 requests a day - I keep one or two generic server VMs for these kinds of things).
3) Start combining roles when required, and combine them in a fashion taking their other attributes (importance to business, frequency of maintenance, frequency of issues, resource requirements, etc) into account.
4) Get Windows Datacenter licensing whenever possible so you don't have to play the "Which existing server/app do I want to risk by bolting this new app onto it?" game. New app, new VM. Decommissioned app, decommissioned VM.

Of course, there are always exceptions to any rule and everybody has a different way of doing things.

I'll butt out now, curious to see some other opinions.
 
I always put print on its own server just in case you need to reboot due to a spooler issue etc
 
> I always put print on its own server just in case you need to reboot due to a spooler issue etc

Especially if there are HP Laserjet 3600's on the network. Just looking at the printer the wrong way will crash the whole server. LOL

I'd also look at having the primary domain controller (one with FSMO roles) being a redundant physical box. If there is an issue with the VM environment such as the SAN or anything where the entire VM environment is down, at least authentication will still work, and users will be able to at least log in to their computers and use any applications that aren't hosted in the VM environment.
 
Obviously the answer to this depends quite a bit on the particular setup. In a larger organisation you would have multiple hosts and go with Datacenter licensing to give you as many VMs as you like.
For the example scenario in the OP I was thinking more along the lines of a small organisation with only a single server. They would want to take advantage of virtualisation where possible, but the limited number of VMs and/or hardware available means that they would be restricted to a more compact configuration, so I am interested to know which roles you would be happy to combine and which you wouldn't.

Good points markwo - a print server with one or two drivers is probably safer to combine with other roles than a setup with dozens of printers of different makes and models.
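
Added example, not part of any post in this thread: a small Python check that runs two of the layouts posted above against three rules the replies give (nothing but DNS and DHCP on a domain controller, at least two DCs, print on a VM of its own). The function, constant and layout names are illustrative assumptions; the role labels are the ones the posters used.

```python
DC_ROLE = "AD-DS"
DC_ALLOWED = {"AD-DS", "DNS", "DHCP"}   # "Nothing but DNS and DHCP goes on a domain controller"
MIN_DCS = 2                             # "I would want at least two DCs"

# Layouts copied from the thread; the dictionary keys are labels made up for this example.
LAYOUTS = {
    "original post": {
        "VM1": {"AD-DS", "DHCP", "DNS", "File"},
        "VM2": {"WDS", "WSUS"},
        "VM3": {"Print"},
        "VM4": {"Application"},
    },
    "two-DC reply": {
        "VM1": {"AD-DS", "DHCP", "DNS"},
        "VM2": {"AD-DS", "DHCP", "DNS"},
        "VM3": {"WDS", "WSUS", "File"},
        "VM4": {"Application", "Print"},
    },
}

def check_layout(layout):
    """Return findings for one {vm_name: set_of_roles} layout, in a stable order."""
    findings = []
    dcs = sorted(vm for vm, roles in layout.items() if DC_ROLE in roles)
    # Rule 1: anything beyond AD DS, DNS and DHCP on a DC widens what a fault
    # or compromise in that extra role can reach.
    for vm in dcs:
        extra = sorted(layout[vm] - DC_ALLOWED)
        if extra:
            findings.append(f"{vm}: domain controller also hosts {', '.join(extra)}")
    # Redundancy: a single DC is a single point of failure for authentication.
    if len(dcs) < MIN_DCS:
        findings.append(f"{len(dcs)} domain controller(s), want at least {MIN_DCS}")
    # Print isolation: a spooler or driver reboot takes co-hosted roles down too.
    for vm in sorted(layout):
        shared = sorted(layout[vm] - {"Print"})
        if "Print" in layout[vm] and shared:
            findings.append(f"{vm}: Print shares a VM with {', '.join(shared)}")
    return findings

if __name__ == "__main__":
    for name, layout in LAYOUTS.items():
        print(name)
        for finding in check_layout(layout) or ["no findings"]:
            print("  -", finding)
```

With only four VMs neither layout comes out clean, which is the compromise the replies describe: the findings show which rule each plan gives up.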
 