Re: ask - Recommended Configuration for Domain Controll and SQL Server

no_name · ‎06-26-2013

Hi there,

we plan to upgrade old server to new one. we consider to use tower server.

that server will be used for domain controller under Windows server 2008 R2 (either enterprise or standard, still discuss about this), and also will be installed sql server 2008 data center.

is E3-1220 with 4GB ram will enough? or it too basic?
usage time 3-5 years.

thanks in advance

Skotte · ‎06-26-2013

Hi,

It is not reccommended to install SQL server on a domain controller.

The main reason is security, if SQL server is compromised, the possibility of the DC being compromised is increased.

Also it is more difficult to tune a system running multiple applications.

That being said, it can be done, there is nothing stopping you from installing SQL server on a machine with the Domain Controller role.

In my honest opinion, 4GB RAM is way too small to be running SQL server let alone a DC.

SQL Server will chew up a minimum of 400MB RAM just sitting idle.

If you could post more information as to what the SQL server is to process, the db environment, and how many concurrent transactions / users will be using the Database server at one time.

Cheers

Leon

no_name · ‎06-26-2013

hi, thanks for input.

database wiil be used for data stored from certain application.

concurrent user for database (via application, which installed on client site) up to 4 users, but very rare, mostly only 2 users.

we are not use reporting nor analyst tool for database.

4GB too small? then what size of RAM you recommend?

how about the processor? since that processor categorized as low cost processor. But I'm amazed the clock is 3Ghz and it has 4 cores.

thanks :)

Skotte · ‎06-26-2013

Hi,

I tried last night to install SQL server on a DC (virtual testbed) to see how the system will perform using 4GB RAM on a 4 core VM.

I ran into an issue:

The DC role installed fine, however, upon installing SQL Server 2008 / 2008R2 / 2012 onto the 2008R2 DC, the files installed, however, the security groups were not created.

2005 installs fine btw, just seems to be 2008 and above.

So, I would suggest the following:

Use HyperV, install 12-16GB RAM onto the machine, and run the DC from the primary OS, and SQL Server from the Virtualised OS.

Windows Server 2008r2 standard has one additional HyperV license, enterprise has 4 additional licenses.

This allows you to isolate the SQL Server instance from the DC.

HTH

Cheers

Leon

Skotte · ‎06-26-2013

I am posting the explaination in a separate post.

On Win 2008 service SID is supported.

The service SID is added to the security group and the resources are normalized (Access Control Lists) using the group. The exception is Domain Controller where the resources are normalized using the service SID itself.

On Win 2008 R2 and above the service SID enquires the “well known group” which is in the form of “NT Service\Service Name” to get the status of the account so that resources can be normalized using the service SID.

Service SID is added as sysadmin for engine to access the resources.

Therefore the behavior encountered is by design.

On Win 2008 R2 DC, if you install SQL 2008 or above the security groups are never created.

Rather the service SID “NT Service\Service Name” is provisioned to set Access Control Lists on the resources.

Thus you see “DATA” or other folder/reg keys have this account on “Security” tab under folder properties.

The per-service SID is derived from the service name and is unique to that service.

A service SID name for SQL Server service is like “NT Service\MSSQL$<InstanceName>”

In any case, the security group or service SID for SQL is managed by SQL itself.

Cheers

Leon

no_name · ‎06-28-2013

Hi,

thanks for detail describe :)

so, there is an error while we combine DC 2008 with SQL 2008. an the error is security issue. am I right?

if you suggest for 16GB ram, is there tower version which have that much ram?

and, E3-1220 or on its class (1230, 1240) are capable for those tasks to run together, am I right?

Skotte · ‎06-28-2013

Hi,

Yes, it's a security issue.

Intel Ark advises that the i3-1220 can support up to 32GB DDR3-1066/1333 RAM, so that should not really be an issue.

Considering what you are running, and what will be used, the i3 should be able to run all of the applications without a problem given enough RAM.

Hope this helps.

Cheers

Leon

no_name · ‎07-01-2013

hi,

yes, your explanation very clear :)

btw, we consider not to use virtual machine if possible, because even we use 1 PC, that could be mean we still need more than 1 license for MS windows server.

let say, I ignore about security issue (I assume security issue refer to "system has been compromised/attacked"), is there any consideration to not combine sql server with domain control in one system?

thanks in advance.

Skotte · ‎07-01-2013

Hi,

Using Windows Server 2008 / 2008R2 / 2012 server, you can physically install SQL Server 2008 / 2008R2 / 2012 on the system with the Domain Controller Role, however, it will not allow the groups to be created.

Windows will not allow a server to be promoted to a Domain Controller with SQL Server installed.

On Win 2008 the service SID is added to the security group and the resources are normalized using the service SID itself. *The Service SID is added as sysadmin, not MSSQLSERVER*.

On Win 2008 R2 and above,the service SID enquires the NT Service\Service Name to get the status of the account so that resources can be normalized using the service SID in all scenarios like Standalone, Cluster or DC.

Of course service SID is added as sysadmin for engine to access the resources.

You can read here how it works, the per-service SID is derived from the service name and is unique to that service. A service SID name for SQL Server service is like “NT Service\MSSQL$<InstanceName>”

The security group or service SID for SQL is managed by SQL itself, not the DC.

You can however, install SQL Server 2005 onto a 2008 / 2008R2 / 2012 Domain Controller.

Cheers

Leon

Skotte · ‎07-01-2013

What I am trying to say is that SQL Server 2008 / 2008R2 and 2012 manages its own groups.

Windows Server 2008 / 2008R2 and 2012 with a Domain Controller role will not allow these groups to be created by SQL Server.

SQL Server 2005 does not install these groups, it uses a completely different management substructure.

All editions of Windows Server come with at least 1 addiitonal licence for HyperV with the exception of the foundation edition, so you do not have to worry about having to purchase an additional licence

Hope this Helps

Cheers

Leon

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: ask - Recommended Configuration for Domain Controll and SQL Server

ask - Recommended Configuration for Domain Controll and SQL Server