WSUS Location
-
@dafyre said in WSUS Location:
It's far better to lose both at the same time and reduce total outages.
Umm... Not sure I agree with you here. I'd rather not be completely dead in the water because of <insert reason for outage here>
DHCP doesn't fix the problem that you are imagining. You are looking at it wrong. If you need DHCP to function, then your risk of DHCP failing remains the same. The risk that AD goes down at a time that it impacts you but you are not completely dead is ADDITIONAL. Your reaction is an emotional one caused by looking at the risk solely from the AD direction and ignoring the DHCP risk on its own.
-
@dafyre said in WSUS Location:
Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.
NB: My current AD servers are not tied in to ADSo everything about the approach is wrong.
Based on personal experiences and the issues I've seen, we'll have to agree to disagree here.
It's just math. Risk math makes it so. There's nothing to agree or disagree on. There's no opinion involved. It's just "how does the risk math work."
-
@dafyre said in WSUS Location:
Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.
Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.
That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.
Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.
So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)
By merging the services you can dramatically reduce your overall risk with literally zero downsides.
-
@dafyre said in WSUS Location:
Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.
If AD itself goes tits up, but the box stays running - DHCP will stay running
NB: My current AD servers are not tied in to AD
What? how are AD servers not tied to AD - unless you're talking about the physical hosts (i.e. the Hypervisor level)
-
@dashrender said in WSUS Location:
@dafyre said in WSUS Location:
Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.
If AD itself goes tits up, but the box stays running - DHCP will stay running
NB: My current AD servers are not tied in to AD
What? how are AD servers not tied to AD - unless you're talking about the physical hosts (i.e. the Hypervisor level)
Argh... The typos. I'll fix it It should be :
NB: My current DHCP servers are not tied in to AD
-
@dafyre said in WSUS Location:
@dashrender said in WSUS Location:
@dafyre said in WSUS Location:
Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.
If AD itself goes tits up, but the box stays running - DHCP will stay running
NB: My current AD servers are not tied in to AD
What? how are AD servers not tied to AD - unless you're talking about the physical hosts (i.e. the Hypervisor level)
Argh... The typos. I'll fix it It should be :
NB: My current DHCP servers are not tied in to AD
And what do you gain from that?
-
@scottalanmiller said in WSUS Location:
@dafyre said in WSUS Location:
Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.
Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.
That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.
Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.
So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)
By merging the services you can dramatically reduce your overall risk with literally zero downsides.
I'm really trying to understand the math here considering - two AD servers, two DHCP servers - and crazily, we'll assume one DNS server, because he never stated that he has two DNS servers.
-
@dashrender said in WSUS Location:
@scottalanmiller said in WSUS Location:
@dafyre said in WSUS Location:
Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.
Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.
That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.
Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.
So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)
By merging the services you can dramatically reduce your overall risk with literally zero downsides.
I'm really trying to understand the math here considering - two AD servers, two DHCP servers - and crazily, we'll assume one DNS server, because he never stated that he has two DNS servers.
In this scenario, 2 x AD+DNS Servers, and 2 x DHCP Servers (Windows, Configured for HA)
-
@scottalanmiller SAM there are 2 DC's now (VM's) and i have to add DNS and DHCP as separate VM's or put them together.
It's a very small network but needs high availability.
Should DNS and DHCP have a primary and secondary VM?
-
The reason for using WSUS as it will have constant internet access to be able to download updates and patches. During maintenance we will set it to deploy what we need and nothing else as these systems will run production equipment on the manufacturing plant floor and we only get a small window to update things monthly so we can't spend it choosing the update we need and downloading and deploying them on 1 of 35 VM's
we get about 4 hrs per month to take things down and do any kind of work.
-
@eleceng DNS and DCs go hand in hand so while you could get away with it there is no reason to separate those roles.
-
@eleceng said in WSUS Location:
@scottalanmiller SAM there are 2 DC's now (VM's) and i have to add DNS and DHCP as separate VM's or put them together.
It's a very small network but needs high availability.
Should DNS and DHCP have a primary and secondary VM?
They should be redundant, just like AD. In a cluster.
-
@dafyre said in WSUS Location:
@dashrender said in WSUS Location:
@scottalanmiller said in WSUS Location:
@dafyre said in WSUS Location:
Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.
Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.
That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.
Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.
So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)
By merging the services you can dramatically reduce your overall risk with literally zero downsides.
I'm really trying to understand the math here considering - two AD servers, two DHCP servers - and crazily, we'll assume one DNS server, because he never stated that he has two DNS servers.
In this scenario, 2 x AD+DNS Servers, and 2 x DHCP Servers (Windows, Configured for HA)
Right, that's a lot of extra risk (and cost) for no reason. You could have more reliability going down to just two VMs instead of four.
-
@dashrender said in WSUS Location:
If AD itself goes tits up, but the box stays running - DHCP will stay running
Correct, only risk is at the hardware or operating system level.
-
@dashrender said in WSUS Location:
@dafyre said in WSUS Location:
@dashrender said in WSUS Location:
@dafyre said in WSUS Location:
Umm... if DHCP is running on the AD server that went tits up, then yes it does. Especially if everything is completely AD integrated.
If AD itself goes tits up, but the box stays running - DHCP will stay running
NB: My current AD servers are not tied in to AD
What? how are AD servers not tied to AD - unless you're talking about the physical hosts (i.e. the Hypervisor level)
Argh... The typos. I'll fix it It should be :
NB: My current DHCP servers are not tied in to AD
And what do you gain from that?
Risk and cost!
-
@dashrender said in WSUS Location:
@scottalanmiller said in WSUS Location:
@dafyre said in WSUS Location:
Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.
Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.
That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.
Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.
So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)
By merging the services you can dramatically reduce your overall risk with literally zero downsides.
I'm really trying to understand the math here considering - two AD servers, two DHCP servers - and crazily, we'll assume one DNS server, because he never stated that he has two DNS servers.
Assuming the DNS is either with the AD or with the DHCP. As DNS is an AD dependency, you have to keep them together for safety. However DHCP is also an AD dependency that you have to keep together for safety. So who knows.
-
@scottalanmiller SAM thanks for the video that does clarify it and makes it easy to understand.
-
@eleceng said in WSUS Location:
@scottalanmiller SAM thanks for the video that does clarify it and makes it easy to understand.
No problem
-
@scottalanmiller said in WSUS Location:
@dashrender said in WSUS Location:
@scottalanmiller said in WSUS Location:
@dafyre said in WSUS Location:
Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.
Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.
That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.
Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.
So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)
By merging the services you can dramatically reduce your overall risk with literally zero downsides.
I'm really trying to understand the math here considering - two AD servers, two DHCP servers - and crazily, we'll assume one DNS server, because he never stated that he has two DNS servers.
Assuming the DNS is either with the AD or with the DHCP. As DNS is an AD dependency, you have to keep them together for safety. However DHCP is also an AD dependency that you have to keep together for safety. So who knows.
Scott Allan Miller - excellent video and thanks for you awesome input as always. I made it about 5 minutes before I got lost in your beard though xD
-
@dave247 a common enough problem.
