Hey all,
We are looking at setting up a second domain in an attempt to better split off our public devices (we are a library) from our other stuff.

It’s going to be a bit of an adventure to set up a domain from scratch, as it’s been a very long time since our current one was set up…but in the meantime, we’d like to get a couple of physical machines that could be the domain controllers for the new domain.

They would be housed in two separate buildings, and I am thinking that since this is a smaller domain, we would probably want to have DNS of course, but also DHCP on them. I realize that none of this stuff is particularly intensive in its needs, but I would like a little redundancy, as far as the storage and maybe the power supply.

I am just looking for some general guidance on servers to use for this. Generally, in the past, we have used HPE or Dell servers, so that’s what I’m most familiar with.

8 Spice ups

Why not just spin up a new VLAN and handle this with firewall/network rules instead of a whole new domain?

Also, physical machines are wasted on domain controller duties! The requirements are so minimal, it’s not worth it. Host them as virtual machines (and do NOT use Server 2025…)

@Rod-IT will tell you (and rightfully so) that DHCP doesn’t belong on a domain controller but if you insist on going this route, such a small domain would be fine doing it this way.

Get a NAS, connect your Hypervisor for shared storage pool(s), be done with it…two 1U hosts, one NAS, done…

7 Spice ups

Seconded on virtualizing. That for starters will allow you 2 VMs for every license you purchase which allows you to spin up a second VM to put all of the stuff that doesn’t belong on a DC on the second VM.

You could do something like StarWind Virtual SAN with it so that you have high availability with Hyper-V.

5 Spice ups

Library devices should be on their own ‘dirty’ network and away from other company devices (except their own printers, scanners, book borrowing machines etc.).

Typically a product like Deep Freeze would be used on them, so they go back to a base image at the end of the day/on reboot. They are likely to be infected at some point, in some cases on purpose, as the general public are often disgruntled.

Depending on their use case, is a domain even necessary?

4 Spice ups

Agreed, separate VLANs, set up a DMZ. Really, no need for a second domain for what you are looking for.

3 Spice ups

I have virtual DCs right now, and I’m perfectly fine with them, but it was suggested it may just be as straightforward as anything to go with a couple of basic physical machines for this. We do intend on putting them on a separate VLAN as well.

2 Spice ups

We do not use Deep Freeze - we’ve looked at it a number of times, but we’ve always been able to manage them very well with policies. This goes back to how the Bill & Melinda Gates Foundation computers were set up.

We do use guest profiles on them, so it’s not retaining customer information, but since we do rely on policies on them, that’s where having the domain comes in.

2 Spice ups

How it works is your call, not mine.

The biggest thing you need to fix is segregation of traffic.

2 Spice ups

Agreed - I believe the thinking was that on top of a separate VLAN, we could have true separation if we had a second domain, so that the patron side didn’t really need to get to the employee side at all.

2 Spice ups

I worked at a public library and we had separate VLANs for public and staff stuff. We had DCs for both and it made things a lot easier to manage; we had 19 locations and plenty of GPOs. A DC itself doesn’t require a lot of resources. Personally, I would think 4 CPUs and 8 gigs of RAM should do it. We had Deep Freeze for a while and stopped using it to cut expenses. A bit of a sigh of relief from me when the library started using it again.

2 Spice ups

Ideally yes, but I was asking whether a domain for public use was necessary as a food-for-thought type question; apart from policies, which may or may not be relevant depending on your library management system, it might not be necessary.

2 Spice ups

What do the public devices do that requires them to be on a domain?

If there isn’t a hard requirement, I’d advise against creating a domain. It’s extra management and vulnerabilities for little to no real gain.

If the public devices can be treated like a kiosk (launch a set number of applications from a limited user session), then that’s better. If you must use Windows, then something like Deep Freeze (or any of the other reboot-to-restore software packages) is a very easy way to undo anything that may have happened during the day. Remember that almost all GPOs are actually just registry settings, so having a domain isn’t a requirement to manage them. Anything done via GPO can almost always be done with a script that makes the necessary registry changes.

For security through obscurity, you could use Linux for the public kiosk machines. You’d still have to take the necessary steps to harden it, but it’s a less appealing target to someone who watched a YouTube video on how to hack a library kiosk running Windows.

2 Spice ups
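As an added illustration of the point made in this reply (this is not code from the thread), the script below sets a few well-known kiosk lockdown policies straight into the registry, the same values the corresponding GPOs would write, and then checks for drift so a daily scheduled task can report if a patron session has undone them. It assumes it runs elevated on the public machine itself and that the machine-wide Policies keys are honoured for these four values.

```powershell
# Added example, not from the original thread. Each entry mirrors a GPO setting:
# NoControlPanel / NoRun live under Policies\Explorer, DisableTaskMgr and
# DisableRegistryTools under Policies\System. The list is constructed for this
# example; add or remove entries to match the lockdown you actually want.
$KioskPolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Value = 1 }
)

# Write every policy value, creating the Policies key if it does not exist yet.
function Set-KioskPolicy {
    foreach ($p in $KioskPolicies) {
        if (-not (Test-Path -Path $p.Path)) {
            New-Item -Path $p.Path -Force | Out-Null
        }
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -Type DWord
    }
}

# Read each value back and return a list of mismatches (empty list = compliant).
# Run this from a scheduled task so tampering shows up in the event log or a report.
function Test-KioskPolicy {
    $drift = foreach ($p in $KioskPolicies) {
        $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($p.Name) } else { $null }
        if ($current -ne $p.Value) {
            "$($p.Path)\$($p.Name): expected $($p.Value), found '$current'"
        }
    }
    return @($drift)
}

Set-KioskPolicy
$issues = Test-KioskPolicy
if ($issues.Count -eq 0) {
    Write-Output 'All kiosk policies present'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Reboot-to-restore software such as Deep Freeze would revert these anyway; the check is what tells you whether the policy survived a patron session on machines that rely on policy alone.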

Thanks @randomparts - I think that is what we were thinking is that it would be the simplest solution for us right now without overhauling everything, while still providing the separation.

It may be that at some point in the future, moving to using Deep Freeze, or some sort of Linux kiosk, may be looked into (although we provide Microsoft Office for our customer base, so I’m not sure that’s feasible), but right now the idea was to get to the easiest point of providing some separation between devices.

1 Spice up

You can use the webapps for the kiosks still.

As far as I know, that would require a login - we use the LTSC versions that are not tied to a specific login.

1 Spice up

Which any user can sign up for, for free.

If, like UK libraries, there is no cost for patrons to use the internet, wouldn’t the free, but with registration, LibreOffice or some other product work?

As for LTSC, isn’t that only for Windows, not office?

While you may have people who complain about signing up, I’d bet 99% of them go to the library to look at email, Facebook, job search etc. Which they will have signed up for.

1 Spice up

If you already have a virtual infrastructure, you can create a separate virtual switch that maps to a different VLAN, and just have a virtual DC that connects to that vswitch. Then you won’t need additional server hardware.

1 Spice up

> Which any user can sign up for, for free.
>
> If, like UK libraries, there is no cost for patrons to use the internet, wouldn’t the free, but with registration, LibreOffice or some other product work?
>
> As for LTSC, isn’t that only for Windows, not office?
>
> While you may have people who complain about signing up, I’d bet 99% of them go to the library to look at email, Facebook, job search etc. Which they will have signed up for.

Microsoft still provides a standalone per-machine install of Office (LTSC 2024 was the latest - in fact the trend towards Office 365 is one that has been a worry for libraries, since our customer base is not static). Yes, I understand that you can access Office online for free by signing up, but in the library industry the goal is to limit barriers to access, and so not requiring a sign-in would be one way to do that - plus if a sign-in was required, I think our staff would spend all their time explaining to folks how to do it (trust me).

4 Spice ups

Not only that, but who would be in charge of making sure each user bothered to remember to sign themselves out afterwards, remembered what they used to log in the next time they visited, etc.?

I think the “solution” would be to create a generic library account (or multiple, depending on need) and sign into Office with it instead of having guests walk up and create one themselves.

@John-W

I wasn’t expecting you to be on Office 2024 already, hence the question.

As for libraries and limited access, I am aware; I assist with our public libraries’ filtering and library system and understand the setup, hence the suggestion of Deep Freeze. Ours is currently being revamped, but isn’t as intertwined as yours.

I am aware this may be necessary, but who helps them set up their email address or sign up for Facebook?

A sheet of paper or a guide on the system on how to set up an email account, so there is some form of self-help, wouldn’t hurt.

That said, if the business can absorb the cost of licenses, go ahead, I was simply offering an option, as we do to our clients.

1 Spice up