Re: ISA 2004 enterprise install
- From: "Ole Thomsen" <ot@xxxxxxxxxxx>
- Date: Thu, 14 Apr 2005 13:21:16 +0200
Thanks a lot, Yury, your help is much appreciated.
Ole Thomsen
Yury Berezansky [MSFT] wrote:
There are several aspects you should consider.
Performance
Most of the time ADAM doesn't perform any significant work.
Considering this and the small number of array members there should be no significant
difference between installing the CSS on an array member or on a DC
from the performance point of view.
Security
It's considered less secure to install CSS on the edge, as described
in
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx.
In addition, you should understand that the administrator of a machine
where CSS is installed becomes an ISA administrator. Therefore, for example, if
the CSS is installed on a DC, then DC administrators become ISA
administrators. It's not a problem if ISA servers are domain members because DC
administrators are domain administrators anyway.
However, if CSS is installed on a SQL Server machine, SQL Server
administrators (which are essentially machine administrators) become
ISA administrators, which may be undesired.
Reliability and redundancy
When the CSS becomes unavailable array members remain fully
functioning with the latest configuration. This configuration remains available and
active after services restart or reboot (this is different from ISA 2000).
However, you cannot make configuration changes.
To provide redundancy you may install an additional replica (one
only) of the CSS and configure the array to use that replica as an alternate
CSS. If the primary CSS becomes unavailable, the array members will
automatically start using the alternate CSS and return to the primary once it
is available again (with some configurable delays, as described in
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/setcssdelaytimes.mspx).
Having all the above and taking into account that installing the CSS
on a dedicated server is not an option, I would recommend installing it on
a DC. If you have two DCs you may consider installing an alternate CSS too.
Please do not send e-mail directly to this alias. This alias is for newsgroup purposes only.
"Nathan" <caseynathan@xxxxxxxxxxx> wrote in message news:%23t9uNAHQFHA.2356@xxxxxxxxxxxxxxxxxxxxxxx
I also want to base my choice upon best practice or experience from
other users. Currently, our ISA 2000 array has 2 members that are member
servers in a DMZ AD domain. The DMZ AD domain has 2 DC's. Since the array
info is stored in AD I can count on the array being online as long as one of
the 2 DC's is online. With this in mind, for the same redundancy, should I
install the CSS on the DC's or both ISA array members? The option to
purchase dedicated CSS is not really feasible. But if we did, should
there be 2 of them?
Nathan
"Ole Thomsen" <ot@xxxxxxxxxxx> wrote in message news:uMO$UV%23PFHA.3760@xxxxxxxxxxxxxxxxxxxxxxx
Thanks a lot, but I would like to base my choice upon best practice or experience from other users.
In my case there will be 2 (maybe 3) servers in an array, and I have a hard time deciding if I should install CSS on our domain controllers, ISA servers or somewhere else. All our servers are located on the same subnet.
Ole Thomsen
Yury Berezansky [MSFT] wrote:
Hi Ole,
Please see http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx for Deployment Guidelines for ISA Server 2004 Enterprise Edition. Specifically, read the Configuration Storage Server Deployment Guidelines section.
ISA Configuration Storage server (CSS) is implemented using Active Directory Application Mode (ADAM) which may run side by side and independently with Active Directory on a domain controller. You may choose to install ISA CSS on domain controller(s) rather than on dedicated server(s) to conserve hardware. Installing the CSS on a domain controller doesn't automatically replicate to other domain controllers. On the other hand, you also don't have to install the CSS manually on all domain controllers. The choice should be based on your network topology.
Yury Berezansky [MSFT]
"Ole Thomsen" <ot@xxxxxxxxxxx> wrote in message news:ePk2ZZ$OFHA.3076@xxxxxxxxxxxxxxxxxxxxxxx
I'm also looking for best practice for ADAM install for ISA array. Hope someone has input.
Ole Thomsen
Nathan wrote:
We currently have 2 ISA 2000 enterprise servers set up in an
array. We are planning a migration or upgrade to ISA 2004 enterprise. My
question is about the best way to set up the "Configuration
Storage Server". The install choices are to install the Configuration
Storage Server on the same server as ISA or to install it on
another server. With ISA 2000 Arrays, all ISA Server
configuration information is saved to Active Directory.
With this in mind, is it best to first install the Configuration
Storage Server on the Domain controllers? If so, do I need to
install the Configuration Storage Server on all DC's or will this
install replicate to other DC's as the 2000 array info did.
Or, should the Configuration Storage Server be installed on both
ISA servers?
Thanks
Nathan