For example: someone was having trouble getting their Notes client to connect to Domino. Sounds simple enough. But what she really wanted to know was why Domino shouldn't be installed on a Windows domain controller. After several drinks to chase down a handful of aspirin, I recited Microsoft's admonitions on the subject. I memorized a number of such warnings while studying for my Microsoft Systems Engineer certification hoping they'd provide nice snippets of conversation at parties.

Domain controllers, by design, grab as many system resources as they deem fit for their own processes. They don't release resources. To domain controllers, there are no un-needed resources. It doesn't matter if you have 15 or 50,000 objects in Active Directory, the domain controller won't reconsider its position. It may request more resources but it will never release any.

Yes, of course, I've abused domain controllers on my test networks. They generally pay me back in spades. Right now I have a Windows domain controller under my desk running DHCP, DNS, WINS, and Remote Installation Services. It's linked by a cross-over cable to a single workstation. The server would be much happier if I removed all the extra services, even though there is only one workstation on its network. And, no, I'm not going to test its patience by adding a major application to its drives.

What about small networks? What kind of applications can you put on a Windows domain controller when you have 10 or 20 workstations? My suggestion would be to ALWAYS have at least 2 servers. Make the first one the domain controller then add DHCP, DNS, and WINS so you can use Active Directory. Make the second machine a member server and install your applications, like Domino, on it. That way, if the application dies, it doesn't take out your domain and if the domain dies your applications may still be recoverable.

Finally -- a domain controller is just a member server running some additional services. Until the server is properly configured, a domain controller is every bit as vulnerable to unauthorized access as any other machine.

Where to get some help
But, if you want to get it from the horse's mouth, you can start at the Microsoft Windows Server 2003 help and support page.

DominoPower Contributing Editor Nancy Hand is primary Notes admin at a remote site for a large corporation. She earned both Novell and Microsoft certifications in network engineering before being introduced to Lotus Notes. The 3,000 users she supports constantly challenge Nancy to keep up with their creative missteps. With a background in art, she brings a different perspective to working with computers and their users. In the past, Nancy has worked in the fields of accounting, criminal justice, and museum display. To balance the challenges of the job, she continues to draw and sculpt between stabs at writing novels and designing knitware.