Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows 2003
    - Admin Tips
      - Security
        Increase file server performance

Section(s): Active Directory , Security
Published on Jul 12, 2006.
Last Modified on Jul 12, 2006.
Last Modified by Mitch Tulloch.
Rated 2.9 out of 5 based on 17 votes.

Don't use your domain controller as a file server--here's why.

One simple way to get better file server performance is to make sure you use a separate server as your file server. In other words, don't use your domain controller as your file server. Why, you might ask. After all, domain controllers don't do all that much most of the time--everyone logs on in the morning, downloads GPOs, and the DC goes quiet, right?

Well, if you are running Windows Server 2003 then SMB signing is turned on by default for security reasons to safeguard network communciations between client computers and DCs by protecting against man in the middle attacks and SMB packet replay attacks. But SMB signing also means that all packets in a TCP session that are exchanged between clients and DCs are serialized i.e. packet 1 must be acknowledged as received before packet 2 is sent, and so on. And this can have a huge impact if you try to transfer a large file between a client and a DC.

Rather than disable SMB signing, which would expose your domain controller to possible attack, why not migrate your file server functions to a separate machine instead.

Cheers, Mitch Tulloch, MVP

About Mitch Tulloch

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is the book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch was also the author of Introducing Windows Server 2008 and technical project lead for the Microsoft Office Communications Server 2007 Resource Kit, both books also from Microsoft Press. For more information on these and other books by Mitch, see www.mtit.com .