Re: Domain Controller Best Practice

From: Matthew S Barnes (mbarnes_at_bfinity.net)
Date: 02/24/05

    Date: Wed, 23 Feb 2005 19:57:37 -0500
    To: focus-ms@securityfocus.com
    
    

    From: "Sullivan Tim P" <tim.sullivan@nativemode.com>
    >To: <focus-ms@securityfocus.com>
    >
    >I am in need of some supporting documentation relating to Domain
    >Controllers.
    >
    >The situation is this. A medium sized school would like their single DC
    >to also be a file server. This DC would be serving about 300 people,
    >along with another file server and an email server.
    >
    >My initial recommendation is multiple domain controllers for the simple
    >reason of fault tolerance of the schema. They buy this.
    >
    >However, they would like to see technical documentation saying that it
    >is not a good idea to have a domain controller share roles as a DC and a
    >file server.
    >
    >One of my main concerns, aside from load, is that high school age kids
    >are using the network. They like to poke and prod. I would rather them
    >not even poke at the DC. Also, as the DC has no local security database,
    >you can no longer use permission assignment best practice. To me it just
    >seems like a bad idea, but I need documentation to back it up.
    >
    >Can anyone offer resources to illustrate this? I am scouring technet and
    >the MS AD deployment docs now.
    >
    >Thanks,
    >Tim
    >
    >
    >
    >______________________
    >Tim Sullivan
    >Nativemode Technologies
    >(623) 910-4700
    >tim@nativemode.com
    >
    >---------------------------------------------------------------------------
    >---------------------------------------------------------------------------
    >
    >

    Hi Tim, there are some very good guides available from the NSA for free on their website that should give you just what you need.

    Quote from the AD Guide
    "Domain controllers contain sensitive information, such as copies of users’ secret keys used for domain authentication. Therefore, the security of domain controllers should be a high priority."

    You may want to look at several of the guides to get what you need all in one spot.

    links follow:
    All Guides: Many to choose from !!!!
    http://www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1
     MS - AD Guide
    http://www.nsa.gov/snac/os/win2k/w2k_active_dir.pdf

    Hope this helps!

    Matthew S Barnes
    bFinity Incorporated
    www.bfinity.net

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

