
where should the line be drawn on what services a DC should be used for

Discussion in 'Windows Home Server' started by Jim in Arizona, Apr 15, 2009.

  1. I'm working at a manufacturing plant that's currently under construction.
    We have two DCs, one is local (server 2008) and the other is hosted on the
    net (server 2003).

    The local DC is being used for not just a DC and DNS, but as a file, print
    and IIS server.

    At what point should the line be drawn at how many uses a DC should be used
    for? I was always taught that the DC was one of the most important computers
    in your network and should be treated very securely. If that is the case,
    shouldn't the DCs be left to just being DCs and not a swiss army knife of
    services?

    My goal is to move IIS off the DC and put it on a new server, along with
    SQL. This new server would also host the Fishbowl server (it's currently on a
    personal laptop which I need to get off of for numerous reasons). I need to
    convince management that a DC should only be used for the primary purpose of
    active directory (user/computer account authentication), DNS and DHCP (and
    whatever else I may be forgetting at the moment that a DC does), and not for
    a dozen other things.

    I was looking for a webpage somewhere on Microsoft that may say something
    about a DC only being used as a DC and nothing more for security reasons but
    haven't been able to find much.

    Can someone help me out on this? Is it really ok to use a DC for pretty much
    everything or, if not, where can I find documentation saying otherwise?

    TIA,
    Jim

    --
     
  2. Joe Grover


    I don't like putting anything on a DC that doesn't need to be there (AD and
    DNS). The more things you add to it the more problems you can run into.
    For example, hosting IIS on the box means that you may have to perform
    updates and fixes for IIS or .NET components that require a server reboot,
    or a change to something may lock up the server. If it's only affecting the
    IIS server, then great, but when a change for IIS means that everything in
    the organization has to go down (logons, Exchange, fileshares, etc) then
    you're looking at outages whose effect is outside the scope of what you're
    trying to work on.

    Really it comes down to personal preference. Many people use their servers
    for multiple roles (i.e. SBS setups). Determining where the line needs to
    be drawn is a balancing act of what you can afford, who's doing work on the
    server and how often, and weighing this against the risk of taking down
    multiple services at once should a problem arise.

    Joe

     
  3. Hello Jim,

    You are right, a DC should do its main task with AD/DNS/GC and DHCP if needed.
    Anything else, especially IIS accessible from the internet, is a security hole.
    If possible run IIS and Exchange in a DMZ.

    The DC is the heart of the network and if it is compromised and the security
    is lowered with services like IIS you open the network for the world. Also
    you should have at least 2 DCs in a domain for redundancy and failover reasons.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


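    The advice in the two replies above (keep the DC to AD, DNS, GC and DHCP;
    move IIS, file and print serving to a member server) can be turned into a
    quick audit that shows management exactly what else the DC is carrying. The
    following PowerShell script is an added example, not code from this thread
    or from Microsoft. It assumes the ServerManager module (Windows Server 2008
    R2 or later; the poster's Server 2008 box would need servermanagercmd.exe
    instead), local administrator rights on the DC, and an allowlist of core
    roles that is the editor's assumption drawn from the thread.

```powershell
# Added example (not from the thread): audit a domain controller for roles
# beyond the AD/DNS/DHCP core that the posters above recommend.
# Assumes the ServerManager module (Windows Server 2008 R2 or later) and
# that it is run locally on the DC in an elevated PowerShell session.
Import-Module ServerManager

# Roles a DC is expected to carry; everything else is flagged for review.
# This allowlist is an assumption taken from the thread; adjust it per site.
$coreRoles = @('AD-Domain-Services', 'DNS', 'DHCP')

$installedRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }

$extraRoles = $installedRoles | Where-Object { $coreRoles -notcontains $_.Name }

# Services that indicate the "swiss army knife" roles the original post lists.
$watchServices = @{
    'W3SVC'       = 'IIS web server'
    'MSSQLSERVER' = 'SQL Server default instance'
    'Spooler'     = 'print spooler (print server role)'
}

"== Installed roles on $env:COMPUTERNAME =="
$installedRoles | Format-Table Name, DisplayName -AutoSize

if ($extraRoles) {
    "== Roles outside the DC core (candidates to move to a member server) =="
    $extraRoles | Format-Table Name, DisplayName -AutoSize
} else {
    "No roles beyond $($coreRoles -join ', ') are installed."
}

"== Running services that belong on a member server =="
foreach ($svc in $watchServices.Keys) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -eq 'Running') {
        "{0,-12} running  ({1})" -f $svc, $watchServices[$svc]
    }
}

# Shares beyond the administrative and AD defaults mean the DC doubles as
# a file server; NETLOGON and SYSVOL are expected on every DC.
"== Non-default file shares =="
Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Name -notmatch '^(ADMIN\$|C\$|D\$|IPC\$|NETLOGON|SYSVOL)$' } |
    Format-Table Name, Path -AutoSize
```

    Anything listed under the "outside the DC core" heading or in the shares
    table is what the original poster wants to move to the new server. The
    Spooler line is informational on a DC of this era, where the print spooler
    service starts by default even without the print server role; the IIS and
    SQL lines are the ones that make the blast-radius argument from the second
    reply concrete.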
     
  4. Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de> wrote:
    > Hello Jim,
    >
    > You are right, a DC should do its main task with AD/DNS/GC and DHCP
    > if needed. Anything else, especially IIS accessible from the internet, is
    > a security hole.


    Yep.

    > If possible run IIS and Exchange in a DMZ.


    Not Exchange, no. It's definitely not recommended. Public webservers, yes -
    I agree wholeheartedly.

    >
    > The DC is the heart of the network and if it is compromised and the
    > security is lowered with services like IIS you open the network for
    > the world. Also you should have at least 2 DCs in a domain for redundancy
    > and failover reasons.
     
  5. Hello Lanwench [MVP - Exchange],

    I think you mean because of the needed GC, so you have to open the connection
    to AD?

    Best regards

    Meinolf Weber


     
  6. Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de> wrote:
    > Hello Lanwench [MVP - Exchange],
    >
    > I think you mean because of the needed GC, so you have to open the
    > connection to AD?


    Not just that - you have to open up far too many ports between DMZ and LAN
    for communication. Exchange should always go on the LAN. You can publish it
    with ISA...that's a recommended solution.
     
  7. Bill Grant


    I agree with that. If you punch enough holes to allow AD and Exchange,
    what is the point of having a firewall at all?

    "Lanwench [MVP - Exchange]"
    <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
    news:Ol0LKKpvJHA.528@TK2MSFTNGP06.phx.gbl...
    > Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de> wrote:
    >> Hello Lanwench [MVP - Exchange],
    >>
    >> I think you mean because of the needed GC, so you have to open the
    >> connection to AD?
    >
    > Not just that - you have to open up far too many ports between DMZ and LAN
    > for communication. Exchange should always go on the LAN. You can publish
    > it with ISA...that's a recommended solution.
     
  8. Hello Lanwench and Bill,

    Thanks for the information about Exchange and a possible solution with ISA
    server.

    Best regards

    Meinolf Weber


    > I agree with that. If you punch enough holes to allow AD and
    > Exchange, what is the point of having a firewall at all?
     
