Microsoft recommendation of lone server for Active Directory


Vel

Greetings,

I have searched for any concrete article / knowledgebase / anything that
shows Microsoft actually recommends a lone server as an Active
Directory server, with no additional running application, but with no
results.

Does anyone know any?

Thank you.
 
It is a recommendation and a best practice. It is not a hard fact!
For DCs, I would allow DNS, DHCP, WINS on a DC and nothing more (I know some
might disagree).

The more stuff on a DC, the more issues are possible.

Remember a DC is the most important machine on the network...

Why?
(1) Shut down all DCs and try working.... (don't do this, but try to imagine
it)
(2) DCs know everything about user accounts and their passwords (imagine a DC
being stolen..). If the DC is compromised, the rest is easy.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
Right on!

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

 
What Microsoft documents and what Microsoft suggests can be different
things because Microsoft is a large company. Most everyone (inside and
outside of MSFT) who has any clue about AD and AD security will tell you
to minimize the attack vector surface area on a DC because DCs are the
bastion of security for your entire network. You will find occasional
comments in webinars and PPTs and other things from MSFT that speak to
this, but you won't get an overall "you shouldn't do it this way" for two
reasons:

1. MSFT wants to sell as much product as possible and if you want to set
yourself up insecurely, that is your issue, not theirs.

2. MSFT has the SBS product which has everything in the world loaded on it.

The unofficial recommendations from MSFT to not have other components,
especially Back Office, have been around for as long as I have been doing
Windows, which is the mid 90's.

This goes for any machine though that offers security for you so it
would affect PKI machines for instance as well. The whole idea is to
have as few holes in the machine as possible for attack. The less you
have running, the less chance a hole will pop up.

Usually when you hear someone demanding to see actual MSFT documentation
for something it means they don't actually comprehend the situation and
why the recommendations are being made.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
MSFT doesn't do a whole lot of prescriptive advice unless you contract
for it. So I doubt you'll ever see something like you're looking for
with MSFT letterhead on it.

I also endorse the practice above; less is more when it comes to domain
controllers.
"Plumbing" -- DNS, WINS, DHCP, RADIUS, DFS root hosting (without
replicas), Terminal Server licensing and the like -- is all I put on my
DCs.

You want to keep the folks that get on those boxes to a select few.

Stay clear of applications, especially homegrown stuff; developers will
always find a reason they need to log on locally to support it.
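The "plumbing only" rule and the "select few who log on" point from the replies above can be turned into a quick audit. The script below is an added example, not code from the thread or from any of the posters; the allow-list of roles and features is an assumption and will need tuning to your own build standard.

```powershell
# Added example, not code from the thread: audit a domain controller against
# the "plumbing only" rule the replies describe. The allow-list below is an
# assumption (AD DS itself, DNS, DHCP, WINS, a DFS root, backup, admin tools);
# change it to match your own build standard.
# Requires the ServerManager module (Windows Server 2008 R2 or later) and an
# elevated session so that secedit can export the local security policy.
Import-Module ServerManager

$AllowedFeatures = @(
    'AD-Domain-Services', 'DNS', 'DHCP', 'WINS',
    'FS-DFS-Namespace',            # DFS root hosting, no replicas
    'Windows-Server-Backup',
    'RSAT*', 'GPMC',               # management tools, not listening services
    'NET-Framework*', 'PowerShell*'
)

function Test-AllowedFeature {
    param([string]$Name)
    foreach ($pattern in $AllowedFeatures) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

# Check 1: installed roles and features outside the allow-list.
# FeatureType is 'Role', 'Role Service' or 'Feature'; role services belong
# to a parent role, so only roles and stand-alone features are reported.
$unexpected = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -ne 'Role Service' -and
                   -not (Test-AllowedFeature $_.Name) }

# Check 2: who holds "Allow log on locally" on this DC. secedit writes the
# local policy to an INF file; entries are SIDs prefixed with '*' or plain
# names, so resolve SIDs to account names where possible.
$inf = Join-Path $env:TEMP 'dc-secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$line = (Select-String -Path $inf -Pattern '^SeInteractiveLogonRight' |
         Select-Object -First 1).Line
Remove-Item $inf -ErrorAction SilentlyContinue
$logonLocal = if ($line) {
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try { (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate(
                  [System.Security.Principal.NTAccount]).Value }
        catch { $id }
    }
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    UnexpectedFeatures = ($unexpected | Select-Object -ExpandProperty Name) -join ', '
    AllowLogOnLocally  = $logonLocal -join ', '
}
```

Anything listed under UnexpectedFeatures is either a candidate for removal or an addition to the allow-list; the logon list should contain only the DC administration groups you expect.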
 