Schema Master

I remember in my training something about the Schema master should be created then disconnected from the network and kept off-line. Can anyone explain this please? Is it for security? What is the official line?
 
Rich,

This is not accurate. The Schema Master is one of the five FSMO Roles
(Schema Master, Domain Naming Master, PDC Emulator, RID Master and
Infrastructure Master). The first two are Enterprise-wide roles and the
last three are domain-wide roles.

Only a Domain Controller can hold these FSMO Roles (by default the first DC
in the domain / tree / forest holds all five). You do not want to take a
DC off-line for an extended period of time (tombstone life = 60 days, by
default), otherwise you start having lots of fun errors.

HTH,

Cary

Rich said:
I remember in my training something about the Schema master should be
created then disconnected from the network and kept off-line. Can anyone
explain this please? Is it for security? What is the official line?
 
A person who can extend the schema must be a member of the Schema Admins group, so
for the schema master to be safe it is enough not to put anyone in the Schema
Admins group. I haven't heard of recommendations of keeping the schema master
offline. Organizations normally use an empty root domain to protect Schema Admins
and Enterprise Admins.

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
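A quick audit of the two points made above, as an added example rather than code from any poster in this thread: it lists which DC holds each of the five FSMO roles and reports whether the Schema Admins group is empty. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session with rights to read the forest root domain.

```powershell
# Added example: audit FSMO role holders and Schema Admins membership.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-wide roles are properties of the forest object,
# the three domain-wide roles are properties of the domain object.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster
    'Domain Naming Master'  = $forest.DomainNamingMaster
    'PDC Emulator'          = $domain.PDCEmulator
    'RID Master'            = $domain.RIDMaster
    'Infrastructure Master' = $domain.InfrastructureMaster
}
"FSMO role holders for $($domain.DNSRoot):"
$roles.GetEnumerator() | ForEach-Object { '  {0,-22} {1}' -f $_.Key, $_.Value }

# Schema Admins exists only in the forest root domain, so query a root DC
# explicitly; a session in a child domain would not resolve it by name.
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$members = @(Get-ADGroupMember -Identity 'Schema Admins' `
                               -Server $rootDomain.PDCEmulator -Recursive)

if ($members.Count -eq 0) {
    'Schema Admins is empty: nobody can extend the schema without first being added.'
} else {
    "WARNING: Schema Admins has $($members.Count) member(s); review whether each is still needed:"
    $members | ForEach-Object { '  {0} ({1})' -f $_.SamAccountName, $_.objectClass }
}
```

Run it periodically (or from a scheduled task that alerts on a non-empty result) so that a member added to Schema Admins is noticed rather than discovered after a schema change.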
 
But the Schema itself would still be vulnerable to hack, right?
That, for an enterprise, could be serious.
 
The schema does not reside on the schema master but is available on any DC; it
can only be changed on the schema master server. But if anyone hacks your DC,
he can seize the schema master role on that DC and thus modify the schema. Putting
the schema master offline doesn't improve your schema security.

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
 
I wonder if Rich is confusing the Schema Master and the Certificate
Server. The recommendation is that the root Certificate Server (if you
have one) is best kept offline unless it is needed to serve a
certificate, in which case it can be brought online.

Cheers,

Cliff

(MVP)
 