Using a Domain Controller as a Print Server

  • Thread starter Thread starter chrism
  • Start date Start date
C

chrism

I've never had a problem with this in the past, but is it generally
considered 'OK' by Microsoft to use a Domain Controller as the Print Server
in a 2003 AD environment?

We have about 30 printers. The DC has about 28 GB of free disk space, so
that won't be an issue.

thx
 
In general you don't want to use DCs for file and print or backoffice or
pretty much anything other than authentication/authorization/LDAP and
maybe name resolution. Every exposed service is another exposed attack
surface and DCs are the core of your security for your Windows network.
A compromised DC usually means your entire Windows infrastructure is
untrustworthy. Look at the DNS vulnerability right now, you have people
scrambling all over because of a service that really has nothing to with
the DC is a very possible vector to compromise the DCs and DNS has far
more reason to be on a DC than file and print.

Also the drivers, etc for printers can cause instability in machines and
DCs are not machines you tend to want to be unstable.

If you have to you have to, but it wouldn't be in my top 10 choices.
I've never run DCs in production as file or print servers.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Joe said:
In general you don't want to use DCs for file and print or backoffice or
pretty much anything other than authentication/authorization/LDAP and
maybe name resolution. Every exposed service is another exposed attack
surface and DCs are the core of your security for your Windows network.
A compromised DC usually means your entire Windows infrastructure is
untrustworthy. Look at the DNS vulnerability right now, you have people
scrambling all over because of a service that really has nothing to with
the DC is a very possible vector to compromise the DCs and DNS has far
more reason to be on a DC than file and print.

Also the drivers, etc for printers can cause instability in machines and
DCs are not machines you tend to want to be unstable.

If you have to you have to, but it wouldn't be in my top 10 choices.
I've never run DCs in production as file or print servers.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
Click to expand...

I agree 100% with Joe that DCs are better off being DCs. But as far as
additional services goes, a print server is fairly benign. Look at a
Small Business Server - DC, SQL, Exchange, File-Server. Pretty much a
one-stop-shop kind of server. The main thing is how your server is
running as far as CPU/Memory/HD utilization. If it's just idling, I
wouldn't feel too bad about giving it something to do.

....kurt
 
Back
Top