Re: Secondary Site on a DC
From: Kim Oppalfens (kim_at_computacenter.nospam)
Date: 09/10/04
- Next message: Kim Oppalfens: "Re: Client Push Install, Seems like it did? How can I tell if there was a problem?"
- Previous message: Kim Oppalfens: "Re: Advanced Clients at remote sites"
- In reply to: Jeff Singer: "Secondary Site on a DC"
- Next in thread: Carl Sullivan [MSFT]: "Re: Secondary Site on a DC"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 10 Sep 2004 21:33:45 +0200
Inline.
In article <9808FB95-999C-43E9-A9CB-A02C3F1DAC65@microsoft.com>,
JeffSinger@discussions.microsoft.com says...
> It appears that making Domain Controllers a secondary site server is not an
> uncommon idea... just one that is frowned on from a security perspective from
> Microsoft.
Completely correct, common idea, just not a good security practice.
Ah well, budgets I guess :-)
>
> I have my lab setup using SMS 2003 in Advanced Security mode. When creating
> an address for the parent and child site to use would it be possible to use a
> domain account instead of the computer account? Eventually, when this hits
> the production environment each of our 28 or so Domain Controllers at remote
> sites is going to be a Secondary site server. Instead of making each
> computer account a Domain Admin would I be able to just use a single account
> in the domain admin group to work as the "New Address to Parent Site" service
> account?
>
Sure you can, downside of this approach is that it is more difficult to
change the password on this account. (You would have to update all
addresses to use the new password). As a consequence you will probably
specify that this account's password should never expire. Again
possible, not an uncommon idea, but not the best security practice.
> Also, how are other people using domain controllers as site servers working
> around this while keeping security in perspective?
Wherever possible try to use computer accounts, try to avoid any of the
site system roles that require IIS on the DC. And obviously use the best
practices in standard OS security, or security in general for that
matter. Protected physical access, patches, no surfing or anything
internet related on the DC, ...
Kim Oppalfens
>
> -Jeff
>
-- 
Check out the SMS Technical FAQ: http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
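The two shortcuts this thread weighs are both visible in Active Directory: remote DC computer accounts added to Domain Admins so the secondary sites can talk to the parent, and a single Domain Admin service account for the site addresses whose password is set to never expire. The audit below is added here as an example and is not part of the original posts or of SMS 2003; it assumes a domain-joined Windows host with PowerShell, uses only the built-in ADSI classes (no RSAT or ActiveDirectory module), and assumes the Domain Admins group lives in the default CN=Users container.

```powershell
# Added example: AD audit for the two anti-patterns discussed in the thread.
# Not part of the original posts or of SMS. Assumptions: runs on a domain-joined
# Windows host with PowerShell 2.0 or later, uses only built-in ADSI (no RSAT),
# and the Domain Admins group sits in the default CN=Users container.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext.Value
$daDn     = "CN=Domain Admins,CN=Users,$domainDn"

# LDAP extended matching rules (documented Microsoft OIDs):
$InChain = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN: follows nested groups
$BitAnd  = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND: tests a flag bit
$DontExpirePasswd = 65536              # userAccountControl 0x10000 (password never expires)

function Search-Ad {
    # Paged LDAP search under the domain root, returning the requested attributes only.
    param([string]$Filter, [string[]]$Attributes)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000        # paged results so large domains are not truncated
    foreach ($a in $Attributes) { [void]$searcher.PropertiesToLoad.Add($a) }
    $searcher.FindAll()
}

function Find-ComputersInDomainAdmins {
    # Pattern 1 ("making each computer account a Domain Admin"): any computer
    # object that is a direct or nested member of Domain Admins.
    $filter = "(&(objectCategory=computer)(memberOf:${InChain}:=$daDn))"
    Search-Ad -Filter $filter -Attributes 'sAMAccountName','distinguishedName' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Finding = 'ComputerAccountInDomainAdmins'
                Account = [string]$_.Properties['samaccountname'][0]
                DN      = [string]$_.Properties['distinguishedname'][0]
            }
        }
}

function Find-NonExpiringDomainAdmins {
    # Pattern 2 (one shared address/service account whose password never expires):
    # user objects in Domain Admins with DONT_EXPIRE_PASSWD set, plus when the
    # password was last changed so the oldest ones surface first.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(memberOf:${InChain}:=$daDn)" +
              "(userAccountControl:${BitAnd}:=$DontExpirePasswd))"
    Search-Ad -Filter $filter -Attributes 'sAMAccountName','pwdLastSet' |
        ForEach-Object {
            # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC)
            $pwdSet = [DateTime]::FromFileTime([int64]$_.Properties['pwdlastset'][0])
            New-Object PSObject -Property @{
                Finding    = 'DomainAdminPasswordNeverExpires'
                Account    = [string]$_.Properties['samaccountname'][0]
                PwdLastSet = $pwdSet
            }
        }
}

Find-ComputersInDomainAdmins
Find-NonExpiringDomainAdmins | Sort-Object PwdLastSet
```

Any domain user can run this, since it only reads group membership and userAccountControl. The in-chain matching rule matters because a DC computer account dropped into a group that is itself nested in Domain Admins would otherwise be missed by a plain memberOf filter; the same rule is why the second query also catches a service account granted Domain Admin indirectly.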