Re: AD Design Question

From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 10/28/04

  • Next message: DOUG: "Re: Upgrade Question"
    Date: Thu, 28 Oct 2004 21:23:03 +0100
    
    

    "Jon" <nospam@nowhere.com> wrote in message
    news:O3cwSfSvEHA.3228@TK2MSFTNGP12.phx.gbl...
    > Sorry if I sound stupid, but what does that mean? What is the security
    > concern that would make me not want to use it as a DC? I am not that
    > familiar with AD.
    >

    If you have a publicly accessible machine such as an ISA Server that you may
    be using as the access point to your network from the public Internet. In
    that you use it as a proxy server for your internal machines - it may also be
    acting as a VPN server to allow you to access the internal network securely
    from the internet, it may also be acting as a VPN to VPN tunnelling server
    to connect your 2 networks (at each site) together over the internet, then to
    make it a Domain controller has the potential (if you do not take extreme
    precautions) of exposing your DC to potential attack from hostile parties on
    the Internet. If your DC is compromised then so is your entire domain and
    actually your forest.
    It is strongly advised against making an edge-of-your-network visible server
    a DC - especially if you are "not that familiar with AD."

    -- 
    Regards,
    Mike
    --
    Mike Brannigan [Microsoft]
    This posting is provided "AS IS" with no warranties, and confers no
    rights
    Please note I cannot respond to e-mailed questions, please use these
    newsgroups
    "Jon" <nospam@nowhere.com> wrote in message 
    news:O3cwSfSvEHA.3228@TK2MSFTNGP12.phx.gbl...
    > Sorry if I sound stupid, but what does that mean?  What is the security
    > concern that would make me not want to use it as a DC?  I am not that
    > familiar with AD.
    >
    > Jon
    >
    > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
    > news:OMO%23roRvEHA.1300@TK2MSFTNGP14.phx.gbl...
    >> "Jon" <nospam@nowhere.com> wrote in message
    >> news:eDCmOWQvEHA.2680@TK2MSFTNGP10.phx.gbl...
    >> > At some of my sites, I currently have an ISA Server running.  Could I
    >> > use that server as the DC for that site?  Or does the ISA function
    >> > task the server too much to add the duty of DC?  The boxes are
    >> > PIII 800, 2GB Ram, 36GB RAID 5.
    >> >
    >>
    >> That box could be a DC but from a security perspective it should not be.
    >>
    >> -- 
    >>
    >> Regards,
    >>
    >> Mike
    >> --
    >> Mike Brannigan [Microsoft]
    >>
    >> This posting is provided "AS IS" with no warranties, and confers no
    >> rights
    >>
    >> Please note I cannot respond to e-mailed questions, please use these
    >> newsgroups
    >>
    >> > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in 
    >> > message
    >> > news:%23aWOPGQvEHA.2192@TK2MSFTNGP14.phx.gbl...
    >> >> "Jon" <nospam@nowhere.com> wrote in message
    >> >> news:utH7M%23PvEHA.2012@TK2MSFTNGP15.phx.gbl...
    >> >> > It is not that I want a Domain at each site.  I wasn't sure if the
    >> >> > design and the number of workstations gave merit to having a Domain
    >> >> > at each site.  So at each site, if I have a DC then I can keep
    >> >> > authentication local to that site?
    >> >>
    >> >> Yes that is what setting up AD Sites is all about - it allows various
    >> >> functions to be aware of the physical network and use resources that
    >> >> are "close" to them.
    >> >>
    >> >> > Is there a problem with having 14 DC's in the same Domain?  It
    >> >> > sounds like a lot, but I do not know AD that well.
    >> >>
    >> >> We can happily support thousands of domain controllers and millions of
    >> >> accounts per domain. Scale is not an issue.
    >> >>
    >> >> > If that is not a problem, then I can go that route.  I have a few
    >> >> > sites that have 15-20 computers.  Could I still have those
    >> >> > authenticate over the WAN by not creating a site for that location?
    >> >> > Or would that be too slow?
    >> >> >
    >> >>
    >> >> Any machine that cannot locate a DC in its site will authenticate over
    >> >> the network.
    >> >>
    >> >> > Also, what is the minimum security level for someone logging into a
    >> >> > workstation to join an AD Domain?  Thanks again!
    >> >> >
    >> >>
    >> >> If the user account is in the domain then the question makes no sense.
    >> >> If you mean what level of privilege is required to add an additional
    >> >> machine to the domain then a regular Domain User can add up to 10
    >> >> machines to the Domain (by default - but you can change this up to
    >> >> more or down to zero).  Regular Domain Users (by default) cannot add
    >> >> additional user accounts to the domain.
    >> >>
    >> >> -- 
    >> >>
    >> >> Regards,
    >> >>
    >> >> Mike
    >> >> --
    >> >> Mike Brannigan [Microsoft]
    >> >>
    >> >> This posting is provided "AS IS" with no warranties, and confers no
    >> >> rights
    >> >>
    >> >> Please note I cannot respond to e-mailed questions, please use these
    >> >> newsgroups
    >> >>
    >> >> > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in
    >> >> > message
    >> >> > news:emok37MvEHA.2624@TK2MSFTNGP11.phx.gbl...
    >> >> >> "Jon" <nospam@nowhere.com> wrote in message
    >> >> >> news:eFJeAWHvEHA.3080@TK2MSFTNGP12.phx.gbl...
    >> >> >> > Hello,
    >> >> >> >
    >> >> >> > I work for a school district where we have one central site and
    >> >> >> > 12 school sites.  We are currently running Novell for all file
    >> >> >> > and print sharing.  We need to implement a W2K network to sync
    >> >> >> > users and passwords between Novell and W2K for my 2K and XP
    >> >> >> > workstations.  All the sites are linked via T1.  Each site has
    >> >> >> > between 300 and 800 computers.  Can I setup one domain for all
    >> >> >> > of the sites without having a DC at each site?
    >> >> >>
    >> >> >> Yes a single Domain can span multiple sites.  And there is no
    >> >> >> requirement to have a DC at each site BUT see next answer.
    >> >> >>
    >> >> >> > Wanting to keep authentication traffic off of the WAN, can you
    >> >> >> > specify a GC Server at each site that is not a DC and tell the
    >> >> >> > workstations to authenticate to it?
    >> >> >>
    >> >> >> No - authentication is done by a DC.  You also need to contact a GC
    >> >> >> during logon processing for evaluation of Universal Group
    >> >> >> membership.  BUT a GC IS a DC by definition so if you place a GC at
    >> >> >> a site it IS a DC so will be doing the authentications locally
    >> >> >> instead of across the WAN.
    >> >> >>
    >> >> >> > If not, then I would have to have each site be a separate
    >> >> >> > domain, therefore requiring two W2K servers at each site?
    >> >> >> >
    >> >> >>
    >> >> >> No, see the answer above - if you are putting a GC at a site then
    >> >> >> it IS a DC.  If you went with a Domain per site then yes you would
    >> >> >> have notionally 2 DCs per site - but why do you want a Domain at
    >> >> >> each site?  Unless you are trying to either implement different
    >> >> >> security policies at each site or you are trying to constrain the
    >> >> >> replication traffic - e.g. in a single domain model all password
    >> >> >> changes as they occur will be replicated to all other sites.  Of
    >> >> >> course inter site replication is extremely controllable so that
    >> >> >> you could do this "after hours".
    >> >> >>
    >> >> >> > Any help is greatly appreciated!
    >> >> >> >
    >> >> >>
    >> >> >>
    >> >> >> -- 
    >> >> >>
    >> >> >> Regards,
    >> >> >>
    >> >> >> Mike
    >> >> >> --
    >> >> >> Mike Brannigan [Microsoft]
    >> >> >>
    >> >> >> This posting is provided "AS IS" with no warranties, and confers no
    >> >> >> rights
    >> >> >>
    >> >> >> Please note I cannot respond to e-mailed questions, please use 
    >> >> >> these
    >> >> >> newsgroups
    >> >> >>
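An added audit script (not part of the thread, and not Microsoft's code) that checks the two points Mike's answers turn on: the ms-DS-MachineAccountQuota value behind the "10 machines per Domain User" default, and whether any DC also carries an edge role (Routing and Remote Access for VPN/site-to-site tunnelling) or answers on a public, non-RFC1918 address. It assumes a current domain with the RSAT ActiveDirectory and ServerManager modules installed and an account able to query each DC remotely; ISA Server itself is not detected, since it predates these cmdlets.

```powershell
# Added example: flag domain controllers that look like edge servers and
# report the per-user machine-join quota. Assumes RSAT modules and remote
# query rights; the RFC1918 test is a rough proxy for "Internet-facing".
Import-Module ActiveDirectory
Import-Module ServerManager

function Test-PrivateIPv4 {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

# The "10 machines" default lives on the domain naming context root.
$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName `
              -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota (default 10; 0 stops regular users joining machines)"

foreach ($dc in Get-ADDomainController -Filter *) {
    $findings = @()

    # Edge role check: RRAS (VPN / site-to-site tunnel) installed on a DC.
    $rras = Get-WindowsFeature -Name RemoteAccess -ComputerName $dc.HostName
    if ($rras -and $rras.Installed) { $findings += 'RemoteAccess (RRAS/VPN) role installed' }

    # Public address check: any registered IPv4 address outside RFC1918 space.
    $addrs = [System.Net.Dns]::GetHostAddresses($dc.HostName) |
             Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    foreach ($a in $addrs) {
        if (-not (Test-PrivateIPv4 $a.IPAddressToString)) {
            $findings += "public IPv4 address $($a.IPAddressToString)"
        }
    }

    if ($findings.Count -gt 0) {
        Write-Warning "$($dc.HostName): $($findings -join '; ')"
    } else {
        Write-Host "$($dc.HostName): no edge indicators"
    }
}
```

A DC that trips either check is the case Mike warns about: compromise of that host is compromise of the domain and forest, so the role should be moved off the edge box rather than hardened in place.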
    
