Re: Why you wouldn't want a server in the domain
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Mon, 3 Apr 2006 07:08:03 -0700
On a slightly different slant, often what I have seen stated as a
reason for not joining a server that has no requirement/need for
domain membership is along the lines of better isolation of that
server . . . that a compromise on one server will not roll over
via a compromised domain admin account (or delegated server
admin) onto other servers, etc.
In return for this the "isolate by not joining" design gives up the
central management, backup, monitoring, etc. that is enabled
by sharing a security context (i.e. being domain joined).
So, just on the face, is it then better managed and more secure
if these things have become more difficult, and hence less likely
well done?
Sometimes the response to this is that "we have gotten past that",
and when you look into it this has been done by defining accounts
in some similarity on all of these stand-alones.
So then where is the "isolation" that was supposedly the main
argument for making this all stand-alone?
"Charles Melton" <Charlesc.Melton@xxxxxxxxxx> wrote in message
news:1861ADB9-1419-4C3E-BAA0-5811B8CAD9F3@xxxxxxxxxxxxxxxx
First, I should identify my network organization. We currently have 3
domains, 1 W2k3, and 2 W2k domains. Two of those are client facing and one
is internal only. None of these have any Internet presence. We also have no
servers in our Internet DMZ or in our client facing DMZ. Everything is on
our internal network. Although, the client domains are on a separate subnet
and VLAN from the internal domain.
I also have several servers that are not connected to any domain. 3
Microsoft SQL Servers (that only use SQL authentication), several servers
that are backup media agents, and the master backup system that coordinates
all the backups.
One of my cohorts has been bugging me lately to make them all part of any
one of the domains. So far, I've resisted because, at least with the SQL
servers, it just seemed to isolate them better and dare I say, it seemed like
the right thing to do. Now I'm wondering why. Could you give me any reasons
why I should (or shouldn't) keep these servers outside the Active Directory
Windows domain? Am I just being pig-headed for no good reason?
Thank you for any assistance or thoughts you may wish to provide.
Charles
--
Charles Melton
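One way to test Roger's point about accounts defined "in some similarity" across the stand-alones is to inventory the enabled local accounts on each server and flag names that recur on more than one host. This is an added example, not code from either poster; the server names are placeholders, and it assumes WinRM is reachable on the workgroup hosts (they must be in the caller's TrustedHosts) and that $cred is a local administrator credential valid on each of them.

```powershell
# Added example (not from the thread): list enabled local accounts on a set of
# stand-alone servers and report any account name shared by two or more hosts.
# Assumptions: placeholder hostnames, WinRM enabled and the hosts listed in the
# caller's TrustedHosts, and one local admin credential valid on every host.
$servers = @('SQL01', 'SQL02', 'BACKUP-MASTER')   # placeholder names
$cred    = Get-Credential -Message 'Local administrator on the stand-alone servers'

# Get-LocalUser needs Windows PowerShell 5.1+ on the remote host; older
# servers (W2k/W2k3 as in the thread) would need 'net user' output parsed instead.
$accounts = foreach ($s in $servers) {
    Invoke-Command -ComputerName $s -Credential $cred -ScriptBlock {
        Get-LocalUser | Where-Object Enabled | ForEach-Object {
            [pscustomobject]@{
                Host            = $env:COMPUTERNAME
                Name            = $_.Name
                PasswordLastSet = $_.PasswordLastSet
            }
        }
    }
}

# Built-in accounts exist everywhere by design; only custom names are of interest.
$builtins = 'Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'

# Any custom account name present on more than one host is a candidate for
# shared credentials, which is exactly what undercuts the "isolation" argument.
$accounts | Where-Object { $_.Name -notin $builtins } |
    Group-Object -Property Name | Where-Object Count -gt 1 |
    ForEach-Object {
        [pscustomobject]@{
            Account = $_.Name
            Hosts   = ($_.Group.Host | Sort-Object -Unique) -join ', '
            OldestPasswordSet = ($_.Group.PasswordLastSet | Sort-Object | Select-Object -First 1)
        }
    } | Format-Table -AutoSize
```

A matching name does not prove a shared password, so treat each hit as a prompt to verify whether the accounts really are managed independently.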