Re: Windows 2003 Domain Replication & Security
From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 02/01/05
- Next message: Desmond Lee: "RE: DNS on BDC"
- Previous message: Kevin D. Goodknecht Sr. [MVP]: "Re: Sub domain zone resolution"
- In reply to: msw: "Re: Windows 2003 Domain Replication & Security"
- Next in thread: msw: "Re: Windows 2003 Domain Replication & Security"
- Reply: msw: "Re: Windows 2003 Domain Replication & Security"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 1 Feb 2005 02:20:59 -0500
In news:%231LUpR6BFHA.936@TK2MSFTNGP12.phx.gbl,
msw <msw@hotmail.com> made a post then I commented below
> Thank you for your reply.
>
> Yes, my first question is: is it secure?
>
> Second, the Exchange server is running as Exchange as well as a DC, and
> the application server is also a separate DC. On the other hand, they
> both replicate, but both are separate DCs. When I go inside Active
> Directory Sites the two domains are listed and I am 99% sure each one
> of them is a DC.
> I don't know why Exchange was set up on a server as a DC; is there a
> reason behind that?
>
> Is it your recommendation that Exchange should not be a DC and just a
> part of DC? I think IIS is running on the Exchange box; I have Outlook
> OWA running already.
>
> If I cannot set up another server, is there another option?
>
> I hope this is not too many questions.
>
> Thank you
I see. For Exchange, or any other application for that matter, the best
practice is that it should not be run on a DC. Install and run them on a
member server, if possible, especially Exchange, since it's exposed and
accessible from the Internet. You are exposing your DC on the Internet.
Another reason is that the write-behind cache is disabled on domain
controllers to aid in the AD transaction log processes. This cuts performance
almost 10% compared to a member server. Usually the reason Exchange would get
set up on a DC is either due to lack of knowledge, funds, politics, or it's an
SBS (Small Business Server 2000) server.
Your wording:
> Is it your recommendation that exchange should not be a DC and just a
> part of DC
is a bit off. I believe you meant to say "part of" or a "member of" a
domain.
A DC is a physical component of Active Directory. Apparently your two DCs
seem to be part of the same domain. A DC will replicate its Sysvol and
NTDS database among other DCs. Simply stated, there are different facets of
replication, depending on whether the DCs are part of the same domain in a
forest or part of different domains in the same forest, but not between DCs
that are DCs for a domain in different forests.
I made some security suggestions concerning Exchange designs in my previous
post. Your best bet for security is either to use a Front End/Back End design,
or to install an SMTP gateway.
IIS is a required, pre-configured component for Exchange 2000 and 2003.
Exchange requires a number of services to be running prior to installation,
such as SMTP, HTTP (with specific components), and NNTP. OWA gets installed
by default.
A DC is a physical component of Active Directory. A DC will replicate its
Sysvol and NTDS database among other DCs. Apparently your two DCs seem to be
part of the same domain.
I hope that helps. Keep in mind, there are many factors in designing an
infrastructure, and there is not one design that will be good for everyone.
It depends on your business requirements, security requirements, budget, and
of course, political influences.
If you don't mind me suggesting something, it would greatly benefit you if
you can attend classes on Windows 2000 and/or Windows Server 2003 Active
Directory and Exchange 2000 and/or 2003. This way you get a better handle on
how all of this stuff works, and acquire the knowledge to secure it
properly. If you attend a class, the instructor will be a valuable resource
for questions.
I hope that helps.
Ace
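The post's central point is that a server should not be both a domain controller and an Exchange (IIS/SMTP-exposed) host. The following PowerShell is an added example, not code from the thread or from Microsoft: an audit check an administrator can run on each server to see whether that overlap exists. It assumes local administrative rights and WMI access; the function name Get-DcExchangeOverlap is hypothetical, while the WMI class Win32_ComputerSystem (DomainRole 4 = backup DC, 5 = primary DC) and the Exchange 2000/2003 service names MSExchangeIS and MSExchangeSA are real.

```powershell
# Added example (not from the original post): report whether this server is
# acting as a domain controller while also running Exchange 2000/2003 services.
# Assumes: run locally with administrative rights; WMI is available.
function Get-DcExchangeOverlap {
    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server, 4 = Backup DC, 5 = Primary DC
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $isDc = ($cs.DomainRole -ge 4)

    # Exchange 2000/2003 core services plus the IIS SMTP/HTTP services Exchange depends on
    $watched = 'MSExchangeIS', 'MSExchangeSA', 'SMTPSVC', 'W3SVC'

    $running = Get-WmiObject -Class Win32_Service |
        Where-Object { ($watched -contains $_.Name) -and ($_.State -eq 'Running') } |
        ForEach-Object { $_.Name }

    # New-Object/-Property keeps this usable on older PowerShell versions
    New-Object -TypeName PSObject -Property @{
        ComputerName       = $cs.Name
        DomainRole         = $cs.DomainRole
        IsDomainController = $isDc
        RunningServices    = @($running)
        ExchangeOnDc       = ($isDc -and (@($running) -contains 'MSExchangeIS'))
    }
}

$result = Get-DcExchangeOverlap
if ($result.ExchangeOnDc) {
    Write-Warning ("Exchange Information Store is running on domain controller {0}; " +
                   "plan to move Exchange to a member server (or FE/BE design with an SMTP gateway)." -f $result.ComputerName)
} else {
    Write-Output ("No Exchange/DC overlap detected on {0}." -f $result.ComputerName)
}
$result
```

Run it on each server listed in Active Directory Sites and Services; a server reporting IsDomainController = True together with MSExchangeIS in RunningServices is exactly the configuration the reply above advises against.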