Re: where should the line be drawn on what services a DC should be used for
- From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
- Date: Fri, 17 Apr 2009 11:22:16 +0000 (UTC)
Hello Lanwench and Bill,
thanks for the information about Exchange and a possible solution with ISA server.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
I agree with that. If you punch enough holes to allow AD and
Exchange, what is the point of having a firewall at all?
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:Ol0LKKpvJHA.528@xxxxxxxxxxxxxxxxxxxxxxx
Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de> wrote:
Hello Lanwench [MVP - Exchange],
I think you mean because of the needed GC, so you have to open the
connection to AD?
Not just that - you have to open up far too many ports between DMZ
and LAN for communication. Exchange should always go on the LAN. You
can publish it with ISA...that's a recommended solution.
Best regards
Meinolf Weber
Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de> wrote:
Hello Jim,
You are right, a DC should do its main task with AD/DNS/GC and
DHCP if needed. All other especially IIS accessible from the
internet is a security hole.
Yep.
If possible run IIS and Exchange in a DMZ.
Not Exchange, no. It's definitely not recommended. Public
webservers, yes - I agree wholeheartedly.
The DC is the heart of the network and if it is compromised and the
security is lowered with services like IIS you open the network for
the world. Also you should have at least 2 DC's in a domain for
redundancy and failover reason.
Best regards
Meinolf Weber
I'm working at a manufacturing plant that's currently under
construction. We have two DCs, one is local (server 2008) and
the other is hosted on the net (server 2003).
The local DC is being used for not just a DC and DNS, but as a
file, print and IIS server.
At what point should the line be drawn at how many uses a DC
should be used for? I was always taught that the DC was one of
the most important computers in your network and should be
treated very securely. If that is the case, shouldn't the DCs be
left to just being DCs and not a swiss army knife of services?
My goal is to move IIS off the DC and put it on a new server,
along with SQL. This new server would also host the Fishbowl
server (it's currently on a personal laptop which I need to get
off of for numerous reasons). I need to convince management that
a DC should only be used for the primary purpose of active
directory (user/computer account authentication), DNS and DHCP
(and whatever else I may be forgetting at the moment that a DC
does), and not for a dozen other things.
I was looking for a webpage somewhere on Microsoft that may say
something about a DC only being used as a DC and nothing more for
security reasons but haven't been able to find much.
Can someone help me out on this? Is it really ok to use a DC for
pretty much everything or, if not, where can I find documentation
saying otherwise?
TIA,
Jim