Thanks to everyone for replies on the DC configuration. I got a number
of good links.
I would summarize the dialog and what I found through reading as this:
It would be *best practice* to limit the roles a DC has, however you are
not creating a real security risk by allowing your DC to also function
as a file server.
________________________
Tim Sullivan
Nativemode Technologies
623.910.4700
tim@nativemode.com
________________________________
From: Sullivan Tim P [mailto:tim.sullivan@nativemode.com]
Sent: Mon 2/21/2005 6:21 PM
To: focus-ms@securityfocus.com
Subject: Domain Controller Best Practice
I am in need of some supporting documentation relating to Domain
Controllers.
The situation is this. A medium sized school would like their single DC
to also be a file server. This DC would be serving about 300 people,
along with another file server and an email server.
My initial recommendation is multiple domain controllers for the simple
reason of fault tolerance of the schema. They buy this.
However, they would like to see technical documentation saying that it
is not a good idea to have a domain controller share roles as a DC and a
file server.
One of my main concerns, aside from load, is that high school age kids
are using the network. They like to poke and prod. I would rather them
not even poke at the DC. Also, as the DC has no local security database,
you can no longer use permission assignment best practice. To me it just
seems like a bad idea, but I need documentation to back it up.
Can anyone offer resources to illustrate this? I am scouring technet and
the MS AD deployment docs now.
Thanks,
Tim
______________________
Tim Sullivan
Nativemode Technologies
(623) 910-4700
tim@nativemode.com
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
