"Does placing the DC inside a virtual machine add any
security? Would it be harder for someone with physical access to compromise the
DC?"
Hmmm....
interesting. Yes, and no. Physical access is always an issue, but
the NTDS.DIT is not out there in the open on a disk as it might be in a
traditional DC. However, anyone with a VS *COULD* mount and start your DC
- so the same rules apply. Don't allow anyone you do not trust physical
access to your systems.
As to domain member - I
don't recall VS requiring Domain Membership (more, because I just haven't
tried...). So, does this mean that a machine that is a work group system
could host a VS with a number of DCs? Ummm - yeah. I suppose
so.
But, if it *IS* a domain
member, then yes - it could likely authN off of the VM that it hosts - but
obviously not at start up. Brings up a Schrödinger's cat' quandary, now
doesn't it?
Rick
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
Thanks for the thoughts. And thanks Tony for the reference
-- just finished reading it.
Unfortunately, deploying the DC at HQ or simply
authenticating over the WAN is not really an option. The WAN links are ok (and
getting better) but are located in places where environmental (as in the
weather) conditions often cause short interruptions.
Does placing the DC inside a virtual machine add any
security? Would it be harder for someone with physcial access to compromise the
DC? The white paper does not really make this clear. Also, I am assuming that a
host machine would be a domain member, right? Does it authenticate off the
virtual DC? [1]
Thanks again.
-- nme
[1] This sort of reminds me of the scene in Animal House
when they talk about the "whole universe as we know it existing under the
fingernail of some other giant being..." Whoa, dude!
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch OfficesOther important factors in this scenario must be the physical and logical security of the server housing the DC role.1. Will the server be securely locked away in the branches? If not, do not deploy a DC.2. Do you trust the file server admins to have physical access to the server hosting the DC role?3. Who administers the server that hosts the file and DC roles? Are they also trusted?When designing the branch office, I would always ask the questions below, too:1. Is a local DC required? i.e. what are the drawbacks if a DC is not deployed?2. Is logon/startup traffic over the WAN larger than replication traffic over the WAN? If not, consider not deploying a local DC.3. Does a local DC offer redundancy in the event of a WAN failure? If other apps are accessed over the WAN, then consider deploying the DC at a central location and not at the branch.hth,neil___________________________
Neil Ruston
Global Technology Infrastructure
Nomura International plc
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch OfficesHere's a link to a Microsoft document that covers what you need to do to run a production DC on Virtual Server 2005.Tony
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch OfficesHi -Just to follow up on the design thread.... Since I am placing DCs in small branch offices is there a value in using Virtual Server 2005 to create separate virtual boxes (DC & file server) running on the same physical box? Some users have administrative access to the file server, and I'd love to keep them off the DCs. I am also curious about optimal physical and virtual drive configurations for such a box.I reviewed the thread here about Virtual Domain Controllers but it seemed to focus on using them as backups. I am talking about production.Any thoughts most welcome.-- nme
This communication, including any attachments, is confidential.
If you are not the intended recipient, you should not read it -
please contact me immediately, destroy it, and do not copy or
use any part of this communication or disclose anything about it.
Thank You.
Please note that this communication does not designate an information system for the purposes of the NZ Electronic Transactions Act 2002..This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal at Gen-i
PLEASE READ: The information contained in this email is confidential andintended for the named recipient(s) only. If you are not an intendedrecipient of this email please notify the sender immediately and delete yourcopy from your system. You must not copy, distribute or take any furtheraction in reliance on it. Email is not a secure method of communication andNomura International plc ('NIplc') will not, to the extent permitted by law,accept responsibility or liability for (a) the accuracy or completeness of,or (b) the presence of any virus, worm or similar malicious or disablingcode in, this message or any attachment(s) to it. If verification of thisemail is sought then please request a hard copy. Unless otherwise statedthis email: (1) is not, and should not be treated or relied upon as,investment research; (2) contains views or opinions that are solely those ofthe author and do not necessarily represent those of NIplc; (3) is intendedfor informational purposes only and is not a recommendation, solicitation oroffer to buy or sell securities or related financial instruments. NIplcdoes not provide investment services to private customers. Authorised andregulated by the Financial Services Authority. Registered in Englandno. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,London, EC1A 4NP. A member of the Nomura group of companies.
