Would anyone care to give a little more insight into this issue of name hijacking?

I take the point of how in principle full control over the DNS zones and data is potentially insecure. Am I right to say that the risk manifests itself only when the computer account of the domain controller is compromised, presumably by getting its password? Or are there techniques (unknown to me) of "hijacking services" running in privileged security contexts?

Notwithstanding, it would seem to me a very common "remote site" configuration for the networking services to be on a single host.

GT

----- Original Message -----
From: "Roger Seielstad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 25, 2003 12:35 PM
Subject: RE: [ActiveDir] What Services/Server's can be combined with Active Directory.

> You are correct, but realistically a DDNS setup requires DNS and DCs to
> coexist, I'd expect that to be the much more likely scenario.
>
> --------------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis Inc.
>
>
> > -----Original Message-----
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> > Sent: Monday, March 24, 2003 10:34 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] What Services/Server's can be
> > combined with Active Directory.
> >
> >
> > Missy,
> >
> > Doesn't this only apply when a DNS is also present on the DC?
> > Combining the DNS and DHCP services can cause a security
> > issue as you noted. But, if I combine DC services and DNS
> > services, the compromise is not possible. Also, if I combine
> > DHCP and DC functionality, I'm still secure - true?
> >
> > Good to have you here!
> >
> > Rick Kingslan MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Missy Koslosky
> > Sent: Monday, March 24, 2003 9:18 PM
> > To: [EMAIL PROTECTED]
> >
> > Glenn,
> >
> > I'd want to keep DHCP off my DC's to avoid name hijacking.
> > See http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q255134
> >
> > Hope all is well with you!
> >
> > Missy Koslosky
> >
> > ----- Original Message -----
> > From: "Glenn Corbett" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Saturday, March 22, 2003 5:33 PM
> > Subject: Re: [ActiveDir] What Services/Server's can be
> > combined with Active Directory.
> >
> >
> > John,
> >
> > The reason why you haven't really been able to find a source
> > is that the answer is "it depends".
> >
> > Depending on the size of your sites, the amount of data,
> > number of clients, other applications using DC services etc,
> > you can really have a single server that does DC, GC, DNS,
> > WINS, DHCP, FP. I really wouldn't worry about putting DHCP
> > on a server by itself, the load is so small. Out of all of
> > the infrastructure services, DHCP is probably the smallest
> > load. Client machines get a DHCP address when they start,
> > and IIRC there are two requests during the lifetime of the IP
> > address (one halfway through, and one at the end of the
> > lease). So for a 2 week lease timeout, you have essentially
> > 3 requests to a DHCP server which is nothing to really worry about.
> >
> > I recently did some AD design work where small sites (up to
> > about 30 users) had a single server (Dual PIII 2+Ghz) that ran all
> > the functions listed previously, plus Exchange with no real
> > trouble. For larger sites, my suggestion would be one
> > "infrastructure server" (DC, GC, WINS, DHCP, DNS), and
> > "application server(s)" (File Print, Exchange etc).
> >
> > As long as you design your AD site topology correctly (so
> > that replication is optimised, and GC placement is relevant
> > for your clients), AD can pretty much co-exist with most
> > things, it's a question of network bandwidth and load on the
> > server. Other databases (like Exchange, SQL, Oracle) are
> > really the main applications you need to be careful with when
> > putting on the same server as AD, because they can cramp each
> > other's style (Exchange and SQL on the same box for example is
> > very touchy).
> >
> > If you are thinking of layering other applications onto an AD
> > DC, just have a read of the requirements. In a lot of cases
> > MS "force" you down a particular path. For example, SUS
> > (System Update Services), and MOM (Microsoft Ops Manager)
> > won't run on DC's, so you are forced to put in an additional
> > server to run these.
> >
> > So, as for your original question *grin*, I would have one
> > server that does the "infrastructure" stuff, and another
> > server for FP.
> >
> > Glenn
> >
> >
> > ----- Original Message -----
> > From: "John Strongosky" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Saturday, March 22, 2003 11:27 AM
> > Subject: [ActiveDir] What Services/Server's can be combined
> > with Active Directory.
> >
> >
> > > In our planning group we are having a discussion on what
> > > server's/services do we need to combine or can combine for our AD
> > > deployment. I have looked through a lot of Technotes; there is not one
> > > definitive answer. Can anyone point me to a source or answer this for me.
> > >
> > > We are thinking of combining: DC, dns and gc's on a server, file and
> > > print and dhcp on another in our sites or DC, dns, gc on a server,
> > > file and print on a server and dhcp by itself.
> > >
> > >
> > > john
> > >
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
