In our environment, we had to do a fair amount of security work to allow someone to log onto a Domain Controller for maintenance of the hardware or OS, but not grant them access to Active Directory on that box. When someone is logging onto a DC, by default they must have administrative privileges and will be doing some work within Active Directory. If you don't want that to happen, you'll need to look closely at how you want to set up security to restrict your users from accessing AD when on that box.
As for a 'backup' DC, the whole question doesn't make a lot of sense. Unless you're hiding this 2nd DC somehow (via the DnsAvoidRegisterRecords registry entry, for example), this DC will be available for user logins and resource access just like the primary. In fact, when a user logs in, DNS provides it with a list of viable DC candidates. These DCs are queried via an LDAP Ping. The fastest one responding is the one the client uses (of course, it prefers DCs in its own site and domain).

Generally, I wouldn't recommend that a DC be a Terminal Server, and I don't see the value in it. If you want a Terminal Server, I'd recommend a 3rd server dedicated to that purpose, because, as Robert says, you always need at least 2 DCs in your environment.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rutherford, Robert
Sent: Monday, July 12, 2004 5:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

Running TS on a Domain Controller is generally not a good idea, mainly down to security issues and possible performance degradation. It will run, but I would not consider it myself, i.e. some apps need to run with elevated privileges and I wouldn't want this on a DC. I'm sure someone else will jump in here and give some more defined reasoning.

I'd always advise having at least 2 DCs. It just saves a lot of hassle and gives you some peace of mind in a system failure scenario, i.e. you lose your single DC, all your users come in and can't log in or access any resources - you have to rebuild your DC, get AD back up and working, while users are screaming at you... Get at least 2 DCs. You can make other servers DCs if you are running tight, i.e. SQL, Exchange, file/print, etc. Of course your hand may be twisted on all of the above if you only have 10 users or so.
BR
Rob

-----Original Message-----
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2004 10:58
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Controller Question

Got a strange question for you. The powers that be asked if I would install a "backup" domain controller on a local terminal server and if I would have a problem with it. They do not see an issue with it. So, basically, users would log into a terminal server that is a DC. Can you share your opinion?

Also, they said that we can have a domain controller sit there doing nothing, just waiting for the "primary" controller to fail (not in a cluster configuration). Does anyone know anything about this configuration? Can you share?

Thanks in advance!

Kind Regards,
Jennifer Fountain
R&B Inc
3400 E Walnut Street
Colmar, PA 18915

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
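Scott's point above is that a 2nd DC is only "hidden" if Netlogon is told not to register its locator records (DnsAvoidRegisterRecords); otherwise DNS hands it to every client as a logon candidate. The following PowerShell is an added example, not code from anyone in the thread: it reads that registry value on a DC and compares the DC against the domain-wide _ldap._tcp.dc._msdcs SRV set clients receive before LDAP-pinging candidates. It assumes it runs on the DC itself (or via Invoke-Command) on a Windows build that ships Resolve-DnsName.

```powershell
# Added example (not from the thread): is this DC really hidden from the DC locator?
# Assumes: executed on the DC, DnsClient module available (Resolve-DnsName).
function Get-DcLocatorExposure {
    param(
        [string]$Domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain,
        [string]$DcName = "$env:COMPUTERNAME.$Domain"
    )

    $netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

    # 1. Which locator records has Netlogon been told NOT to register?
    #    REG_MULTI_SZ of Netlogon mnemonics (e.g. Ldap, Gc, Kdc, Dc); absent = register all.
    $suppressed = @()
    $prop = Get-ItemProperty -Path $netlogonKey -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $suppressed = @($prop.DnsAvoidRegisterRecords) }

    # 2. What do clients actually see? Resolve-DnsName also returns the A records of the
    #    SRV targets in the same output, so keep only the SRV entries.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.QueryType -eq 'SRV' }
    $advertised = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLowerInvariant() })

    $isAdvertised = $advertised -contains $DcName.TrimEnd('.').ToLowerInvariant()

    # A DC with suppression set that still appears in the SRV set most likely has stale
    # records left over from before the key was set (Netlogon only removes them on its
    # next registration cycle, and scavenging may be off).
    if ($suppressed.Count -gt 0 -and $isAdvertised) {
        $verdict = 'Suppression set but DC still advertised - check for stale SRV records'
    } elseif ($isAdvertised) {
        $verdict = 'Advertised as a normal DC; clients will use it for logons'
    } else {
        $verdict = 'Not in the domain-wide DC SRV set'
    }

    [pscustomobject]@{
        DomainController  = $DcName
        SuppressedRecords = $suppressed
        AdvertisedDCs     = $advertised
        IsAdvertisedAsDC  = $isAdvertised
        Verdict           = $verdict
    }
}

Get-DcLocatorExposure | Format-List
```

Run it on each DC after changing DnsAvoidRegisterRecords and restarting Netlogon; the SRV list it prints is exactly the candidate set the LDAP Ping race is run over.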
