It's not a best practice, but if you are a small shop and you will be maintaining all of the ACLs and permissions then it's not so bad. If you have to delegate that to someone who isn't a domain admin then you're pretty much out of luck since you need to grant them pretty serious rights to be able to log onto the DC and perform that duty.
 
Also, running DHCP on a DC is a bad thing for security:
http://technet2.microsoft.com/WindowsServer/en/Library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true
 
See the "Securing records when using the DnsUpdateProxy group" section.
 
Phil

 
On 6/28/06, Larry Wahlers <[EMAIL PROTECTED]> wrote:
On a lesser note, is there any problem with having a DC also be their
file server and print server? Again, we're only talking 20 people here.
Assuming I can at least get the server rack locked, and I put the file
shares on a separate partition (i.e., not on the C drive, of course).

This is all good. I think I have enough ammunition to, at least, cover
myself if management decides to go ahead and put a DC in that location.
The reason is, of course, this group of 20 folks have no money, so we'll
have to buy them a server out of our own budget, because they are one of
our supported clients and we have no choice. In my opinion, however, we
*do* have a choice as to whether we allow a DC to be in a physically
non-secure location.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
