And in a small network with SBS we want the DHCP on our DC because the
AD/DNS works WAY better than when the DHCP is on the router. We
strongly recommend that the DHCP stays on the server.
These days most IT pros remotely manage that SBS box and some don't even
delegate to an onsite IT person (of which there is none anyway).
What are the risks of this location.. what risks does it introduce
elsewhere.. best practices for you guys in big server land aren't
necessarily best practices for a small business...just keep that in mind.
We're little... so sometimes those "bad things for security" don't mean
as much when we're blasting through so many other 'don'ts' of
computing.... just keep that in mind.
Susan
Phil Renouf wrote:
It's not a best practice, but if you are a small shop and you will be
maintaining all of the ACLs and permissions then it's not so bad. If
you have to delegate that to someone who isn't a domain admin then
you're pretty much out of luck since you need to grant them pretty
serious rights to be able to log onto the DC and perform that duty.
Also, running DHCP on a DC is a bad thing for security:
http://technet2.microsoft.com/WindowsServer/en/Library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true
See the "Securing records when using the DnsUpdateProxy group" section.
Phil
On 6/28/06, *Larry Wahlers* <[EMAIL PROTECTED]> wrote:
On a lesser note, is there any problem with having a DC also be their
file server and print server? Again, we're only talking 20 people here.
Assuming I can at least get the server rack locked, and I put the file
shares on a separate partition (i.e., not on the C drive, of course).
This is all good. I think I have enough ammunition to, at least, cover
myself if management decides to go ahead and put a DC in that location.
The reason is, of course, this group of 20 folks have no money, so we'll
have to buy them a server out of our own budget, because they are one of
our supported clients and we have no choice. In my opinion, however, we
*do* have a choice as to whether we allow a DC to be in a physically
non-secure location.
--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs