General advice is that the only thing running on a DC should be a log collection tool, and only if they can't be scraped remotely. Microsoft also has various products they specifically say should not be run on a DC.
I've heard people even advocating not installing antivirus as well. Not sure how common that is, though. Antivirus, worst case, can be a vector that attackers use bugs in, or via the AV management console, to own a machine. I have no comment either way.

InfoSec Is Fun.
Daniel Wolf

From: [email protected] [mailto:[email protected]] On Behalf Of David Lum
Sent: Monday, April 14, 2014 11:47 AM
To: [email protected]
Subject: [NTSysADM] RE: Help me fire my old DC's

Oh man, yeah, I remember doing this to myself once too, on a DC that had IIS stuff, and I DCPROMO'd it down and rebooted... Things like these are why I like a DC to really do nothing BUT hold DC roles; I even kick DHCP off it if I can.

-Dave Lum

From: [email protected] [mailto:[email protected]] On Behalf Of Miller Bonnie L.
Sent: Monday, April 14, 2014 5:35 AM
To: [email protected]
Subject: [NTSysADM] RE: Help me fire my old DC's

In addition to the others' comments: back in the day I had demoted a 2003 DC or two that was running IIS for WSUS. I remember things getting quite broken with permissions, and it took some fixing. It has to do with the fact that on a DC, your special accounts (IIS_WPG, aspnet, etc.) are domain-level accounts, but once on a member server they will become new local accounts. Had to reapply permissions in several places to get it all just right. YMMV.

-Bonnie

From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: Friday, April 11, 2014 4:59 AM
To: [email protected]
Subject: [NTSysADM] Help me fire my old DC's

Ok, you guys almost have me convinced to not P2V my 2 DCs at this data center. Now I have never actually demoted one. (All of my old DCs have just hardware failed.) (I do have a 2012 DC up and have migrated all the FSMO roles to it and made it my SNTP time provider.) So, to do this correctly, I am going to use this checklist.

- Make sure none of them are in my SNTP setup and time providers.
- Make sure no clients are using them for DNS resolution.
- Demote them.
- Make sure they are no longer Global Catalog providers for the Exchange 2010 environment.
- Make sure they are no longer LDAP connectors for my Cisco Anywhere client connection on my ASA 5500.
- Make sure I can still access the IIS apps that are loaded on one of them.
- For the 2008 R2 DC, at this point I can just unjoin it from the domain and then shut it off.
  - Then remove all DNS records or OU records that may remain after 1 day. (Give replication a very good amount of time.)
- For the 2003 DC (with IIS apps installed), I should be able to P2V at this time.

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
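The checklist above, turned into a script, as an added example that is not part of the thread or any poster's own tooling: a pre-demotion audit that checks, for one DC about to be retired, the things the list says to check (FSMO roles, Global Catalog coverage for Exchange, the time source, DNS records and DHCP option 6 still pointing at the old box), plus a post-demotion mode for the "records that may remain" step. It assumes RSAT with the ActiveDirectory, DnsServer and DhcpServer modules (Windows Server 2012 or later), Domain Admin rights, and that it runs on the surviving 2012 DC. The DC name and domain are hypothetical placeholders; the LDAP-connector check on the ASA and the IIS-app check are not scriptable from here and are left to the checklist.

```powershell
# Added example, not from the thread. Audit one domain controller before (and
# after) demotion. Placeholders: $OldDc and $Domain are hypothetical.
param(
    [string]$OldDc  = 'OLDDC01',          # hypothetical DC being retired
    [string]$Domain = 'corp.example.com', # hypothetical AD DNS domain
    [switch]$PostDemotion                 # re-run after dcpromo to find leftovers
)
Import-Module ActiveDirectory
Import-Module DnsServer
Import-Module DhcpServer
$findings = New-Object System.Collections.Generic.List[string]

$forest = Get-ADForest
$dom    = Get-ADDomain -Identity $Domain
$old    = Get-ADDomainController -Identity $OldDc -ErrorAction SilentlyContinue
$oldIp  = if ($old) { $old.IPv4Address } else { $null }

if (-not $PostDemotion) {
    if (-not $old) { throw "$OldDc is not a domain controller in $Domain" }

    # 1. FSMO roles must already live elsewhere (the thread moved them to the 2012 DC).
    $fsmo = @{ SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
               PDCEmulator = $dom.PDCEmulator; RIDMaster = $dom.RIDMaster
               InfrastructureMaster = $dom.InfrastructureMaster }
    foreach ($r in $fsmo.GetEnumerator()) {
        if ($r.Value -like "$OldDc*") { $findings.Add("FSMO role $($r.Key) is still held by $OldDc") }
    }

    # 2. Global Catalog: Exchange needs another GC in the same site before this one goes.
    if ($old.IsGlobalCatalog) {
        $otherGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
                   Where-Object { $_.Site -eq $old.Site -and $_.Name -ne $old.Name }
        if (-not $otherGc) { $findings.Add("$OldDc is the only Global Catalog in site $($old.Site)") }
    }

    # 3. Time: the host running this script must not be syncing from the old DC.
    $timeSource = (w32tm /query /source) -join ''
    if ($timeSource -like "*$OldDc*") { $findings.Add("Local time source is still $OldDc ($timeSource)") }

    # 4. Clients learn DNS servers from DHCP option 6: check every authorized DHCP
    #    server at server level and in every scope for the old DC's address.
    foreach ($srv in Get-DhcpServerInDC) {
        try {
            $opts = @(Get-DhcpServerv4OptionValue -ComputerName $srv.DnsName -OptionId 6 -ErrorAction SilentlyContinue)
            foreach ($scope in Get-DhcpServerv4Scope -ComputerName $srv.DnsName) {
                $opts += Get-DhcpServerv4OptionValue -ComputerName $srv.DnsName -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
            }
            if ($oldIp -and ($opts | Where-Object { $_.Value -contains $oldIp })) {
                $findings.Add("DHCP server $($srv.DnsName) still hands out $OldDc ($oldIp) as a DNS server")
            }
        } catch { $findings.Add("Could not query DHCP server $($srv.DnsName): $_") }
    }
}

# 5. DNS: A, NS and SRV records that still name the old DC, in the domain zone
#    and in _msdcs (a separate zone on forests created with 2003 or later).
#    Before demotion these are expected; after a clean demotion they must be gone.
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    try { $records = Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction Stop }
    catch { continue }   # not a separate zone on this server; skip
    foreach ($rec in $records) {
        $stale = switch ($rec.RecordType) {
            'A'     { $oldIp -and $rec.RecordData.IPv4Address.IPAddressToString -eq $oldIp }
            'NS'    { $rec.RecordData.NameServer -like "$OldDc*" }
            'SRV'   { $rec.RecordData.DomainName -like "$OldDc*" }
            default { $false }
        }
        if ($stale -and $PostDemotion) {
            $findings.Add("Stale DNS record in ${zone}: $($rec.RecordType) $($rec.HostName) -> $OldDc")
        }
    }
}

# 6. After demotion the server object under Sites must be gone; if it is still
#    there the demotion was not clean and "ntdsutil metadata cleanup" is needed.
if ($PostDemotion) {
    $cfgNc  = (Get-ADRootDSE).configurationNamingContext
    $server = Get-ADObject -Filter 'ObjectClass -eq "server" -and Name -eq $OldDc' -SearchBase "CN=Sites,$cfgNc"
    if ($server) { $findings.Add("Server object $($server.DistinguishedName) still exists; run metadata cleanup") }
    if (Get-ADComputer -Filter 'Name -eq $OldDc') { $findings.Add("Computer account $OldDc still exists") }
}

if ($findings.Count -eq 0) { Write-Host "No blockers found for $OldDc" }
else { $findings | ForEach-Object { Write-Warning $_ } }
exit $findings.Count
```

Run it without the switch before demoting; a non-zero exit code means something on the list still points at the old DC. Run it again with `-PostDemotion` after replication has had time to converge (the poster's "after 1 day"), when any remaining SRV/NS record or server object is a leftover to remove by hand. Demotion itself stays manual: `dcpromo` on 2003 and 2008 R2, `Uninstall-ADDSDomainController` on 2012.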

