Domain Controllers should be the only role that server has; all other roles (unless using AD DNS, then it's a DNS server also) should be removed or disabled, to comply with least privilege principles and functionality being off by default.

Think of this one scenario: a flaw in a print driver or print software which allowed privilege escalation of a user to admin or worse. Guess where those drivers are stored (on your DC and their workstation). Bingo, you just allowed a flaw in a seemingly harmless item like a print driver to basically be a route into getting your DC, and all your domain accounts are going to get owned.

On top of that, why would you want to tax a server that should be heavily locked down and controlled with the extra burden of print server duties? Unless it's an SBS box and it's the only box you got, then that is a little different story...

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
[email protected]
Phone:401-639-3505

________________________________

From: Jeremy Anderson [mailto:[email protected]]
Sent: Wednesday, April 01, 2009 10:46 AM
To: NT System Admin Issues
Subject: RE: Redundant Print Servers

Is there any best practice reasons why a Print Server should NOT be on a domain controller?

From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, April 01, 2009 6:35 AM
To: NT System Admin Issues
Subject: RE: Redundant Print Servers

+1

All our Print servers are on ESX VMs and not too many issues on availability.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
[email protected]
Phone:401-639-3505

________________________________

From: Sherry Abercrombie [mailto:[email protected]]
Sent: Wednesday, April 01, 2009 9:25 AM
To: NT System Admin Issues
Subject: Re: Redundant Print Servers
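
One way to check the "DC role plus DNS only" point made at the top of this thread, as an added example that is not part of the original messages or written by any of the participants. It assumes Windows PowerShell with the ActiveDirectory and ServerManager (RSAT) modules and CIM/WinRM access to each DC; the function name and the allowlist are hypothetical.

```powershell
# Added example: report domain controllers that carry roles beyond an
# allowlist, and whether the Print Spooler service is active on them.
Import-Module ActiveDirectory, ServerManager

# Assumed allowlist. FileAndStorage-Services is included because it is
# installed by default on Windows Server 2012 and later.
$AllowedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')

function Get-DcRoleAudit {
    param(
        # Defaults to every DC in the current domain.
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName,
        [string[]]$Allowed = $AllowedRoles
    )
    foreach ($dc in $ComputerName) {
        try {
            # Top-level roles only; role services and features are skipped.
            $extra = Get-WindowsFeature -ComputerName $dc -ErrorAction Stop |
                Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and
                               $Allowed -notcontains $_.Name }
            $spooler = Get-CimInstance -ClassName Win32_Service -ComputerName $dc `
                -Filter "Name='Spooler'" -ErrorAction Stop
        } catch {
            # An unreachable DC is reported, not silently treated as clean.
            Write-Warning "Could not audit ${dc}: $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            DomainController = $dc
            ExtraRoles       = ($extra.Name -join ', ')
            SpoolerState     = $spooler.State      # Running / Stopped
            SpoolerStartMode = $spooler.StartMode  # Auto / Manual / Disabled
            NeedsReview      = [bool]$extra -or ($spooler.StartMode -ne 'Disabled')
        }
    }
}

# List only the DCs that have something to review.
Get-DcRoleAudit | Where-Object NeedsReview | Format-Table -AutoSize
```

A DC with `Print-Services` in `ExtraRoles`, or with the Spooler service not disabled, is the situation the reply above describes.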
