Focus on Microsoft
Windows Server Roles Dec 13 2010 04:19PM
Alberto Medina (amedinaj gmail com) (4 replies)
RE: Windows Server Roles Dec 13 2010 06:47PM
C. Thomas @ ACS (cthomas ashleycyber com)
Re: Windows Server Roles Dec 13 2010 06:26PM
Ansgar Wiechers (bugtraq planetcobalt net)
RE: Windows Server Roles Dec 13 2010 06:07PM
Cruz, Dariel (dcruz gableseng com)
RE: Windows Server Roles Dec 13 2010 06:07PM
Mathew Sealy (mat shj co uk)

In theory you should run Terminal Services and RAS server on Member Servers, your Domain controllers should be DC's only, it is also recommended that DC's should not be installed on VM's due to the nature of AD NTDS.dit even on a physical disk, dick caching needs to be disabled.

It is debabtable of course.

So the answer to your question is none, create a new VM and make it a member server.

In reality with limited physical resources etc, you can run all services from one server ( like a small business server) you will have to force strict registry enforcements via GPO, however i recommend if you install your RAS and Terminal services on Separate VM's.


Mat Sealy.
From: listbounce (at) securityfocus (dot) com [email concealed] [listbounce (at) securityfocus (dot) com [email concealed]] on behalf of Alberto Medina [amedinaj (at) gmail (dot) com [email concealed]]
Sent: 13 December 2010 16:19
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Windows Server Roles

Hi all,
I'm planning in migrating some servers to VM's for separate some roles and for and replace some old servers. Currently we have 2 domain controllers, one on Windows 2000 and other in Windows 2003. Windows 2000 is the primary domain controller and W2K3 is Domain Controller, Terminal Services, and DHCP (and of course DNS for AD), and I want add VPN server for remote access. I have found that is not recommended to run DHCP or Terminal services in a Domain controller, so I want separate those roles to VM's but I want to know which of this roles can I run together in a VM without affecting security.

Please let me know your opinions about this.

Thank you and Best Regards,
Alberto Medina

This email has been scanned by the MessageLabs Email Security System.

-------------------------------------------------------- The content of this e-mail (including any attachments) is strictly confidential and may be commercially sensitive. If you are not, or believe you may not be, the intended recipient, please advise the sender immediately by return e-mail, delete this e-mail and destroy any copies. --------------------------------------------------------

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus