Focus on Microsoft
Windows Server Roles Dec 13 2010 04:19PM
Alberto Medina (amedinaj gmail com) (4 replies)
RE: Windows Server Roles Dec 13 2010 06:47PM
C. Thomas @ ACS (cthomas ashleycyber com)
Re: Windows Server Roles Dec 13 2010 06:26PM
Ansgar Wiechers (bugtraq planetcobalt net)
On 2010-12-13 Alberto Medina wrote:
> I'm planning on migrating some servers to VMs to separate some roles
> and to replace some old servers. Currently we have 2 domain
> controllers, one on Windows 2000 and the other on Windows 2003. Windows
> 2000 is the primary domain controller and W2K3 is Domain Controller,
> Terminal Services, and DHCP (and of course DNS for AD), and I want to add
> a VPN server for remote access. I have found that it is not recommended to
> run DHCP or Terminal Services on a domain controller, so I want to
> separate those roles into VMs, but I want to know which of these roles
> I can run together in a VM without affecting security.

First and foremost: replace your PDC with something more recent than
Windows 2000. Now. Windows 2000 reached End-of-Life this past July. You
do *not* want to run this in a production environment anymore.

That said, I don't see anything wrong in running DHCP on a DC, provided
you follow the suggestions in [1] (allow only secure dynamic updates and
create a dedicated account for DHCP DDNS updates). As for the rest, I'd
separate infrastructure services (AD, DNS, DHCP) from application
services like RDS in application mode. VPN endpoints I'd separate from
everything else.

If you intend to virtualize your DCs as well, read [2,3] before making
your final decision.


Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
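
An added example, not part of the original message: a read-only audit of the two conditions named in the reply above (secure-only dynamic updates, and a dedicated account for DHCP DDNS updates). It assumes Windows Server 2012 or later with the DnsServer and DhcpServer PowerShell modules, run on the server that hosts both roles; older systems such as those in the thread need different tooling.

```powershell
# Added example: audit DNS dynamic-update policy and the DHCP DDNS account.
# Assumption: Windows Server 2012+ with the DnsServer and DhcpServer modules.
Import-Module DnsServer, DhcpServer

# Primary zones hosted on this server, skipping the auto-created ones.
$zones = Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }

# 1. Zones that accept unauthenticated dynamic updates.
$nonSecure = $zones | Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' }

# Secure dynamic update is only available for AD-integrated zones, so a
# file-backed primary zone cannot meet the recommendation at all.
$fileBacked = $zones | Where-Object { -not $_.IsDsIntegrated }

# 2. Credentials the DHCP service uses when it registers records in DNS.
#    An empty user name means no dedicated account is configured and the
#    service registers records under its own identity.
$cred = Get-DhcpServerDnsCredential
$dedicatedAccount = -not [string]::IsNullOrEmpty($cred.UserName)

[pscustomobject]@{
    NonSecureUpdateZones = @($nonSecure.ZoneName)
    FileBackedZones      = @($fileBacked.ZoneName)
    DhcpDdnsAccount      = if ($dedicatedAccount) { "$($cred.DomainName)\$($cred.UserName)" } else { '<none configured>' }
    MeetsRecommendation  = (-not $nonSecure) -and $dedicatedAccount
}

# Remediation, left commented out so the script stays read-only:
#   Set-DnsServerPrimaryZone -Name <zone> -DynamicUpdate Secure
#   Set-DhcpServerDnsCredential -Credential (Get-Credential)
```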

RE: Windows Server Roles Dec 13 2010 06:07PM
Cruz, Dariel (dcruz gableseng com)
RE: Windows Server Roles Dec 13 2010 06:07PM
Mathew Sealy (mat shj co uk)