Windows 2003 Domain Replication & Security
msw
Posted: Mon Jan 31, 2005 5:09 am    Post subject: Windows 2003 Domain Replication & Security

There are only three users and three servers. When the network was set up, the
person who installed it made the first two servers Domain Controllers, because
one server is an Exchange server and the other is an application server, and
both domains can replicate each other, from my understanding. I think this is a
trust domain structure (is this correct?). I am just trying to understand the
lingo and be assured that this is the best way to secure a network, and what
the point is of making the Exchange server a domain controller and part of a
trusted structure.

Does making the Exchange server a trusted domain controller make the server
vulnerable?

Are there any ideas on whether this is the best approach, or is there another
approach that may be better?

Any ideas would be greatly appreciated as I am still learning and
experimenting.


Thank You
Ace Fekay [MVP]
Posted: Mon Jan 31, 2005 6:46 am    Post subject: Re: Windows 2003 Domain Replication & Security

Not exactly sure what you are asking. Are you asking if this is a secured
configuration by having Exchange on a DC?

You also stated "domains are replicating" in regards to your DCs. Are the
DCs domain controllers for different domains or they are DCs for one domain
and you only really have one domain?

Ideally Exchange should not be on a DC, due to performance and the fact that this
machine is accessible by Internet traffic. If you want to secure a mail
server, you can set up another server (such as IIS and SMTP on it, or a
Linux box) as a relay that receives mail from the Internet (and has no
mailboxes configured on it) and relays it to the internal server, or
configure an Exchange Front-End server.

As for a 'trusted structure', any server that is a member of a domain, is
trusted by the domain.

--
Regards,
Ace

G O E A G L E S !!! Superbowl bound NFC Champs!!

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
msw
Posted: Mon Jan 31, 2005 6:46 am    Post subject: Re: Windows 2003 Domain Replication & Security

Thank you for your reply.

Yes, my first question is: is it secure?

Second, the Exchange server is running as Exchange as well as a DC, and the
application server is also a separate DC; on the other hand they both
replicate, but both are separate DCs. When I go inside Active Directory Sites
the two domains are listed, and I am 99% sure each one of them is a DC.

I don't know why Exchange was set up on a server as a DC; is there a
reason behind that?

Is it your recommendation that Exchange should not be a DC and just a part
of a DC? I think IIS is running on the Exchange box; I have Outlook OWA running
already.

If I cannot set up another server, is there another option?

I hope this is not too many questions.

Thank You

Ace Fekay [MVP]
Posted: Tue Feb 01, 2005 6:47 am    Post subject: Re: Windows 2003 Domain Replication & Security

I see. For Exchange, or any other application for that matter, the best practice
is that it should not be run on a DC. Install and run them on a member
server, if possible, especially Exchange, since it's exposed and accessible
from the Internet. You are exposing your DC on the Internet. Another reason
is that the write-behind cache is disabled on domain controllers to aid in the AD
transaction log processes. This cuts performance almost 10% compared to a
member server. Usually the reason Exchange would get set up on a DC is either
due to lack of knowledge, funds, politics, or it's an SBS (Small Business
Server 2000) server.

Your wording:
Quote:
Is it your recommendation that exchange should not be a DC and just a
part of DC

Is a bit off. I believe you meant to say; as "part of" or a "member of" a
domain.

A DC is a physical component of Active Directory. Apparently your two DCs
seem to be part of the same domain. A DC will replicate its Sysvol and
NTDS database among other DCs. Simply stated, there are different facets of
replication, depending on whether the DCs are part of the same domain in a
forest or part of different domains in the same forest, but not between DCs
that are DCs for a domain in different forests.

I made some security suggestions concerning Exchange designs in my previous
post. Your best bet for security is either use a Front End/Back End design,
or install an smtp gateway.

IIS is a required, pre-configured component for Exchange 2000 and 2003.
Exchange requires a number of services to be running prior to installation,
such as SMTP, HTTP (with specific components), and NNTP. OWA gets installed
by default.

I hope that helps. Keep in mind, there are many factors in designing an
infrastructure, and there is not one design that will be good for everyone.
It depends on your business requirements, security requirements, budget, and
of course, political influences.

If you don't mind me suggesting something, it would greatly benefit you if you
can attend classes on Windows 2000 and/or Windows Server 2003 Active
Directory and Exchange 2000 and/or 2003. This way you get a better handle on
how all of this stuff works, and acquire the knowledge to secure it
properly. If you attend a class, the instructor will be a valuable resource
for questions.

I hope that helps.

Ace
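The check a practitioner would want after the two replies above, added here as an example that is not part of the thread or of any Microsoft tooling: one PowerShell script that (a) lists the forest's domains and each domain's DCs, which settles whether the "two domains" seen in Sites and Services are really two DCs of one domain, (b) reads each DC's inbound replication partners per naming context (this covers the NTDS partitions; on Windows 2003 Sysvol replicates through FRS and is not shown here), and (c) probes each DC for the SMTP/HTTP/HTTPS listeners an Exchange/OWA install adds, flagging a DC that is also serving those. It uses only the .NET System.DirectoryServices.ActiveDirectory classes (present since .NET 2.0), so it runs against a Windows Server 2003 domain from any domain-joined box with PowerShell 2.0. The port list, the 1.5 s connect timeout, the function name Test-TcpPort and the "REVIEW" wording are this example's own assumptions; reading replication metadata needs rights that Domain Admins have.

```powershell
# Added example, not code from the thread: audit which DCs exist, whether they
# replicate, and whether any of them also exposes mail/web listeners.
# Assumption (this example's): ports 25/80/443 are the listeners an Exchange/OWA
# install adds; 1500 ms is a reasonable TCP connect timeout on a LAN.
$appPorts = @{ 25 = 'SMTP'; 80 = 'HTTP'; 443 = 'HTTPS' }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout counts as closed/filtered.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# (a) Forest, domains and the DCs of each domain.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest {0}: {1} domain(s)" -f $forest.Name, $forest.Domains.Count

foreach ($domain in $forest.Domains) {
    "Domain {0} (mode {1})" -f $domain.Name, $domain.DomainMode
    foreach ($dc in $domain.DomainControllers) {

        # (c) Which application listeners this DC exposes.
        $open = @($appPorts.Keys |
            Where-Object { Test-TcpPort -ComputerName $dc.Name -Port $_ } |
            ForEach-Object { $appPorts[$_] })
        $note = if ($open.Count -gt 0) { 'REVIEW: application listeners on a DC' }
                else { 'no application listeners' }
        "  DC {0}  site={1}  roles=[{2}]  {3}: {4}" -f $dc.Name, $dc.SiteName,
            (@($dc.Roles) -join ','), $note, ($open -join ',')

        # (b) Inbound replication partners, one line per naming context.
        try   { $neighbors = @($dc.GetReplicationNeighbors()) }
        catch { $neighbors = @(); "     (replication metadata not readable: {0})" -f $_.Exception.Message }
        foreach ($n in $neighbors) {
            $state = if ($n.LastSyncResult -eq 0) { 'ok' }
                     else { "FAILED ({0}; {1} consecutive)" -f $n.LastSyncMessage, $n.ConsecutiveFailureCount }
            "     <- {0}  {1}  last success {2}  {3}" -f $n.SourceServer, $n.PartitionName,
                $n.LastSuccessfulSync, $state
        }
    }
}
```

Run it from a domain-joined machine as a Domain Admin. One domain listed with two DCs confirms Ace's reading of the setup; a DC line marked REVIEW with SMTP/HTTP open is the Exchange-on-a-DC exposure the thread is about, and a FAILED replication line is what to chase before anything else.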
msw
Posted: Wed Feb 02, 2005 12:49 am    Post subject: Re: Windows 2003 Domain Replication & Security

Thank you very much for your thorough reply.

The way you explained it is almost 99% the way I think the environment is
set up here.

I took some training without touching the system, but it is very difficult
to take training without a little use of the system. I think, since I am
trying to figure everything out on my own, I am learning a lot, and with that it will
make the training experience very easy.

In reference to Exchange, I will need to research how to install an SMTP
gateway!

Thank you again for your help.

Mo

Ace Fekay [MVP]
Posted: Wed Feb 02, 2005 12:47 pm    Post subject: Re: Windows 2003 Domain Replication & Security

My pleasure. As for the 99% setup, you mentioned Exchange is set up on a DC.
So does the 99% mean it's on a DC or a member server?

You can purchase a third-party SMTP gateway, which is an appliance that will
receive and filter your mail for spam, content and/or viruses before sending
it on to your Exchange server.

Good luck!

Ace