That's good to know. I did not know you could install VS without the IIS components.

I should point out that putting a GC in a remote site does often imply that local resources (even if just opposable thumb types) will have the ability to physically access the machine. You'll have some risk, but at least you would not have to munge up the permissions to allow for f/p maintenance. You *can* just have the f/p administrative resource just have permissions, full control, etc of the f/p virtual.

It's always good to learn something new :)
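The arrangement Al describes, as an added example that is not from the thread: NTFS permissions on the host that give the f/p admins full control of the f/p guest's files only, while the DC guest's files stay restricted to SYSTEM and Domain Admins. Paths, domain and group names are placeholders, and the account the virtualization service runs under is an assumption to verify on the host.

```powershell
# Added example, not from the thread: NTFS ACLs for one branch host that
# runs a DC guest and a file/print guest side by side, so the f/p admins
# can manage only the f/p guest's virtual disks. All paths, group names
# and the service account are placeholders; adjust to your environment.
$DcVmDir  = 'D:\VirtualMachines\BranchDC'   # placeholder: DC guest .vhd/.vmc files
$FpVmDir  = 'D:\VirtualMachines\BranchFP'   # placeholder: f/p guest .vhd/.vmc files
$DcAdmins = 'CONTOSO\Domain Admins'         # placeholder domain
$FpAdmins = 'CONTOSO\FP-Admins'             # placeholder group holding the f/p admins
$VmSvc    = 'NT AUTHORITY\NETWORK SERVICE'  # assumption: account the VM service runs as; check on the host

function Set-GuestDirAcl {
    param([string]$Path, [string[]]$FullControl)
    $acl = Get-Acl -Path $Path
    # Break inheritance without copying the inherited ACEs, so the host's
    # default rights (local Administrators, Users, ...) stop applying here.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs left over so the folder holds only what we grant.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($id in @('NT AUTHORITY\SYSTEM', $VmSvc) + $FullControl) {
        $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $id, 'FullControl', $inherit, $prop, 'Allow'
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# DC guest: only SYSTEM, the VM service account and Domain Admins.
Set-GuestDirAcl -Path $DcVmDir -FullControl $DcAdmins
# f/p guest: the same, plus the file/print admins.
Set-GuestDirAcl -Path $FpVmDir -FullControl $DcAdmins, $FpAdmins

# Check the result: the DC folder must not list the f/p admin group.
foreach ($dir in $DcVmDir, $FpVmDir) {
    "== $dir"
    (Get-Acl -Path $dir).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

This only covers the guest files on disk; anyone with physical access to the host or rights over the VM service itself still needs to be considered separately, as the thread notes.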


From: "Ulf B. Simon-Weidner" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: <ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
Date: Thu, 20 Oct 2005 09:42:14 +0200

Hi Al,

you don't need IIS running on the machine where Virtual Server is running.
IIS supports the admin website, and you can put this on any other server,
and have a couple of servers managed from one machine. Since we are talking about
VS in BOs I'd recommend putting the virtual server w/o IIS and the
admin-sites (not sure about the right names of the components - too lazy to
install VS just to figure that out) on the BO-Servers and install the
admin-Webpages onto a central server (or a workstation).

Ulf


  _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, October 20, 2005 3:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices


Strange, I was just having this conversation today with a co-worker.  :)

My thoughts?  I'd say make it a GC and put the f/p in the virtual.  Why?
Because you still need to protect the physical, but the virtual you can give
out access to.  The downside is that the virtual machine requires IIS (in
Microsoft products) meaning you have a vector for attack. But nothing that
requires changing the security otherwise for the GC.

I prefer not to put IIS on a GC for security reasons, but if you can get
away without it then I should think that this method would provide greater
ability to secure it. Keep in mind that physical access is still warranted.
It's just that you wouldn't have to worry about somebody taking the GC home
on a USB key like they otherwise could ;)

It's not pretty no matter which way you turn IMHO.  Could be better.

Al


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 19, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices


I assume you are referring to the fact that the host could be compromised
over the network and the virtual hard drive or virtual machine itself simply
copied. (Just for the record, this is covered in the white paper. Did not
mean to imply that it is not. Security in this respect is referred over to
NTFS permissions).

So given that you could have a single physical machine at a branch office
and that you must have a DC and F/P service, what is the preferred
configuration?

-- nme

P.S. thanks for keeping this thread going.


  _____

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 8:42 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices


"Does placing the DC inside a virtual machine add any security? Would it be
harder for someone with physical access to compromise the DC? The white
paper does not really make this clear. Also, I am assuming that a host
machine would be a domain member, right? Does it authenticate off the
virtual DC?"

<Dean>
Virtual DCs effectively weaken the broader-definition of security in a
number of ways including the context of physical access ... this is due
primarily to the relative ease with which the entire DC's state can be
duplicated, subsequently, becoming portable and reproduced in a running
state elsewhere with little to no effort.

The host machine has no bearing ... it's rather like saying "the rack in
which the server is physically housed has to be a domain member" (or any
further extension of that particular metaphor).  Keep in mind the VM (for
the most part) doesn't even realize it's virtual.
</Dean>
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
* http://msetechnology.com



  _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices


Thanks for the thoughts. And thanks Tony for the reference -- just finished
reading it.

Unfortunately, deploying the DC at HQ or simply authenticating over the WAN
is not really an option. The WAN links are ok (and getting better) but are
located in places where environmental (as in the weather) conditions often
cause short interruptions.

Does placing the DC inside a virtual machine add any security? Would it be
harder for someone with physical access to compromise the DC? The white
paper does not really make this clear. Also, I am assuming that a host
machine would be a domain member, right? Does it authenticate off the
virtual DC? [1]

Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House when they talk
about the "whole universe as we know it existing under the fingernail of
some other giant being..." Whoa, dude!


  _____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices


Other important factors in this scenario must be the physical and logical
security of the server housing the DC role.

1. Will the server be securely locked away in the branches? If not, do not
deploy a DC.
2. Do you trust the file server admins to have physical access to the server
hosting the DC role?
3. Who administers the server that hosts the file and DC roles? Are they
also trusted?

When designing the branch office, I would always ask the questions below,
too:
1. Is a local DC required? i.e. what are the drawbacks if a DC is not
deployed?
2. Is logon/startup traffic over the WAN larger than replication traffic
over the WAN? If not, consider not deploying a local DC.
3. Does a local DC offer redundancy in the event of a WAN failure? If other
apps are accessed over the WAN, then consider deploying the DC at a central
location and not at the branch.

hth,
neil


___________________________
Neil Ruston
Global Technology Infrastructure
Nomura International plc


  _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices


Here's a link to a Microsoft document that covers what you need to do to run
a production DC on Virtual Server 2005.

http://tinyurl.com/5enjd

Tony

  _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch Offices


Hi -

Just to follow up on the design thread.... Since I am placing DCs in small
branch offices is there a value in using Virtual Server 2005 to create
separate virtual boxes (DC & file server) running on the same physical box?
Some users have administrative access to the file server, and I'd love to
keep them off the DCs. I am also curious about optimal physical and virtual
drive configurations for such a box.

I reviewed the thread here about Virtual Domain Controllers but it seemed to
focus on using them as backups. I am talking about production.

Any thoughts most welcome.

-- nme
