On 2010-12-13 Alberto Medina wrote:
> I'm planning on migrating some servers to VMs to separate some roles
> and to replace some old servers. Currently we have 2 domain
> controllers, one on Windows 2000 and the other on Windows 2003. Windows
> 2000 is the primary domain controller and W2K3 is a Domain Controller,
> Terminal Services, and DHCP (and of course DNS for AD), and I want to add
> a VPN server for remote access. I have found that it is not recommended to
> run DHCP or Terminal Services on a Domain Controller, so I want to
> separate those roles into VMs, but I want to know which of these roles
> I can run together in a VM without affecting security.
First and foremost: replace your PDC with something more recent than Windows 2000. Now. Windows 2000 reached End-of-Life this past July. You do *not* want to run this in a production environment anymore.

That said, I don't see anything wrong with running DHCP on a DC, provided you follow the suggestions in [1] (allow only secure dynamic updates and create a dedicated account for DHCP DDNS updates). As for the rest, I'd separate infrastructure services (AD, DNS, DHCP) from application services like RDS in application mode. VPN endpoints I'd separate from everything else. If you intend to virtualize your DCs as well, read [2,3] before making your final decision.

[1] http://support.microsoft.com/kb/255134
[2] http://support.microsoft.com/kb/888794
[3] http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv.aspx

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
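The two DHCP-on-a-DC safeguards named in the reply above (DNS zones that accept only secure dynamic updates, and a dedicated low-privilege account that DHCP uses for its DDNS registrations) as an added PowerShell example; this is not code from the thread or from the linked KB articles. It assumes Windows Server 2012 or later with the DnsServer and DhcpServer modules available, and the zone name, DHCP host name and account name are placeholders to be replaced.

```powershell
# Added example, not from the original mailing-list thread.
# Assumes: Windows Server 2012+ with the DnsServer and DhcpServer modules (RSAT),
# run with Domain Admin rights. All names below are placeholders.
Import-Module DnsServer
Import-Module DhcpServer

$ZoneName    = 'corp.example.com'      # assumption: an AD-integrated forward zone
$DhcpHost    = 'dc2.corp.example.com'  # assumption: the DC that also runs DHCP
$DdnsAccount = 'CORP\svc-dhcp-ddns'    # assumption: plain domain user, no admin rights

# 1. Audit: list primary zones that still accept unauthenticated dynamic updates.
#    DynamicUpdate is one of None / NonsecureAndSecure / Secure.
function Get-NonsecureDynamicUpdateZone {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, DynamicUpdate, IsDsIntegrated, IsReverseLookupZone
}

# 2. Fix: switch a zone to secure-only dynamic updates. Secure updates rely on
#    Kerberos/GSS-TSIG, which a DNS server only supports for AD-integrated zones,
#    so refuse to proceed on a file-backed zone instead of silently failing.
function Set-SecureDynamicUpdateOnly {
    param([Parameter(Mandatory)][string]$Name)
    $zone = Get-DnsServerZone -Name $Name
    if (-not $zone.IsDsIntegrated) {
        throw "Zone '$Name' is file-backed; secure dynamic updates require an AD-integrated zone."
    }
    Set-DnsServerPrimaryZone -Name $Name -DynamicUpdate Secure
    (Get-DnsServerZone -Name $Name).DynamicUpdate   # expect 'Secure'
}

# 3. Fix: have DHCP register client A/PTR records under a dedicated account
#    rather than under the DC's own machine account, so records it creates are
#    owned by an unprivileged identity that can be audited and rotated.
function Set-DedicatedDhcpDnsCredential {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$AccountName
    )
    $cred = Get-Credential -UserName $AccountName -Message 'Password for the DHCP DDNS account'
    Set-DhcpServerDnsCredential -ComputerName $ComputerName -Credential $cred
    # Read back what the DHCP service will now use (user name and domain only).
    Get-DhcpServerDnsCredential -ComputerName $ComputerName
}

# Run the audit first; it should be empty after the fixes are applied.
Get-NonsecureDynamicUpdateZone
Set-SecureDynamicUpdateOnly -Name $ZoneName
Set-DedicatedDhcpDnsCredential -ComputerName $DhcpHost -AccountName $DdnsAccount
```

Run the audit function again afterwards and confirm it returns nothing, then restart the DHCP Server service so it picks up the new credential. On the 2003/2008-era servers the original poster describes, the same two settings are reachable from the command line with `dnscmd` (`/Config <zone> /AllowUpdate 2` for secure-only) and `netsh dhcp server set dnscredentials`, but those tools take the password on the command line, so prefer the PowerShell path where it is available.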
