Agreed. FWIW my DCs are also DHCP servers in all my small biz (2 server) 
environments.

Dave

From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Friday, April 24, 2009 9:13 AM
To: NT System Admin Issues
Subject: RE: Server OS opinion

I may be missing something, but that article didn't convince me.

It says: "...[I]f you're running your DHCP server on a domain controller then 
an attacker who compromises your DHCP server gains access to your accounts 
database and can cause all sorts of further problems."

That's true, but that's a big "if." Is this something that's known to happen on 
a regular enough basis to be a concern? Or is the logic that the attack surface 
of a DC should be minimized by running absolutely nothing else on it?



John Hornbuckle
MIS Department
Taylor County School District
318 North Clark Street
Perry, FL 32347

www.taylor.k12.fl.us

From: David Lum [mailto:david....@nwea.org]
Sent: Friday, April 24, 2009 11:38 AM
To: NT System Admin Issues
Subject: RE: Server OS opinion

Security.

http://www.windowsecurity.com/articles/DHCP-Security-Part1.html
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

-----Original Message-----
From: Andy Ognenoff [mailto:andyognen...@gmail.com]
Sent: Friday, April 24, 2009 8:33 AM
To: NT System Admin Issues
Subject: RE: Server OS opinion

What's the reasoning for no DHCP on a DC - besides the extra stuff you need
to do to make DNS updates work correctly?

We're a very small shop with only 1 domain/2 DCs and I'm implementing DHCP
soon - again, migrating from Netware.

 - Andy O.
________________________________________
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Thursday, April 23, 2009 3:52 AM
To: NT System Admin Issues
Subject: RE: Server OS opinion

1) Full Install, with minimal roles, unless core will do it for me and not
be an admin headache.
2) Enterprise Edition X64 for E2k7 in a 4 node cluster GEO-Cluster for FT
and HA.
3) Domain Controller not with DHCP; put that role on a separate server,
protected (Standard Edition).
4) File server, Standard edition, implement file blocking, quotas, and ABE.
5) Always take a minimalist approach, still like gui tools, but if you can
do all the stuff from the cmdline or via POSH then you GTG.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505
________________________________________
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Wednesday, April 22, 2009 8:39 PM
To: NT System Admin Issues
Subject: RE: Server OS opinion

Until Server 2008 R2, there is no .NET Framework with Server Core, so
anything that relies on .NET (e.g. Exchange) isn't going to work.

Administration via GUI can be done remotely (though I suppose sometimes you
have to do things at the console) so not having a GUI isn't a big -ve in my
opinion. I would add your Hyper-V hosts to a domain to make it easier to
manage remotely.

Cheers
Ken

________________________________________
From: Glen Johnson [gjohn...@vhcc.edu]
Sent: Wednesday, 22 April 2009 10:14 PM
To: NT System Admin Issues
Subject: Server OS opinion

What flavor of server 08 would you choose for these servers?
Core or full install.
Exchange 07
Domain controller with DHCP.
File server for user home directories.
In your opinion does the reduced attack surface and fewer patches outweigh
the convenience of having the gui tools and such installed?
I've also got a couple of Hyper-V hosts and unless someone can convince me
otherwise, core will go on them.
Any advice or horror stories appreciated.


Glen Johnson
LAN Admin
Virginia Highlands Community College
PO Box 828, Abingdon, VA 24212
phone: (276)739-2467 fax: (276)739-2590
www.vhcc.edu