Solved

Email Server located on the LAN as a PDC

Posted on 2005-02-27
Last Modified: 2013-12-04
I'm looking at Microsoft Small Business Server 2003 for email.  Are there any unusual security risks of running email alongside your file sharing, printer server, antivirus server, and primary domain controller functions (DHCP, DNS, etc.) all in one box?

Would I be better off putting this new box on a separate leg of the firewall and segregating the LAN from the Email server?  SBS is cheaper, but I don't want to get screwed later.

My dilemma is that SBS is cheaper, but scary that it is doing email on my "bread and butter" server.

Anybody have experience or can lend me a thought?

Thanks,

Deeky
Question by:deeky
11 Comments
 
LVL 16

Accepted Solution

by:
samccarthy earned 400 total points
ID: 13416821
You will need to take all your factors into consideration when making your decision.  For a small network, SBS makes a lot of sense because it is very cost effective.  It does have a limit of 70 users and you cannot add any other DCs to the mix, but for a small network with limited funds that can afford a little down time in the event of failure, again it is a good deal.

Personally, I don't care for SBS.  I want to have a second DC in my network in the event of failure of the first.  I want to be able to put my Exchange server on a separate box for better security and performance.  I want to be able to grow my network without worrying about everything riding on 1 server or having a limit of 70 users.  Without SBS, I have a lot of flexibility I don't have with it.  It does cost more though and there is more administrative overhead with each extra server that you bring online.  Even if I use an old Workstation as a DC, that still gives me a level of fault tolerance that SBS does not give.  

I have all my servers on the same subnet, NATed behind a WatchGuard firewall, and keep up with my patches, antivirus and antispam.
0
 

Author Comment

by:deeky
ID: 13416857
I'm sort of new to the hosting of web servers, like email and HTTP stuff.  So, it would be normal to host email on the same network segment as all of my users?  I have an iptables firewall that, when I built the thing, I put 4 NICs in.  I planned on using one of the NICs as the DMZ, if you will.  That meant to me that there was that extra security.  But is that necessary?

Deeky
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13416886
If you are going to be hosting Web Servers then the DMZ aspect is the way to go.  Some people put their Exchange Server in a DMZ to more protect their internal network, but then that exposes their mail server to the Internet a little bit more.  I put my Exchange Server behind my firewall with the rest of my internal servers.  I just port forward TCP port 25 and rely on my firewall and internal security, patches, antivirus, Exchange AntiVirus etc. to protect my Exchange server.  If I grew bigger, I would probably put an Exchange Front End server in the DMZ with the Back End server on my local network.
 
You have a lot of expandability there in your firewall.  You could also use 1 of the NICs for a non-production test network.
0
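The DMZ-leg layout discussed above (inbound TCP 25 forwarded to a mail host on its own firewall NIC, with no new connections allowed from that leg into the LAN), as an added example that is not part of the original thread. Interface names, the mail host address and the LAN client ports are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for a three-legged firewall.
# Interface names, addresses and client ports are assumptions, not thread values.
WAN_IF=${WAN_IF:-eth0}             # Internet side
LAN_IF=${LAN_IF:-eth1}             # user workstations
DMZ_IF=${DMZ_IF:-eth2}             # mail server leg
MAIL_IP=${MAIL_IP:-192.168.50.10}  # constructed DMZ address of the mail host

gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound SMTP from the Internet is forwarded to the mail host only
-A PREROUTING -i $WAN_IF -p tcp --dport 25 -j DNAT --to-destination $MAIL_IP:25
# Hide internal addresses behind the firewall's WAN address
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Firewall management from the LAN only (SSH is an assumption)
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet to DMZ: SMTP to the mail host, nothing else
-A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $MAIL_IP --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# LAN to DMZ: SMTP, POP3, IMAP and HTTPS to the mail host (assumed client protocols)
-A FORWARD -i $LAN_IF -o $DMZ_IF -p tcp -d $MAIL_IP -m multiport --dports 25,110,143,443 -m conntrack --ctstate NEW -j ACCEPT
# LAN to Internet: outbound browsing and similar
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT
# DMZ to Internet: the mail host may send mail and resolve names
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $MAIL_IP -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $MAIL_IP -p udp --dport 53 -j ACCEPT
# DMZ to LAN: no new connections; log the attempt, then the DROP policy applies
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN drop: "
COMMIT
EOF
}

# Print the ruleset only when asked, so sourcing the file has no side effects
if [ "${1:-}" = "--print" ]; then gen_rules; fi
```

Piping `gen_rules` into `iptables-restore --test` as root parses the ruleset without committing it.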
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 13417025
Just a small point - with SBS2003 you *can* have additional DCs in the Active Directory, the SBS machine just needs to be the first DC in the Forest.

This is a change from the way SBS2000 worked in order to add redundancy for Active Directory and its functions.

Dave Dietz
0
 

Author Comment

by:deeky
ID: 13417128
Do you know if I need to have SBS 2003 on both DCs in order for them to replicate and behave properly?  I currently have a 2000 server that is running as the PDC.  Can that become the backup controller with the new SBS 2003 box?

Deeky
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13417218
Dave, I stand corrected about being able to add an additional DC to SBS now.  I do agree that it must be the first DC in the Forest and there are some other restrictions as far as the SBS Server and Domains.  There is always that magical 75 user limit and limited expandability.
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13417228
Yes, your old 2000 server can become a DC added to the SBS domain.  2 SBS servers would equal 2 domains.
0
 

Author Comment

by:deeky
ID: 13417244
Does that 75 user limit mean 75 simultaneous user connections, or 75 users listed in AD, whether they are logged in or not?

Deeky
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13418969
From my understanding here, it is 75 concurrent user connections.  Now, if a user connected from 2 different workstations, that would count as 2.  These licenses are per connection, so the same would hold true if you had a machine always logged in with a mapped drive to the server.  That would also count as a connection.  It used to be 50; however, they increased the number in SBS2003.
0
 

Author Comment

by:deeky
ID: 13425778
Thanks for your help.  Now I just need to figure out licensing issues and I should be ready to make a move.  Why does licensing have to be so complicated?

Deeky
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13425805
Good luck and Thanks!
0

Question has a verified solution.