• Status: Solved

Email Server located on the LAN as a PDC

I'm looking at Microsoft Small Business Server 2003 for email.  Are there any unusual security risks of running email alongside your file sharing, printer server, antivirus server, and primary domain controller functions (DHCP, DNS, etc.) all in one box?

Would I be better off putting this new box on a separate leg of the firewall and segregating the LAN from the Email server?  SBS is cheaper, but I don't want to get screwed later.

My dilemma is that SBS is cheaper, but scary that it is doing email on my "bread and butter" server.

Anybody have experience or can lend me a thought?

Thanks,

Deeky
Steve McCarthy (MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator) commented:
You will need to take all your factors into consideration when making your decision.  For a small network, SBS makes a lot of sense because it is very cost effective.  It does have a limit of 70 users and you cannot add any other DCs to the mix, but for a small network with limited funds that can afford a little downtime in the event of failure, again it is a good deal.

Personally, I don't care for SBS.  I want to have a second DC in my network in the event of failure of the first.  I want to be able to put my Exchange server on a separate box for better security and performance.  I want to be able to grow my network without worrying about everything riding on 1 server or having a limit of 70 users.  Without SBS, I have a lot of flexibility I don't have with it.  It does cost more though and there is more administrative overhead with each extra server that you bring online.  Even if I use an old Workstation as a DC, that still gives me a level of fault tolerance that SBS does not give.  

I have all my servers on the same subnet, NATed behind a WatchGuard Firewall and keep up with my patches, AntiVirus and AntiSpam.
 
deeky (Author) commented:
I'm sort of new to hosting web servers like email and HTTP stuff.  So, would it be normal to host email on the same network segment as all of my users?  I have an iptables firewall, and when I built the thing I put 4 NICs in it.  I planned on using one of the NICs as the DMZ, if you will.  That meant to me that there was that extra security.  But is that necessary?

Deeky
 
Steve McCarthy commented:
If you are going to be hosting Web Servers then the DMZ aspect is the way to go.  Some people put their Exchange Server in a DMZ to better protect their internal network, but then that exposes their mail server to the Internet a little bit more.  I put my Exchange Server behind my firewall with the rest of my internal servers.  I just port forward TCP port 25 and rely on my firewall and internal security, patches, antivirus, Exchange AntiVirus etc. to protect my Exchange server.  If I grew bigger, I would probably put an Exchange Front End server in the DMZ with the Back End server on my local network.
 
You have a lot of expandability there in your firewall.  You could also use 1 of the NICs for a non-production test network.
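
The two layouts discussed above (TCP 25 forwarded to a mail server on the user LAN, versus a mail host on a separate firewall NIC), sketched as iptables-restore rulesets; this is an added example, not written by any poster in the thread. Interface names, addresses, the SSH management rule and the choice of a standalone SMTP host in the DMZ are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed values for illustration; none of them come from the thread.
WAN_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2   # three of the four NICs (assumed names)
LAN_MAIL=192.168.1.10                   # mail server on the user LAN (assumed)
DMZ_MAIL=192.168.2.10                   # mail server on the DMZ leg (assumed)

# emit_rules lan|dmz : print an iptables-restore ruleset for one layout.
emit_rules() {
    case "$1" in
        lan) mail_if=$LAN_IF; mail_ip=$LAN_MAIL ;;
        dmz) mail_if=$DMZ_IF; mail_ip=$DMZ_MAIL ;;
        *)   echo "usage: emit_rules lan|dmz" >&2; return 2 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 25 -j DNAT --to-destination $mail_ip:25
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $mail_if -p tcp -d $mail_ip --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
EOF
    if [ "$1" = dmz ]; then
        cat <<EOF
# No rule below routes out $LAN_IF: the DMZ host cannot open connections to the LAN.
-A FORWARD -i $LAN_IF -o $DMZ_IF -d $mail_ip -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $mail_ip -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -s $mail_ip -p udp --dport 53 -j ACCEPT
EOF
    fi
    echo COMMIT
}

# flows_into_lan lan|dmz : count FORWARD rules that accept traffic routed out the LAN NIC.
flows_into_lan() {
    emit_rules "$1" | grep -- '-A FORWARD' | grep -- "-o $LAN_IF " | grep -c -- '-j ACCEPT' || true
}
```

`flows_into_lan lan` reports one accepted path from the Internet onto the user segment, while `flows_into_lan dmz` reports none. Either ruleset can be syntax-checked without being applied by piping it to `iptables-restore --test` as root.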
 
Dave_Dietz commented:
Just a small point - with SBS2003 you *can* have additional DCs in the Active Directory, the SBS machine just needs to be the first DC in the Forest.

This is a change from the way SBS2000 worked in order to add redundancy for Active Directory and its functions.

Dave Dietz
 
deeky (Author) commented:
Do you know if I need to have SBS 2003 on both DCs in order for them to replicate and behave properly?  I currently have a 2000 server that is running as the PDC.  Can that become the backup controller with the new SBS 2003 box?

Deeky
 
Steve McCarthy commented:
Dave, I stand corrected about being able to add an additional DC to SBS now.  I do agree that it must be the first DC in the Forest and there are some other restrictions as far as the SBS Server and Domains.  There is always that magical 75 user limit and limited expandability.
 
Steve McCarthy commented:
Yes, your old 2000 server can become a DC added to the SBS domain.  2 SBS servers would equal 2 domains.
 
deeky (Author) commented:
Does that 75 user limit mean 75 simultaneous user connections, or 75 users listed in AD, whether they are logged in or not?

Deeky
 
Steve McCarthy commented:
From my understanding here, it is 75 concurrent user connections.  Now, if a user connected from 2 different workstations, that would count as 2.  These licenses are per connection, so the same would hold true if you had a machine always logged in with a mapped drive to the server.  That would also count as a connection.  It used to be 50; however, they increased the number in SBS2003.
 
deeky (Author) commented:
Thanks for your help.  Now I just need to figure out licensing issues and I should be ready to make a move.  Why does licensing have to be so complicated?

Deeky
 
Steve McCarthy commented:
Good luck and Thanks!