Renkie

asked on

Do I need IIS if I am not hosting a website or custom application?

I have a Win 2000 domain controller with IIS installed - I want to demote it and remove it from our network. Is IIS required for a domain? Do I need to install IIS 6.0 on my new domain controller first? This domain was setup and configured prior to my arrival.

Thanks in advance.

Renkie
Tolomir

Take this tool:

Microsoft Baseline Security Analyzer 2.0
Published: July 1, 2005 | Updated: August 4, 2005

In response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). Version 2.0 of MBSA includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows Server 2003, Windows 2000, and Windows XP systems and will scan for common security misconfigurations in the following products: Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 5.0, and 6.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003. MBSA also scans for missing security updates, update rollups and service packs published to Microsoft Update.

With it you can easily deactivate any webserver you, of course, don't need. It contains certain usage profiles, making a proper selection easy.

Tolomir
Hmm, ok, seems like I misunderstood your question, it's not just about uninstalling IIS.

Ok, what Windows version should be installed on the new domain controller?

Renkie

ASKER

so an IIS server is not required for a domain? I wasn't aware that you could use the baseline tool to decommission a d.c. - was planning on using 'manage my server'

Renkie

ASKER

new server - inet5 - Win server 2003
old server - ahcpdc - Win server 2000

Please take a look at:

http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en

The Active Directory Migration Tool version 3 (ADMT v3) simplifies the process of restructuring your operating environment to meet the needs of your organization. You can use ADMT v3 to migrate users, groups, and computers from Microsoft® Windows NT® 4.0 domains to Active Directory® directory service domains; between Active Directory domains in different forests (interforest migration); and between Active Directory domains in the same forest (intraforest migration). ADMT v3 also performs security translation from Windows NT 4.0 domains to Active Directory domains and between Active Directory domains in different forests.

System Requirements

    * ADMT can be installed on any computer capable of running the Windows Server 2003 operating system.
    * Target domain: The target domain must be running either Windows 2000 Server or Windows Server 2003
    * Source domain: The source domain must be running Windows 2000 Server, Windows Server 2003, or Windows NT Server 4.0
    * The primary domain controller (PDC) of a Windows NT Server 4.0 source domain must have SP4 or higher installed.
    * The ADMT agent (installed by ADMT on the source computers) can operate on computers running Windows NT Server 4.0 (with SP4 or higher); Windows 2000 Server, Windows XP, and Windows Server 2003.

Tolomir
As reference this should be good advice too:

http://www.microsoft.com/technet/prodtechnol/sbs/2003/deploy/sbs2k203.mspx

To upgrade to Windows Small Business Server 2003 from Small Business Server 2000 or Windows 2000 Server, you can either upgrade the existing server or complete a server migration. A server migration involves installing Windows Small Business Server 2003 on a new computer and then migrating data and settings. You can complete a server migration either to a computer on which you are installing a retail version of Windows Small Business Server 2003 or to a computer that has Windows Small Business Server 2003 preinstalled by an original equipment manufacturer (OEM).
ASKER CERTIFIED SOLUTION
pDoGG

This solution is only available to members.

Wasn't IIS installed by default in the early days of Win2000 - when MS thought providing as many services as possible is ultimately user-friendly ;-)

Tolomir
;-)
Renkie > so an IIS server is not required for a domain?

Correct. A server does not have to be part of a domain either, and Apache (among others) will run on the Windows platform, should you need a webserver in the future (change your mind or configuration).

pDoGG > It is a bad idea to be running IIS on any of your DCs due to security reasons

For MS servers, it is a good idea to separate each function to a separate server, lest a problem with one of them adversely impact the others. That includes SQL and Exchange. IE browser, any version, should not be placed on any server, it is for workstations only.
No, that's all that had to be said, it's not required. :)
-rich
It is not required to run IIS on a Domain Controller. As a matter of fact, in Microsoft's own documentation they recommend against running IIS, Exchange, or SQL on a Domain Controller due to the security risks from possible misconfigurations and exploits. It is shipped with SBS and other servers because a lot of the time smaller companies cannot afford to deploy multiple servers and it looks like a "feature" to those who need to save money.

There are some programs that require IIS to run, but your Domain Controller is not one of them.

I would recommend one of the following options in your situation:

1. Uninstall IIS if not needed
2. Keep it installed if you're not sure and at least run the IIS Lockdown tool on it. http://www.microsoft.com/technet/security/tools/locktool.mspx
3. Disabling any IIS-related services may also be another option.

Remember this: It is always recommended to uninstall or disable services that you do not need running. This will allow you to reduce your exposure to exploits and provide for a more secure environment.

Let me know if you have any more questions or need more help!!
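
The options in the answer above all start from knowing which IIS services are present and running on the server. The following Windows PowerShell script is an added example, not part of the original answer: it reports the state of the standard IIS 5.0/6.0 services and only changes anything when asked. The `-ComputerName` and `-Disable` parameters are names chosen for this example, and it assumes Windows PowerShell with `Get-WmiObject` available.

```powershell
# Added example (not from the thread): audit IIS-related services on a server.
param(
    [string]$ComputerName = '.',  # assumption: local machine unless a name is given
    [switch]$Disable              # report only unless -Disable is passed
)

# Standard short names of the IIS 5.0/6.0 component services.
$names  = 'IISADMIN', 'W3SVC', 'MSFTPSVC', 'SMTPSVC', 'NNTPSVC'
$filter = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '
$found  = @(Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter)

if ($found.Count -eq 0) {
    Write-Output "No IIS-related services are installed on '$ComputerName'."
    return
}

# On IIS 5.0/6.0 the other services depend on IISADMIN, so handle it last.
$ordered = $found | Sort-Object { if ($_.Name -eq 'IISADMIN') { 1 } else { 0 } }

foreach ($svc in $ordered) {
    # A service still needs attention if it is running or can be started again.
    $needsAction = ($svc.State -ne 'Stopped') -or ($svc.StartMode -ne 'Disabled')
    Write-Output ('{0,-9} state={1,-8} startmode={2,-9} needsAction={3}' -f `
        $svc.Name, $svc.State, $svc.StartMode, $needsAction)

    if ($Disable -and $needsAction) {
        if ($svc.State -ne 'Stopped') {
            $rc = $svc.StopService().ReturnValue
            if ($rc -ne 0) { Write-Warning "$($svc.Name): StopService returned $rc" }
        }
        $rc = $svc.ChangeStartMode('Disabled').ReturnValue
        if ($rc -ne 0) { Write-Warning "$($svc.Name): ChangeStartMode returned $rc" }
    }
}
```

Run it without `-Disable` first and confirm that nothing else on the server depends on the listed services before disabling them.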
> There are some programs that require IIS to run
:-(( agreed
Win2003 server in all editions can be started without IIS -- with the exception of Web edition server.