Do I need IIS if I am not hosting a website or custom application?

Renkie asked
Last Modified: 2010-04-11
I have a Win 2000 domain controller with IIS installed - I want to demote it and remove it from our network. Is IIS required for a domain? Do I need to install IIS 6.0 on my new domain controller first? This domain was set up and configured prior to my arrival.

Thanks in advance.

Renkie

TolomirAdministrator
CERTIFIED EXPERT
Top Expert 2005

Commented:
Take this tool:

Microsoft Baseline Security Analyzer 2.0
Published: July 1, 2005 | Updated: August 4, 2005

In response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). Version 2.0 of MBSA includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows Server 2003, Windows 2000, and Windows XP systems and will scan for common security misconfigurations in the following products: Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 5.0, and 6.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000, 2002 and 2003. MBSA also scans for missing security updates, update rollups and service packs published to Microsoft Update.

With it you can easily deactivate any webserver that, of course, you don't need. It contains certain usage profiles, making a proper selection easy.

Tolomir
TolomirAdministrator
CERTIFIED EXPERT
Top Expert 2005

Commented:
http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx#EFAA
TolomirAdministrator
CERTIFIED EXPERT
Top Expert 2005

Commented:
Hmm, ok, seems like I misunderstood your question, it's not just about deinstalling IIS.

Ok, what Windows version should be installed on the new domain controller?

Author

Commented:
So an IIS server is not required for a domain? I wasn't aware that you could use the baseline tool to decommission a d.c. - was planning on using 'manage my server'

Renkie

Author

Commented:
new server - inet5 - Win server 2003
old server - ahcpdc - Win server 2000

TolomirAdministrator
CERTIFIED EXPERT
Top Expert 2005

Commented:
Please take a look at:

http://www.microsoft.com/downloads/details.aspx?FamilyId=6F86937B-533A-466D-A8E8-AFF85AD3D212&displaylang=en

The Active Directory Migration Tool version 3 (ADMT v3) simplifies the process of restructuring your operating environment to meet the needs of your organization. You can use ADMT v3 to migrate users, groups, and computers from Microsoft® Windows NT® 4.0 domains to Active Directory® directory service domains; between Active Directory domains in different forests (interforest migration); and between Active Directory domains in the same forest (intraforest migration). ADMT v3 also performs security translation from Windows NT 4.0 domains to Active Directory domains and between Active Directory domains in different forests.

System Requirements

    * ADMT can be installed on any computer capable of running the Windows Server 2003 operating system.
    * Target domain: The target domain must be running either Windows 2000 Server or Windows Server 2003
    * Source domain: The source domain must be running Windows 2000 Server, Windows Server 2003, or Windows NT Server 4.0
    * The primary domain controller (PDC) of a Windows NT Server 4.0 source domain must have SP4 or higher installed.
    * The ADMT agent (installed by ADMT on the source computers) can operate on computers running Windows NT Server 4.0 (with SP4 or higher); Windows 2000 Server, Windows XP, and Windows Server 2003.

Tolomir
TolomirAdministrator
CERTIFIED EXPERT
Top Expert 2005

Commented:
As reference this should be good advice too:

http://www.microsoft.com/technet/prodtechnol/sbs/2003/deploy/sbs2k203.mspx

To upgrade to Windows Small Business Server 2003 from Small Business Server 2000 or Windows 2000 Server, you can either upgrade the existing server or complete a server migration. A server migration involves installing Windows Small Business Server 2003 on a new computer and then migrating data and settings. You can complete a server migration either to a computer on which you are installing a retail version of Windows Small Business Server 2003 or to a computer that has Windows Small Business Server 2003 preinstalled by an original equipment manufacturer (OEM).
TolomirAdministrator
CERTIFIED EXPERT
Top Expert 2005

Commented:
Wasn't IIS installed by default in the early days of Win2000 - when MS thought providing as many services as possible is ultimately user-friendly ;-)

Tolomir

Commented:
;-)
Renkie > so an IIS server is not required for a domain?

Correct. A server does not have to be part of a domain either, and Apache (among others) will run on the Windows platform, should you need a webserver in the future (change your mind or configuration).

pDoGG > It is a bad idea to be running IIS on any of your DCs due to security reasons

For MS servers, it is a good idea to separate each function to a separate server, lest a problem with one of them adversely impact the others. That includes SQL and Exchange. IE browser, any version, should not be placed on any server, it is for workstations only.
Rich RumbleSecurity Samurai
CERTIFIED EXPERT
Top Expert 2006

Commented:
No, that's all that had to be said, it's not required. :)
-rich

Commented:
It is not required to run IIS on a Domain Controller. As a matter of fact, in Microsoft's own documentation they recommend against running IIS, Exchange, or SQL on a Domain Controller due to the security risks from possible misconfigurations and exploits. It is shipped with SBS and other servers because a lot of the time smaller companies cannot afford to deploy multiple servers and it looks like a "feature" to those who need to save money.

There are some programs that require IIS to run, but your Domain Controller is not one of them.

I would recommend one of the following options in your situation:

1. Uninstall IIS if not needed
2. Keep it installed if you're not sure and at least run the IIS Lockdown tool on it. http://www.microsoft.com/technet/security/tools/locktool.mspx
3. Disabling any IIS-related services may also be another option.

Remember this: It is always recommended to uninstall or disable services that you do not need running. This will allow you to reduce your exposure to exploits and provide for a more secure environment.

Let me know if you have any more questions or need more help!!
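
One way to carry out the "disable IIS-related services" option from the answer above, as an added example that is not part of the original thread. It assumes Windows PowerShell with administrative WMI access to the server; the parameter names are illustrative, and the service short names are the standard ones for IIS 5.0/6.0 components.

```powershell
# Added example (not from the thread): audit IIS-related services on a server
# and, only when -Disable is given, stop them and set their start mode to Disabled.
param(
    [string]$ComputerName = '.',   # '.' = local machine (illustrative parameter)
    [string[]]$Exclude    = @(),   # services to leave untouched (illustrative parameter)
    [switch]$Disable               # report-only unless this switch is present
)

# Service short names used by IIS 5.0/6.0 components. IISADMIN is listed last
# because the other services depend on it and have to be stopped first.
# Caveat: SMTP-based Active Directory replication between sites relies on the
# IIS SMTP service, so pass -Exclude SMTPSVC if that transport is in use.
$iisServices = 'W3SVC', 'MSFTPSVC', 'SMTPSVC', 'NNTPSVC', 'IISADMIN'

foreach ($name in $iisServices) {
    if ($Exclude -contains $name) { continue }

    $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                         -Filter "Name='$name'"
    if (-not $svc) { continue }    # component is not installed on this server

    $action = 'none (report only)'
    if ($Disable) {
        # Win32_Service methods return 0 on success; any other value is an error code.
        $stop = 0
        if ($svc.State -ne 'Stopped') { $stop = $svc.StopService().ReturnValue }
        $mode = $svc.ChangeStartMode('Disabled').ReturnValue
        $action = "stop=$stop, disable=$mode"
    }

    # State and StartMode are the values observed before any change was made.
    $svc | Select-Object Name, State, StartMode,
        @{ Name = 'Action'; Expression = { $action } }
}
```

Run it once without `-Disable` to see what is installed and running, then again with the switch once you have confirmed nothing on the server depends on those services.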

Commented:
> There are some programs that require IIS to run
:-((                                  agreed
Win2003 server in all editions can be started without IIS -- with the exception of Web edition server.
