• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 759
  • Last Modified:

Best way to secure a 2008 R2 DC?

We are a college campus.  We are in the middle of an Active Directory roll-out.  We'd like to configure a domain controller on our student segment, which is separated from faculty and staff by a firewall.  We are considering simply creating a firewall conduit, permitting the student segment DC to communication with the rest of the DC's on the faculty/staff side.  However, we have some questions:
1. If we don't want to use an RODC, or server core installation, are there best practices for securing a full installation of a 2008 R2 DC?
2. The DC needs to be a DNS server as well.  We prefer AD integrated DNS.  Therefore, this means the DC would have a full copy of our faculty/ staff zone since it will replicate with other DC's on that segment.  Are there things we should consider from a security stand point with this configuration?

Goal: accomplish our task according to best practices, and with the most security possible.

If we have to do server core, I'm familiar with how to configure it.  I'm aware of the requirement to use command line tools, however, you should still be able to use ADUC to manipulate it remotely.
0
patriots
Asked:
patriots
2 Solutions
 
NavdeepCommented:
Hi,

For securing AD, here is the step by step guide. Not all point would be necessary but this you will find all what you need in this guide.

Best-Practice-Guide-for-Securing.doc
0
 
kevinhsiehCommented:
My suggestion is to run two or more RODC on the student site. Open the the required ports from the RODCs to your other RW DCs. I don't think that access to the full DNS zone on the RODC is problematic if the firewall blocks communication.

Another option is to setup a separate forest with a one way or two way trust. It depends on what resources you want to make to whom.
0
 
Sigurdur HaraldssonSystem AdministratorCommented:
Run the SCW, Security Configuration Wizard! Start-Admin Tools-SCW.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now