Solved

Best way to secure a 2008 R2 DC?

Posted on 2011-03-23
Last Modified: 2012-06-27
We are a college campus.  We are in the middle of an Active Directory roll-out.  We'd like to configure a domain controller on our student segment, which is separated from faculty and staff by a firewall.  We are considering simply creating a firewall conduit, permitting the student segment DC to communicate with the rest of the DCs on the faculty/staff side.  However, we have some questions:
1. If we don't want to use an RODC, or server core installation, are there best practices for securing a full installation of a 2008 R2 DC?
2. The DC needs to be a DNS server as well.  We prefer AD integrated DNS.  Therefore, this means the DC would have a full copy of our faculty/staff zone since it will replicate with other DCs on that segment.  Are there things we should consider from a security standpoint with this configuration?

Goal: accomplish our task according to best practices, and with the most security possible.

If we have to do server core, I'm familiar with how to configure it.  I'm aware of the requirement to use command-line tools; however, you should still be able to use ADUC to manipulate it remotely.
Question by:patriots
3 Comments
 
LVL 12

Accepted Solution

by:
Navdeep earned 400 total points
ID: 35202923
Hi,

For securing AD, here is the step-by-step guide. Not all points would be necessary, but you will find all that you need in this guide.

Best-Practice-Guide-for-Securing.doc
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35203965
My suggestion is to run two or more RODCs on the student site. Open the required ports from the RODCs to your other RW DCs. I don't think that access to the full DNS zone on the RODC is problematic if the firewall blocks communication.

Another option is to set up a separate forest with a one-way or two-way trust. It depends on what resources you want to make available to whom.
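Added example (not part of any post in this thread): one way to verify, from the student-segment DC, that the firewall conduit passes the ports a DC needs to reach the writable DCs and nothing else. The host names are placeholders, the required list is the standard AD DS port set rather than something given in the thread, and the "should be blocked" list is an assumed site policy.

```powershell
# Added example. Run from the student-segment DC (PowerShell 2.0 compatible).
# Placeholder host names: substitute your writable DCs behind the firewall.
$WritableDCs = @('dc01.example.edu', 'dc02.example.edu')

# Well-known TCP ports a DC uses to reach its replication partners.
# Replication also uses a dynamic RPC port (49152-65535 by default on
# Windows Server 2008 and later); that range is not probed here.
$Required = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'
    389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos password change'
    636 = 'LDAPS'; 3268 = 'Global catalog'
}
# Assumed site policy: ports the conduit should NOT pass. Adjust to yours.
$Blocked = @{ 23 = 'Telnet'; 3389 = 'RDP' }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false                # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

$results = foreach ($dc in $WritableDCs) {
    foreach ($set in @(@{ Ports = $Required; Expect = $true },
                       @{ Ports = $Blocked;  Expect = $false })) {
        foreach ($port in $set.Ports.Keys) {
            $open = Test-TcpPort -ComputerName $dc -Port $port
            New-Object PSObject -Property @{
                DC = $dc; Port = $port; Service = $set.Ports[$port]
                Open = $open; Expected = $set.Expect; OK = ($open -eq $set.Expect)
            }
        }
    }
}
$results | Sort-Object DC, Port |
    Format-Table DC, Port, Service, Open, Expected, OK -AutoSize
```

Any row with OK = False is either a required port the firewall is dropping or a port getting through that the assumed policy says should not.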
 
LVL 11

Assisted Solution

by:sighar
sighar earned 100 total points
ID: 35206803
Run the SCW, Security Configuration Wizard! Start-Admin Tools-SCW.