Does it matter what I install on Domain Controllers.

Do you have the SMS client installed on your domain controllers? If so, you have given your SMS team the ability to run jobs against the DCs, and that can include installing any software they want. I am not saying there is anything wrong with having SMS installed; used correctly it is an excellent tool. What I would suggest is that the SMS clients installed on DCs report to an SMS site server that has a restricted and trusted set of SMS administrators, rather than to the site that serves your general member servers and workstations.

If you are installing any extra software on a DC, look at what areas this exposes: every agent or service you add extends the DC's trust boundary to whoever can administer that agent, and to whatever credentials it stores on the box. I have seen a customer who had a very key financial system with intrusion detection systems installed and a restricted administrators list, but during a penetration test it was found that an administrator had installed an old copy of a remote control product that stored the user name and password in the registry in a manner that could be quickly compromised. This gave the penetration team their first foothold, and very shortly afterwards they had full access.
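
The inventory check that this advice implies, written here as an added PowerShell example that is not part of the original post. For every DC it reports installed products outside an approved baseline, services whose executable lives outside the Windows directory (agents such as the SMS client or a remote control product), and services that log on with a named account, since that account's password then sits in LSA secrets on the DC. The ActiveDirectory module on the workstation, WinRM access to the DCs and the two baseline lists are assumptions; the baseline entries are hypothetical placeholders.

```powershell
# Added example, not from the original post: inventory what is installed and
# running on every domain controller and flag anything outside an approved baseline.
# Assumes the ActiveDirectory module (RSAT) locally and WinRM access to each DC.

# Hypothetical baseline: the products you deliberately put on a DC build.
$approvedSoftware = @(
    'Configuration Manager Client',   # hypothetical: the SMS/ConfigMgr client you deploy on purpose
    'Microsoft Monitoring Agent'      # hypothetical: your monitoring agent
)
# Logon accounts that are normal for services on a DC; anything else is a named account.
$builtInServiceAccounts = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$dcs = (Get-ADDomainController -Filter *).HostName

$inventory = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # Installed products as recorded under the Uninstall keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { $_.DisplayName } |
        Sort-Object -Unique

    # Every Win32 service with its binary path and logon account (kernel drivers are not included).
    $services = Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, PathName, StartName, StartMode, State

    [pscustomobject]@{
        Software   = $software
        Services   = $services
        SystemRoot = $env:SystemRoot   # evaluated on the DC, not on the workstation
    }
}

$findings = foreach ($dc in $inventory) {
    $dcName = $dc.PSComputerName      # added by Invoke-Command to each returned object

    foreach ($name in $dc.Software) {
        if ($approvedSoftware -notcontains $name) {
            [pscustomobject]@{ DC = $dcName; Kind = 'UnapprovedSoftware'; Item = $name; Detail = '' }
        }
    }

    foreach ($svc in $dc.Services) {
        # Binary outside the Windows directory: a third-party agent (SMS, remote control, backup, ...).
        # This is a review list, not a verdict; some Microsoft components also live under Program Files.
        $path = $svc.PathName
        if ($path -and ($path.Trim('"') -notlike "$($dc.SystemRoot)\*")) {
            [pscustomobject]@{ DC = $dcName; Kind = 'ThirdPartyService'; Item = $svc.Name; Detail = $path }
        }
        # Named logon account: its password is stored on the DC and is readable by any DC administrator.
        if ($svc.StartName -and ($builtInServiceAccounts -notcontains $svc.StartName)) {
            [pscustomobject]@{ DC = $dcName; Kind = 'NamedServiceAccount'; Item = $svc.Name; Detail = $svc.StartName }
        }
    }
}

$findings | Sort-Object DC, Kind, Item | Format-Table -AutoSize
```

Run it from an administrative workstation, not from a DC, so the credentials used to reach the DCs are never typed on a box that hosts other people's agents. Everything it flags should map to a line in the DC build document; anything that does not is exactly the kind of extra that gave the penetration team their foothold above.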

Published 01 May 2006 15:57 by Garry

Comments

# re: Does it matter what I install on Domain Controllers.

For SMS, you really should separate your clients and servers using, at the very least, a primary for each type. And you also need to consider the security model, in the form of accounts and groups for each type.

But, if the additional hardware is a problem (budget, lack of), then definitely think through what you're doing before you begin combining server service roles (Exchange, SMS, MOM, DC, ...) on one server.

01 May 2006 16:06 by Rob

# re: Does it matter what I install on Domain Controllers.

We (unfortunately) run SMS site servers on many of our Domain Controllers and found a nice little gotcha when one of the SMS administrators was having a problem with the IIS installation on one. In attempting to resolve the problem he innocently removed IIS from a domain controller, and the uninstallation routine deleted the IIS_WPG group from the domain! (It gets created as a domain local group if installation occurs on a domain controller.)

This group deletion caused a host of problems for our SMS environment in that domain, and it took a little while to understand why (well, at least the first time it happened anyway!).

This problem is fixed when you run IIS on W2K3 SP1 machines, but I'd still not recommend this kind of infrastructure sharing wherever possible.

03 May 2006 12:58 by RichardLythgoe

# re: Does it matter what I install on Domain Controllers.

That's correct, Richard. The other issue is that you end up with conflicts if the group is created before replication has fully occurred.
If you are forced to use SMS on DCs that are non-SP1 you can either:

1) Permission IIS to use another group
2) Edit the IIS.inf to remove the group deletion section.

These are all manual steps and people forget them, so as Richard said, just don't do it where possible, as you may think you are saving money but in reality you are making support harder.

04 May 2006 19:46 by Garry