Domain Controllers: What do you all do?

Hey guys,

What do you guys do with your domain controllers?

IE

1) Do you make them all virtual if you run virtualization?

2) Do you keep the cookie jar half in and half out mentality, like having numerous physical boxes on-top of virtual ones?

3) Do you restrict access to the Primary DC except for only the default admin account and make all DC-based changes on secondary controllers? - IE: what security measure of this sorts do you guys use...

4)Do you split Operations Masters between servers?

5) Are your DC's on separate vLAN's from other servers, IE: CA, FS, IIS?

6) Do you block some of your DC's from accessing the internet completely? - for security purposes.

Curious what other peoples domain controller postures are in their organizations.

Find more posts tagged with

Comments

joelsfood

All virtual
Standard vlan (one of our many data vlans, but nothing DC specific)
Not sure on rest off the top of my head

gespenstern

1-2) Used to leave at least one as physical in case vmware goes down, but it never does, so these days tend to make them all virtual

3) -- don't see any sense in this, never do

4) No. Besides the fact that schema and domain naming reside in forest root domain that isn't used much

5) It could be, provided that authentication traffic still can reach authentication servers, etc.

6) Saw both, personally don't have preference. It's a very weak security control anyways, because it's pretty easy to set up an exfiltration proxy on some other server/workstation if I was a malicious actor.

dave330i

If you work for Microsoft, then DCs must be physical or else they are not secure. Rest of the world, virtual.

TheProf

Deathmage wrote: »

Hey guys,

What do you guys do with your domain controllers?

IE

1) Do you make them all virtual if you run virtualization?

All virtual / placed on different hosts/clusters throughout the org

2) Do you keep the cookie jar half in and half out mentality, like having numerous physical boxes on-top of virtual ones?

All virtual including RODCs in the DMZ

3) Do you restrict access to the Primary DC except for only the default admin account and make all DC-based changes on secondary controllers? - IE: what security measure of this sorts do you guys use...

Nothing major on the security side other than separate VLANs and restricted access to only the people who manage DCs or require special permission for their job function

4)Do you split Operations Masters between servers?

Always split roles as best practice unless you have only one DC

5) Are your DC's on separate vLAN's from other servers, IE: CA, FS, IIS?

DC's are usually on the same VLAN as other production servers, although some implementation required dedicated VLANs

6) Do you block some of your DC's from accessing the internet completely? - for security purposes.

Some customers use web filtering / proxy servers. It's a good way to protect your servers, but protecting DCs is a lot more than just controlling internet access
Curious what other peoples domain controller postures are in their organizations.

Check the quoted post

gkca

Deathmage wrote: »

3) Do you restrict access to the Primary DC except for only the default admin account and make all DC-based changes on secondary controllers? - IE: what security measure of this sorts do you guys use...

Primary DC? Are we talking about NT4 domains? In AD it wouldn't make much sense because of the multi-master replication and PDC Emulator is just another role that can be transferred or seized.

Deathmage

@=gkca

I like keeping one DC as pristine as possible and never log into it

Slowhand

This is one of those questions that pop up a lot, so here goes:

We run mostly virtual, but my company decided to keep three of the twenty-six in our forest physical mainly due to wanting to spend the remaining budget for that quarter.
I'm not quite sure what you mean by that, to tell the truth.
The PDC emulator isn't any more restricted than the other DCs. It happens to live on a physical server since those run 128GB of RAM as part of our standard build, as opposed to the VMs which have 16GB.
Yes
Our VLAN infrastructure isn't split by application, but rather by region and office, as well as location type, (i.e. datacenter, wired office, wireless office, IP phones, etc.)
No, but there are other firewall rules in place to prevent unauthorized access to the DCs from the outside world and from within the network on specific ports, as well as GPOs locking them down to company security standards, and they're all running Core.