Domain Controllers: What do you all do?

Deathmage Banned Posts: 2,496
Hey guys,

What do you guys do with your domain controllers?

i.e.

1) Do you make them all virtual if you run virtualization?

2) Do you keep the cookie jar half in and half out mentality, like having numerous physical boxes on top of virtual ones?

3) Do you restrict access to the Primary DC except for only the default admin account and make all DC-based changes on secondary controllers? - i.e. what security measures of this sort do you guys use...

4) Do you split Operations Masters between servers?

5) Are your DCs on separate VLANs from other servers, i.e. CA, FS, IIS?

6) Do you block some of your DCs from accessing the internet completely? - for security purposes.

Curious what other people's domain controller postures are in their organizations.

Comments

  • joelsfood Member Posts: 1,027
    All virtual
    Standard vlan (one of our many data vlans, but nothing DC specific)
    Not sure on rest off the top of my head
  • gespenstern Member Posts: 1,243
    1-2) Used to leave at least one as physical in case vmware goes down, but it never does, so these days tend to make them all virtual

    3) -- don't see any sense in this, never do

    4) No. Besides the fact that schema and domain naming reside in forest root domain that isn't used much

    5) It could be, provided that authentication traffic still can reach authentication servers, etc.

    6) Saw both, personally don't have preference. It's a very weak security control anyways, because it's pretty easy to set up an exfiltration proxy on some other server/workstation if I was a malicious actor.
  • dave330i Member Posts: 2,091
    If you work for Microsoft, then DCs must be physical or else they are not secure. Rest of the world, virtual.
    2018 Certification Goals: Maybe VMware Sales Cert
    "Simplify, then add lightness" -Colin Chapman
  • TheProf Users Awaiting Email Confirmation Posts: 331
    Deathmage wrote: »
    Hey guys,

    What do you guys do with your domain controllers?

    i.e.

    1) Do you make them all virtual if you run virtualization?

    All virtual / placed on different hosts/clusters throughout the org

    2) Do you keep the cookie jar half in and half out mentality, like having numerous physical boxes on top of virtual ones?

    All virtual including RODCs in the DMZ

    3) Do you restrict access to the Primary DC except for only the default admin account and make all DC-based changes on secondary controllers? - i.e. what security measures of this sort do you guys use...

    Nothing major on the security side other than separate VLANs and restricted access to only the people who manage DCs or require special permission for their job function

    4) Do you split Operations Masters between servers?

    Always split roles as best practice unless you have only one DC

    5) Are your DCs on separate VLANs from other servers, i.e. CA, FS, IIS?

    DCs are usually on the same VLAN as other production servers, although some implementations required dedicated VLANs

    6) Do you block some of your DCs from accessing the internet completely? - for security purposes.

    Some customers use web filtering / proxy servers. It's a good way to protect your servers, but protecting DCs is a lot more than just controlling internet access

    Curious what other people's domain controller postures are in their organizations.

    Check the quoted post :)
  • gkca Member Posts: 243
    Deathmage wrote: »
    3) Do you restrict access to the Primary DC except for only the default admin account and make all DC-based changes on secondary controllers? - i.e. what security measures of this sort do you guys use...
    Primary DC? Are we talking about NT4 domains? In AD it wouldn't make much sense because of the multi-master replication and PDC Emulator is just another role that can be transferred or seized.
    "I needed a password with eight characters so I picked Snow White and the Seven Dwarves." (c) Nick Helm
  • Deathmage Banned Posts: 2,496
    @gkca

    I like keeping one DC as pristine as possible and never log into it
  • Slowhand Mod Posts: 5,161
    This is one of those questions that pop up a lot, so here goes:
    1. We run mostly virtual, but my company decided to keep three of the twenty-six in our forest physical mainly due to wanting to spend the remaining budget for that quarter.
    2. I'm not quite sure what you mean by that, to tell the truth.
    3. The PDC emulator isn't any more restricted than the other DCs. It happens to live on a physical server since those run 128GB of RAM as part of our standard build, as opposed to the VMs which have 16GB.
    4. Yes
    5. Our VLAN infrastructure isn't split by application, but rather by region and office, as well as location type (i.e. datacenter, wired office, wireless office, IP phones, etc.)
    6. No, but there are other firewall rules in place to prevent unauthorized access to the DCs from the outside world and from within the network on specific ports, as well as GPOs locking them down to company security standards, and they're all running Core.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
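Several replies above touch on the same three checks: whether the FSMO roles are split across DCs (TheProf, Slowhand), which DCs are virtual or read-only (joelsfood, gespenstern, TheProf), and whether DCs can reach the internet (gespenstern, Slowhand). The script below is an added example, not code from any poster in the thread, that gathers those facts for every DC in the current domain so the posture can be reviewed rather than remembered. It assumes the ActiveDirectory RSAT module is installed, that the account running it can query each DC over CIM and WinRM, that the hypervisor model strings it matches on (`Virtual`, `VMware`, `KVM`, `HVM`) fit your platform, and that `www.microsoft.com:443` is an acceptable egress probe target; all of those are assumptions to adjust.

```powershell
# Added example: audit FSMO placement, virtualization and internet egress per DC.
# Assumes the ActiveDirectory RSAT module and CIM/WinRM rights on every DC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The five operations master roles; Get-ADForest/Get-ADDomain return holder FQDNs.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Group roles by holder so it is obvious whether they are split (thread item 4).
$byHolder = @($roles.GetEnumerator() | Group-Object -Property Value)
foreach ($h in $byHolder) {
    $names = ($h.Group | ForEach-Object { $_.Name }) -join ', '
    Write-Host ("{0} holds: {1}" -f $h.Name, $names)
}
if ($byHolder.Count -eq 1) {
    Write-Warning 'All five FSMO roles sit on a single DC.'
}

# Hypervisor model strings to treat as "virtual"; assumption, adjust for your platform.
$virtualPattern = 'Virtual|VMware|KVM|HVM'
# Egress probe target; assumption, replace with whatever your policy allows.
$egressHost = 'www.microsoft.com'

# Inventory each DC: read-only, site, hardware model, FSMO roles, egress (items 1, 2, 6).
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $model = 'unreachable'
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $dc.HostName -ErrorAction Stop
        $model = $cs.Model
    } catch { }

    # Test egress *from the DC itself*; a probe from the admin host says nothing
    # about the DC's own firewall or proxy rules.
    $egress = 'unknown'
    try {
        $egress = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($target)
            (Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
        } -ArgumentList $egressHost
    } catch { }

    [pscustomobject]@{
        DC             = $dc.HostName
        Site           = $dc.Site
        ReadOnly       = $dc.IsReadOnly
        Model          = $model
        IsVirtual      = ($model -match $virtualPattern)
        FsmoRoles      = ($dc.OperationMasterRoles -join ',')
        InternetEgress = $egress
    }
}

$report | Sort-Object DC | Format-Table -AutoSize
```

Run it from an admin workstation with the AD RSAT module in a domain-admin-equivalent context; the egress column reflects raw TCP reachability to port 443 from the DC, so a DC that is forced through an authenticated proxy will show `False` here while still having proxied web access, which is exactly the distinction TheProf and gespenstern draw between "blocking internet" and the broader job of protecting the DC.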