I'm new to Server 03, so don't hurt me here... But I have a domain name that I have not been using, so I'm wondering a few things. When I re-set up my server, I want to play around with some stuff... for example:
I'm in a class that covers objectives for Server 2003 (70-290) and XP (70-270). When we install XP next class, could I possibly point the domain to my local server and join the domain over the internet?
Oh, and since I'm running DNS on my server, I could just use that DNS server for the domain? I know in a production environment you wouldn't want your DNS, AD, HTTP, etc. running all on one box, but would it work? :-p
I have a couple other ideas floating around, so I'll post them once I put a little more thought into it.
Fantastic. The project manager is inspired.
In Progress: 70-640, 70-685
Comments
-
royal Member Posts: 3,352
Well, you'd never want to join a domain over the internet anyways. You always want your domain in your corporate network behind firewalls that block LDAP ports and such. Of course there are exceptions, such as having a second domain in your DMZ to control your DMZ machines that is separate from your corporate domain with confidential data. If you were to open up the appropriate ports such as 53, 389, etc., then you would be able to join the domain over the internet.
A best practice for all Windows Servers is to harden them so they are not running a single thing they do not need to while still being able to perform their job. This reduces the attack surface of that machine. Active Directory on a Domain Controller requires DNS. The only caveat to that is that a Domain Controller does NOT need to have DNS installed. That might sound confusing, so I will explain. The first Domain Controller will need to have DNS installed. A second Domain Controller does not need to have DNS installed, as it will be able to use the DNS from the first Domain Controller as long as you have the Domain Controller with DNS as the primary DNS IP. You can of course configure DNS on both Domain Controllers, which I would recommend.
As for IIS (Internet Information Services, aka web services), you could run it on a Domain Controller just fine. You can typically run most services on your Domain Controller. In fact, there is a Windows Server 2003 Small Business Server edition that will come with tons of stuff such as Certificate Services/PKI, IIS, AD, DNS, ISA, Exchange, etc... The best practice though is to leave Domain Controllers running only Active Directory. The reason? The Domain Controllers are the heart of your company's infrastructure. They contain the database of usernames, passwords, policies, etc... You want as little as possible running on them and harden them as much as possible.
Speaking of hardening, there is a utility Microsoft released called Security Configuration Wizard. It is a tool that reduces the attack surface of a system by looking at what role(s) a system is running. It will then give recommendations on how you can reduce the attack surface of the system and guide you through the process.
Hope this helps.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
Darthn3ss Member Posts: 1,096
It did, thanks.... I understand the security risks of joining a domain over the internet... just wanted to see if it'd work. I can still use RD though.
Oh, and since we're on the subject of Server 2003:
During install I keep getting these damn blue screen hardware errors.... around 25-30 minutes left it'll just quit. I have 2 other disks though, so if this one acts up again I may try another one.
-
royal Member Posts: 3,352
Well, like I said, you pretty much can join a client to a domain over the internet, but you'd have to have a swiss-cheese firewall in order to do so. There are so many ports that are required to be open. LDAP, DNS, RPC, Kerberos, GC, etc... As for using Remote Desktop, you don't want a corporate DC accessible from the internet. I would at least require a VPN connection before you were allowed to RD, or have a device such as Internet Application Gateway device that you can publish an RDP connection to a DC and require multi-factor authentication.
You can read more about what ports are needed from the following sites:
http://support.microsoft.com/default.aspx/kb/832017/en-us
http://support.microsoft.com/default.aspx?scid=kb;en-us;179442
-
Darthn3ss Member Posts: 1,096
I'll just stick to my home DC for VPN.. yeah, I just want access to it in case I'm learning something interesting in school.
-
rossonieri#1 Member Posts: 799
Darthn3ss wrote:
    I'll just stick to my home DC for VPN.. yeah, I just want access to it in case I'm learning something interesting in school.
Well, you have the answer there.
If you already have a router in front of your home DC (like a DSL router etc.), just go VPN to your home DC -- and join it.
There are a few things that are not going to be easy when you join a domain over the internet.
Make sure you get all the requirements, such as valid public DNS naming, SNAT to your DNS (DC), etc.
Good luck.
The More I know, that is more and More I dont know.
-
Darthn3ss Member Posts: 1,096
I guess I'll forget about joining the domain over the internet for a while. However, I do have a public domain I'd like to associate with the server. I just don't have access to DNS servers... my registrar requires 2.
-
royal Member Posts: 3,352
Well, what you could do is tell your registrar to set the nameserver records to a free DNS hosting service such as ZoneEdit. You then get a static IP from your ISP and use that on your DC that you want internet facing. You can use the same domain with ZoneEdit as your Active Directory domain. That way you still have public DNS that is registered on the root/TLD name servers, and when you try to contact your DomainController.domain.com via the internet, it will see your domain.com registered on the internet, contact the nameserver on ZoneEdit's servers, then find the public IP for your Domain Controller. You could also set one of the nameserver records to point to ZoneEdit's nameservers and have the second nameserver pointing to your Domain Controller. The only problem with either of these configurations is that if you use a client to join a domain and it contacts the name server being hosted at ZoneEdit, it won't have any SRV records and you'll run into problems.
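As an added example that is not part of this thread, the PowerShell below checks the two things royal's replies hinge on: whether the DNS server a client is pointed at actually answers the SRV records a domain join needs (a host that only carries public A/MX records, as described for ZoneEdit above, answers none of them), and which of the TCP ports listed in the KB article linked above are reachable on the DC those records name. The domain name, the DNS server address, and the `Resolve-DnsName` / `Test-NetConnection` cmdlets (Windows 8 / Server 2012 or later, so not the Server 2003 box in the thread itself) are assumptions; nothing here is the poster's own code.

```powershell
# Added example (not from the thread): verify the DNS records and TCP ports a
# Windows client needs to locate and join an Active Directory domain.
# Assumptions: run on a Windows 8 / Server 2012 or later client with the
# DnsClient and NetTCPIP modules. $Domain and $DnsServer are placeholders for
# your own AD DNS name and the DNS server the client has been configured to use.
param(
    [string]$Domain    = 'example.internal',   # placeholder AD DNS domain name
    [string]$DnsServer = '192.0.2.10'          # placeholder DNS server (usually the DC)
)

# SRV records the DC locator queries during a domain join. A public DNS host
# that only has the A/MX records for the web site answers NXDOMAIN for these.
$srvRecords = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

# TCP ports among those the KB article lists for domain membership. The RPC
# endpoint mapper (135) hands out dynamic high ports on top of these, which is
# why exposing a DC means a "swiss-cheese" firewall rather than a few holes.
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / Netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over TLS'
}

Write-Host "== SRV records for $Domain via $DnsServer =="
$dcHosts = @()
foreach ($name in $srvRecords) {
    try {
        # -ErrorAction Stop turns NXDOMAIN / no-answer into a catchable error
        $answers = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'SRV' }
        foreach ($a in $answers) {
            Write-Host ("  OK      {0} -> {1}:{2}" -f $name, $a.NameTarget, $a.Port)
            $dcHosts += $a.NameTarget
        }
    } catch {
        Write-Host ("  MISSING {0}  ({1})" -f $name, $_.Exception.Message)
    }
}

# Probe each port on the DC(s) the SRV records point at. From a VPN-connected
# client every port should show "open"; from outside the network, every port
# should show "blocked" if the firewall is doing its job.
foreach ($dc in ($dcHosts | Sort-Object -Unique)) {
    Write-Host "== TCP ports on $dc =="
    foreach ($port in ($ports.Keys | Sort-Object)) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'blocked' }
        Write-Host ("  {0,-5} {1,-28} {2}" -f $port, $ports[$port], $state)
    }
}
```

Run it once from a client on the VPN (every SRV record should resolve and every port should be open) and once from a machine outside the network (the SRV records may still resolve if the AD zone is published, but every port should report blocked). A "MISSING" line for `_ldap._tcp.dc._msdcs` is exactly the failure royal describes when the client ends up asking the ZoneEdit-hosted nameserver.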