AD and File server on same machine

Hi

I'm learning server 2008. I'm doing the Train Signal tutorials on active directory for server 2008 (70-640).

Ive already set up active directory on 2 netbooks, and installed a file server on one of those. When I browse to it from another machine I notice Sysvol and Netlogon folders are shared. I was wondering if this is a security issue and is it OK to install a file server on the same machine with AD?

Thanks

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Hyper-Me

Its fine. Sysvol/Netlogon are shared once you make a machine a DC so that certain files (group policy, logon scripts, etc) can be downloaded by clients.

Infact, its on purpose that users have read access to these folders.

In larger environment, it would obvioulsy be ideal to seperate roles as best you can, but in situtations like SBS its perfectly OK.

crrussell3

As Hyper-Me said, its perfectly fine, especially in smaller environments. I work for a non-profit as a sys admin, and we have three sites, each with their own DC. These DC's also act as DNS, DHCP, File, and Print servers. They handle about 75-100 users each, and it works just fine.

Just make sure you harden your DC's and everything will be fine.

z0nk

OK thanks. Thats what I thought.

crrussell3, how do you mean harden?

Hyper-Me

z0nk wrote: »

OK thanks. Thats what I thought.

crrussell3, how do you mean harden?

Harden security wise.

MentholMoose

Just to make it clear, there are two issues. First, running a file server on a DC is fine, especially in smaller environments. Second, sysvol and netlogon are shared on a DC, which is required since clients need to obtain certain files from them. Even if you don't create additional file shares on a DC, sysvol and netlogon will still be shared.

dynamik

z0nk wrote: »

OK thanks. Thats what I thought.

crrussell3, how do you mean harden?

SCW, Security Templates, etc.

rwwest7

sysvol is where your GPO's will be stored. netlogon is where you keep your login scripts. Both these folders are replicated between all domain controllers in the domain. If you put a login script onto the share on one DC it will automagicaly appear on the other DC's.

RouteThisWay

z0nk wrote: »

OK thanks. Thats what I thought.

crrussell3, how do you mean harden?

No one jumped on this? Seriously? lol. TE is starting to disappoint

Talk about a softball!