AD and File server on same machine

z0nk Member Posts: 5
Hi

I'm learning Server 2008. I'm doing the Train Signal tutorials on Active Directory for Server 2008 (70-640).

I've already set up Active Directory on 2 netbooks, and installed a file server on one of those. When I browse to it from another machine I notice Sysvol and Netlogon folders are shared. I was wondering if this is a security issue and is it OK to install a file server on the same machine with AD?

Thanks

Comments

  • Hyper-Me Banned Posts: 2,059
    It's fine. Sysvol/Netlogon are shared once you make a machine a DC so that certain files (group policy, logon scripts, etc.) can be downloaded by clients.

    In fact, it's on purpose that users have read access to these folders.

    In a larger environment, it would obviously be ideal to separate roles as best you can, but in situations like SBS it's perfectly OK.
  • crrussell3 Member Posts: 561
    As Hyper-Me said, it's perfectly fine, especially in smaller environments. I work for a non-profit as a sys admin, and we have three sites, each with their own DC. These DCs also act as DNS, DHCP, File, and Print servers. They handle about 75-100 users each, and it works just fine.

    Just make sure you harden your DCs and everything will be fine.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • z0nk Member Posts: 5
    OK thanks. That's what I thought.

    crrussell3, how do you mean harden?
  • Hyper-Me Banned Posts: 2,059
    z0nk wrote: »
    OK thanks. That's what I thought.

    crrussell3, how do you mean harden?

    Harden security wise.
  • MentholMoose Member Posts: 1,525
    Just to make it clear, there are two issues. First, running a file server on a DC is fine, especially in smaller environments. Second, sysvol and netlogon are shared on a DC, which is required since clients need to obtain certain files from them. Even if you don't create additional file shares on a DC, sysvol and netlogon will still be shared.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • dynamik Banned Posts: 12,312
    z0nk wrote: »
    OK thanks. That's what I thought.

    crrussell3, how do you mean harden?

    SCW, Security Templates, etc.
  • rwwest7 Member Posts: 300
    sysvol is where your GPOs will be stored. netlogon is where you keep your login scripts. Both these folders are replicated between all domain controllers in the domain. If you put a login script onto the share on one DC it will automagically appear on the other DCs.
  • RouteThisWay Member Posts: 514
    z0nk wrote: »
    OK thanks. That's what I thought.

    crrussell3, how do you mean harden?

    No one jumped on this? Seriously? lol. TE is starting to disappoint

    Talk about a softball!
    "Vision is not enough; it must be combined with venture." ~ Vaclav Havel