Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Running other server roles on RODC [message #161622] Sun, 04 October 2009 02:22
Kathy
Messages: 58
Registered: September 2009
Member
MS has always recommended not to install any additional infra services (DHCP,
WINS, F&P etc.) on DCs, though they are doable technically. I want to know
if this recommendation is going to change with RODC?

While there is a list of supported applications on an RODC, I would like to
know the recommendation/security best practices on running multiple server
roles like DHCP, File and Print etc. on a branch RODC. What are the potential
risks of doing so?
Re: Running other server roles on RODC [message #161624 is a reply to message #161622] Sun, 04 October 2009 04:19
Meinolf Weber MVP-DS (Germany)
Messages: 129
Registered: July 2009
Senior Member
Hello Kathy,

No, not changed, doesn't matter if RWDC or RODC. If possible run DHCP server
role on a member server.

See for some details:
http://technet.microsoft.com/en-us/library/cc755190(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc725669(WS.10).aspx

Depending on the hardware it is load and performance. If you only use a C-drive
and need shares on it you have to configure permissions for domain users
directly on the system drive.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Running other server roles on RODC [message #161625 is a reply to message #161622] Sun, 04 October 2009 05:16
Marcin (United States)
Messages: 273
Registered: July 2009
Senior Member
Kathy,
the only role you should consider is DNS (assuming you are using
AD-integrated DNS). Recommendations haven't really changed - performance and
security concerns still apply - even though the latter has somewhat limited
scope thanks to features such as credential caching or unidirectional
replication...

hth
Marcin


Re: Running other server roles on RODC [message #161645 is a reply to message #161622] Mon, 05 October 2009 06:46
pbbergs (United States)
Messages: 1024
Registered: July 2009
Senior Member
I'm going to have to disagree with Meinolf and Marcin on this one. At
meetings with Microsoft they spoke about the need for sites having the
ability to do multiple tasks with a single machine and allowing a non-domain
admin to perform these chores. Microsoft still advocates placing as few
things on an RODC as possible, but they have recognized the predicament some
shops are in. That is why they provide the local admin on an RODC, to give
remote sites the ability to manage these specialized DCs w/o giving access
to the core AD services. These local admins are able to perform tasks such
as installing software on the RODC.


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.

Re: Running other server roles on RODC [message #161653 is a reply to message #161645] Mon, 05 October 2009 09:19
Jim (United States)
Messages: 1625
Registered: July 2009
Senior Member
Kathy, while technically it's possible to run most of the server roles on an RODC, it's about whether you want to do that. A list of supported applications can be found here: http://technet.microsoft.com/en-us/library/cc732790(WS.10).aspx


Whilst this topic has come up, can someone throw some light on the points below:
a. How do we handle Group Policy requirements for certain roles that are installed on an RODC?
b. Are there any security concerns in running any of the Windows Server roles (DHCP, WINS, etc.)?
c. I understand that in W3K the printing architecture utilizes user mode (Version 3). Version 3 mode only works with 2000 and XP clients. These clients render the jobs partially and then forward the job to the print server to finish the rendering of the job on the server; this type of print rendering is CPU intensive. Has anything changed in this regard in Windows Server 2008 RODC?
d. Any printer driver conflicts/issues may bring down the RODC.
I feel that a risk assessment should be done before moving forward in this direction.



Re: Running other server roles on RODC [message #162074 is a reply to message #161622] Wed, 14 October 2009 14:07
SubstituteThisWithMyF (Netherlands)
Messages: 85
Registered: October 2009
Member
RODCs are perfect for that

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
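
Added example, not part of any post in this thread: a PowerShell inventory of extra workloads on RODCs, as input for the risk assessment suggested above. It assumes RSAT (the ActiveDirectory and ServerManager modules), RODCs running Windows Server 2012 or later, and rights to query them remotely; the watched-role list and the default-share list are assumptions to adjust to local policy.

```powershell
# Added example, not from the thread. Assumes RSAT (ActiveDirectory and
# ServerManager modules), Windows Server 2012 or later on the RODCs, and
# rights to query them remotely.
Import-Module ActiveDirectory, ServerManager

# Roles the thread names as candidates for co-hosting on a branch RODC.
# DNS is left out on purpose: it is the one role the replies accept.
$WatchedRoles = 'DHCP', 'WINS', 'Print-Services'

# Shares every DC publishes by default; anything else means file serving.
$DefaultShares = 'SYSVOL', 'NETLOGON'

function Get-RodcExtraWorkload {
    foreach ($dc in Get-ADDomainController -Filter 'IsReadOnly -eq $true') {
        $finding = [ordered]@{
            RODC = $dc.HostName; Site = $dc.Site
            ExtraRoles = @(); ExtraShares = @(); Error = $null
        }
        try {
            # Installed roles from the watch list.
            $finding.ExtraRoles = @(
                Get-WindowsFeature -ComputerName $dc.HostName -Name $WatchedRoles -ErrorAction Stop |
                    Where-Object Installed | Select-Object -ExpandProperty Name)
            # Non-administrative shares beyond the DC defaults.
            $finding.ExtraShares = @(
                Get-SmbShare -CimSession $dc.HostName -Special $false -ErrorAction Stop |
                    Where-Object { $_.Name -notin $DefaultShares } |
                    Select-Object -ExpandProperty Name)
        } catch {
            # An unreachable RODC is reported, not silently skipped.
            $finding.Error = $_.Exception.Message
        }
        [pscustomobject]$finding
    }
}

# Show only RODCs that carry something beyond AD DS and DNS, or that failed.
Get-RodcExtraWorkload |
    Where-Object { $_.ExtraRoles -or $_.ExtraShares -or $_.Error } |
    Format-Table RODC, Site, ExtraRoles, ExtraShares, Error -AutoSize
```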