Archived from groups: microsoft.public.win2000.dns
<email@example.com> wrote in message
> Where should a server that is a Domain Controller, that also host
> Active Directory and DNS, be placed on a firewall?
Not on firewall machine at all.
Behind as many firewalls as practical.
> What if that server is the external DNS server?
It should not do both internal and external DNS.
A DC should almost never be publicly accessible
(there are some very few exceptions to this where.)
> Should a company have both an external and internal DNS server?
Yes. And for almost everyone the External DNS should
be left at (or returned to) the REGISTRAR (not the ISP
and not on the company's own DNS servers.)
> If so,
> should both of them be Active Directory Domain Controllers?
And if you break this practice, the DC should be internal or
hidden behind as many layers as are practical.
Is it possible to secure a DC on the Internet?
Yes, it is possible, but a simple experiment will show how
difficult that will be: Go to a DC and from an open command
Now, decide if you believe that you can secure all legitimate
access to all of those open ports and services, and if you are
willing to accept that none of those services are going to be
compromised by bugs or security holes that hackers can use
to attack your DC and thus your entire domain.
Recognize that losing a web server is bad, but losing control
of ALL of the resources and private information in your domain
is usually much worse.
(The very few exceptions to placing a DC on the Internet are
by those people who accept the loss of the information as
unimportant compared with the likelihood of it happening.)
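The "simple experiment" the reply describes, as an added example that is not part of the archived post: enumerate every TCP and UDP listener on a DC and label the ones a DC/DNS role is expected to expose. It uses Get-NetTCPConnection and Get-NetUDPEndpoint (Windows Server 2012 and later) rather than whatever command the original post named, and the port-to-role table is this example's own assumption of commonly documented DC ports, not an exhaustive or authoritative list. Run it in an elevated PowerShell session on the DC.

```powershell
# Added example, not code from the original post. Lists listening sockets on a
# Domain Controller with the owning process and a role label for ports a DC/DNS
# role normally exposes. The $KnownDcPorts map is an assumption for illustration.

$KnownDcPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog (SSL)'
    9389 = 'AD Web Services'
}

function Get-DcListener {
    # TCP sockets in LISTEN state plus every bound UDP endpoint.
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    foreach ($l in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $port = [int]$l.LocalPort
        [pscustomobject]@{
            Proto   = $l.Proto
            Address = $l.LocalAddress          # 0.0.0.0 or :: means every interface
            Port    = $port
            Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
            Role    = if ($KnownDcPorts.ContainsKey($port)) { $KnownDcPorts[$port] }
                      elseif ($port -ge 49152) { 'dynamic RPC range' }
                      else { 'other (investigate)' }
        }
    }
}

$listeners = Get-DcListener | Sort-Object Proto, Port
$listeners | Format-Table -AutoSize
"{0} listening sockets in total" -f ($listeners | Measure-Object).Count
```

Every row bound to 0.0.0.0 or :: is reachable from any interface the host has, so on an Internet-facing DC each of those rows is a service whose bugs become your problem; the rows labelled "dynamic RPC range" are the ephemeral ports that AD replication and many RPC clients use, which is why a DC cannot be reduced to a short fixed port list without further configuration.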