Active Directory security

Question

Possible Duplicate:
Can you help me with my software licensing question?

I want to setup Active Directory on a network consisting of 2 sites. Site 1 has 16 Windows computers, a 2003 Server exclusively used for file sharing, and a 2000 Server for SQL Server only. Site 2 has 4 Windows computers plus a 2000 Server for SQL Server only and a little file sharing. The 2 sites are linked by a VPN tunnel (watchguard Edge). No external services (e.g IIS) are needed.

I was thinking of using the 2003 Server as the AD server, but according to posts I've read, best practices dictate a server dedicated to AD. My main motivation for using AD is that the SQL Servers have sensitive data and I want to enforce account restrictions through AD.

Should I have a dedicated AD Server, and if so, can anyone explain how Microsoft licensing works when I just want to add a server? I think that I just need to purchase a server license and that my existing CAL's for the workstations (per computer) are sufficient.

Answer 1

Depends how much you trust your users and what kind of file sharing you got going on. You don't want free "wild west" file sharing on your DCs, so I would lock that part of it down with NTFS perms/GPOs and make sure you know what is going on there.

But that being said, Microsoft builds SBS to be all-in-one server, so by implication they are saying its ok to use a server for AD and file sharing at the same time, as along as proper security measures are in place.

I would also place the file sharing shares and AD/OS info (like sysvol) on different partitions from each other.

Given the numbers of users you have and assuming your user behavior and the type of files you would placing on the DCs are pretty standard, I think you wold be fine, especially if you are trying to pinch pennies.