We recently had an issue where a domain admin brought up a new domain controller for testing in the oregonstate.edu forest. This domain controller was placed in a private IP space that did not have the proper connectivity to the forest. In light of this behavior, we have established the following policies in regards to new domain controllers in the forest. This policy is to ensure that the actions of a domain admin do not affect the health of the entire forest.
New domain controllers that do not meet these requirements can be demoted or deleted from the directory.
- All new domain controllers will be placed in the domain controller context of the enterprise firewall.
- RPC will be limited to tcp ports 5000-5200.
- Domain admins will notify itconsult (at) oregonstate.edu prior to promotion in order verify that they are configured properly. Additionally, we require that you notify us after the promotion has completed so we can verify that your new DC is replicating properly, has the proper FSMO roles and is fully functional.
- The Windows firewall will be disabled.
- The promotion of a domain controller to a GC requires approval.
- Minimum hardware requirements:
- Server class hardware
- 2 GB of RAM
- Redundant power supplies
- Raid 1