Should Production Windows Web Servers (IIS & SQL) be in a domain?

Solution 1:

The Powers That Be can clarify things of course, but the entire Stack Overflow Network runs on IIS servers with an SQL back end in an Active Directory Domain. I'd say it works well.

  • added complexity - it's one more "thing" running, and doing "things" that could go wrong.

Sometimes adding complexity allows you to remove some. Especially if you're worried about scaling out, having a domain can greatly ease the work of adding servers, changing config, and any number of things. Group Policy and centrally administered scripts can do amazing things to ease your life.

  • risk - if a domain controller fails, am I now putting other machines at risk?

That's why you have two Domain Controllers, and don't make them reachable from the Internet. If someone penetrates your site, you're pretty much hosed anyway. This is why it's a very good idea to have your AD Domain be just for your application environment, if possible.

And finally, Microsoft designs their environment to work within AD. Inter-server communication is both easier and more secure when AD is involved to arbitrate authentication and encourage secure protocol usage.