none
Applying Domain controller policy to only one DC on a domain

    Question

  • We want to apply the Microsoft supplied group policy "MSFT Windows Server 2012 R2 Domain controller Baseline" to only 1 out of our 6 Server 2012 R2 Domain controllers. This server is also set-up as an RODC and is in a DMZ hence hardening.

    Some of the settings within this policy would seem to be applicable to a domain rather than an individual server (DC), even though they are listed under "Local Policies".

    The following are only some examples, there may be others.......

    Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Other

    • Domain member: Digitally encrypt or sign secure channel data (always)
    • Microsoft network server: Digitally sign communications (always)

    Computer Configuration, Policies, Windows Settings, Security Settings, Local Polices/Security Options, Domain Controller

    • Domain Controller: LDAP server signing requirements - Require signing

    Computer Configurati......, Local Policies/Security Options, Network Security

    • Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients (and Servers) - Require NTLMv2 session security and Require 128-bit encryption


    My question is - If we apply this group policy to one DC only, will it affect any other Domain wide communication e.g. PCs to other DCs, Member servers to other DCs, DCs to DCs etc? I understand that after policy application, the DC may not function properly and we will need to test it and potentially relax some of the settings but we cannot afford to risk the rest of the domain from being affected. We are particularly concerned with the forcing of Digitally signing or encypting communications.

    Can anyone help?

    

    
    Friday, December 12, 2014 12:25 PM

Answers

  • If configured incorrectly the policy might disable communication from or to the dc.

    That being said, I think you are pretty safe applying the listed policy items.


    MCP/MCSA/MCTS/MCITP

    Friday, December 12, 2014 1:59 PM