NedPyle, this might be slightly off topic. What does this role do for security? For sure less is more.
The challenge I face is the following. When enabling DFS namespaces on a domain controller, it automatically enables the File Server role as well. If you wonder why you would install DFS namespaces on a DC, the answer is that it comes from MS guidance on this topic: "Server Hosting Domain-Based Namespaces ==> Must be a member server or domain controller in the domain in which the namespace is configured. (This requirement applies to every namespace server that hosts a given domain-based namespace.)"
The challenge I now encounter is that it is considered a best practice NOT to run anything else on a DC than AD and AD-integrated DNS, and I was hoping to potentially add Domain-Based Namespaces. The process is relatively light and we need a DC in each location anyways, especially as no specific system requirements are given for DFS namespaces. On a DC, the netlogon folder access requires SMB to be opened up (445/TCP), and DFS-R is used to replicate the netlogon with other DCs, so enabling the File Server role does not seem to dramatically change the setup other than triggering some flags in the security community... file server on a DC.. No Way!!
So assuming that we will not turn this DC into a file server, does the File Server role further reduce security for a DC when installing the DFS namespaces and thus the File Server role?