Dilemma: IAS on DC or IAS on separate server?

Discussion in 'Active Directory' started by Gabriel/TFI, Aug 29, 2007.

  1. Gabriel/TFI

    Gabriel/TFI Guest

    We're going to implement a WPA/TKIP/EAP-TLS infrastructure to support secure
    wireless connectivity in a corporate environment (around 3.000 users spread
    over 30 sites).

    We have DCs at 2 hubs (US & EU) and some DCs at bigger remote sites (>50
    users).

    The question: is it better to install IAS on a separate machine or onto the
    existing DCs?
    What's the best practice/recommendation?

    Thanks,
    Gabriele
     
    Gabriel/TFI, Aug 29, 2007
    #1

  2. Gabriel/TFI

    Jorge Silva Guest

    Jorge Silva, Aug 29, 2007
    #2

  3. I know a little bit about IAS and from what little I know, IAS is best on
    its own box. It is a security platform to manage security. Best to be all
    alone. I never ever put anything else on a DC as well.
     
    Paul Bergson [MVP-DS], Aug 29, 2007
    #3
  4. Gabriel/TFI

    Wayne Tilton Guest

    To add to that, if you install IAS on a DC, the IAS operators will need to
    be Domain Admins because of the way IAS works (or at the least, have logon
    rights to the DCs and muck with the perms on the IAS files). That is a big
    security risk IMHO.

    HTH,
    Wayne Tilton
     
    Wayne Tilton, Aug 29, 2007
    #4
  5. Gabriel/TFI

    Gabriel/TFI Guest

    I personally agree with Wayne and Paul, that's why I was pretty impressed to
    read MS article "IAS Best Practices" posted by Jorge:
    "To effectively balance the load of either a large number of authorizations
    or a large volume of RADIUS authentication traffic (such as a large wireless
    implementation using certificate-based authentication), install IAS as a
    RADIUS server on all of your domain controllers".

    Thanks to everybody, but my dilemma is not solved yet... :-(

    Gabriele
     
    Gabriel/TFI, Aug 29, 2007
    #5