KMS and Server Isolation clarification
I have implemented KMS on a Windows 2008 R2 member server according to the information in the following document (Using Server Isolation to Protect the Key Management Service (KMS)) and everything is functioning perfectly.
Can someone explain the technical reasons for the following statement in the document? Are they just saying it is best practice to use MAK for domain controllers to prevent a service outage or is there another reason?
"Restricting the Scope of the Policy
This policy should only be applied by Windows Vista and Windows Server “Longhorn” computers. Additionally, it should never be applied by Active Directory
Domain Controllers. This step sets the appropriate permissions and WMI filters to enforce this scope."
Dave
December 10th, 2010 8:15am
Hi,
The statement clarifies that this policy should not be applied by AD DCs. Because the policy only requires authentication for communications initiated
from the KMS clients to the KMS hosts. The KMS hosts will still be able to initiate communications to any host on the network, including Domain Controllers and DNS servers. To restrict the group policy from being applied by DCs, the Enterprise Domain Controllers
group is added and denied the Apply Group Policy permission.
Best Regards
Dale
December 12th, 2010 10:22pm
Thank you for the clarification.
Dave
December 18th, 2010 6:19am