
Joining OCS Edge Servers to an Internal Domain

September 19, 2009

All OCS Edge servers have been designed to have no dependency on membership of an AD domain. OCS Edge servers can therefore be run either as servers in a workgroup or as members of a domain.

The Edge Server deployment guide recommends:

    “Deploy edge servers in a workgroup rather than a domain. Doing so simplifies installation and keeps the Active Directory® Domain Services out of the perimeter network. Locating Active Directory in the perimeter network can present a significant security risk.”

This follows the best practice of not joining servers in a perimeter network to an internal domain or forest. On the other hand, the traditional rigid model of a tightly cordoned DMZ is being replaced by a per-server or per-service risk analysis, leading to a security implementation tailored to that server and to the risks associated with an outage or other type of intrusion.

Note that the service accounts and administrative accounts used on the OCS Edge servers are intended to be machine-local accounts, which further reduces the chance of intrusion.

Advantages and disadvantages

When considering membership of the internal xxx.contoso.com domains, the benefits and disadvantages include:

Some advantages of member servers in a perimeter zone

  • Smaller local SAM database on each server
    • Less password maintenance
    • Generally leads to better passwords and better password maintenance
    • Only a few local accounts, with very long and very complex passwords, need to exist
      (as they will not be used during normal operation)
  • Patch management can be done via the same mechanisms as for other internal servers.
    This is a very limited advantage, as perimeter servers, including OCS Edge servers, should generally be under a different update regime or policy than internal servers.
  • Smart-card logon for server management is possible.

Some disadvantages of member servers in a perimeter zone

  • Additional procedures and security precautions are needed to make sure non-DMZ personnel (for example, internal domain administrators) cannot access DMZ servers
  • More ports must be opened in the inner firewall (towards the domain controllers) than for non-domain members
  • It is harder to separate hostile traffic coming from a compromised server from legitimate traffic, as all member servers frequently connect to the internal domain controllers anyway

Technical Limitations

With regard to domain membership of OCS Edge servers, there are no limitations on the functions of any of the OCS Edge server roles.


Microsoft will support OCS Edge servers in a deployment model where they are joined to the Contoso internal domain.

To assure secure operation of the system, the additional risk should be balanced with additional security measures, some of which are already in place in the Contoso perimeter network and in the OCS architecture and design for Contoso:

  • Make sure the patch management process is well implemented for all OCS Edge servers.
    This should include an option to deploy security updates with priority to systems in the perimeter network.
  • Scan the systems for intrusion, or use a more holistic intrusion detection system.
  • Implement OCS Director servers in the internal Contoso network to place an additional authentication layer between the Edge servers and the OCS pool servers.
  • Use machine-local service accounts with complex passwords.
  • Store and maintain the configuration of all Edge servers in a secure location to facilitate a correct and rapid rebuild in case of suspicious activity.
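As an added check, not taken from the original post or from the OCS team blog, the following PowerShell script audits an Edge server against two of the points above: the extra inner-firewall ports a domain member needs towards its domain controllers (the disadvantage listed earlier), and the requirement that services run under machine-local accounts with well-maintained passwords. It uses only WMI, ADSI and .NET sockets, so it runs on PowerShell 2.0 on a 2009-era server. The domain controller addresses are assumed values to be replaced with your own, and the port list is a representative set of AD member-server ports (the dynamic RPC range is not probed); the exact set required in your environment may differ.

```powershell
# Added audit script (example, not the original post's or the OCS team's code).
# Assumptions: run as a local administrator on the Edge server, PowerShell 2.0 or later.
# $DomainControllers holds assumed addresses; replace with the real internal DCs.
$DomainControllers = @("10.1.0.10", "10.1.0.11")

# Representative ports a domain member must reach on its DCs through the inner firewall.
# A workgroup Edge server needs none of these, which is the disadvantage discussed above.
# (Assumed representative list; the dynamic RPC range is intentionally not probed.)
$InnerFirewallPorts = @{
    53   = "DNS (when the DCs are also DNS servers)"
    88   = "Kerberos"
    135  = "RPC endpoint mapper"
    389  = "LDAP"
    445  = "SMB (group policy, SYSVOL)"
    464  = "Kerberos password change"
    636  = "LDAPS"
    3268 = "Global catalog"
}

# Workgroup or domain member? Win32_ComputerSystem.Domain holds the workgroup
# name when PartOfDomain is $false and the domain FQDN when it is $true.
function Get-DomainMembership {
    $cs = Get-WmiObject Win32_ComputerSystem
    New-Object PSObject -Property @{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
    }
}

# TCP connect test with a timeout, so a blocked port does not stall the script.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One row per DC and port: shows exactly which inner-firewall holes domain
# membership depends on (and which are currently open from this host).
function Test-InnerFirewallPorts {
    foreach ($dc in $DomainControllers) {
        foreach ($port in ($InnerFirewallPorts.Keys | Sort-Object)) {
            New-Object PSObject -Property @{
                DomainController = $dc
                Port             = $port
                Purpose          = $InnerFirewallPorts[$port]
                Open             = Test-TcpPort -ComputerName $dc -Port $port
            }
        }
    }
}

# Services whose logon account is neither built-in nor machine-local.
# On an Edge server this list should be empty.
function Get-NonLocalServiceAccounts {
    $computer = $env:COMPUTERNAME
    Get-WmiObject Win32_Service |
        Where-Object {
            $_.StartName -and
            $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT Service\\)' -and
            $_.StartName -notmatch "^(\.|$computer)\\"
        } |
        Select-Object Name, StartName, State
}

# Local SAM accounts with password age, via the ADSI WinNT provider.
# PasswordAge is reported in seconds; UserFlags bit 0x2 is ADS_UF_ACCOUNTDISABLE.
function Get-LocalAccountPasswordAge {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name            = $_.Name[0]
                PasswordAgeDays = [math]::Round($_.PasswordAge[0] / 86400, 1)
                Disabled        = [bool]($_.UserFlags[0] -band 2)
            }
        }
}

Get-DomainMembership          | Format-List
Test-InnerFirewallPorts       | Format-Table -AutoSize
Get-NonLocalServiceAccounts   | Format-Table -AutoSize
Get-LocalAccountPasswordAge   | Format-Table -AutoSize
```

Run it once from a workgroup Edge server and once from a domain-joined one: on the workgroup server every probed port towards the DCs can legitimately be closed on the inner firewall, while on the member server the same ports must be open, which is the traffic that the disadvantages list says is hard to tell apart from a compromised host. Any row in the non-local service account table, or a local account whose password age runs to years, is a direct finding against the mitigation list above.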

Taken from, and courtesy of, the OCS team blog: http://communicationsserverteam.com/archive/2007/12/11/36.aspx
