Domain and Domain Controller Policy

• Must deploy a minimum of 2 domain controllers and not more than 3
• Must have physically-secure domain controllers
• Must have trustworthy and competent staff as domain administrators. Domain admin account privileges should go only to UW staff, who are accountable to federal and state laws, as well as UW administrative policy.
• Must promptly patch all domain controllers
• Must service pack all domain controllers within a reasonable period
• Will notify Forest email list of any extended (24+ hours) domain controller outage or security compromise.
• Must not run any unnecessary services/applications on a domain controller. Examples include:
  • Simple TCP/IP Services
  • SNMP Trap
  • SNMP Monitor
  • SMTP
  • IIS
  • FTP
• A domain controller compromise may necessitate a complete domain rebuild.
• All domain trust external to the forest must have sidfiltering enabled.
• Must apply the Required Group Policy settings to ensure baseline security
• "managedBy" contact information must be populated on domain and DC objects in Active Directory
• Must not inhibit connectivity between your Domain Controllers and all other Domain Controllers in the forest, i.e. any firewall must not inhibit forest operational functionality.