ADAM runs as network service if installed on DC (NETIQKB70474)

  • 7770474
  • 03-Jul-2007
  • 08-Feb-2011

Environment

Directory and Resource Administrator 8.x

Situation

ADAM runs as network service if installed on DC.

What are some reasons not to install DRA 8.x versions on a domain controller?

Is it recommended or 'best practice' to install DRA 8.x versions on domain controllers?

Resolution

If DRA 8.x versions are installed on domain controllers as opposed to member servers, one specific item to note is that the ADAM service (instance) will run under the credentials of the Network Service account instead of the DRA service account.

There is a Microsoft Technet article that recommends to run ADAM under an AD account that does not have administrative priviledges in that situation.

http://technet2.microsoft.com/windowsserver/en/library/db9893df-3209-4b66-8a68-a17d9bbbd56d1033.mspx?mfr=true


To help maintain ADAM replication security, the following best practices are recommended:

  • Use the highest level of replication security that your environment can support.
  • In Active Directory environments, run ADAM on member servers, rather than on domain controllers, whenever possible.
  • If you run ADAM on a domain controller in an Active Directory environment, do not use the Network Service account as the ADAM service account. Instead, use a domain user account that does not have administrative privileges.
  • In workgroup and Windows NT 4.0 environments, do not use an account with administrative privileges as an ADAM service account.
  • Use separate configuration sets for applications with strict isolation requirements.

Additional Information

Formerly known as NETIQKB70474

See the Microsoft article below for general advice on installing applications on domain controllers.  While it can be done, even Microsoft recommends for security and performance that additional applications on domain controllers be avoided. This would apply to most any software (Security Protection, Management, Backup, etc.) which would include DRA.

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/a373e5d4-de7a-4eaf-8eac-d30044d9b769