Well, speaking as a guy who works for a company that, until earlier this year, had external ips for every...single...computer...in the whole company. I mean, the crappy pc in the break room? External ip. Junky laser printer in an office that hasn't been used in 5 years? External ip. Gotta get your money's worth out of that /16 block...
This is not a problem...There is nothing inherently wrong with having an externally routable ip...Hell, ip6 is based on the idea that that is the right way to do things. The real question is how much protection do you have on that machine? Because a domain controller is a fragile beast, and it shouldn't be allowed to play on the internet unsupervised. If it's compromised, your whole domain is compromised, all trusts are compromised, it's just a nightmare.
So make sure it's got plenty of firewalls and filters, and don't worry about the external ip.
All of our internal systems use public addresses. If you're concerned about network exposure, you may be more interested in the firewall. Even with a private IP, it is still possible for a rule to exist that allows traffic that should not be exposed to the internet.
One possibility is that someone wants AD public facing for authentication or directory services. If it's a machine on an internal network then my argument is that it's either a colossal mistake or an incompetent firewall admin.
A little more explanation of your environment would help to give better answers, unless you're wondering just in general.
I assume by a public IP you mean an externally routable IP, so accessible from the internet.
A domain controller does not have to have a public IP, and it is best that it does not. Your domain controller is the directory of all the user and computer accounts on your network and should be kept as secure as possible. Keeping your DC off the public network is one way to help that.
Obviously, this is not always possible. Many small companies have a single server doing everything for them (such as Small Business Server) and if that is the case then they may need to have a DC with a public IP.
What Sam and Squillman said. If the setup is sane, it is possible that the DC is also running your public DNS in which case you want just those services opened up on the firewall. I would still keep the entire thing not exposed though and just set up a second bind server or something myself.
Also, the server itself having a public IP seems odd, normally it would have a private IP and would be NAT'd to I think.
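An added check, not code from any poster in this thread, for the point made in the answers above: given a first-match firewall rule list for a DC sitting on a public address, it reports which AD service ports are reachable from an internet source, so the "only DNS is open" intent can be verified against the actual rules. The rule format, the probe address and both rule sets are constructed for this example.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Ports a Windows domain controller normally listens on (well-known values).
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 636: "LDAPS", 3268: "Global Catalog",
}


class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # source CIDR the rule matches
    port: Optional[int]   # destination port, None = any port


def first_match(rules: List[Rule], src_ip: str, port: int) -> str:
    """Evaluate a first-match rule list; anything unmatched is denied."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in ipaddress.ip_network(r.src) and (r.port is None or r.port == port):
            return r.action
    return "deny"


def internet_exposed_ports(rules: List[Rule], probe_ip: str = "198.51.100.7") -> List[int]:
    """AD ports reachable from a constructed internet address (documentation range)."""
    return sorted(p for p in AD_PORTS if first_match(rules, probe_ip, p) == "allow")


# Constructed rule set: DC with a public address that should serve only DNS externally.
INTENDED = [
    Rule("allow", "0.0.0.0/0", 53),      # public DNS, as discussed in the thread
    Rule("allow", "10.0.0.0/8", None),   # internal clients may use every AD service
    Rule("deny", "0.0.0.0/0", None),
]

# Constructed rule set showing the mistake the thread warns about: an over-broad
# allow placed above the final deny makes LDAP, SMB, Kerberos etc. reachable.
LEAKY = [
    Rule("allow", "0.0.0.0/0", 53),
    Rule("allow", "0.0.0.0/0", None),
    Rule("deny", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("intended", INTENDED), ("leaky", LEAKY)):
        exposed = internet_exposed_ports(rules)
        print(name, [f"{p}/{AD_PORTS[p]}" for p in exposed])
```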