Domain Controlled Networks and Management Servers

Trent Peters from Umbrella Medical Systems added an interesting comment on my previous post about Domain Controlled Networks and HIPAA that I thought really added to my original post. Plus, Trent goes into a nice list of other benefits of having a “Management” server in an office. It gets a little technical for some of my readers I’m sure, but is valuable if your office is embarking on this adventure.

Here’s Trent’s comment:

This is an interesting question and can be argued either way, but again it comes down to what’s “reasonable and appropriate”. A little background: my company is an IT consultant group that works specifically in the healthcare arena offering services to medium-sized and small healthcare organizations, and we have plenty of EMR implementation experience. Over 95% of our clients are in a domain environment and we always push for an Active Directory environment if one is not present. However, in the small offices (1–2 providers) this can be difficult because of the initial cost and the fact it’s “server” based. Many small offices will choose a “hosted” EMR solution for the low up-front cost, and adding on the extra 5–7K is not a valid option as the cost outweighs the benefits (from their perspective). The other 5% simply do not have the same security and manageability as the domain environments.

Any networks Security solution is only as strong as the weakest link. While not having a domain controller doesn’t necessarily equate to not being HIPAA compliant, it sure helps secure the environment to IT best practices. We call the Domain / Active Directory server the “Management” server because it provides more functions than just AD. For instance, WSUS patch management to make sure all computers have the latest security patches and don’t have the updates that may conflict with the EMR (some EMR software is not compatible with IE8 or SQL 2005 SP3, etc.); centralized backup and client folder redirection for non-EMR critical data; a centralized monitoring platform for servers (hardware + software), workstations, UPS, networks, VPN, etc.; and centralized antivirus protection, which is also important to notify the support team of malicious software and vulnerabilities. Group Policy is a big part of the overall security and can manage (if properly configured) all aspects of the network including password policies, computer and user permission rights, power settings, audit controls, etc. There are many benefits to a DC / Management server, and it is the choice to achieve IT best practices (I believe MS recommends 3+ computers to be on a domain environment, although this is aggressive).

It’s nice to be able to bundle server roles (such as SQL or FAX) in order to justify the management server, but generally it comes down to cost. We hold our HIT practices to the highest standard, so our rule is that if the organization has +5 computers, you must have a Domain Controller / Management Server in order to qualify for our full support program. We can’t justify the extra effort required to properly manage the environment without it. In those rare cases where a small organization chooses to not invest in a Domain Controller when we feel it’s required, then unfortunately we wish them the best of luck and turn down their business.

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Quote from above: “Any networks Security solution is only as strong as the weakest link.”

    No offense to Mr. Peters, but most people equate “weakest link” with Windows. While OK to use for client computers, I would never recommend using a Windows server. Windows is simply too fragile (and proprietary) to entrust with server duties. And while “Active Directory” has some notable features, it is proprietary and quite weak on security.

    I would not buy or recommend a server solution not based on Unix or Linux, with Apache as the web server software foundation. (As a side benefit for Unix/Linux EMR developers, the tools are all included to develop a robust product — be it in C, Java, Perl, Ruby, PHP, whatever — and one generally doesn’t have to pay extra for procuring such tools as one does for Windows.)

  • David,
    Windows can be secured nicely and is a viable solution. Plus, when you look at the cost of a server with Windows Small Business Server on it, it’s quite cheap these days. At least for a small practice. The bundles they have are really a quite amazing price.

    Plus, I’d rather have a Windows server in an office where someone has no expertise than a Linux server with Apache in an office where someone has no expertise. Windows servers have their weaknesses, but a poorly secured Linux box is even more of a hacker’s playground than any Windows box ever could be.

    With 2 highly technical people both securing the boxes, I’d take Linux over Windows. However, where someone has little expertise, Windows is likely the more secure solution. Crazy to consider I know, but it’s true.
