Managing Domain Controllers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Managing domain controllers involves the following tasks:

  • Create an additional domain controller in an existing domain. Preparation for this task includes gathering information and configuring the TCP/IP and Domain Name System (DNS) client settings. You can use the following methods to install Active Directory to create an additional domain controller in an existing domain:

    • Run the Active Directory Installation Wizard, and use Active Directory replication to create the Active Directory replica and File Replication Service (FRS) replication to create the System Volume (Sysvol) replicas.

    • Run the Active Directory Installation Wizard, and use restored system state backup media to create the Active Directory and Sysvol replicas.

    • Create an answer file and use the Unattend.txt file to provide the information that the Active Directory Installation Wizard requires.

  • Perform tests to verify that Active Directory is properly installed and the domain controller is functioning.

  • Add domain controllers to remote sites. When you prepare and ship an additional domain controller to a remote site, you can either install the domain controller before shipping or install the domain controller in the remote site.

    • When you install a domain controller in a hub site or staging site before shipment, you must disconnect the domain controller for a period, which requires careful preparation. When you reconnect the domain controller, Active Directory replication brings the domain controller up to date.

    • When you install the domain controller in the remote site, you can use a restored system state backup to avoid having to replicate Active Directory over a wide area network (WAN) link.

  • Remove Active Directory from (decommission) a properly functioning domain controller. This task includes first removing operations master roles (also known as flexible single-master operation (FSMO) roles) and the global catalog, if necessary.

  • Force the removal of a nonfunctioning domain controller from a domain. If a domain controller is not functioning properly on the network, the Active Directory Installation Wizard cannot contact other domain controllers and DNS servers that are required for Active Directory removal. In this case, a special version of the wizard can be invoked to forcefully remove objects that represent the server as a domain controller from Active Directory.

  • Rename a domain controller. You can now rename a domain controller without removing Active Directory. New functionality is available in the Netdom tool when the domain functional level is Windows Server 2003. This new functionality provides better preparation for DNS and service recognition of the new domain controller name. You can also use System Properties, which does not require a domain functional level and does not provide the same preparation, but which relies solely on replication to update the domain controller DNS name and service principal name (SPN). This method can result in a longer delay before clients can use the renamed domain controller.

In addition, to protect domain controllers from infection by viruses that can corrupt directory data or cause software or hardware failure, an integral step in installing any domain controller is to install antivirus software.

Managing Antivirus Software on Domain Controllers

Because domain controllers provide critical services to their clients, it is crucial to minimize the risk of disruption of these services caused by malicious code.

Antivirus software is the generally accepted way to mitigate the risk of such malicious activity. However, one cannot simply install antivirus software (from any vendor) on a domain controller and tell it to scan everything. Instead, it must be installed in a manner that reduces the risk as far as possible without interfering with the domain controller's ability to perform its directory service duties.

Installing effective antivirus software on domain controllers minimizes the risk that their activities will be disrupted by malicious code.

Guidelines for Managing Antivirus Software on Domain Controllers

Follow the guidelines established by your antivirus software vendor.

Note

Verify that the antivirus software you are adding is confirmed to work on domain controllers.

The following recommendations are general and should not be construed as more important than the specific antivirus software vendor’s own recommendations. These guidelines must be followed for correct Active Directory and FRS operation.

Note

Test the chosen antivirus software solution thoroughly in a lab environment to ensure that the software does not compromise the stability of the system.

  • Antivirus software must be installed on all domain controllers in the enterprise. Ideally, such software should also be installed on all other server and client systems that have to interact with the domain controllers. It is best to catch the virus at the earliest point, at the firewall or on the client system where it is first introduced, because that prevents the virus from ever reaching the infrastructure systems on which all clients depend.

  • Use a version of antivirus software that is confirmed to work with Active Directory and uses the correct APIs for accessing files on the server. Older versions of most vendors’ software inappropriately modified file metadata as it was scanned, causing the FRS replication engine to think the file was changed and to schedule it for replication. Newer versions prevent this problem. For more information about antivirus software versions and FRS, see article 815263, "Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service" in the Microsoft Knowledge Base on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=4441), and see the vendor-specific sites for compliant versions.

  • Prevent the use of domain controller systems as general workstations. Users should not be using a domain controller to surf the Web or perform any other activities that could allow the introduction of malicious code.

  • When possible, do not use the domain controller as a file sharing server. Virus scanning software must be run against all files in those shares and could place an unsatisfactory load on the processor and memory resources of the server.

Known Issues with McAfee VirusScan 8.0 Antivirus Software

McAfee VirusScan version 8.0 is known to cause problems when it is installed on a domain controller. Patching levels for McAfee VirusScan might also affect domain controller performance. If you have installed McAfee VirusScan version 8.0 on a domain controller, make the following changes:

  1. Disable the Buffer Overflow Protection feature in the VirusScan Console. Buffer Overflow Protection is intended to be used on workstations only and might cause problems if used on a computer in a server role with a high I/O load.

  2. Disable the following driver:

    File name and location: C:\Windows\System32\Drivers\mfetdik.sys

    Company name: McAfee, Inc.

    File description: Anti-Virus Mini-Firewall Driver

    The driver is known to cause system crashes. To reduce complexity and increase system reliability, perform the following steps to disable the Anti-Virus Mini-Firewall Driver MVSDTi5x.SYS on servers:

    1. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\naiavtdi1.

    2. Set Start to a value of 4, which is disabled.
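The same change scripted in PowerShell, as an added example that is not part of the original article: it records the driver's current Start value before changing it, sets Start to 4 (disabled), and confirms the write took effect. The script assumes PowerShell is available on the server and is run from an elevated session; the registry key name is the one the steps above give.

```powershell
# Added example (not from the original article). Disables the McAfee
# Anti-Virus Mini-Firewall driver by setting its service Start value to 4.
# Start values for a service key: 0=boot, 1=system, 2=auto, 3=manual, 4=disabled.
# The driver stays loaded until the server is restarted.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\naiavtdi1'

if (-not (Test-Path $key)) {
    throw "Service key $key not found; the driver does not appear to be installed."
}

# Keep the previous value so the change can be reverted if needed.
$before = (Get-ItemProperty -Path $key -Name Start).Start
Write-Host "naiavtdi1 Start was $before"

Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord

# Verify rather than assume: a policy or the AV product itself could reset the value.
$after = (Get-ItemProperty -Path $key -Name Start).Start
if ($after -ne 4) {
    throw "Start value is $after after the change; expected 4 (disabled)."
}
Write-Host "naiavtdi1 Start is now $after (disabled); restart the server to unload the driver."
```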

Files Not at Risk of Infection

Exclude the following files and folders from being scanned. These files are not at risk of infection and including them could cause serious performance problems due to file locking and excessive replication between domain controllers. Furthermore, they may cause Active Directory and FRS to work improperly, causing Active Directory or FRS data loss. Where a specific set of files is identified by name, exclude only those files rather than the entire folder. In some cases, the entire folder must be excluded.

Do not exclude any of these based on the file name extension (that is, do not exclude all files with a .dit extension). Microsoft has no control over other files that might choose to use the same extension as those shown here. AV software must not modify any data files in the logs, database, and/or DSA working directories specified below.

  • Main NTDS database files. The location of these files is specified in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File

    Default location is %windir%\ntds

    The file to exclude is: NTDS.dit

  • Active Directory transaction log files. The log directory on any given server is specified in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path

    Default location is %windir%\ntds.

    The specific files to exclude are:

    • EDB*.log (notice the wildcard—there can be several)

    • RES1.log

    • RES2.log

  • NTDS Working folder specified in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory

    Specific files to exclude are:

    • TEMP.edb

    • EDB.chk

  • SYSVOL. Use the following table for folders and files to scan or exclude:

    Folder or File                                                        Scan or Exclude
    %systemroot%\SYSVOL                                                   Exclude
    %systemroot%\SYSVOL\domain                                            Scan
    %systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory   Exclude
    %systemroot%\SYSVOL\domain\policies                                   Scan
    %systemroot%\SYSVOL\domain\scripts                                    Scan
    %systemroot%\SYSVOL\staging                                           Exclude
    %systemroot%\SYSVOL\staging areas                                     Exclude
    %systemroot%\SYSVOL\sysvol                                            Exclude

  • FRS Working Directory specified in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory

    Files to exclude:

    • <FRS Working Directory>\jet\sys\edb.chk

    • <FRS Working Directory>\jet\ntfrs.jdb

    • <FRS Working Directory>\jet\log\*.log

  • FRS Database Log files specified in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\DB Log File Directory

    Default location is %windir%\ntfrs (the FRS working directory).

    Files to exclude:

    • <FRS Working Directory>\jet\log\*.log (if registry entry is not set)

    • <DB Log File Directory>\log\*.log (if registry entry is set)

  • FRS Replica_root files specified in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\<GUID>\Replica Set Root

  • Staging directory found in:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\<GUID>\Replica Set Stage

  • FRS Preinstall directory located at:

    <Replica_root>\DO_NOT_REMOVE_NtFrs_PreInstall_Directory.

    The Preinstall directory is always open exclusively when FRS is running.
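Because the database, log, and working locations above are read from the registry, the exclusion list should be generated from the registry on each domain controller rather than copied from the defaults. The following PowerShell script is an added example, not part of the original article: it reads the NTDS and NtFrs parameters named above, builds the list of exact files and folders to exclude, refuses any extension-wide pattern, and reports which entries exist on disk. It assumes PowerShell is installed on the domain controller and the session is elevated. Where the article lists the FRS replica root among the exclusions while the SYSVOL table marks %systemroot%\SYSVOL\domain (the usual replica root) as Scan, the script follows the table and excludes only the staging path and the preinstall directory beneath each replica root.

```powershell
# Added example (not from the original article). Builds the antivirus
# exclusion list for this domain controller from the NTDS and NtFrs registry
# values, so the list tracks the configured paths instead of assuming defaults.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

# Returns a registry value, or $null when the value is absent. The $null case
# is what "if registry entry is not set" means for the FRS DB log directory.
function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$exclude = New-Object System.Collections.Generic.List[string]

# Active Directory database, transaction logs and working files.
# Only the named files are excluded, never a whole folder or an extension.
$dit     = Get-RegValue $ntds 'DSA Database File'
$logDir  = Get-RegValue $ntds 'Database Log Files Path'
$workDir = Get-RegValue $ntds 'DSA Working Directory'
if (-not ($dit -and $logDir -and $workDir)) {
    throw 'NTDS parameters not found; this server does not look like a domain controller.'
}
$exclude.Add($dit)
foreach ($f in 'EDB*.log', 'RES1.log', 'RES2.log') { $exclude.Add((Join-Path $logDir  $f)) }
foreach ($f in 'TEMP.edb', 'EDB.chk')               { $exclude.Add((Join-Path $workDir $f)) }

# SYSVOL: the staging folders and the preinstall directory are excluded;
# domain\policies and domain\scripts stay in scope for scanning.
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'
foreach ($d in 'staging', 'staging areas', 'sysvol',
               'domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory') {
    $exclude.Add((Join-Path $sysvol $d))
}

# FRS jet database, checkpoint and logs. The DB log directory falls back to
# the FRS working directory when the registry value is not set.
$frsWork = Get-RegValue $frs 'Working Directory'
if (-not $frsWork) { throw 'NtFrs Working Directory not set; FRS does not appear to be configured.' }
$exclude.Add((Join-Path $frsWork 'jet\sys\edb.chk'))
$exclude.Add((Join-Path $frsWork 'jet\ntfrs.jdb'))
$frsLog = Get-RegValue $frs 'DB Log File Directory'
if ($frsLog) { $exclude.Add((Join-Path $frsLog  'log\*.log')) }
else         { $exclude.Add((Join-Path $frsWork 'jet\log\*.log')) }

# Per-replica-set staging and preinstall directories (one subkey per GUID).
Get-ChildItem "$frs\Replica Sets" -ErrorAction SilentlyContinue | ForEach-Object {
    $root  = Get-RegValue $_.PSPath 'Replica Set Root'
    $stage = Get-RegValue $_.PSPath 'Replica Set Stage'
    if ($root)  { $exclude.Add((Join-Path $root 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory')) }
    if ($stage) { $exclude.Add($stage) }
}

# Guard against the mistake the article warns about: no exclusion may be a
# bare extension pattern such as *.dit or *.log.
$bad = $exclude | Where-Object { $_ -match '^\*\.[A-Za-z0-9]+$' }
if ($bad) { throw "Refusing extension-wide exclusions: $bad" }

# Report each entry with whether it exists, so typos and stale paths stand out
# before the list is entered into the antivirus console.
$exclude | Sort-Object -Unique | ForEach-Object {
    $state = if ($_ -match '\*') { 'pattern' } elseif (Test-Path $_) { 'present' } else { 'MISSING' }
    '{0,-8} {1}' -f $state, $_
}
```

Entries reported as MISSING are worth a second look before they are entered: a missing NTDS path usually means the registry value was moved and the default was assumed somewhere else, while a missing FRS staging path is normal on a server where that replica set has not yet been initialized.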

The following tasks for managing domain controllers are described in this objective: