I have seen a lot of people installing a file server antivirus on domain controllers, which is actually a good idea, but my question is: "What are the best practices for installing antivirus on domain controllers?" As we all know, domain controllers are very critical for a lot of activities, especially when they have the DNS role installed on them. There are some critical files which should be excluded from the antivirus on the domain controllers to improve both performance and security.
Turn off scanning of Active Directory folder and related files
The default location is %windir%\Ntds. Specifically, exclude the following files:
- EDB*.log
- Res*.log
- Res*.jrs
- Ntds.pat
- Ntds.dit
Note: Windows Server 2003 does not use the Ntds.pat file.
Turn off scanning of SYSVOL files
The current location of the Sysvol\Sysvol folder and all its subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol folder uses the following location:
%systemroot%\Sysvol\Sysvol
Exclude the following files from this folder and all its subfolders:
- *.adm
- *.admx
- *.adml
- Registry.pol
- *.aas
- *.inf
- Fdeploy.inf
- Scripts.ini
- *.ins
- Oscfilter.ini
Turn off scanning of DNS files
By default, DNS uses the following folder:
%systemroot%\System32\Dns
Exclude the following files from this folder and all its subfolders:
- *.log
- *.dns
- BOOT
Note: Instead of excluding the individual files, I would suggest excluding the folders the files are listed under, for granular settings.
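The folder-based approach from the note above, as an added example that is not part of the original post: it reads the real NTDS, SYSVOL and DNS locations from the registry rather than assuming the defaults, then applies them with the Windows Defender Antivirus cmdlets (Add-MpPreference, Get-MpPreference), which exist on Windows Server 2016 and later, not on the 2008 R2 systems discussed here. The registry value names and the over-breadth check are my assumptions; for another antivirus product, the same folder list goes into the vendor's console.

```powershell
# Added example, not part of the original post: read the real NTDS, SYSVOL and
# DNS locations from the registry (a DC promoted with non-default paths would
# otherwise be left unprotected or wrongly excluded), then apply folder
# exclusions with the Windows Defender Antivirus cmdlets (Server 2016 and later).
# Assumptions: run elevated on a domain controller; the registry value names
# below are the NTDS, Netlogon and DNS service parameters as I know them.
$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dnsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-RegPath([string]$Key, [string]$Name, [string]$Default) {
    # Returns the expanded registry value, or the documented default if unset.
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($v) { [Environment]::ExpandEnvironmentVariables($v) } else { $Default }
}

function Get-DcExclusionFolders {
    @(
        Split-Path (Get-RegPath $ntdsKey 'DSA Database file' "$env:windir\NTDS\ntds.dit")
        Get-RegPath $ntdsKey 'Database log files path' "$env:windir\NTDS"
        Get-RegPath $ntdsKey 'DSA Working Directory'   "$env:windir\NTDS"
        Get-RegPath $netlogonKey 'SysVol' "$env:SystemRoot\SYSVOL\sysvol"
        Get-RegPath $dnsKey 'DatabaseDirectory' "$env:SystemRoot\System32\dns"
    ) | Sort-Object -Unique
}

$folders = Get-DcExclusionFolders | Where-Object {
    if (Test-Path $_) { $true } else { Write-Warning "Not found, skipped: $_"; $false }
}
$folders | ForEach-Object { "Excluding folder: $_" }
# Add-MpPreference appends; Set-MpPreference -ExclusionPath would replace the
# whole list and silently drop exclusions that other software already needs.
Add-MpPreference -ExclusionPath $folders

# Verify the effective list and flag anything wider than a folder: excluding a
# drive root or the whole Windows directory turns a tuning into a blind spot.
(Get-MpPreference).ExclusionPath | ForEach-Object {
    if ($_ -match '^[A-Za-z]:\\?$' -or $_ -ieq $env:SystemRoot) {
        Write-Warning "Over-broad exclusion in effect: $_"
    } else { "Effective exclusion: $_" }
}
```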
I am back again with a different kind of problem which I faced with one of my clients. My customer had a Windows 2008 R2 server with 3 guest operating systems running Windows 2008 Server member servers. The problem was that whenever my customer ran a video file on the server, the performance of the server went down completely, even though the CPU showed normal behaviour and memory was not consumed; still, the operating system's behaviour was unexpectedly sluggish. After trying different methods I noticed that the issue happened whenever graphics-intensive applications were run on the server. At last I completely removed the driver and tried again, and all of a sudden the server started behaving normally, which made me very sure that the hardware driver was causing the problem. So I tried to update the VGA drivers on the server from the vendor's website but faced the same problem. I started searching on the Internet and found... guess what?
When you enable the Hyper-V role in Windows Server 2008 or in Windows Server 2008 R2, do not install the drivers for high performance accelerated graphics adapters.
I know it's very weird, but unfortunately it's the hardcore truth that a Windows 2008 R2 Hyper-V enabled server doesn't support high performance accelerated graphics adapters. Please see this newly released KB article.
http://support.microsoft.com/kb/961661
In this post I will show you some of the Active Directory command-line tools which will help administrators write batch files and scripts.
DSADD: This command adds computers, groups, users, OUs and some other objects to Active Directory from the command prompt. Subcommands:
- Dsadd computer
- Dsadd contact
- Dsadd group
- Dsadd ou
- Dsadd quota
- Dsadd user
Example:
dsadd ou "ou=sales, dc=virmansec, dc=com"
This command tells Active Directory to create an OU called Sales in the virmansec.com domain.
dsadd user "cn=John doe, ou=sales, dc=virmansec, dc=com"
This command will create a user named John Doe in the Sales OU.
DSGET: This command displays the properties of objects in the directory, such as users, groups and computers. Subcommands:
- Dsget computer
- Dsget contact
- Dsget group
- Dsget ou
- Dsget partition
- Dsget quota
- Dsget server
- Dsget site
- Dsget subnet
- Dsget user
Example:
dsget user "CN=John Doe,CN=users,dc=virmansec,dc=com" -memberof -expand
The above command will show the list of groups, recursively expanded, to which the user John Doe belongs.
DSQUERY: This command finds objects in the directory that match specified search criteria, including users, computers, printers and so on. Subcommands:
- Dsquery computer
- Dsquery contact
- Dsquery group
- Dsquery ou
- Dsquery partition
- Dsquery quota
- Dsquery server
- Dsquery site
- Dsquery subnet
- Dsquery user
Example:
dsquery ou dc=virmansec,dc=com
This command will produce a listing of all OUs in the domain.
dsquery user cn=users,dc=virmansec,dc=com
This will show all the users in the Users container.
dsquery server -hasfsmo schema
This will show which server holds the schema master role (the role name can be schema, name, infr, pdc or rid).
Combining dsquery with other commands like dsget
To find all users in an organizational unit (OU) named Sales whose name starts with "joh" and to show their descriptions, type:
dsquery user OU=sales,dc=virmansec,dc=com -name joh* | dsget user -desc
DSMOD: This command modifies selected attributes of an existing object in the directory, such as a user, computer or OU. Subcommands:
- Dsmod computer
- Dsmod contact
- Dsmod group
- Dsmod ou
- Dsmod partition
- Dsmod quota
- Dsmod server
- Dsmod user
Example:
dsmod computer CN=Server,CN=Computers,DC=virmansec,DC=Com -disabled yes
Disables the computer account.
dsmod user "CN=John Doe,CN=Users,DC=Virmansec,DC=Com" -pwd A1b2c3d4 -mustchpwd yes
Resets the password and forces the user to change it the next time he logs on to the network.
DSMOVE: This command moves or renames a selected object in the directory, such as a user, computer or OU.
Example:
dsmove "CN=John Doe,OU=sales,DC=virmansec,DC=Com" -newname "John Combs"
Renames the user object from John Doe to John Combs.
dsmove "CN=John Doe,OU=Sales,DC=virmansec,DC=Com" -newparent OU=Marketing,DC=virmansec,DC=Com
Moves the user John Doe from the Sales organizational unit to the Marketing organizational unit.
DSRM: This command removes an object, the complete subtree under an object in the directory, or both.
Example:
dsrm -subtree -noprompt -c OU=Marketing,DC=virmansec,DC=Com
Removes an organizational unit called "Marketing" and all the objects under that organizational unit.
dsrm -subtree -exclude -noprompt -c "OU=Marketing,DC=virmansec,DC=Com"
Removes all objects under the organizational unit called "Marketing", but leaves the organizational unit itself intact.
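The dsquery | dsget and dsmod pipelines from this post, combined into one audit script as an added example (my own code, not from the original post): it expands Domain Admins recursively the way the -memberof -expand example does, reports each member's account state, and lists enabled users in an OU that have not logged on for eight weeks, only disabling them with dsmod when -Disable is passed. It assumes the ds* tools are installed, that virmansec.com and the Sales OU are the post's sample names, and that the forest is at Windows 2003 functional level or later (needed for dsquery -inactive).

```powershell
# Added example, not part of the original post: an audit script built from the
# ds* tools above. It expands Domain Admins recursively, shows each member's
# account state, then lists enabled users in an OU with no logon for 8 weeks.
# Nothing is changed unless -Disable is passed. Assumptions: run on a domain
# member with the ds* tools installed; virmansec.com and OU "sales" are the
# post's sample names; -inactive needs a Windows 2003 or later forest level.
param(
    [string]$Domain  = 'dc=virmansec,dc=com',
    [string]$StaleOU = 'ou=sales,dc=virmansec,dc=com',
    [switch]$Disable
)

function Get-DsUserState([string]$Dn) {
    # dsget prints a header row, the value row, then "dsget succeeded";
    # return @(samid, disabled, pwdneverexpires) or $null for non-user objects.
    $out = dsget user $Dn -samid -disabled -pwdneverexpires 2>$null |
           Where-Object { $_ -and $_ -notmatch '^dsget ' }
    if ($out.Count -ge 2) { @($out[1].Trim() -split '\s+') } else { $null }
}

'== Effective members of Domain Admins (nested groups expanded) =='
$admins = dsget group "cn=Domain Admins,cn=Users,$Domain" -members -expand |
          Where-Object { $_ -and $_ -notmatch '^dsget ' } | ForEach-Object { $_.Trim().Trim('"') }
foreach ($dn in $admins) {
    $s = Get-DsUserState $dn
    if (-not $s) { "$dn  (not a user object)"; continue }
    $flags = @()
    if ($s[1] -eq 'yes') { $flags += 'DISABLED' }
    if ($s[2] -eq 'yes') { $flags += 'PASSWORD-NEVER-EXPIRES' }
    "{0,-20} {1}  {2}" -f $s[0], $dn, ($flags -join ',')
}

"== Enabled users in $StaleOU with no logon in 8 weeks =="
$stale = dsquery user $StaleOU -inactive 8 -limit 0 |
         Where-Object { $_ -and $_ -notmatch '^dsquery ' } | ForEach-Object { $_.Trim().Trim('"') }
foreach ($dn in $stale) {
    $s = Get-DsUserState $dn
    if (-not $s -or $s[1] -ne 'no') { continue }   # skip already-disabled accounts
    "$($s[0])  $dn"
    if ($Disable) { dsmod user $dn -disabled yes | Out-Null }
}
```

Run it without -Disable first and review the output; stale-account cleanup is routine hygiene, but an unexpected name in the Domain Admins expansion is worth investigating before anything else.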
I was called to troubleshoot an installation of an RODC server at one of my customers' places three days back. I believe it was really a very good troubleshoot which I want to share with you guys. The scenario was as follows.
The customer had Windows 2008 writable domain controllers and some Windows 2003 ADCs. So before introducing an RODC in the environment we fulfilled all the requirements: ADPREP /rodc was run so the schema was extended, and all the other things Microsoft recommends doing in the following guide http://technet.microsoft.com/en-us/library/cc731243(WS.10).aspx. In spite of that, whenever we ran DCPROMO, checked RODC and hit Next, a failure message popped up stating "An error occurred while loading the default Password Replication Policy. The error was: The network address is invalid.".
Solution:
My customer had missed pre-creating the RODC account, so there was no Password Replication Policy to find. Once that was done, the promotion went through using the dcpromo /UseExistingAccount:Attach command.
http://technet.microsoft.com/en-us/library/cc732887(WS.10).aspx
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/07/13/4-methods-to-add-server-core-rodcs-to-your-environment.aspx
http://technet.microsoft.com/en-us/library/cc754629(WS.10).aspx
Active Directory forms a critical backbone for the support of enterprise infrastructure. A poorly maintained and poorly functioning Active Directory environment can land your infrastructure in a disaster, causing significant impact to your business. To avoid such situations before they arise, Microsoft came up with a tool called ADRAP which can do an in-depth analysis of an organization's Active Directory. ADRAP generates a report, and based on that report system administrators can analyze a series of data points to identify areas for remediation. Listed below are some of the key areas where ADRAP puts its efforts.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=22205827-c164-4b62-9f8d-c3cd6077bd82
Directory Service Replication
- Replication Status
- AD Convergence
- Bridgeheads and ISTGs
- Large Groups
File Replication Service
- SYSVOL Convergence
- Orphaned GPTs, Unlinked GPOs
- SYSVOL Consistency
- SYSVOL Information
Name Resolution
- DNSLint
- DCDIAG-DNS
- WINS 1B and 1C
- IPCONFIG (WINS and DNS)
Domain Controllers Health
- DCDIAG - General
- Performance Statistics
- Time Configuration
- OS Information
AD Database Analysis
- Database Information
- Partition ACLs
- AD Object Count
Others
- Exchange DSACCESS
- Account Information
- Account Lockouts
- Backup and Disaster Recovery
Conclusion: It's the best tool Microsoft has ever introduced to analyze Active Directory.
Microsoft today revealed two new desktop virtualization features that will be included in the upcoming Windows Server 2008 R2 Service Pack 1, along with an updated Remote Desktop client for Windows 7 SP1. Windows Server 2008 R2 SP1 will have 2 new features called Dynamic Memory and RemoteFX.
Now, what is the Dynamic Memory feature?
Dynamic Memory is an enhancement to Hyper-V in R2 that allows IT administrators to pool all the memory available on a physical host and dynamically distribute it to the virtual machines running on that host as necessary.
http://blogs.technet.com/virtualization/archive/2010/03/18/Dynamic-Memory-Coming-to-Hyper-V.aspx
Now, what is the RemoteFX feature?
RemoteFX is the latest addition to Microsoft's desktop virtualization stack. It functions independently of any graphics stack and supports any screen content, including rich content like Silverlight or Flash. RemoteFX works on a wide array of target devices, including both thick and thin client hosts, and across a wide variety of network configurations.
Note: Windows 7 SP1 will include a new Remote Desktop Client that takes advantage of the RemoteFX feature.
http://blogs.technet.com/b/virtualization/archive/2010/03/18/explaining-microsoft-remotefx.aspx