Best practice methods for Windows 2000 domain controller setup
Article ID: 216899
This article was previously published under Q216899
Notice: This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information, see the Microsoft Support Lifecycle Policy.
Before placing Windows 2000 domain controllers and member servers into production, system administrators may want to validate the servers' configuration. This checklist discusses some of the areas to focus on. Some of the topics mentioned require research beyond the scope of this article.
Review Installation and Boot Process in Event Viewer
Check Event Viewer (Eventvwr.msc) for error and warning messages associated with the installation or boot process. Resolve component and service-related events as required.
Set Event Viewer Log Size and Wrap Setting
Event log size and log wrapping (overwrite as needed, clear log manually, or overwrite after n days) should be defined to match business and security requirements. Consider implementing a system policy at the site, domain, or organizational unit level that applies the appropriate configuration.
Review Service Startup
From the Services folder in the Computer Management snap-in, confirm that all services set to Automatic in the Startup column started without user intervention or multiple retries.
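The review above can be done by exporting the Services list and scanning it instead of reading the snap-in by eye. The following script is an added example, not part of this article or of any Microsoft tool; it assumes a tab-separated export with the columns Name, Description, Status, Startup Type and Log On As, and the sample export embedded in it is constructed, not captured from a real server.

```python
"""Added example, not part of KB 216899: check a Services snap-in export for
Automatic services that did not start.  Assumes a tab-separated export with
the columns Name, Description, Status, Startup Type, Log On As (constructed
sample below; confirm the column names against your own export)."""
import csv
import io
from typing import Dict, List

# Constructed sample export. An empty Status column means the service is stopped.
SAMPLE_EXPORT = (
    "Name\tDescription\tStatus\tStartup Type\tLog On As\n"
    "Net Logon\tSupports pass-through authentication\tStarted\tAutomatic\tLocalSystem\n"
    "Kerberos Key Distribution Center\tGenerates session keys\t\tAutomatic\tLocalSystem\n"
    "Telnet\tAllows remote logon\t\tManual\tLocalSystem\n"
    "Windows Time\tSets the computer clock\tStarted\tAutomatic\tLocalSystem\n"
    "Messenger\tSends and receives messages\tStarted\tAutomatic\tLocalSystem\n"
)


def automatic_not_started(export_text: str) -> List[str]:
    """Names of services whose Startup Type is Automatic but whose Status is not Started."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    return [
        row["Name"]
        for row in reader
        if row["Startup Type"].strip().lower() == "automatic"
        and row["Status"].strip().lower() != "started"
    ]


def startup_summary(export_text: str) -> Dict[str, int]:
    """Count services per startup type: a quick view of how many are set to Automatic."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    counts: Dict[str, int] = {}
    for row in reader:
        kind = row["Startup Type"].strip()
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for name in automatic_not_started(SAMPLE_EXPORT):
        print("Automatic service not running:", name)
    print(startup_summary(SAMPLE_EXPORT))
```

Run it against a fresh export after each reboot; a security-relevant service such as the Kerberos Key Distribution Center that is set to Automatic but never reaches Started is exactly the condition this section asks you to catch.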
Disable Unnecessary Services
Set the startup value for unnecessary or unused services to Manual. Candidates for review include:
Server Service Optimization
Set the Server Optimization setting in the Network tool in Control Panel to match the role the computer will play in your organization, particularly for computers changing roles from domain controllers to member servers if consolidating domains. The Server service for dedicated Terminal Server or IIS servers should be optimized for "Maximize data throughput for network applications."
Check IP, DNS, WINS, and Default Gateway Settings
From the command prompt, type IPCONFIG /ALL to verify correct IP, DNS, WINS, and default gateway configuration. For Windows 2000 servers (particularly domain controllers) that are WINS clients but also running the WINS Server service, both WINS addresses should point to either this server or a remote WINS server to avoid cross-registration.
Run Netdiag to Test Network Connectivity and DNS\WINS Registration
From the command prompt, type netdiag /v >c:\netdiag.mmddyy.txt, where mmddyy is today's date. Review the text file for good network connectivity and DNS\WINS registration. Save and update this file in a local folder on all servers so it can be reviewed whenever changes are made to the server configuration or network problems are encountered.
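The two checks above (ipconfig /all for addressing and WINS cross-registration, netdiag /v for connectivity and registration tests) can be applied to the saved text files automatically. The script below is an added example, not part of this article or of any Microsoft tool. The ipconfig and netdiag output it parses is constructed sample text in the usual "Field . . . : value" layout; the netdiag test names, the rule that both WINS entries must name the same server, and the function names are this example's assumptions.

```python
"""Added example, not part of KB 216899: parse constructed ``ipconfig /all`` and
``netdiag /v`` text and flag the problems the checklist calls out."""
import re
from typing import Dict, List

# Constructed sample of "ipconfig /all" output for a DC that also runs WINS Server.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : dc01
        Primary DNS Suffix  . . . . . . . : corp.example.com
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.10.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1
        DNS Servers . . . . . . . . . . . : 192.168.10.5
                                            192.168.10.6
        Primary WINS Server . . . . . . . : 192.168.10.5
        Secondary WINS Server . . . . . . : 192.168.20.5
"""

# Constructed sample of netdiag /v result lines (assumed "name . . . : Result" layout).
SAMPLE_NETDIAG = """\
    Netcard queries test . . . . . . . : Passed
    DNS test . . . . . . . . . . . . . : Passed
    WINS service test. . . . . . . . . : Failed
    Default gateway test . . . . . . . : Passed
    Kerberos test. . . . . . . . . . . : Failed
"""

# "Key . . . . : value" lines; the key stops at the first dot or colon.
_FIELD = re.compile(r"^\s*(?P<key>[^.:]+?)[ .]*:\s*(?P<val>.*)$")
_IPV4 = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text: str) -> Dict[str, List[str]]:
    """Map each ipconfig field to its list of values; an indented bare address
    line (e.g. a second DNS server) is an extra value of the preceding field."""
    fields: Dict[str, List[str]] = {}
    last = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            last = m.group("key").strip()
            fields.setdefault(last, [])
            if m.group("val").strip():
                fields[last].append(m.group("val").strip())
        elif last and _IPV4.match(line):
            fields[last].append(line.strip())
    return fields


def netdiag_failures(text: str) -> List[str]:
    """Names of netdiag tests whose result is Failed."""
    failed = []
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m and m.group("val").strip().lower() == "failed":
            failed.append(m.group("key").strip())
    return failed


def audit_network(ipconfig_text: str, netdiag_text: str, wins_service_local: bool) -> List[str]:
    """Apply the checklist rules; returns findings (an empty list means clean)."""
    cfg = parse_ipconfig(ipconfig_text)
    findings: List[str] = []
    if not cfg.get("Default Gateway"):
        findings.append("no default gateway configured")
    if not cfg.get("DNS Servers"):
        findings.append("no DNS servers configured")
    wins = cfg.get("Primary WINS Server", []) + cfg.get("Secondary WINS Server", [])
    if wins_service_local:
        if not wins:
            findings.append("WINS service runs locally but no WINS client addresses are set")
        elif len(set(wins)) > 1:
            # Primary and secondary name different servers: the DC may register in both.
            findings.append("WINS entries point at different servers (%s): cross-registration risk"
                            % ", ".join(wins))
    for name in netdiag_failures(netdiag_text):
        findings.append("netdiag: %s failed" % name)
    return findings


if __name__ == "__main__":
    for f in audit_network(SAMPLE_IPCONFIG, SAMPLE_NETDIAG, wins_service_local=True):
        print("FINDING:", f)
```

Point the two text arguments at the saved c:\netdiag.mmddyy.txt file and a captured ipconfig /all listing; keeping the findings alongside the dated netdiag file gives the before/after comparison this section recommends.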
View the Fully Qualified Computer Name
From the command prompt, type net config rdr to view the fully qualified computer name. Compare the results against the Active Directory name to confirm they match or vary as intended.
Paging File Sizing and Placement
Set the paging file size and placement based on memory size and server usage. Paging file size may range from RAM size + 12 MB to RAM size * 2. For mission critical servers, a paging file equal to or larger than RAM size should be placed on the same partition as the operating system to allow crash dumps to be recorded. For better performance, the paging file can be placed on a dedicated physical drive separate from the drive hosting Windows NT, on a hardware drive array, or staged across multiple physical drives where reads and writes occur in "round-robin-like" fashion until available space is consumed.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
197379 Configuring page files for optimization and recovery in Windows Server 2003, in Windows 2000, and in Windows NT (http://support.microsoft.com/kb/197379/)
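The sizing and placement rules above can be checked against a proposed layout before the server goes into production. The function below is an added example, not part of this article; the RAM + 12 MB to 2 x RAM range and the "paging file at least RAM-sized on the operating system partition for crash dumps" rule are taken from the section, while the function name, the drive-letter input layout and the sample layouts are this example's own assumptions.

```python
"""Added example, not part of KB 216899: apply the checklist's paging file
sizing and placement rules to a proposed layout."""
from typing import Dict, List


def check_paging_files(ram_mb: int, paging_files: Dict[str, int], system_drive: str = "C:") -> List[str]:
    """paging_files maps a drive letter (e.g. "C:") to the paging file size on it, in MB.
    Returns findings as strings; an empty list means the layout satisfies the rules."""
    files = {drive.upper(): size for drive, size in paging_files.items()}
    findings: List[str] = []
    total = sum(files.values())
    low, high = ram_mb + 12, ram_mb * 2
    if total < low:
        findings.append(f"total paging space {total} MB is below RAM + 12 MB ({low} MB)")
    elif total > high:
        findings.append(f"total paging space {total} MB exceeds 2 x RAM ({high} MB)")
    # Crash dump rule: the dump is written through the paging file on the OS partition,
    # so that file must be at least RAM-sized for a full dump to be recorded.
    on_system = files.get(system_drive.upper(), 0)
    if on_system < ram_mb:
        findings.append(
            f"paging file on {system_drive} is {on_system} MB, less than RAM ({ram_mb} MB): "
            "a full crash dump cannot be recorded"
        )
    return findings


if __name__ == "__main__":
    # Constructed layouts for a 512 MB server: one split across C: and a data drive,
    # one with a single RAM-plus-256 MB file on the system partition.
    print(check_paging_files(512, {"C:": 256, "D:": 512}))
    print(check_paging_files(512, {"C:": 768}))
```

The first sample layout stays inside the size range but fails the crash dump rule because only 256 MB of paging file sits on C:; the second passes both checks.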
Add the /DEBUG Switch to the Boot.ini File to Debug
Add the /DEBUG switch to the Boot.ini file to enable post-mortem debugging of your servers. Adding the debug switch causes a 2-3 percent decrease in server performance but allows a debugger to be hooked up once a crash has occurred for post-mortem debugging. For additional information, please see the following article in the Microsoft Knowledge Base:
121543 Setting Up for Remote Debugging (http://support.microsoft.com/kb/121543/EN-US/)
Keep matching symbol files for the core operating system, service packs, and hotfixes on the server at all times.
FSMO Availability and Placement
Windows NT performs an initial placement of roles on domain controllers. This placement is often correct for directories with few domain controllers. In a directory with many domain controllers, the default placement is unlikely to be the best match for your network. A discussion of FSMO role placement is beyond the scope of this document, but as a general rule:
223346 FSMO placement and optimization on Windows 2000 domain controllers (http://support.microsoft.com/kb/223346/)
Perform a Backup of the DS and Key Services
Use the Windows 2000 Backup System State option or equivalent to back up the system. Develop and maintain a backup process for the directory service and all critical services.
Practice restorations of the entire computer as well as authoritative and non-authoritative restorations of the DS and individual services in a lab environment that emulates your production network infrastructure in terms of speed, capacity, and hardware.
Back up the system state using Ntbackup.exe or another Windows 2000 Active Directory-compatible backup utility. Save a copy of the backup image on the local drive of each promoted domain controller, as well as an offsite copy. Computer accounts, NTDS Settings objects, and the Active Directory/file system portion of System Policy cannot be re-created in the event of deletion. If you find that an important object has been deleted, remove replica domain controllers from the network, particularly those in remote sites that might not yet have replicated the deletion, so that an authoritative restore can be performed. Microsoft recommends that you back up:
EFS Recovery Policy
Develop a plan for storage and recovery of Encrypting File System (EFS) certificates that takes into consideration security and personnel access at the times they will likely be needed (servers are typically rebuilt during an off-peak hour some 6-36 months after the original deployment).
Offline SAM Password Policy
For information about this topic, please see the following article in the Microsoft Knowledge Base:
223301 Protection of the Administrator account in the offline SAM (http://support.microsoft.com/kb/223301/)