Best practice methods for Windows 2000 domain controller setup

Before placing Windows 2000 domain controllers and member servers into production, system administrators may want to validate the servers' configuration. This checklist discusses some of the areas to focus on. Some of the topics mentioned require research beyond the scope of this article.

Review Installation and Boot Process in Event Viewer

Check Event Viewer (Eventvwr.msc) for error and warning messages associated with the installation or boot process. Resolve component and service-related events as required.

Set Event Viewer Log Size and Wrap Setting

Event Log size and log wrapping (overwrite as needed, clear log manually or overwrite after n days) should be defined to match business and security requirements. Consider implementing a system policy at the site, domain or organizational unit level that implements the appropriate configuration.

Review Service Startup

From the Services folder in the Computer Management snap-in, confirm that all services set to Automatic in the Start Up column started without user intervention or multiple retries.

Disable Unnecessary Services

Set the startup value for unnecessary or unused services to Manual. Candidates for review include:

• The Print Spooler service for computers not sharing or accessing printers. (At least one DC in every site must have the Print Spooler service running in order for the automatic management of printer objects in the Active Directory to function properly.) For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  246269

  (http://support.microsoft.com/kb/246269/ )

  Requirements for proper function of the Directory Services Printer Pruner in the enterprise
• The messenger and alerter services on all servers.

Consider creating a system policy at the site, domain or organizational unit level that implements the desired service configuration.

Server Service Optimization

Set the Server Optimization setting in the Network tool in Control Panel to match the role the computer will play in your organization, particularly for computers changing roles from domain controllers to member servers if consolidating domains. The Server Service for dedicated Terminal Server or IIS servers should be optimized for "Maximize data throughput for network applications."

Check IP, DNS, WINS and Default Gateway Settings

From the command prompt, type IPCONFIG /ALL to verify correct IP, DNS, WINS, and default gateway configuration. For Windows 2000 servers (particularly domain controllers) that are WINS clients but also running the WINS Server service, both WINS addresses should point to either this server or a remote WINS server to avoid cross-Registration.

Run Netdiag to Test Network Connectivity and DNS\WINS Registration

From the command prompt, type netdiag /v >c:\netdiag.mmddyy.txt where mmddyy maps to today's date. Review the text file for good network connectivity and DNS\WINS registration. Save and update this file to a local folder on all servers so it can be reviewed whenever changes are made to the server configuration or network problems are encountered.

View the Fully Qualified Computer Name

From the command prompt, type net config rdr to view the fully qualified computer name. Compare the results against the Active Directory name to confirm they match or vary as intended.

Paging File Sizing and Placement

Set the paging file size and placement based on memory size and server usage. Paging file size may range from RAM size + 12 MB to RAM size * 2. For mission critical servers, a paging file equal to or larger than RAM size should be placed on the same partition as the operating system to allow crash dumps to be recorded. For better performance, the paging file can be placed on a dedicated physical drive separate from the drive hosting Windows NT, a hardware drive array, or staged across multiple physical drives where reads and writes occur in "round-robin-like" fashion until available space is consumed.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Add the /DEBUG Switch to the Boot.ini File to Debug

Add the /DEBUG switch to the Boot.ini file to enable post-mortem debugs of your servers. Adding the debug switch causes a 2-3 percent decrease in server performance but allows a debugger to be hooked up once a crash has occurred for post-mortem debugging. For additional information, please see the following article in the Microsoft Knowledge Base: Keep matching symbol files for the core operating system, service packs, and hotfixes on the server at all times.

FSMO Availability and Placement

Windows NT performs an initial placement of roles on domain controllers. This placement is often correct for directories with few domain controllers. In a directory with many domain controllers the default placement is unlikely to be the best match to your network. A discussion on DFSMO role placement is beyond the scope of this document but as a general rule:

• The schema master and domain naming master roles should be placed on the same domain controller as they are rarely used and should be tightly controlled.
• The infrastructure master should not be located on the same domain controller holding the RID master and PDC emulator roles if it is also a GC server. Most importantly, confirm that all FSMO roles are available using one of the management consoles (such as Dsa.msc or Ntdsutil.exe).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Perform a Backup of the DS and Key Services

Use the Windows 2000 Backup System State option or equivalent to back up the system. Develop and maintain a backup process for the directory service and all critical services.

Practice restorations of the entire computer as well as authoritative and non-authoritative restorations of the DS and individual services in a lab environment that emulates your production network infrastructure in terms of speed, capacity, and hardware.

Back up the system state using Ntbackup.exe or another Windows 2000 Active Directory compatible backup utility. Save a copy of the backup image on the local drive of each promoted domain controller, as well as an offsite copy. Computer accounts, NTDS Settings objects, and the Active Directory/file system portion of System Policy cannot be re-created in the event of deletion. If you find that an important object has been deleted, remove replica domain controllers, particularly those in remote sites that might not have replicated the deletion from the network, so that an authoritative store can be performed. Microsoft recommends you backup:

• Domain controllers in the root domain of the forest.
• Domain controllers in domains that have child domains.
• Computer account objects for all domain controllers in the forest.
• Default Domain and default domain controllers policy residing in the Active directory and SYSVOL share for all domains in the forest.

EFS Recovery Policy

Develop a plan for storage and recovery of Encrypted File System (EFS) certificates that take into consideration security and personnel access at the times they will likely be needed. Servers are typically rebuilt during an off-peak hour some 6-36 months after the original deployment).

Offline SAM Password Policy

For information about this topic, please see the following article in the Microsoft Knowledge Base: