Deploying secure domain controllers - Part 5

Click here to read the previous parts of this tip: Part 1, Part 2, Part

    Requires Free Membership to View

3 and Part 4.

When upgrading a Windows 2003 Server member server to a domain controller, it is important to make secure choices for the settings required to install and configure Active Directory. Even if you plan on automating the installation of subsequent domain controllers in a large environment, most security experts recommend manually configuring your first domain controller which establishes a forest or a domain.

To automate the domain controller promotion process during the initial setup of a new system, add the following line to your unattend.txt file in the [GUIRunOnce] section:

DCpromo /answer:%systemroot%\system32\$winnt$.inf%

Then add a [DCInstall] section to your unattend.txt file containing the exact parameters you wish. A great source of details on the parameters that can be used in this section is Knowledge Base article 223757 "Unattended Promotion and Demotion of Windows 2000 Domain Controllers." Yes, this article was originally written for Windows 2000, but the details are exactly the same for Windows 2003 Server.

By default, DCPromo will place the Active Directory database, its log files, and the SYSVOL folder on the system volume (i.e. the same place where the main Windows folder is located along with the default paging file). For a more secure configuration, place these items on a different physical drive. This will provide greater security and improved performance.

If your environment is using only Windows 2000 and Windows 2003 servers, make sure the AllowAnonymousAccess control is set to No. This pre-Windows 2000 compatible feature allows for backwards compatibility for those applications or services that need to query the domain database using anonymous access. Unless you specifically need this feature, be sure to disable it.

Be sure to set a strong and complex password for the administrator account. Also, define a password for the SafeModeAdminPassword. This is the password that will be required to access the offline administrator account in directory services repair mode.

In the next tip I'll talk about maintaining physical security for your domain controllers.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in March 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.