Deploying secure domain controllers - Part 5

Part five examines configuring your domain controller.


When promoting a Windows 2003 Server member server to a domain controller, it is important to make secure choices for the settings required to install and configure Active Directory. Even if you plan to automate the installation of subsequent domain controllers in a large environment, most security experts recommend configuring the first domain controller, the one that establishes a new forest or domain, by hand.

To automate the domain controller promotion process during the initial setup of a new system, add the following line to the [GUIRunOnce] section of your unattend.txt file (the trailing percent sign sometimes seen in copies of this command is a typo; the answer file path ends at .inf):

DCpromo /answer:%systemroot%\system32\$winnt$.inf

Then add a [DCInstall] section to your unattend.txt file containing exactly the parameters you want. A good source of details on the parameters accepted in this section is Knowledge Base article 223757, "Unattended Promotion and Demotion of Windows 2000 Domain Controllers." Yes, this article was originally written for Windows 2000, but the details are exactly the same for Windows 2003 Server.

By default, DCPromo places the Active Directory database, its log files, and the SYSVOL folder on the system volume (i.e. the same volume that holds the main Windows folder and the default paging file). For a more secure configuration, place these items on a different physical drive. Keeping the directory data separate from the operating system volume provides greater security and improved performance.

If your environment uses only Windows 2000 and Windows 2003 servers, make sure the AllowAnonymousAccess parameter is set to No. This pre-Windows 2000 compatible feature provides backwards compatibility for applications or services that need to query the domain database using anonymous access. Unless you specifically need this feature, be sure to disable it.

Be sure to set a strong and complex password for the administrator account. Also define a password for the SafeModeAdminPassword parameter. This is the password required to access the offline administrator account in directory services repair mode.
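As an added example that is not part of the original tip, the answer-file fragments below apply the choices described above for the first domain controller of a new forest. The domain names, the D: drive letter and the password value are placeholders; the parameter names come from the [DCInstall] section documented in the Knowledge Base article cited above.

```ini
; Constructed example unattend.txt fragments (not from the original tip).
; Placeholders: example.internal / EXAMPLE, drive D:, and the password value.

[GUIRunOnce]
"dcpromo /answer:%systemroot%\system32\$winnt$.inf"

[DCInstall]
; First domain controller: create a new domain in a new forest.
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=example.internal
DomainNetBiosName=EXAMPLE
AutoConfigDNS=Yes

; Move the directory database, its logs and SYSVOL off the system volume.
; Left unset, DCPromo would place them under the Windows folder (%systemroot%).
DatabasePath=D:\NTDS
LogPath=D:\NTDS_Logs
SYSVOLPath=D:\SYSVOL

; Refuse pre-Windows 2000 compatible anonymous queries of the directory.
AllowAnonymousAccess=No

; Password for the offline administrator account used in directory
; services repair mode; must meet the domain's complexity rules.
SafeModeAdminPassword=PLACEHOLDER-CHANGE-ME

RebootOnSuccess=Yes
```

Because the answer file holds the repair-mode password in clear text and $winnt$.inf stays on disk under system32, restrict access to the file and remove or sanitize it once promotion has completed.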

In the next tip I'll talk about maintaining physical security for your domain controllers.


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in March 2004
