Windows 2003 domain controller configuration
Member servers have their own built-in local administrative account that is completely separate from the domain Administrator account. You can configure every member server to use a different administrator account name and password.

The idea is that if someone figures out the local administrator account name and password on one member server, you don't want them to be able to reuse those credentials against your other servers. Of course, with good physical security in place, no one should be able to reach a server console to use a local account in the first place.

Service accounts

Windows Server is designed to minimize the need for service accounts.

Even so, some third-party applications absolutely insist on a traditional service account. If possible, always use a local account as the service account rather than a domain account: if someone gains physical access to the server, they can dump the server's LSA secrets and recover the password.

If that password belongs to a domain account, it can be used from any computer in the forest to gain access to the domain. If a local account is used, the password is useless anywhere other than the compromised machine and grants no access to the domain.
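To put the advice above into practice you first need to know which services on a server actually run under domain accounts. The following PowerShell script is an added example written for this page (it is not from the original article); it walks the Win32_Service class and classifies each service's logon account as built-in, local or domain, so the domain-scoped ones can be reviewed. It assumes WMI access to the host being audited; the -ComputerName parameter is a hypothetical convenience for auditing a remote member server.

```powershell
# Added example (not from the original article): list services on a host that run under
# domain accounts rather than local or built-in accounts, so they can be reviewed against
# the "prefer a local service account" advice. Assumes WMI access to the target host;
# -ComputerName defaults to the local machine (remote use is a hypothetical convenience).

param(
    [string]$ComputerName = $env:COMPUTERNAME
)

# Built-in identities that never carry a reusable domain credential.
$builtIn = @('LocalSystem',
             'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

# Authority names that mean "this machine", not the domain.
$localNames = @('.', $ComputerName.ToUpper(), 'NT SERVICE', 'NT AUTHORITY')

$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

$report = foreach ($svc in $services) {
    $account = $svc.StartName
    if (-not $account) { continue }                  # kernel/driver entries have no logon account
    if ($builtIn -contains $account) { continue }

    # Classify the logon name: DOMAIN\user, user@domain.tld, .\user or MACHINE\user
    $scope = 'Local'
    if ($account -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
        if ($localNames -notcontains $Matches['dom'].ToUpper()) { $scope = 'Domain' }
    } elseif ($account -match '@') {
        $scope = 'Domain'                            # UPN form is always a domain identity
    }

    New-Object PSObject -Property @{
        Name      = $svc.Name
        Account   = $account
        Scope     = $scope
        StartMode = $svc.StartMode
        State     = $svc.State
    }
}

# Domain-scoped services are the ones whose password, if dumped from this box's LSA
# secrets, would be usable against the rest of the forest.
$report | Where-Object { $_.Scope -eq 'Domain' } |
    Sort-Object Name |
    Format-Table Name, Account, StartMode, State -AutoSize
```

Every row the script prints is a service whose credential is worth more to an attacker than the machine it runs on; for each one, check whether the vendor really needs a domain identity or whether a local account (or one of the built-in service identities) would do.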

System services

There is a fundamental law of computing: the more code running on a system, the greater the chance that some of it contains a security vulnerability. One of the primary security strategies you should focus on is therefore reducing the amount of code running on your server.

Doing so reduces security risk and also improves the server's performance. In Windows, a lot of services ran by default that were totally unnecessary in most environments; in fact, a default installation even included a fully operational IIS server.

In Windows Server, Microsoft turned off most of the services that aren't absolutely necessary. Even so, some services still run by default whose value is open to debate. The DFS service was primarily designed to make users' lives easier: DFS lets an administrator create a logical namespace containing resources from multiple servers or partitions, so that to a user all of these distributed resources appear to live within a single folder.

I personally like DFS, especially for its fault tolerance and scalability. However, if you don't use DFS, you force users to know the actual path to each resource instead of reaching everything through a single path.

In some environments, that may translate into better security. In my opinion, though, the rewards of DFS far outweigh the risks.

The FRS (File Replication Service) replicates data between servers. It is mandatory on domain controllers because it keeps the SYSVOL folder synchronized. On member servers, however, it isn't mandatory unless you are running DFS. Disabling the FRS reduces an attacker's ability to replicate a malicious file across multiple servers. The FRS is enabled by default.

Another service worth a look is the Print Spooler. The Print Spooler manages all local and network print queues and controls every print job within them. It is required for all printing operations and is enabled by default. The flip side is that not every server needs printing capabilities: unless a server is acting as a print server, you should disable the Print Spooler. After all, why should a dedicated file server run the Print Spooler?

Normally, no one should be sitting at the server console working, so there should be no need to print locally or across the network. I realize that during disaster recovery it can become necessary to print an error message or an event log, but I recommend simply turning on the Print Spooler service when it is needed rather than leaving it running all the time on non-print servers.
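The three services discussed above (DFS, FRS and the Print Spooler) can be audited with one script. The PowerShell below is an added example for this page, not code from the original article: it derives what the machine needs from its role (domain controller or not, shares printers or not), reports the state of each service, disables the Print Spooler on servers that share no printers, and, as a detection step, checks that the spooler's registered executable is the expected system32\spoolsv.exe with a valid Authenticode signature. Service names Spooler, NtFrs and Dfs are the standard Windows service names; the -WhatIf switch is this example's own report-only mode.

```powershell
# Added example (not from the original article): audit Print Spooler, FRS and DFS on a
# server, decide which are needed from the machine's role, and disable the Print Spooler
# where no printers are shared. -WhatIf reports only and changes nothing.

param(
    [switch]$WhatIf
)

# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 member server, 4 backup DC, 5 primary DC
$cs = Get-WmiObject Win32_ComputerSystem
$isDomainController = $cs.DomainRole -ge 4

# Treat the box as a print server if it shares at least one printer.
$sharesPrinters = @(Get-WmiObject Win32_Printer | Where-Object { $_.Shared }).Count -gt 0

# Whether each service is needed, following the article's reasoning.
$policy = @{
    'Spooler' = $sharesPrinters          # only print servers need it
    'NtFrs'   = $isDomainController      # mandatory on DCs (SYSVOL); optional elsewhere unless DFS is used
    'Dfs'     = $isDomainController      # DCs host the domain DFS root; review on member servers
}

foreach ($name in $policy.Keys) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Host "$name : not installed"; continue }

    $needed = $policy[$name]
    Write-Host ("{0,-8} state={1,-8} start={2,-8} needed={3}" -f $name, $svc.State, $svc.StartMode, $needed)

    # Only the Print Spooler is changed automatically. FRS/DFS decisions are left to the
    # administrator because a wrong guess on a domain controller breaks SYSVOL replication.
    if ($name -eq 'Spooler' -and -not $needed -and $svc.StartMode -ne 'Disabled') {
        if ($WhatIf) {
            Write-Host "  would stop and disable Spooler"
        } else {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
            Write-Host "  Spooler stopped and disabled"
        }
    }
}

# Integrity check on the spooler binary itself: the service should point at the
# system32 spoolsv.exe and that file should carry a valid Authenticode signature.
$spooler = Get-WmiObject Win32_Service -Filter "Name='Spooler'"
if ($spooler) {
    $exe      = [Environment]::ExpandEnvironmentVariables($spooler.PathName.Trim('"'))
    $expected = Join-Path $env:SystemRoot 'system32\spoolsv.exe'
    if ($exe -ne $expected) {
        Write-Warning "Spooler binary path is '$exe', expected '$expected'"
    }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Spooler binary signature status: $($sig.Status)"
    }
}
```

Run it once with -WhatIf to see the decisions before letting it touch the spooler. The path and signature checks are cheap to run from a scheduled task, and a warning from either is the kind of change that deserves an immediate look.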

Believe it or not, the Print Spooler is one of the most heavily exploited Windows components; there are countless Trojans that work by replacing the Print Spooler's executable file.

Assign this computer a static IP address, with DNS pointing to itself. Then go to Manage Your Server (it should pop up on its own). After that is done the server will need a reboot, and voila! Go to Manage Your Server and add the DHCP role.

The instructions are pretty straightforward. Choose your range; if the range overlaps any static IP addresses you are using, add them to the exclusion list. You probably aren't going to use any WINS servers. When the DNS window opens, right-click the server and select Authorize. You should now have working DHCP.
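The same scope can be created from the command line with netsh, which makes the exclusion step explicit instead of relying on someone remembering it in the wizard. The script below is an added example for this page, not part of the original post. Every address and name in it is a constructed placeholder: a hypothetical 192.168.10.0/24 LAN whose domain controller (also the DNS server) is 192.168.10.5 and whose static devices occupy 192.168.10.1 to 192.168.10.20, so that the dynamic range deliberately overlaps the static block and the exclusion matters.

```powershell
# Added example (not from the original post): script the DHCP scope described above with
# netsh so the exclusion for existing static addresses is never forgotten.
# All addresses and names are constructed placeholders.

$scope      = '192.168.10.0'        # scope/subnet id
$mask       = '255.255.255.0'
$rangeStart = '192.168.10.1'        # distribution range overlaps the static block on purpose
$rangeEnd   = '192.168.10.250'
$staticLow  = '192.168.10.1'        # routers, servers, printers with fixed addresses
$staticHigh = '192.168.10.20'
$dnsServer  = '192.168.10.5'        # the DC itself, which the post says should be its own DNS
$serverFqdn = 'dc1.example.local'   # hypothetical name of this DHCP server

# 1. Create the scope.
netsh dhcp server add scope $scope $mask "LAN" "Workstations"

# 2. Define the address range handed out to clients.
netsh dhcp server scope $scope add iprange $rangeStart $rangeEnd

# 3. Exclude the addresses already in static use so they are never leased out
#    (this is the "exceptions list" step from the instructions).
netsh dhcp server scope $scope add excluderange $staticLow $staticHigh

# 4. Point clients at the DC for DNS (option 006). No WINS (option 044) is configured,
#    matching the advice that WINS is probably not needed.
netsh dhcp server scope $scope set optionvalue 006 IPADDRESS $dnsServer

# 5. Activate the scope.
netsh dhcp server scope $scope set state 1

# 6. Authorize this DHCP server in Active Directory (the command-line equivalent of
#    right-clicking the server and choosing Authorize).
netsh dhcp add server $serverFqdn $dnsServer

# Verify what was configured.
netsh dhcp server show scope
netsh dhcp server scope $scope show excluderange
```

The exclusion is the security-relevant line: without it, a widened or mistyped range silently hands out addresses that servers or printers already own, and the resulting duplicate-address conflicts look like an outage rather than a configuration error.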

Server is not responding or is not considered suitable. Check that server finished GC promotion. Check the event log on server that enough source replicas for the GC are available.

Group Policy problems

I think I figured out what's going on. It would appear that something happened when I was setting up the new domain controller, and there is no SYSVOL share.

I get this error in the event log: File Replication Service is scanning the data in the system volume. The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.

Thank you for your reply. Sorry it took so long for me to see this and respond.

I have followed the KB article and made the changes in the registry for the current DC that is not working properly. It is still not working, and when I checked to see what was going on, the registry setting on the DC that's having the issue is automatically set back to the default value every time I start the service.

Any idea why that's happening?
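The symptoms in this thread (no SYSVOL share, FRS still scanning the system volume, a registry value that reverts) can be checked in one place before touching anything. The PowerShell below is an added example written for this page, not something posted in the thread: on a domain controller it reports the NtFrs service state, whether SYSVOL and NETLOGON are shared, the FRS BurFlags value, and the newest entries in the File Replication Service event log. The thread does not name the KB article or the registry value it changed; reading BurFlags here is this example's assumption about which setting was meant, and the event IDs in the comments are the standard FRS ones.

```powershell
# Added example (not from the forum thread): health check for the SYSVOL/FRS symptoms
# described above. Run on the affected domain controller with administrative rights.

# 1. Is FRS running at all, and how is it set to start?
$frs = Get-WmiObject Win32_Service -Filter "Name='NtFrs'"
if ($frs) {
    "NtFrs: state={0} start={1}" -f $frs.State, $frs.StartMode
} else {
    Write-Warning "NtFrs service is not installed on this machine"
}

# 2. SYSVOL and NETLOGON are published only after FRS has finished initialising the
#    system volume, so a missing share is consistent with the "scanning" event.
$shares = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name.ToUpper() })
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -contains $s) { "$s share: present" } else { Write-Warning "$s share: MISSING" }
}

# 3. BurFlags (assumption: the registry value the thread refers to). 0xD2 requests a
#    non-authoritative restore, 0xD4 an authoritative one. The key name contains a
#    forward slash, so it is opened through .NET rather than the HKLM: drive.
$sub = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$rk  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub)
$bur = $null
if ($rk) { $bur = $rk.GetValue('BurFlags') }
if ($bur -eq $null) { "BurFlags: not set" } else { "BurFlags: 0x{0:X}" -f [int]$bur }

# 4. Recent FRS events. 13516 = SYSVOL initialised and ready to share,
#    13508 = cannot replicate from a partner, 13566 = scanning the system volume.
Get-EventLog -LogName 'File Replication Service' -Newest 15 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID,
        @{n='Message'; e={ $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) }} |
    Format-Table -AutoSize -Wrap
```

One thing worth knowing when reading the BurFlags line: FRS itself resets the value to 0 once it has acted on it at service start, so seeing the default again after a restart is expected behaviour rather than proof that the setting was ignored; the event log entries that follow the restart (a 13516 versus a repeating 13508) are the better indicator of whether the restore actually completed.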

