Antivirus Domain Controller

Because domain controllers provide critical services to their clients, it is crucial to minimize the risk of any disruption of these services that may be caused by malicious code.

You can generally use antivirus software to mitigate the risk of malicious code. However, installing antivirus software from any vendor on a domain controller and configuring it to scan everything is not a reliable or recommended solution because the antivirus software may interfere with domain controller performance. Specifically, the scanning procedures that most antivirus applications use require exclusive locks on files. In many cases, these locks can interfere with the real-time data replication that domain controllers use to stay synchronized with the rest of the network.

The antivirus software that you use must be compatible with Windows operating systems in general and with domain controllers in particular. It must be installed in a manner that protects against attacks as much as possible while not interfering with domain controller performance. For example, the software must be able to scan Distributed File System (DFS) files that are replicated by File Replication Service (FRS) or DFS Replication in a way that does not initiate a full synchronization of files and folders in SYSVOL or of DFS roots and links. Any antivirus vendor should provide specific instructions for configuring its product to work with domain controllers that run Windows Server with Active Directory Domain Services (AD DS) installed.

We cannot guarantee the interoperability of any antivirus software with DFS Replication, even with the tests recommended in this guide. The need for extensive testing can be avoided completely by asking your antivirus software vendor to disclose its tested interoperability with DFS Replication. Vendors that have tested their software are happy to stand by their products. For a list of antivirus software vendors, see article 49500 in the Microsoft Knowledge Base (link 22381).

Follow the guidelines from your antivirus software vendor. Verify that the antivirus software you select is confirmed to be compatible with your domain controllers. Test your chosen antivirus software solution thoroughly in a lab environment to ensure that the software does not compromise the stability of your system.

Antivirus software has been known to cause blue screens on domain controllers. Before you install antivirus software or any update to that software on domain controllers in a domain, test lab domain controllers for the following issues:

Stability issues

Memory leaks

High CPU usage

Interruptions or failure of inbound and outbound replication
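The four lab checks above can be run as one scripted burn-in. The following is an added example, not code from the original article: it samples the antivirus engine's process for memory growth and CPU load at intervals and, at each sample, asks the local DC for failing inbound and outbound replication links. It assumes the engine's process name is supplied (the constructed default "MsMpEng" is Windows Defender's; substitute your vendor's) and that the ActiveDirectory PowerShell module is present, which it is once the AD DS role is installed.

```powershell
# Added example, not from the original article: a lab burn-in check that samples
# the antivirus engine's process for memory growth and CPU load while checking
# inbound and outbound replication on a test domain controller.
# Assumptions: the engine's process name is passed in (the constructed default
# "MsMpEng" is Windows Defender's; substitute your vendor's), and the
# ActiveDirectory PowerShell module is installed (it ships with the AD DS role).
[CmdletBinding()]
param(
    [string]$ProcessName = 'MsMpEng',
    [int]$Samples = 12,                 # 12 samples x 300 s = a one-hour run
    [int]$IntervalSeconds = 300,
    [int]$MemoryGrowthThresholdMB = 200,
    [int]$CpuPercentThreshold = 50
)

function Get-AvProcessSample {
    param([string]$Name)
    $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if (-not $procs) { return $null }   # engine not running is itself a finding
    [pscustomobject]@{
        Time         = Get-Date
        WorkingSetMB = [math]::Round((($procs | Measure-Object -Property WorkingSet64 -Sum).Sum) / 1MB, 1)
        CpuSeconds   = ($procs | ForEach-Object { [double]$_.CPU } | Measure-Object -Sum).Sum  # cumulative CPU time
    }
}

function Get-ReplicationProblems {
    # -PartnerType Both covers the inbound and outbound links of this DC.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Both |
        Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 } |
        Select-Object Partner, PartnerType, LastReplicationResult, ConsecutiveReplicationFailures
}

function Invoke-AvBurnInCheck {
    param([string]$Name, [int]$Count, [int]$Interval, [int]$MemThresholdMB, [int]$CpuThreshold)
    $samples  = @()
    $findings = @()
    for ($i = 0; $i -lt $Count; $i++) {
        $s = Get-AvProcessSample -Name $Name
        if ($null -eq $s) { $findings += "Sample ${i}: process '$Name' is not running (crashed or stopped?)" }
        else { $samples += $s }

        $bad = @(Get-ReplicationProblems)
        if ($bad.Count -gt 0) {
            $links = ($bad | ForEach-Object { "$($_.PartnerType) $($_.Partner) result=$($_.LastReplicationResult)" }) -join '; '
            $findings += "Sample ${i}: $($bad.Count) replication link(s) failing: $links"
        }
        if ($i -lt $Count - 1) { Start-Sleep -Seconds $Interval }
    }

    if ($samples.Count -ge 2) {
        $first = $samples[0]; $last = $samples[-1]
        $growthMB = $last.WorkingSetMB - $first.WorkingSetMB
        if ($growthMB -gt $MemThresholdMB) {
            $findings += "Working set grew by $growthMB MB over the run (possible leak)"
        }
        # Average CPU% = processor-seconds consumed / wall-clock seconds / logical CPUs
        $elapsed = ($last.Time - $first.Time).TotalSeconds
        if ($elapsed -gt 0) {
            $cpuPct = [math]::Round(100 * ($last.CpuSeconds - $first.CpuSeconds) / $elapsed / [Environment]::ProcessorCount, 1)
            if ($cpuPct -gt $CpuThreshold) { $findings += "Average CPU ${cpuPct}% exceeds ${CpuThreshold}%" }
        }
    }
    [pscustomobject]@{ Samples = $samples; Findings = $findings; Passed = ($findings.Count -eq 0) }
}

$result = Invoke-AvBurnInCheck -Name $ProcessName -Count $Samples -Interval $IntervalSeconds `
    -MemThresholdMB $MemoryGrowthThresholdMB -CpuThreshold $CpuPercentThreshold
$result.Samples | Format-Table -AutoSize
if ($result.Passed) { 'No stability, memory, CPU or replication findings in this run.' } else { $result.Findings }
```

Run it on the lab DC before and after installing the engine or an engine update, with the same sample count and interval, so the two runs are comparable. A blue screen during the run shows up as the process sample going missing after the reboot, which the script reports as a finding rather than silently continuing; the memory and CPU thresholds are starting points to tune against the baseline run, not fixed limits.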

The following recommendations are general and should not be construed as more important than the specific recommendations of your antivirus software vendor. These guidelines must be followed for correct Active Directory file replication operation:

Antivirus software must be installed on all domain controllers in the enterprise. Ideally, such software should also be installed on all other server and client computers that have to interact with the domain controllers. Catching the virus at the earliest point (at the firewall, or at the client computer on which the virus is first introduced) is the best way to prevent the virus from ever reaching the infrastructure systems on which all client computers depend.

Use a version of antivirus software that is confirmed to work with AD DS and that uses the correct application programming interfaces (APIs) for accessing files on the server. Some versions of antivirus software inappropriately modify file metadata while scanning, causing the FRS replication engine to perceive a file as having changed and to schedule it for replication. Some newer versions of antivirus software prevent this problem. For more information about antivirus software versions and FRS, see article 815263 in the Microsoft Knowledge Base (link 120540) and the vendor-specific sites for compliant versions.

Verify antivirus compatibility with DFS Replication, as described in Testing Antivirus Application Interoperability with DFS Replication (link 122787).

Prevent the use of domain controller systems as general workstations. Users should not use a domain controller to surf the Web or to perform any other activities that can allow the introduction of malicious code. Allow browsing of known safe sites only for the purpose of supporting server operation and maintenance.

When possible, do not use a domain controller as a file sharing server. Virus scanning software must be run against all files in the shared folders, and it can place a large load on the processor and memory resources of the server. For the same reason, the SYSVOL and Netlogon shares that are automatically created on domain controllers should not be used to distribute software or to store data.
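The interference described earlier (scanners taking exclusive locks on files that FRS, DFS Replication and the directory database itself are writing) is what vendor exclusion lists exist to prevent. The following is an added example, not code from the original article or from any vendor's documentation: it resolves the replication-critical locations on this domain controller from the registry and the DFSR WMI provider, refuses entries that would exclude a whole volume, and only registers the result when explicitly asked. It assumes Windows Defender is the engine (Add-MpPreference); other products have their own exclusion mechanism, and the vendor's documented list, not this script, is authoritative. The DFSR WMI property names (RootPath, StagingPath, ConflictPath) are taken from the root\MicrosoftDFS provider as I know it; verify them on your build.

```powershell
# Added example, not from the original article or any vendor's documentation:
# resolves the locations that AD DS, FRS and DFS Replication use on this domain
# controller, checks that none of them is a whole volume, and (only with -Apply)
# registers them as path exclusions. Assumptions: Windows Defender is the engine
# (Add-MpPreference); other products have their own exclusion mechanism and the
# vendor's documented list takes precedence. The DFSR WMI property names
# (RootPath, StagingPath, ConflictPath) are assumed from the root\MicrosoftDFS provider.
param([switch]$Apply)

function Get-DcReplicationPaths {
    $paths = [ordered]@{}

    # AD DS database, transaction logs and working folder (registry-configured)
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction Stop
    $paths['NTDS database (ntds.dit)'] = $ntds.'DSA Database file'
    $paths['NTDS transaction logs']    = $ntds.'Database log files path'
    $paths['NTDS working folder']      = $ntds.'DSA Working Directory'

    # SYSVOL share root as Netlogon publishes it
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    if ($netlogon.SysVol) { $paths['SYSVOL'] = $netlogon.SysVol }

    # Legacy FRS keeps its database and staging under its working directory
    $frs = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters' -ErrorAction SilentlyContinue
    if ($frs.'Working Directory') { $paths['FRS working folder'] = $frs.'Working Directory' }

    # DFS Replication: one config object per replicated folder; SYSVOL appears here once migrated
    $dfsr = Get-CimInstance -Namespace 'root\MicrosoftDFS' -ClassName DfsrReplicatedFolderConfig -ErrorAction SilentlyContinue
    foreach ($rf in $dfsr) {
        $name = $rf.ReplicatedFolderName
        $paths["DFSR staging ($name)"]  = $rf.StagingPath
        $paths["DFSR conflict ($name)"] = $rf.ConflictPath
        if ($rf.RootPath) {
            # The DFSR database sits in the replicated volume's System Volume Information folder
            $vol = [System.IO.Path]::GetPathRoot($rf.RootPath)
            $paths["DFSR database ($vol)"] = Join-Path $vol 'System Volume Information\DFSR'
        }
    }
    return $paths
}

function Test-ExclusionScope {
    # Every exclusion is unscanned surface; an empty entry or one that resolves to a
    # whole volume would exclude far more than the replication files. Flag, don't apply.
    param([System.Collections.IDictionary]$Paths)
    $problems = @()
    foreach ($key in $Paths.Keys) {
        $p = [string]$Paths[$key]
        if ([string]::IsNullOrWhiteSpace($p)) { $problems += "${key}: no path configured"; continue }
        $root = [System.IO.Path]::GetPathRoot($p)
        if ($p.TrimEnd('\') -eq $root.TrimEnd('\')) { $problems += "${key}: '$p' is a whole volume, which is too broad" }
    }
    return $problems
}

$paths = Get-DcReplicationPaths
$paths.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }

$problems = @(Test-ExclusionScope -Paths $paths)
$problems | ForEach-Object { Write-Warning $_ }

if ($Apply -and $problems.Count -eq 0) {
    # Path exclusions for the resolved locations, plus the replication engines themselves
    Add-MpPreference -ExclusionPath ([string[]]($paths.Values | Where-Object { $_ }))
    Add-MpPreference -ExclusionProcess 'ntfrs.exe', 'dfsr.exe'
    'Exclusions applied; review with: Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess'
}
elseif ($Apply) {
    'Not applied: fix the flagged entries first.'
}
```

Run it without -Apply first and compare the printed list with your vendor's instructions and with KB 822158; the registry lookups matter because the NTDS database and logs are often moved off the system volume, and a hardcoded default path would exclude the wrong folder. Keeping exclusions narrow is the practitioner's counterweight to the guidance above: an excluded folder is a place where malicious code is never scanned, so SYSVOL in particular should be excluded from replication-breaking locks, not forgotten.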

Revision history

Date: November 15, 2010
Revision: The list of files and folders to exclude on a domain controller was replaced with a reference to KB 822158 in order to eliminate inconsistencies and avoid duplication of content.


I realize that this thread is quite old, but I felt that the topic wasn't discussed completely, as the only mention was in regards to Anti-Virus (aka AV) software protection on the DC server.

1. In my opinion software AVs have come a long way in effectiveness, yet there are pitfalls. Not only is the AV potentially buggy, AVs have a tendency to consume memory and not release it. Not good; in a production environment, can you really afford that? Ouch.

2. Think about it: if your first line of defense starts on your DC and on other servers, you are already more than halfway defeated. Why should anyone want to begin their defense scheme on the inside of their servers? To begin the effort of putting up active resistance against threats at the core of the network universe is insane. Putting up an active defense at this layer of your security model should mean that your network has been obliterated by hackers and you are trying to save your network in a last-ditch attempt (yes, your network is no longer connected to anything on the outside and you are actively fighting the infection internally); that is how bad it should be in order to begin your defense on the DC and other servers. Filter out and actively defend against threats long before the threat is on your servers. How so? Item 3.

3. This is why some CCIE/CCNPs make the big bucks. Any organization worth their salt will buy some type of hardware from Cisco / Barracuda / Juniper, or otherwise, to get a hardware solution in place, because software AV doesn't come close to cutting the mustard. Most software AVs, even the often-touted "Enterprise" versions of Symantec, McAfee, Norton, etc., etc., etc., simply do not come close to providing you the same protection as an IronPorts setup from Cisco, or other similar products from any major vendor. For a paltry 10k out of your IT Dept budget, you can have very respectable protection that software AVs simply won't provide you.

4. I've chopped software AVs down to size, so allow me to build them back up. Software AVs, for me, are a must on any user workstations/PCs, no exceptions. They prevent the unknowing or malicious from hurting/destroying your networks from outside sources; for instance, they brought in their flash drive from home and attempted to copy some work they did at home the previous night onto their workstation. This area is the single biggest reason for having a good software AV. This is why software AV was invented (Vienna virus), for no other reason... woops, almost forgot the real reason: to heist your money. OK, OK, nm.

5. Anyways, your DC is not really going to benefit or be hindered from having software AV on it. Your DB servers and web servers are going to suffer; no software AV on them unless you really are under a known and sustained attack (you'll know of this firsthand because of IronPorts, etc., mentioned in point 3).

6. Last but not least, if you cannot afford a nice setup from Cisco or Juniper, go Linux. If you've got a spare machine or two laying around, check out your options with some of the open-source solutions available for your network. They are powerful and, as the chosen answer above highlighted, they must be configured correctly. Remember that CCIE/CCNP guy I was talking about? Yep.


Date Posted: May 2, 2012. Author: Jared Heinrichs. Posted in Active Directory 2003.

Managing Antivirus Software on Active Directory Domain Controllers