SBS box [with Windows 2003 sp1 since September]

RE: [ActiveDir] Database Corruption:
http://www.mail-archive.com/[email protected]/msg32676.html

We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant and PSS have been banging on. Could not get the services back running, changed the RPC service to local system and some service came back up [I don't have all the details but the consultant opened a support case of SRX051202605433]. Bottom line they are about to give up and start a restore, but before they do that I'd like to get the view of the AD gods and goddesses around here.

From all that I've seen, read, seen in the SBS newsgroup, the corruption of ntds.dit is rare to nil and an underlying cause is hardware issues [raid, disk subsystem]. This doesn't just happen. The VAP asked if not properly excluding the AD databases from the a/v would cause this/trigger this and my expectation is 'no', given that I doubt the majority of us in SBSland properly set up exclusions.

Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003 domain controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158

If this were my hardware and box, I'd be putting this sucker on the operating table and getting an autopsy before putting it back online.

Are we right in being paranoid now about this hardware? For you guys in big server land you'd just slide over another box into that server role.

---------------------------------------
Stupid question alert....

Okay so we know that having a secondary/additional domain controller is a good thing even in SBSland...but question.... many times the second server in SBSland is a terminal server box because we do not support TS in app mode on our PDCs. So we've established that having a domain controller and a terminal server is a security issue [see Windows Security resource kit, NIST Terminal services hardening guide, etc etc....]. If our second server is a member server handing out TS externally, should that be a candidate for the additional DC? Are the issues of TS on a DC ... true for 'any' DC? Would it be better then to Vserver/VPC a Win2k3 inside a workstation in the network if a third server box was not feasible?
