Hmm.. I have never experienced this with either McAfee or Symantec AV on any
of the DCs that I have built and/or maintained. Have you had a chance to
run chkdsk /r yet? More than likely the problem is bad clusters on the drive
which caused the NTDS.DIT file to become corrupt.
Was this server built using IDE /ATA/SATA drives?
Jose
----- Original Message -----
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Saturday, December 03, 2005 10:58 PM
Subject: [ActiveDir] Ntds.dit file corruption
SBS box [with Windows 2003 sp1 since September]
RE: [ActiveDir] Database Corruption:
http://www.mail-archive.com/[email protected]/msg32676.html
We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant and
PSS have been banging on. Could not get the services back running,
changed the RPC service to local system and some service came back up [I
don't have all the details but the consultant opened a support case of
SRX051202605433].
Bottom line they are about going to give up and start a restore but before
they do that I'd like to get the view of the AD gods and goddesses around
here. From all that I've seen, read, seen in the SBS newsgroup, the
corruption of ntds.dit is rare to nil and an underlying cause is hardware
issues [raid, disk subsystem]. This doesn't just happen.
The VAP asked if not properly excluding the AD databases from the a/v
would cause this/trigger this and my expectation is 'no', given that I
doubt the majority of us in SBSland properly set up exclusions.
Virus scanning recommendations on a Windows 2000 or on a Windows Server
2003 domain controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
If this were my hardware and box, I'd be putting this sucker on the
operating table and getting an autopsy before putting it back online.
Are we right in being paranoid now about this hardware? For you guys in
big server land you'd just slide over another box into that server role.
---------------------------------------
Stupid question alert....
Okay so we know that having a secondary/additional domain controller is a
good thing even in SBSland...but question.... many times the second server
in SBSland is a terminal server box because we do not support TS in app
mode on our PDCs. So we've established that having a domain controller and
a terminal server is a security issue [see Windows Security resource kit,
NIST Terminal services hardening guide, etc etc....] If our second server
is a member server handing out TS externally, should that be a candidate
for the additional DC? Are the issues of TS on a DC ... true for 'any'
DC? Would it be better then to Vserver/VPC a Win2k3 inside a workstation
in the network if a third server box was not feasible?
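Two checks a defender would run on a box like this, as an added example that is not part of the thread: one reads the database, log and SYSVOL locations the DC actually uses from the NTDS and Netlogon registry parameters and compares them against the antivirus exclusion list that KB 822158 recommends; the other pulls recent disk and NTFS events from the System log to support or rule out the bad-cluster theory before committing to a restore. It assumes Microsoft Defender (`Get-MpPreference`) for the exclusion list; for another AV product, pass that product's exclusion paths to `-Exclusions` instead.

```powershell
# Added example, not code from the thread. Assumes Microsoft Defender for the
# exclusion list; any other product's exclusion paths can be passed in.
#Requires -RunAsAdministrator

function Get-AdProtectedPaths {
    # Documented NTDS / Netlogon parameter values that locate the AD files.
    $ntds     = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $paths = @(
        (Split-Path -Parent $ntds.'DSA Database file'),   # folder holding ntds.dit
        $ntds.'Database log files path',                   # edb*.log, edb.chk
        $ntds.'DSA Working Directory',                     # temp.edb
        $netlogon.SysVol                                   # SYSVOL tree
    )
    return $paths | Where-Object { $_ } | Select-Object -Unique
}

function Test-AdExclusions {
    param(
        # Default: Defender's path exclusions. Replace for other AV products.
        [string[]]$Exclusions = (Get-MpPreference).ExclusionPath
    )
    foreach ($p in Get-AdProtectedPaths) {
        $norm = $p.TrimEnd('\')
        # A path counts as covered if it, or any parent folder, is excluded.
        $covered = @($Exclusions | Where-Object {
            $norm.StartsWith($_.TrimEnd('\'), [System.StringComparison]::OrdinalIgnoreCase)
        })
        [pscustomobject]@{
            Path     = $norm
            Excluded = ($covered.Count -gt 0)
        }
    }
}

function Get-DiskErrorEvents {
    param([int]$Days = 30)
    # Disk and NTFS provider events (bad blocks, corruption notices) from the
    # System log; an empty result weakens, but does not disprove, a hardware cause.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'disk', 'Ntfs'
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

Test-AdExclusions   | Format-Table -AutoSize
Get-DiskErrorEvents | Format-Table -AutoSize -Wrap
```

Any row with `Excluded` reporting `False` is a gap against the KB 822158 guidance; the event listing is read alongside a `chkdsk /r` result, since the two together are what separates a one-off file corruption from a failing disk subsystem.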
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/