A. Protecting your DCs from viruses is vital. Here are some important guidelines:

  • Ensure that the antivirus software is certified for the version of Windows you're running.
  • Use antivirus software that's Active Directory (AD)-aware.
  • Don't perform actions from a DC that might make it more susceptible to viruses (e.g., surfing the Web).
  • Avoid using a DC as a file share if load on the machine is a concern; the additional work involved in virus-scanning files on the shares will stress the DC.
  • Don't place the AD or File Replication Service (FRS) database and log files on a compressed NTFS volume.
  • Ensure that your virus scanner doesn't scan the following AD database files. (These are the default locations, so you might need to modify the pathnames if you specified nondefault folders during AD creation.) - %windir%\ntds\ntds.dit
    - %windir%\ntds\ntds.pat
    - %windir%\ntds\EDB*.log
    - %windir%\ntds\Res1.log
    - %windir%\ntds\Res2.log
    - %windir%\ntds\Temp.edb
    - %windir%\ntds\Edb.chk
  • Ensure that your virus scanner doesn't scan the following FRS files. (These are the default locations, so you might need to modify the pathnames if you specified nondefault folders during AD creation.)
    - %windir%\ntfrs\jet\ntfrs.jdb
    - %windir%\ntfrs\jet\sys\edb.chk
    - %windir%\ntfrs\jet\log\*.log
  • Also exclude these SYSVOL areas:
    - %windir%\sysvol\staging areas
    - %windir%\sysvol\sysvol