Monday, January 26, 2009

Windows Admin Laundry List

Gleaned from my dusty notes from my days of doing sysadmin work, and briefly as a consultant.  Some of these are rather obvious to most geeks.  It's only a summary, but hopefully it helps someone.

Keep a log of all Active Directory account or structural changes (renaming OUs, special accounts or objects, etc.).  It will come in handy when you need to do an authoritative restore of deleted objects and you can't figure out why the ntdsutil "restore subtree" command fails to find the objects you're trying to restore: it wants the distinguished name as it existed at the time of the backup, so a renamed or moved OU in between is exactly the kind of thing you need written down.
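Added example, not part of the original post: rather than relying only on a hand-kept log, let the domain controller write one for you.  This enables the "Directory Service Changes" audit subcategory (Windows Server 2008 or later) and dumps the resulting change events to a dated CSV.  The output folder is an assumption; auditing only fires for objects whose SACL asks for it, so if nothing shows up check the Auditing tab on the OU.

```powershell
# Added example (not from the original post). Run on a 2008-or-later DC as a
# Domain Admin. C:\ADChangeLog is an assumed location.

# 1. Turn on success auditing for directory service changes.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Pull the last week of change events from the Security log.
#    5136 = object modified, 5137 = created, 5138 = undeleted,
#    5139 = moved, 5141 = deleted
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5138, 5139, 5141
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Flatten the EventData XML into one row per change and save it.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Who    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object = if ($d['ObjectDN']) { $d['ObjectDN'] } else { $d['OldObjectDN'] }  # 5139 uses Old/NewObjectDN
        NewDN  = $d['NewObjectDN']
        Class  = $d['ObjectClass']
        Attr   = $d['AttributeLDAPDisplayName']
        Value  = $d['AttributeValue']
    }
}

New-Item -ItemType Directory -Path C:\ADChangeLog -Force | Out-Null
$rows | Export-Csv -Path "C:\ADChangeLog\changes_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Schedule the script weekly and you have the DN history you need when "restore subtree" comes up empty.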

If you're running Windows Server 2003, be aware that SP1 changed the default tombstone lifetime from 60 to 180 days, but only for forests created with SP1 (or later) media.  An existing forest keeps 60 days until you raise the tombstoneLifetime attribute yourself.  Factor this into your backup plans: a system state backup older than the tombstone lifetime cannot be used to restore a domain controller.
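Added example, not part of the original post: read the forest's effective tombstone lifetime, raise it to 180 days if it is still at the old default, and warn if the newest DC backup is already too old to be usable.  It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT); the backup date is a placeholder you would replace with the real one.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module; run as an Enterprise Admin since the object lives in the
# configuration partition.
Import-Module ActiveDirectory

$config = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
                       -Properties tombstoneLifetime

# If the attribute has never been set, the forest runs the pre-SP1 default of 60 days.
$tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
"Effective tombstone lifetime: $tsl days"

# Raise it to the 180-day default used by forests built with SP1 or later media.
if ($tsl -lt 180) {
    Set-ADObject -Identity $dsObj -Replace @{ tombstoneLifetime = 180 }
    $tsl = 180
    "tombstoneLifetime raised to 180 days"
}

# A DC backup older than the tombstone lifetime is useless for restore.
$newestBackup = Get-Date '2009-01-01'   # assumed value; substitute your real backup date
$ageDays = ((Get-Date) - $newestBackup).Days
if ($ageDays -gt $tsl) {
    Write-Warning "Newest DC backup is $ageDays days old, past the $tsl-day tombstone lifetime. Take a fresh one."
} else {
    "Newest DC backup is $ageDays days old; still restorable"
}
```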

Treat your AD schema like it's your bank account.  Don't tinker with it unless you have a ROCK SOLID reason to do so.  Schema additions can be deactivated but never deleted, so if you f**k up your AD schema the only way back is a full forest recovery.  I've done it in a lab setup and it works, but it's not without risk.  Keep the Schema Admins group empty except while a planned change is being made, and test the change in a lab first.

When installing a new domain controller, use the install from media (IFM) option rather than letting it pull the whole directory over the wire.  On Windows Server 2003 that means restoring a recent system state backup to an alternate location and running dcpromo /adv; on 2008 you generate the media with ntdsutil's "ifm" command.  It will cut down replication traffic and catch-up time, especially for a DC across a slow link.

Change the DSRM administrator password using ntdsutil on a regular basis, and especially after key personnel changes.  It is a local account on each domain controller, not a domain account, so reset it on every DC and record that you did.

Use Group Policy to configure standard settings on multiple computers or users whenever possible.  Things like restricted groups, firewall exceptions, remote desktop settings and so forth.  If any particular computers or users need unique settings, put them in a separate OU and still strive to use Group Policy for managing settings, so the exception is visible in the OU structure instead of living as a manual tweak on one box.
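Added example, not part of the original post: a baseline GPO that turns the firewall on, opens the Remote Desktop exception for the domain profile and enables RDP, linked to a workstation OU, plus a small override GPO for a child OU whose machines must not accept RDP.  It assumes the GroupPolicy module (Windows Server 2008 R2 / RSAT); the OU distinguished names and GPO names are made up for the example.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module.
# OU names and GPO names are assumptions.
Import-Module GroupPolicy

$stdOU = 'OU=Workstations,DC=example,DC=com'            # assumed
$exOU  = 'OU=Kiosks,OU=Workstations,DC=example,DC=com'  # assumed: machines needing different settings

# --- Baseline GPO for every workstation ---
$base = New-GPO -Name 'Workstation Baseline' -Comment 'Standard settings for all workstations'
$fw   = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$ts   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Windows Firewall on for the domain profile.
Set-GPRegistryValue -Name $base.DisplayName -Key $fw -ValueName 'EnableFirewall' -Type DWord -Value 1
# Firewall exception: inbound Remote Desktop, but only from the local subnet.
Set-GPRegistryValue -Name $base.DisplayName -Key "$fw\Services\RemoteDesktop" -ValueName 'Enabled' -Type DWord -Value 1
Set-GPRegistryValue -Name $base.DisplayName -Key "$fw\Services\RemoteDesktop" -ValueName 'RemoteAccessAddresses' -Type String -Value 'LocalSubnet'
# Allow users to connect remotely (fDenyTSConnections = 0 means RDP enabled).
Set-GPRegistryValue -Name $base.DisplayName -Key $ts -ValueName 'fDenyTSConnections' -Type DWord -Value 0

New-GPLink -Name $base.DisplayName -Target $stdOU -LinkEnabled Yes | Out-Null

# --- Override for the exception OU: same mechanism, different values ---
# A GPO linked to the child OU is applied after the parent's, so it wins.
$kiosk = New-GPO -Name 'Kiosk Overrides' -Comment 'No RDP on kiosk machines'
Set-GPRegistryValue -Name $kiosk.DisplayName -Key $ts -ValueName 'fDenyTSConnections' -Type DWord -Value 1
Set-GPRegistryValue -Name $kiosk.DisplayName -Key "$fw\Services\RemoteDesktop" -ValueName 'Enabled' -Type DWord -Value 0
New-GPLink -Name $kiosk.DisplayName -Target $exOU -LinkEnabled Yes | Out-Null

# Show what is linked where.
Get-GPInheritance -Target $exOU | Select-Object -ExpandProperty GpoLinks | Format-Table DisplayName, Enabled, Enforced
```

Run gpupdate /force on a test machine from each OU and confirm the effective value of fDenyTSConnections before rolling it out; a GPO that silently disables RDP on the wrong OU is a long walk to the server room.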

Capture key file/print/web servers with a P2V conversion so you have a "plan B" image for recovery.

Virtualize at least one DC for fault tolerance and recovery, but never revert a virtual DC to a snapshot or restore it from a VM-level image: the DC's USNs go backwards, NTDS detects the rollback and quarantines the DC from replication (event 2095 in the Directory Service log), and the only clean fix is to demote and re-promote it.  Back up DCs with system state backups, and keep at least one DC on separate hardware from the rest.
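Added example, not part of the original post: a check to run on each virtualized DC (Windows Server 2008 or later) for the two signs of a USN rollback, the "DSA Not Writable" registry flag that NTDS sets and the 2095 event it logs, followed by a quick replication status.

```powershell
# Added example (not from the original post). Run locally on each virtual DC.
# After a snapshot revert NTDS sets "DSA Not Writable" = 4 under the NTDS
# parameters key and logs event 2095, and replication in both directions stops.
# Clearing the flag by hand does not fix the directory; demote and re-promote.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$flag = (Get-ItemProperty -Path $ntds -Name 'DSA Not Writable' -ErrorAction SilentlyContinue).'DSA Not Writable'

$rollback = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                         -MaxEvents 1 -ErrorAction SilentlyContinue

if ($flag -eq 4 -or $rollback) {
    Write-Warning "$env:COMPUTERNAME: USN rollback detected; this DC is quarantined from replication. Demote and re-promote it."
    if ($rollback) { $rollback | Format-List TimeCreated, Message }
} else {
    "$env:COMPUTERNAME: no USN rollback detected"
}

# Replication partners and last result for this DC.
repadmin /showrepl $env:COMPUTERNAME
```

If the check fires on a DC that was reverted "just for a minute", do not wait for it to sort itself out; every other DC has already moved past the USNs this one will re-issue.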
