Antivirus on a Domain Controller

I need an expert's opinion on installing antivirus on domain controllers. Would you recommend installing antivirus on DCs? If so, do we have to exclude any folders?
I took over as AD admin and noticed that user logons take a while. The network has all new DCs with plenty of memory. I have seen the GP part loading for a long time.
Could that be due to the antivirus, and do some folders need to be excluded?
Asked by sara2000
Alex Green (Project Systems Engineer) commented:
https://support.microsoft.com/en-gb/help/822158/virus-scanning-recommendations-for-enterprise-computers-that-are-runni


Yes, it should be on there. Plus, this has the best practice for you.


If you don't want to click:

Running antivirus software on domain controllers

Because domain controllers provide an important service to clients, the risk of disruption of their activities from malicious code, from malware, or from a virus must be minimized. Antivirus software is the generally accepted way to lessen the risk of infection. Install and configure antivirus software so that the risk to the domain controller is reduced as much as possible and so that performance is affected as little as possible. The following list contains recommendations to help you configure and install antivirus software on a Windows Server domain controller.

Warning: We recommend that you apply the following specified configuration to a test system to make sure that in your specific environment it does not introduce unexpected factors or compromise the stability of the system. The risk from too much scanning is that files are inappropriately flagged as changed. This results in too much replication in Active Directory. If testing verifies that replication is not affected by the following recommendations, you can apply the antivirus software to the production environment.

Note: Specific recommendations from antivirus software vendors may supersede the recommendations in this article.

- Antivirus software must be installed on all domain controllers in the enterprise. Ideally, try to install such software on all other server and client systems that have to interact with the domain controllers. It is optimal to catch the malware at the earliest point, such as at the firewall or at the client system where the malware is introduced. This prevents the malware from ever reaching the infrastructure systems that the clients depend on.
- Use a version of antivirus software that is designed to work with Active Directory domain controllers and that uses the correct Application Programming Interfaces (APIs) to access files on the server. Older versions of most vendor software inappropriately change a file's metadata as the file is scanned. This causes the File Replication Service engine to recognize a file change and therefore schedule the file for replication. Newer versions prevent this problem.
  For more information, see Microsoft Knowledge Base article 815263, "Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service".
- Do not use a domain controller to browse the Internet or to perform other activities that may introduce malicious code.
- We recommend that you minimize the workloads on domain controllers. When possible, avoid using domain controllers in a file server role. This lowers virus-scanning activity on file shares and minimizes performance overhead.
- Do not put Active Directory or FRS database and log files on NTFS file system compressed volumes.
  For more information, see Microsoft Knowledge Base article 318116, "Issues with Jet databases on compressed drives".
Turn off scanning of Active Directory and Active Directory-related files

- Exclude the main NTDS database files. The location of these files is specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File
  The default location is %windir%\Ntds. Specifically, exclude the following files:
    Ntds.dit
    Ntds.pat
- Exclude the Active Directory transaction log files. The location of these files is specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path
  The default location is %windir%\Ntds. Specifically, exclude the following files:
    EDB*.log
    Res*.log
    Edb*.jrs
    Ntds.pat
  Note: Windows Server 2003 no longer uses the Ntds.pat file.
- Exclude the files in the NTDS working folder that is specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory
  Specifically, exclude the following files:
    Temp.edb
    Edb.chk
Turn off scanning of SYSVOL files

- Turn off scanning of files in the File Replication Service (FRS) working folder that is specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory
  The default location is %windir%\Ntfrs. Exclude the following files that exist in the folder:
    edb.chk in the %windir%\Ntfrs\jet\sys folder
    Ntfrs.jdb in the %windir%\Ntfrs\jet folder
    *.log in the %windir%\Ntfrs\jet\log folder
- Turn off scanning of files in the FRS database log files that are specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\DB Log File Directory
  The default location is %windir%\Ntfrs. Exclude the following files:
    Edb*.log (if the registry key is not set)
    FRS Working Dir\Jet\Log\Edb*.jrs
  Note: Settings for specific file exclusions are documented here for completeness. By default, these folders allow access only to System and Administrators. Please verify that the correct protections are in place. These folders contain only component working files for FRS and DFSR.
- Turn off scanning of the NTFRS staging folder as specified in the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage
  By default, staging uses the following location:
    %systemroot%\Sysvol\Staging areas
- Turn off scanning of the DFSR staging folder as specified in the msDFSR-StagingPath attribute of the object CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DomainControllerName,OU=Domain Controllers,DC=DomainName in AD DS. This attribute contains the path to the actual location that DFS Replication uses to stage files.
  Exclude the following files:
    Ntfrs_cmp*.*
    *.frx
- Turn off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder.
  The current location of the Sysvol\Sysvol or SYSVOL_DFSR\Sysvol folder and all the subfolders is the file system reparse target of the replica set root. The Sysvol\Sysvol and SYSVOL_DFSR\Sysvol folders use the following locations by default:
    %systemroot%\Sysvol\Domain
    %systemroot%\Sysvol_DFSR\Domain
  The path to the currently active SYSVOL is referenced by the NETLOGON share and can be determined from the following registry value (value name SysVol):
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters\SysVol
  Exclude the following files from this folder and all its subfolders:
    *.adm
    *.admx
    *.adml
    Registry.pol
    *.aas
    *.inf
    Scripts.ini
    *.ins
    Oscfilter.ini
- Turn off scanning of files in the FRS preinstall folder that is in the following location:
    Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
  The preinstall folder is always open when FRS is running.
  Exclude the following files from this folder and all its subfolders:
    Ntfrs*.*
- Turn off scanning of files in the DFSR database and working folders. The location is specified by the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File=Path
  In this registry key, "Path" is the path of an XML file that states the name of the replication group. In this example, the path would contain "Domain System Volume."
  The default location is the following hidden folder:
    %systemdrive%\System Volume Information\DFSR
  If any one of these folders or files is moved or is put in a different location, scan or exclude the equivalent element.
  Exclude the following files from this folder and all its subfolders:
    $db_normal$
    FileIDTable_*
    SimilarityTable_*
    *.xml
    $db_dirty$
    $db_clean$
    $db_lost$
    Dfsr.db
    Fsr.chk
    *.frx
    *.log
    Fsr*.jrs
    Tmp.edb
Turn off scanning of DFS files

The same resources that are excluded for a SYSVOL replica set must also be excluded when FRS or DFSR is used to replicate shares that are mapped to the DFS root and link targets on Windows Server 2008 R2-based, Windows Server 2008-based, Windows Server 2003-based member computers or domain controllers.

Turn off scanning of DHCP files

By default, DHCP files that should be excluded are present in the following folder on the server:
  %systemroot%\System32\DHCP
Exclude the following files from this folder and all its subfolders:
  *.mdb
  *.pat
  *.log
  *.chk
  *.edb
The location of DHCP files can be changed. To determine the current location of the DHCP files on the server, check the DatabasePath, DhcpLogFilePath, and BackupDatabasePath parameters that are specified in the following registry subkey:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

Turn off scanning of DNS files

By default, DNS uses the following folder:
  %systemroot%\System32\Dns
Exclude the following files from this folder and all its subfolders:
  *.log
  *.dns
  BOOT

Turn off scanning of WINS files

By default, WINS uses the following folder:
  %systemroot%\System32\Wins
Exclude the following files from this folder and all its subfolders:
  *.chk
  *.log
  *.mdb
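The article above tells you where each path is recorded (NTDS registry values, the Netlogon SysVol value, the msDFSR-StagingPath attribute on the DC's SYSVOL Subscription object, the DHCPServer parameters) but leaves the lookup and the exclusion configuration to you. The script below is an added example, not part of the KB article or of any poster's comment, that does both for Microsoft Defender Antivirus and then runs the replication check the article's warning asks for. It assumes Windows Server 2012 R2 or later, Defender as the engine, the ActiveDirectory and DFSR PowerShell modules, and SYSVOL replicated by DFSR; the FRS and DHCP values are read only if they exist. It excludes the folders that contain the listed files rather than the individual file patterns, which is broader than the article and relies on the NTFS ACLs the article's note tells you to verify.

```powershell
# Added example (not from the KB article or any poster): derive DC exclusions from
# the locations the article cites, apply them to Microsoft Defender Antivirus, then
# check SYSVOL and AD replication. Run in an elevated PowerShell on the DC.
# Assumes: Windows Server 2012 R2+, Defender, ActiveDirectory + DFSR modules,
# SYSVOL replicated by DFSR. Folder-level exclusions (broader than the article).
#Requires -RunAsAdministrator
Import-Module ActiveDirectory, DFSR

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null (no exception) when the key or value is absent, e.g. no DHCP role.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [Environment]::ExpandEnvironmentVariables($item.$Name) }
}

$ntds     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ntfrs    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$dhcp     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'
$paths    = New-Object System.Collections.Generic.List[string]

# 1. AD database file, transaction log folder and working folder.
$dit = Get-RegValue $ntds 'DSA Database File'          # e.g. C:\Windows\NTDS\ntds.dit
if ($dit) { $paths.Add($dit) }
foreach ($n in 'Database Log Files Path', 'DSA Working Directory') {
    $d = Get-RegValue $ntds $n; if ($d) { $paths.Add($d) }
}

# 2. The active SYSVOL (what NETLOGON shares) and the staging areas beside it.
$sysvol = Get-RegValue $netlogon 'SysVol'              # e.g. C:\Windows\SYSVOL_DFSR\sysvol
if ($sysvol) {
    $paths.Add($sysvol)
    $paths.Add((Join-Path (Split-Path $sysvol -Parent) 'staging areas'))
}

# 3. DFSR staging path from this DC's SYSVOL Subscription object, plus the DFSR database.
$dcDn  = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
$sub   = Get-ADObject -Identity $subDn -Properties 'msDFSR-StagingPath' -ErrorAction SilentlyContinue
if ($sub.'msDFSR-StagingPath') { $paths.Add($sub.'msDFSR-StagingPath') }
$paths.Add("$env:SystemDrive\System Volume Information\DFSR")

# 4. FRS working folder, present only on DCs that still replicate SYSVOL with FRS.
$frs = Get-RegValue $ntfrs 'Working Directory'; if ($frs) { $paths.Add($frs) }

# 5. DHCP (role may be absent) and DNS.
foreach ($n in 'DatabasePath', 'DhcpLogFilePath', 'BackupDatabasePath') {
    $d = Get-RegValue $dhcp $n; if ($d) { $paths.Add($d) }
}
$paths.Add("$env:SystemRoot\System32\dns")

$paths = $paths | Sort-Object -Unique
'Excluding:'; $paths

# Add-MpPreference appends to the existing exclusion list; it never removes entries.
Add-MpPreference -ExclusionPath $paths

# Confirm the result and fail loudly if the database itself is not covered.
$effective = (Get-MpPreference).ExclusionPath
if ($dit -and $effective -notcontains $dit) { throw "ntds.dit ($dit) is not excluded" }

# The article's warning: excessive scanning shows up as churn in SYSVOL replication.
# Report the DFSR backlog to every partner (Get-DfsrBacklog returns at most 100
# items, so 100 means "at least 100") and the AD replication summary.
$partners = Get-ADDomainController -Filter * | Where-Object Name -ne $env:COMPUTERNAME
foreach ($p in $partners) {
    $backlog = @(Get-DfsrBacklog -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' `
                   -SourceComputerName $env:COMPUTERNAME -DestinationComputerName $p.Name)
    '{0} -> {1}: {2} file(s) in SYSVOL backlog' -f $env:COMPUTERNAME, $p.Name, $backlog.Count
}
repadmin /replsummary
```

Two caveats before running it in production. First, run `Get-MpPreference` on its own beforehand: Defender on Windows Server 2016 and later already applies automatic exclusions for installed roles such as AD DS, DNS and DHCP, so some of these entries may be redundant. Second, every path on this list is a place the scanner will never look, which is exactly what an attacker with admin rights wants; keep the list as short as the article allows, keep the ACLs on those folders restricted to SYSTEM and Administrators as the article's note says, and alert on Defender operational event 5007 (configuration change) so additions to the exclusion list do not go unnoticed.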

Paul MacDonald (Director, Information Systems) commented:
"Would you recommend to install antivirus on DCs..."
Yes.

"...if so do we have to exclude any folders?"
Not unless you were having problems with false positives.

There can be many reasons for a long login process. I wouldn't assume it was the antivirus. Does your product have a firewall with it, or do you use the built-in Windows Firewall? Something like that might be an issue.
John (Business Consultant, Owner) commented:
Would you recommend to install antivirus on DCs if so do we have to exclude any folders?

Yes, on all servers. In addition to the above suggestions, you may need to make exclusions for applications as well. Antivirus can ruthlessly quarantine good applications that it does not know about, making you reinstall the applications. I have had to do this.

But server antivirus picks up files with viruses that users have (inadvertently) uploaded.

So do not go without protection.
masnrock commented:
"I need an expert's opinion on installing antivirus on domain controllers. Would you recommend installing antivirus on DCs? If so, do we have to exclude any folders?"
YES YES YES install AV. You probably do need sets of exclusions. Alex's post probably has a lot of what you need. But whatever AV you get, make sure that it's a version that's designed for servers!

"I took over as AD admin and noticed that user logons take a while. The network has all new DCs with plenty of memory. I have seen the GP part loading for a long time.
Could that be due to the antivirus, and do some folders need to be excluded?"
This could be a number of things, including AV. But exclusions MIGHT help. You should look at the log of what is getting scanned. Adjust appropriately for your environment. Better yet, work with support from your antivirus vendor.