Best Practices
All domain controllers should be kept in network server rooms that are secured against unauthorized personnel. A domain controller should not be used as a desktop computer. Ideally, the domain controllers should be kept in a card-key-access room where access is restricted to network administrators.
Domain controllers should have consistent application of security settings. You can ensure that the same security settings are applied to domain controllers by keeping all domain controllers in a common OU. The Domain Controllers OU is defined by default as the Active Directory storage location for domain controller computer accounts. Ensure that the domain controller computer accounts remain in this default OU.
Defining the security settings in a security template ensures that the security settings are reproducible. You can import the security template into a GPO linked to the Domain Controllers OU to ensure consistent application. In addition, the security template provides documentation of the security settings defined by your company for domain controllers.
If you apply the security template through a GPO other than the Default Domain Controllers Policy, you allow users to disable the security template settings by either unlinking the GPO from the Domain Controllers OU or deleting the GPO entirely. If the security template is instead imported into the Default Domain Controllers Policy GPO, which is linked to the Domain Controllers OU by default, it is more difficult to modify or reverse the settings of the security template.
Auditing should be defined in a GPO applied at the Domain Controllers OU to ensure that the Security Log contains relevant information about potential attacks against your company's domain controllers.
To maintain version control, keep all security templates in a single store or use version control software such as Microsoft Visual SourceSafe. Version control ensures that a single master version of the security template is maintained and applied to computers.
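The following is an added example, not part of the original text, showing how the template-based approach above can be made reproducible and checked for drift: a versioned security template defining the domain controller audit policy is written to a single master store, and secedit /analyze then compares a domain controller's current settings against it without changing anything. The store path, the template file name and its Revision value are assumptions; the [Event Audit] value meanings follow the security template .inf format (0 = no auditing, 1 = success, 2 = failure, 3 = success and failure).

```powershell
# Added example: write a versioned security template for domain controllers and
# compare this domain controller's effective settings against it.
# $TemplateDir and the file name are assumed values for a single master store.
$TemplateDir  = 'C:\SecurityTemplates'
$TemplatePath = Join-Path $TemplateDir 'DC-Baseline-v1.0.inf'

# Audit policy for domain controllers, in security template (.inf) syntax.
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents=3
AuditLogonEvents=3
AuditObjectAccess=2
AuditPrivilegeUse=2
AuditPolicyChange=3
AuditAccountManage=3
AuditProcessTracking=0
AuditDSAccess=3
AuditAccountLogon=3
'@

# Keep one master copy in the store; the file name carries the version.
New-Item -ItemType Directory -Path $TemplateDir -Force | Out-Null
Set-Content -Path $TemplatePath -Value $template -Encoding Unicode

# Compare the local configuration with the template. /analyze only reports
# differences into the log file; it does not apply the template.
$db  = Join-Path $env:TEMP 'dc-analyze.sdb'
$log = Join-Path $env:TEMP 'dc-analyze.log'
secedit /analyze /db $db /cfg $TemplatePath /log $log /quiet

# Show only the settings that secedit marks as differing from the template.
Get-Content -Path $log | Where-Object { $_ -match 'Mismatch' }
```

Run the script on a domain controller after the template has been imported into the GPO and Group Policy has refreshed; any line reported as a mismatch means the effective audit policy no longer matches the master template and should be investigated before the template is revised.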
You can protect domain controllers from incorrect security settings by restricting who is delegated permissions to modify the GPO that applies the security settings. In addition, you can restrict which users and groups can link GPOs to the Domain Controllers OU.
By installing two or more domain controllers in each domain, you ensure that at least one domain controller exists for the domain in case a domain controller fails. The second domain controller ensures that a domain controller is available to handle authentication requests and modifications to Active Directory objects in the event of a domain controller failure.
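The following is an added example, not part of the original text, that checks the safeguards described above from an administrator's workstation: that every domain controller computer account is in the Domain Controllers OU, that the domain has at least two domain controllers, that the GPO carrying the security template is still linked and enabled on the OU, and who holds edit rights on that GPO or write rights on the OU's gPLink attribute. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are installed and that the security template is imported into the Default Domain Controllers Policy; the schema GUID used for gPLink is the attribute's published value.

```powershell
# Added example: report on domain controller placement, redundancy, GPO linkage
# and delegation. Requires the ActiveDirectory and GroupPolicy modules (RSAT).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$dcOu    = "OU=Domain Controllers,$($domain.DistinguishedName)"
$gpoName = 'Default Domain Controllers Policy'   # assumed: GPO that carries the template

# 1. Every domain controller computer account should remain in the Domain Controllers OU.
$dcs = @(Get-ADDomainController -Filter *)
foreach ($dc in $dcs) {
    $parent = ($dc.ComputerObjectDN -split ',', 2)[1]
    if ($parent -ne $dcOu) {
        Write-Warning "$($dc.HostName) is in '$parent', not in the Domain Controllers OU"
    }
}

# 2. At least two domain controllers per domain, so one failure does not stop authentication.
if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) domain controller(s) found in $($domain.DNSRoot)"
}

# 3. The GPO that applies the security template must still be linked and enabled on the OU.
$link = (Get-GPInheritance -Target $dcOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $link) {
    Write-Warning "'$gpoName' is not linked to $dcOu"
} elseif (-not $link.Enabled) {
    Write-Warning "The link for '$gpoName' on $dcOu is disabled"
}

# 4. Who can edit or delete the GPO. Anything beyond the built-in administrative
#    groups should match your delegation records.
Write-Output "Principals with edit rights on '$gpoName':"
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5. Who can change which GPOs are linked to the OU: write access to the gPLink
#    attribute (schema GUID f30e3bbe-9ff0-11d1-b603-0000f80367c1) or to all
#    attributes (an empty ObjectType) grants that ability.
$gpLinkGuid = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
Write-Output "Principals able to change GPO links on $dcOu:"
(Get-Acl -Path "AD:\$dcOu").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' -and
        ($_.ObjectType -eq $gpLinkGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights
```

The output is a review list rather than a pass/fail verdict: the principals it reports should be compared against the delegation your company has documented, and any unexpected entry, unlinked or disabled GPO, or domain controller outside the OU is a deviation from the practices above.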