Baseline Registry Settings for new Domain Controllers

I have a list of baseline registry settings that I apply to any new domain controller. I thought I'd share the VBScript below, which sets all of these and enables some performance counters. Many of the settings are also applicable outside of a domain controller.

Note: These settings have been tested countless times with Windows Server 2003 domain controllers. I indicated where possible which settings do not apply to a Windows Server 2008 (or better) domain controller. I've used these on Windows Server 2008 domain controllers, though not nearly as many times as on prior versions.

Feel free to use this and leave a comment if you have any suggestions for additions, etc.

'==========================================================================
' NAME: Baseline Registry Settings for new Domain Controllers
'
' AUTHOR: Brian Desmond, brian@briandesmond.com
' DATE  : 8/1/2009
'
'=========================================================================
'	Version		Date		Author			Note
'	-----------------------------------------------------------------
'	1.0			01Aug09		Brian Desmond	Initial Release	
'==========================================================================

Option Explicit

Dim shl
Set shl = WScript.CreateObject("WScript.Shell")

' Enable Remote Desktop
WriteRegistry "HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", 0, "REG_DWORD"

' Set crash config settings (the CrashControl key lives under ...\Control)
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump", 1, "REG_DWORD"
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters\CrashOnCtrlScroll", 1, "REG_DWORD"
' WS03 pre SP2 requires KB244139 for the following to be effective
' WS08 pre SP2 requires KB971284 for the following to be effective
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters\CrashOnCtrlScroll", 1, "REG_DWORD"

' Log DIT whitespace info (Garbage Collection diagnostics level 1)
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\6 Garbage Collection", 1, "REG_DWORD"
' Log expensive/inefficient LDAP queries (Field Engineering diagnostics level 5,
' reported as Directory Service event 1644)
WriteRegistry "HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering", 5, "REG_DWORD"

' JET Perf counters
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Open", "OpenPerformanceData", "REG_SZ"
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Collect", "CollectPerformanceData", "REG_SZ"
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Close", "ClosePerformanceData", "REG_SZ"
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Library", "%systemroot%\system32\esentprf.dll", "REG_SZ"
WriteRegistry "HKLM\system\currentcontrolset\Services\ESENT\Performance\Squeaky Lobster", 1, "REG_DWORD"

' === Shouldn't be necessary on WS08
' set the path to the install binaries
WriteRegistry "HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath", "C:\", "REG_SZ"
WriteRegistry "HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath", "C:\", "REG_SZ"

' Import JET perf counters
' === Path under WS08 is %windir%\inf\ESENT\0000\esentprf.ini
shl.Run(shl.ExpandEnvironmentStrings("%SystemRoot%\System32\lodctr.exe %SystemRoot%\System32\esentprf.ini"))

' === Shouldn't be necessary on WS08
' Disable manage server wizard
WriteRegistry "HKEY_USERS\.Default\Software\Microsoft\Windows NT\CurrentVersion\Setup\Welcome\srvwiz", 0, "REG_DWORD"
WriteRegistry "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Setup\Welcome\srvwiz", 0, "REG_DWORD"

' === Shouldn't be necessary on WS08
' Disable SP2 SNP stuff
WriteRegistry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney", 0, "REG_DWORD"
WriteRegistry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA", 0, "REG_DWORD"
WriteRegistry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableRSS", 0, "REG_DWORD"

' writes a given value to a given registry path
' use readregistry to validate success
' this function will throw an error up the stack
Sub WriteRegistry(path, value, regType)
	Dim sbShl
	Set sbShl = WScript.CreateObject("WScript.Shell")

	sbShl.RegWrite path, value, regType

	Set sbShl = Nothing 
End Sub 

Posted Saturday, August 01 2009 11:15 AM by Brian Desmond | 5 Comments
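
The WriteRegistry comment in the script says to read values back to validate success. The following is an added example, not part of the original post, that audits a subset of the baseline and reports any value that is missing or has drifted; ReadRegistry and CheckValue are hypothetical helper names, and the expected values are copied from the script above.

```vbscript
' Added example, not from the original post: audit a subset of the baseline.
Option Explicit

Dim shl, baseline, i, drift
Set shl = WScript.CreateObject("WScript.Shell")

' Value path / expected data pairs copied from the baseline script.
' fDenyTSConnections = 0 means Remote Desktop is enabled.
baseline = Array( _
	Array("HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", 0), _
	Array("HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters\CrashOnCtrlScroll", 1), _
	Array("HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\6 Garbage Collection", 1), _
	Array("HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering", 5), _
	Array("HKLM\system\currentcontrolset\Services\ESENT\Performance\Squeaky Lobster", 1))

drift = 0
For i = 0 To UBound(baseline)
	drift = drift + CheckValue(baseline(i)(0), baseline(i)(1))
Next
WScript.Echo drift & " of " & (UBound(baseline) + 1) & " checked settings differ from the baseline"
WScript.Quit drift   ' non-zero exit code signals drift to a scheduler or monitor

' Hypothetical helper: reads a value, returns False instead of raising
' when the key or value does not exist.
Function ReadRegistry(path, ByRef actual)
	On Error Resume Next
	actual = shl.RegRead(path)
	ReadRegistry = (Err.Number = 0)
	Err.Clear
	On Error GoTo 0
End Function

' Hypothetical helper: returns 1 if the value is missing or differs, else 0.
Function CheckValue(path, expected)
	Dim actual
	CheckValue = 1
	If Not ReadRegistry(path, actual) Then
		WScript.Echo "MISSING  " & path
	ElseIf CStr(actual) <> CStr(expected) Then
		WScript.Echo "DRIFT    " & path & " = " & actual & " (expected " & expected & ")"
	Else
		WScript.Echo "OK       " & path
		CheckValue = 0
	End If
End Function
```

Run it with cscript.exe so the results go to the console rather than to message boxes.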

Comments, Trackbacks, & Pingbacks

#1 re: Baseline Registry Settings for new Domain Controllers

Sunday, August 02 2009 3:48 AM by Mike Kline

Good entry Brian!! I saw Eric Fleischman speak in the spring and he also stressed that field engineering logging be on for all DCs.

Your script is going to help a lot of people out for sure.

For readers wondering about squeaky lobster

msexchangeteam.com/.../427966.aspx

...all because of a cute girl

Talk to you later

Mike

#2 re: Baseline Registry Settings for new Domain Controllers

Wednesday, August 12 2009 9:10 PM by Rick Sheikh

Hi Brian,

Do you leave the MaxPosPhaseCorrection and MaxNegPhaseCorrection registry entries at default (for pre-08 DCs)?

Rick

#3 re: Baseline Registry Settings for new Domain Controllers

Monday, August 17 2009 9:51 PM by Kamlesh

Brian,

What about setting static network ports for NTDS & FRS replication, AD client authentication? TimePhaseCorrection entries?

I also set staging directory size for SYSVOL.

What is your recommendation on those?
