ntds.dit and EFS


jamestulloch

Hi,

Has anyone out there completely encrypted a 2003 DC using EFS including
the AD database itself?

I have been asked to do this for my client but I am not confident that
it is a good idea. They want to protect themselves if someone walks off
with a DC.

TIA

James
 
Encrypting system files (NTDS.DIT is one, being the DB for AD) can make
your system unbootable. I'm not even sure if it is supported...

It is not possible to encrypt the NTDS.DIT using EFS as the DB is being used
by the system.

For your issue at this moment you have the following solutions:
* Make sure the DC is placed within a SECURE location
* Place that DC within a virtual machine on a host and then encrypt the
virtual machine files...

Windows Server Longhorn will have a better solution for you, introducing a
Read-Only domain controller.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 