Should I install an AV product on my domain controllers?

Posted by mhud on Server Fault See other posts from Server Fault or by mhud
Published on 2009-07-29T23:06:33Z Indexed on 2012/10/05 21:41 UTC
Read the original article Hit count: 183

Should I run a server-specific antivirus, regular antivirus, or no antivirus at all on my servers, particularly my Domain Controllers?

Here's some background about why I'm asking this question:

I've never questioned that antivirus software should be running on all windows machines, period. Lately I've had some obscure Active Directory related issues that I have tracked down to antivirus software running on our domain controllers.

The specific issue was that Symantec Endpoint Protection was running on all domain controllers. Occasionally, our Exchange server triggered a false-positive in Symantec's "Network Threat Protection" on each DC in sequence. After exhausting access to all DCs, Exchange began refusing requests, presumably because it could not communicate with any Global Catalog servers or perform any authentication.

Outages would last about ten minutes at a time, and would occur once every few days. It took a long time to isolate the problem because it was not easily reproducible and generally investigation was done after the issue resolved itself.

© Server Fault or respective owner

Related posts about active-directory

Related posts about antivirus