I often see my customers running things other than Active Directory Domain Services (ADDS) on Domain Controllers. These can range from the relatively innocuous (KMS) to the downright ludicrous (Exchange). Until now, I haven’t been able to point to anything official from Microsoft to state that this is not a good idea. Anyway, fellow Directory Services MVP Joe “Won’t Leave The Shire” Richards recently found this guidance in the new Best Practices for Securing Active Directory:
Domain controllers should be treated as critical infrastructure components, secured more stringently and configured more rigidly than file, print, and application servers. Domain controllers should not run any software that is not required for the domain controller to function or doesn’t protect the domain controller against attacks.
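The guidance above is easy to state and hard to verify by hand, so here is an added example (not from the original post and not a Microsoft script) of a PowerShell inventory you can run on a domain controller to see what is installed beyond AD DS and then judge each item against the "required to function or protects the DC" bar. It assumes it runs elevated on the DC with the ServerManager module available; the $allowedRoles list is an illustrative baseline you would adjust to your own build standard, not a list taken from the guidance.

```powershell
# Added example: inventory a domain controller for software beyond AD DS.
# Assumptions: Windows Server with the ServerManager module, run elevated on the DC.
# $allowedRoles is an illustrative baseline (assumption), not a Microsoft-published list.
$allowedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')

# 1. Installed server roles that are not in the baseline (e.g. Web-Server, Print-Services).
$extraRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $allowedRoles } |
    Select-Object Name, DisplayName

# 2. Services whose binary does not live under the Windows directory.
#    These are usually third-party agents or applications and deserve a second look.
$windowsDir = [regex]::Escape($env:SystemRoot)
$thirdPartyServices = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch $windowsDir } |
    Select-Object Name, State, StartMode, PathName

# 3. Installed programs from both the 64-bit and 32-bit uninstall registry views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installedPrograms = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, DisplayVersion |
    Sort-Object DisplayName

# Report: anything listed here should be either required for the DC to function,
# protective (EDR, backup agent), or a candidate for removal.
"== Roles outside the baseline on $env:COMPUTERNAME =="
$extraRoles | Format-Table -AutoSize

"== Services with binaries outside $env:SystemRoot =="
$thirdPartyServices | Format-Table -AutoSize -Wrap

"== Installed programs (review each against the DC baseline) =="
$installedPrograms | Format-Table -AutoSize
```

Run it across all DCs with Invoke-Command against the output of (Get-ADDomainController -Filter *).HostName and diff the results; a DC whose inventory differs from the rest is the first one to ask questions about. Expect legitimate protective software (EDR, backup agents, monitoring) to show up in sections 2 and 3; the point is to have a written justification for every line, not to reach an empty list.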