Running other things on Domain Controllers

May 29, 2013

I often see my customers running things other than Active Directory Domain Services (ADDS) on Domain Controllers.  These can range from the relatively innocuous (KMS) to the downright ludicrous (Exchange).  Until now, I haven’t been able to point to anything official from Microsoft to state that this is not a good idea.  Anyway, fellow Directory Services MVP Joe “Won’t Leave The Shire” Richards recently found this guidance in the new Best Practices for Securing Active Directory:

Domain controllers should be treated as critical infrastructure components, secured more stringently and configured more rigidly than file, print, and application servers. Domain controllers should not run any software that is not required for the domain controller to function or doesn’t protect the domain controller against attacks.

Source: http://www.microsoft.com/en-us/download/details.aspx?id=38785
