Q: What software and roles are OK to install on a domain controller (DC)?
April 21, 2011
A: There is no definite right or wrong here (unless you want to install a major application, such as Exchange, on your DC). Generally, you want a DC to be just a DC, with nothing else, because this reduces possible resource conflicts and exploitable vulnerabilities, and it minimizes patching of other applications that might cause downtime. Ideally, a DC should be easy to replace, just by standing up another DC. When you put other software and roles on a DC, you make it harder to replace.
Certain pieces of software and roles are normal, and you will probably run them on your domain controllers:
Backup Agents (e.g., System Center Data Protection Manager)
Monitoring Agents (e.g., System Center Operations Manager)
Patching and Management (e.g., System Center Configuration Manager)
Identity Management agent or code (e.g., Forefront Information Lifecycle Management)
DNS role (because of the integration possible with Active Directory)
File Replication Service and Distributed File System Replication (used for SYSVOL replication)
Management scripts
While not necessarily recommended, you may also see the following on DCs, and they shouldn't be huge problems:
Security Policy software where Group Policy is not the primary tool
DHCP services
Network packet capture software for troubleshooting
WINS
Password filters
Event log consolidation programs
Key Management Services (KMS)
This isn't exhaustive, but it should give you the right idea about what is common. Just remember to keep your DCs light so they're easy to replace.
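One way to check a DC against the two lists above is to classify its installed roles and role services; this is an added example, not part of the original answer. The tier names, the `Get-DcRoleTier` function, and the mapping of the listed roles to `Get-WindowsFeature` names (as reported on Windows Server 2012 and later) are assumptions to verify on your build, and agents such as backup or monitoring software are not roles, so they are out of scope here.

```powershell
# Added example: tiers and feature-name mapping are assumptions, not from the article.
$Normal    = 'AD-Domain-Services', 'DNS', 'FS-DFS-Replication'   # "normal" list
$Tolerated = 'DHCP', 'WINS', 'VolumeActivation'                  # "not huge problems" list (KMS)
# Present by default on Windows Server 2012 and later; treated as baseline (assumption).
$Baseline  = 'FileAndStorage-Services', 'Storage-Services', 'FS-FileServer'

function Get-DcRoleTier {
    param(
        [Parameter(Mandatory)]
        [object[]]$Feature
    )
    foreach ($f in $Feature) {
        # Classify only installed roles and role services; plain features are skipped.
        if (-not $f.Installed -or $f.FeatureType -eq 'Feature') { continue }
        $tier = if     ($Normal    -contains $f.Name) { 'Normal' }
                elseif ($Tolerated -contains $f.Name) { 'Tolerated' }
                elseif ($Baseline  -contains $f.Name) { 'Baseline' }
                else                                  { 'Review' }   # anything else makes the DC harder to replace
        [pscustomobject]@{ Name = $f.Name; Type = $f.FeatureType; Tier = $tier }
    }
}

# Constructed sample input shaped like Get-WindowsFeature output.
$sample = @(
    [pscustomobject]@{ Name = 'AD-Domain-Services'; FeatureType = 'Role';         Installed = $true  }
    [pscustomobject]@{ Name = 'DNS';                FeatureType = 'Role';         Installed = $true  }
    [pscustomobject]@{ Name = 'FS-DFS-Replication'; FeatureType = 'Role Service'; Installed = $true  }
    [pscustomobject]@{ Name = 'DHCP';               FeatureType = 'Role';         Installed = $true  }
    [pscustomobject]@{ Name = 'Web-Server';         FeatureType = 'Role';         Installed = $true  }
    [pscustomobject]@{ Name = 'Print-Services';     FeatureType = 'Role';         Installed = $false }
    [pscustomobject]@{ Name = 'Telnet-Client';      FeatureType = 'Feature';      Installed = $true  }
)

Get-DcRoleTier -Feature $sample | Sort-Object Tier, Name | Format-Table -AutoSize

# On a real DC (ServerManager module), list only what needs a second look:
# Get-DcRoleTier -Feature (Get-WindowsFeature) | Where-Object { $_.Tier -eq 'Review' }
```

Running the same check on every DC and comparing the results also shows which DCs have drifted from the others.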