What are the drawbacks of making all of the windows servers domain controllers

Tags: domain-controller, windows-server-2003, windows-server-2008

As the question states, what are the drawbacks of making every capable Windows 2003 or 2008 Server in my organization a domain controller for the domain? Is it just overkill? Will many 3rd party applications explode? Something else I'm not thinking of?

Are there any advantages?

Best Answer

  • Domain controllers have no local accounts. So everything running on those machines will have to be reconfigured to work with domain accounts.
  • Domain controllers should never be snapshotted or reverted to a previous image of any form, or you will encounter USN rollback scenarios. This means that if you run any kind of imaging solution or virtualisation, you will lose the use of snapshotting features.
  • Any local administrator of a domain controller is a domain administrator.
  • Network and replication traffic will increase significantly.
  • Servers located in network segments separated by switch ACLs or firewalls will require a number of additional access rules configuring to support sufficient replication traffic.
  • Your odds of corruption in the AD databases increase.
  • You're violating the general security principle of least privilege.
  • When in future you wish to upgrade your domain functionality level, you'll have to upgrade every single server you have to the appropriate version, rather than just the dedicated domain controllers.
  • The exploitable surface area of your domain will increase by orders of magnitude, as any applications on any of these servers will then become potential attack vectors for your domain infrastructure (e.g. a SQL exploit may subsequently lead to your entire domain being compromised).
  • Some services will not function or are strongly discouraged on domain controllers (e.g. Terminal Services).

Best advice I can give you is to run domain controllers as very discrete entities wherever possible i.e. load no services onto a domain controller that is not essential to the operation of the domain controller. This is commonly overlooked with very small shops and especially Small Business Server for practical/cost reasons, but once you scale beyond that you ideally want to be heading towards a point where DCs are JUST DCs, and you only run as many DCs as you realistically need for adequate replication and fault tolerance.
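A way to check whether your DCs are actually "just DCs" and whether any of them has already hit the USN rollback condition the answer warns about, as an added PowerShell example that is not part of the original answer. It assumes Windows Server 2008 R2 or later with the ActiveDirectory and ServerManager modules, WinRM access to each DC, and that the $BaselineRoles list is adjusted to whatever your environment considers essential on a DC.

```powershell
# Added example: audit every DC for non-baseline roles and USN rollback indicators.
# Assumes ActiveDirectory + ServerManager modules (2008 R2 or later) and WinRM to each DC.
Import-Module ActiveDirectory

# Roles a dedicated DC is expected to carry; everything else installed gets flagged.
# FS-FileServer is listed because SYSVOL/NETLOGON sharing pulls in File Services.
$BaselineRoles = @('AD-Domain-Services', 'DNS', 'FS-FileServer')

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList (,$BaselineRoles) -ScriptBlock {
        param($baseline)
        Import-Module ServerManager

        # Installed top-level roles that are not in the baseline (Terminal Services, IIS, ...)
        $extra = Get-WindowsFeature |
            Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $baseline -notcontains $_.Name } |
            Select-Object -ExpandProperty Name

        # USN rollback indicators: NTDS marks the DSA not writable (value 4) and logs
        # Directory Service event 2095 when it detects already-acknowledged USNs reused.
        $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $rollbackFlag = ($ntds.'DSA Not Writable' -eq 4)
        $rollbackEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                              -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            DC                = $env:COMPUTERNAME
            ExtraRoles        = ($extra -join ', ')
            UsnRollbackFlag   = $rollbackFlag
            UsnRollbackEvents = $rollbackEvents.Count
        }
    }
}

# Anything with ExtraRoles populated or a true rollback flag deserves attention.
$report | Sort-Object DC | Format-Table DC, ExtraRoles, UsnRollbackFlag, UsnRollbackEvents -AutoSize
```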