Domain Controllers Are Evil

You may be confused by such a brash statement heading up this blog post, but like all things brash, a little context goes a long way.

Recently I had a customer engagement which involved a broken OWA installation on an Exchange 2013 RTM server. Again, nothing too unusual: OWA can break occasionally, and since it depends on a number of components, it may, on occasion, well, break. As a result there can be a number of factors influencing why this OWA broke; however, before we delve too deeply into the innards of Exchange 2013 and how and why OWA may break, let us consider one more thing which I haven’t mentioned yet: Exchange 2013 in this instance was installed on a domain controller.

Those of you in the know may sigh deeply at remembering the lost hours reading logs, chasing events, and recycling application pools and IIS while simultaneously hopping on one leg. Troubleshooting IIS-based applications on domain controllers is difficult. Fact. Troubleshooting Exchange installed on a domain controller is compound difficult.

In Chapter 13 of “Microsoft Exchange 2013: Design, Deploy and Deliver an Enterprise Messaging Solution” we cover a range of issues pertaining to Exchange, including preparing Active Directory. Active Directory is a very necessary and valuable repository of configuration information, while simultaneously providing services such as authentication and access. One of the things I’d like to point out in this post is that while not all domain controllers are evil, the ones with Exchange installed on them decidedly are. Domain controllers should serve one function only: to be domain controllers.

But don’t just take our word for it; let’s review a Microsoft statement on the topic, titled “Installing Exchange on a domain controller is not recommended”. The article under this heading makes the following points:

If you install Exchange 2013 on a domain controller, be aware of the following issues:

  • Configuring Exchange 2013 for Active Directory split permissions isn’t supported.
  • The Exchange Trusted Subsystem universal security group (USG) is added to the Domain Admins group when Exchange is installed on a domain controller. When this occurs, all Exchange servers in the domain are granted domain administrator rights in that domain.
  • Exchange Server and Active Directory are both resource-intensive applications. There are performance implications to be considered when both are running on the same computer.
  • You must make sure that the domain controller Exchange 2013 is installed on is a global catalog server.
  • Exchange services may not start correctly when the domain controller is also a global catalog server.
  • System shutdown will take considerably longer if Exchange services aren’t stopped before shutting down or restarting the server.
  • Demoting a domain controller to a member server isn’t supported.
  • Running Exchange 2013 on a clustered node that is also an Active Directory domain controller isn’t supported.

We recommend that you install Exchange 2013 on a member server.
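Two of the points quoted above can be verified rather than taken on faith: whether a given server is both a domain controller and an Exchange host, and whether the Exchange Trusted Subsystem group has ended up in Domain Admins. The following audit script is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module is available, that the caller can read group membership, and that it is run on the server under review.

```powershell
# Added audit check: flags the two conditions the quoted article warns about.
# Assumes the RSAT ActiveDirectory module and read access to group membership.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-ExchangeOnDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    # Exchange 2013 services all carry the "Microsoft Exchange" display-name prefix
    $exchangeServices = @(Get-Service | Where-Object { $_.DisplayName -like 'Microsoft Exchange*' })
    $hasExchange = $exchangeServices.Count -gt 0

    # The article says setup adds Exchange Trusted Subsystem directly to Domain Admins,
    # so a direct MemberOf check is sufficient here (nested membership is not followed).
    $domainAdminsDn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
    $ets = Get-ADGroup -Filter "Name -eq 'Exchange Trusted Subsystem'" -Properties MemberOf
    $etsInDomainAdmins = ($null -ne $ets) -and ($ets.MemberOf -contains $domainAdminsDn)

    [pscustomobject]@{
        ComputerName                   = $env:COMPUTERNAME
        IsDomainController             = $isDc
        ExchangeServicesPresent        = $hasExchange
        ExchangeOnDomainController     = ($isDc -and $hasExchange)
        TrustedSubsystemInDomainAdmins = $etsInDomainAdmins
    }
}

$result = Test-ExchangeOnDomainController
$result | Format-List

if ($result.ExchangeOnDomainController) {
    Write-Warning 'Exchange is installed on a domain controller; this configuration is not recommended by Microsoft.'
}
if ($result.TrustedSubsystemInDomainAdmins) {
    # Per the quoted article, this grants every Exchange server in the domain domain administrator rights.
    Write-Warning 'Exchange Trusted Subsystem is a member of Domain Admins; review and remediate.'
}
```

Run it from an elevated PowerShell session on each Exchange server; a TrustedSubsystemInDomainAdmins result of True is domain-wide, so it only needs to be checked once per domain.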

Let’s recap: Active Directory domain controllers by themselves are decidedly not evil; however, the domain controllers that have Exchange installed, with bits of Exchange that no longer work, decidedly are. Exchange and Active Directory may compete for resources on the same machine, with unpredictable results. Troubleshooting Exchange installed on a domain controller is significantly more difficult than troubleshooting Exchange installed on a member server. Lastly, if you install Exchange on a domain controller, you cannot demote the domain controller without uninstalling Exchange.

For those of you considering installing Exchange 2013 on a domain controller, beware. Once Exchange and Active Directory are combined on the same machine, domain controllers may become evil.

Nicolas Blank has more than 15 years of experience with various versions of Exchange, and is the founder of and Messaging Architect at NBConsult. A recipient of the MVP award for Exchange since 2007, Nicolas is a Microsoft Certified Master in Exchange and presents regularly at conferences in the U.S., Europe, and Africa.

Nicolas will be running a two-day ‘Mimecast Exchange’ training event on the 31st of October and the 1st of November at Microsoft’s Cardinal Place in London. For your opportunity to win a place at the event, please read our previous blog post.