It used to be recommended that the Domain servers house no other functionality.
The CEO and outside IT firms keep bringing up that they would like to use these servers for additional functions - like FTP/Mail/etc.
Has security improved to make such a scenario ok? I'm not surprised by the CEO's suggestion, but I'm surprised that external IT firms would suggest such a thing. Am I that behind the times?
Compromise of the Domain servers seems so serious that I keep these machines completely locked down.
EDIT - THANKS FOR RESPONSES
It sounds like things haven't changed and nothing should be installed on DCs. I'm really puzzled by the external IT organization suggestions. They were all suggesting that this was ok.
My view is that a DC is a DC and nothing else goes on it. These are the most important servers in your org, and if anything goes wrong with one of them you could be in a position where you've lost everything before you know about it. Anyone who thinks along the lines of "that server is not doing much, let's load as many extra roles as possible onto it" is missing the point and probably doesn't know what they're talking about.
There is also the consideration that DCs don't have local accounts; third party software may not play nice without local accounts, and you may also find that some of it needs to run in an admin context in order to work. Would you let third party software that needs to run in an admin context onto a DC? Especially given that that's normally an indicator that the developers were sloppy enough to take the path of least resistance rather than doing it right? This software made by sloppy developers will be able to do anything to your entire network. (Note: I'm not talking hard and fast rules here, something like a backup agent you probably have no choice about.)
A read only DC is another matter entirely. I would relax the policy of "nothing else goes on it" in such a scenario, but would nonetheless retain a certain measure of caution.
Here is a nice bulleted list of why not to put Exchange 2003 (Mail) on the DC. I wouldn't put FTP on anything but a contained VM since it is old, and just plain terrible.
My Vote:
Stand your Ground
From an IT purist point of view I agree, a DC should only be a DC. How big is your operation & how many DCs do you have? If you're small then it may not be such a sin. Small Business Server is a perfect example of everything on the one box & MS supports this config for up to 75 users!
The external IT firms are obviously getting messages like 'we can't afford more IT hardware' from your CEO, which is why they're suggesting DCs. They usually have plenty of capacity & are under-utilized. From your CEO's point of view, this is a great way to save money!
The way I see it, you have two options:
I wouldn't put anything too 'heavy' on it like Exchange or SQL, nor anything DMZ/client-facing, but it should be able to handle smaller internally-facing services like acting as a print server, internal web, FTP, etc.
Aside from security, one of the reasons you want one function per server is to ensure the business doesn't have unnecessary interruptions - that is, if you have to reboot the file server, why should you also have to reboot the Exchange server? But having separate servers for each function can be excessively costly, especially for smaller businesses. Virtual machines are great, but they still require licenses.
Some things may not be such a big deal - yes, IDEALLY you'd have a separate DHCP server (two for redundancy) and separate DNS servers and separate... you get the idea... but it's not uncommon and rarely an issue for a DC to also run DHCP and DNS.
What you combine depends on how much their combination will likely affect you. Combining DHCP, DNS, and AD will likely have little to no impact. Combining Exchange, SQL, AD, and IIS could have a huge impact.
As I touched on earlier, VMs are great, but they still live on one server that becomes the single point of failure (unless you properly cluster them over a redundant SAN... but then your costs easily move into the 5-figure range... maybe more).
As for putting Exchange on a DC - in general, it is recommended you do not. SBS and EBS are exceptions to this. It IS a supported configuration, but generally not a "Best Practices" configuration.
Hell. No. Resist at all costs.
I agree with the "No's" on this one. Once someone exploits a layered product / application vulnerability they have access to your AD files which is a bit more than slightly less than desirable. Most hacking attempts happen internally...
In years past I've had to deal with the odd compromised member server. One of the first things the attacker-bot toolkits do is suck the local password hashes. Rainbow tables are clearly in use, as I saw the timestamps between the hash extract and the clear-text version of the passwords differ by all of 15 minutes. And this was 3 years ago.
A compromise like that on a domain controller will give the attackers the entire AD hash list. Unless you completely disabled LM password hashes several years ago, this will completely compromise any password under 14 (or 16, can't remember which) characters in length. Regardless of complexity. THAT is a statistic you can take to the higher-ups in defense of keeping everything but DC/DNS (and maybe WINS if you need it) off of your domain controllers.
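The earlier point that DC/DNS/DHCP is a tolerable combination, and this answer's point about LM hashes, can both be checked across every domain controller with an audit script like the following. It is added here and is not from any answer in the thread; it assumes the RSAT ActiveDirectory module on the machine you run it from, WinRM access to each DC, and that the baseline role list reflects your own policy.

```powershell
# Added audit example (not from this thread). For each DC in the domain:
#  - list installed roles beyond an assumed baseline of AD DS / DNS / DHCP,
#  - confirm LM hash storage is disabled (HKLM\...\Lsa\NoLMHash = 1),
# and show the domain minimum password length for comparison with the
# 14-character LM limit discussed above.
Import-Module ActiveDirectory
Import-Module ServerManager

# Assumption: the only roles your policy allows on a DC. Adjust to taste.
$AllowedRoles = @('AD-Domain-Services', 'DNS', 'DHCP')

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList (,$AllowedRoles) -ScriptBlock {
        param([string[]]$Allowed)

        # Only top-level roles, not sub-features or role services.
        $roles = Get-WindowsFeature |
            Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
        $extra = $roles |
            Where-Object { $Allowed -notcontains $_.Name } |
            Select-Object -ExpandProperty Name

        # NoLMHash = 1 stops new LM hashes being written. Note that hashes
        # already stored remain until each account's password is changed.
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name NoLMHash -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            ExtraRoles       = ($extra -join ', ')
            NoLMHashSet      = ($lsa -ne $null -and $lsa.NoLMHash -eq 1)
        }
    }
}

$minLen = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Write-Host "Domain minimum password length: $minLen (LM covers passwords up to 14 chars)"

# Anything with ExtraRoles populated or NoLMHashSet = False is a finding.
$report | Select-Object DomainController, ExtraRoles, NoLMHashSet | Format-Table -AutoSize
```

Run it from a management workstation as a domain admin; DCs that list extra roles or report NoLMHashSet as False are the ones to raise with the CEO.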
Generally the rule is NO, and it's a valid rule. It's easy for PHBs to want the underutilized system to be more value for money, but a DC is a DC, and it should stay as one.
Domain controllers can be hard enough to troubleshoot at the best of times; couple that with added services and you're really asking for a PITA.
Some of the services you listed are big no-nos, and whilst a DC is usually a pretty underutilized system in anything but the larger enterprises, it's still one of the most important boxes in the company.
Have you considered virtualization? Are you trying to maximize use of hardware or minimize software licensing costs?
A DC requires a Windows license; well, both of them do. You do have at least two, right?
If it's a hardware utilization issue, you should really look into virtualization. DCs are prime candidates for virtualization, and you could easily handle the load of most DCs and additional services on a handful of virtualization hosts.
With Microsoft's datacenter edition licensing benefits when used on virtual systems, you can really cut down on licensing costs too, given the right circumstances.
Nope... especially not any modern version of Exchange, which should really be run on multiple stand-alone servers depending on scale. Also, what happens when it comes time to upgrade? You want to upgrade your DC to 2008 but your apps don't support it. Definitely keep them separate and clean.