Exchange on a DC

One question that often pops up in the Exchange world is whether it's a good idea (or not, as the case may be) to install Exchange on a domain controller. Generally, this has not been recommended in the past, with the two most common reasons being:

An increase in disaster recovery complexity. This was certainly true in an NT4 environment, but it would be fair to say that, since much of Exchange's configuration information is stored in Active Directory (assuming Exchange 200x), this is no longer so much of an issue.

The performance impact of locating these two services on the same machine. Logic dictates that separating these two roles will be best for performance, since the domain controller has plenty of other work to do.

Exchange 2003 running on a domain controller is supported, but you should be aware of the following additional reasons why this isn't such a good idea:

The old "my Exchange server takes a long time to shut down" issue

When Exchange 2003 is installed on a domain controller, it will take around 10 minutes to shut this server down. The technical reason is because the Active Directory service shuts down before the Exchange services, causing DSAccess to go through several timeouts before terminating. The workaround, as before, is to manually stop the Exchange services before shutting down the server.
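The workaround above, as an added example that is not from the original post: a PowerShell script that stops the Exchange 2003 services in dependency order before a planned shutdown and reports anything still running. The service names are the standard Exchange 2003 ones (protocol services are skipped if not installed); the timeout value is an assumption.

```powershell
# Added example, not part of the original post. Stop the Exchange 2003 services
# before shutting down a domain controller that also hosts Exchange, so that
# DSAccess is not left waiting on timeouts after Active Directory has stopped.
# Order: dependents first, System Attendant last (most services depend on it).
$exchangeServices = @(
    'MSExchangeMGMT',   # Exchange Management
    'MSExchangeES',     # Event Service
    'MSExchangeSRS',    # Site Replication Service
    'IMAP4Svc',         # IMAP4 (only if installed)
    'POP3Svc',          # POP3 (only if installed)
    'NntpSvc',          # NNTP (only if installed)
    'RESvc',            # Routing Engine
    'SMTPSVC',          # SMTP, used by Exchange transport
    'MSExchangeMTA',    # Message Transfer Agent
    'MSExchangeIS',     # Information Store
    'MSExchangeSA'      # System Attendant, stopped last
)

function Stop-ExchangeServices {
    param(
        [string[]]$Names = $exchangeServices,
        [int]$TimeoutSeconds = 120   # assumption: generous wait per service
    )
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }                  # not installed on this box
        if ($svc.Status -eq 'Stopped') { continue }  # already down
        Write-Host "Stopping $name ..."
        Stop-Service -Name $name -Force              # -Force also stops dependents
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSeconds))
    }
    # Return whatever is still running so the operator can intervene
    # before issuing the shutdown.
    return Get-Service -Name $Names -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Stopped' }
}

$remaining = Stop-ExchangeServices
if ($remaining) {
    Write-Warning ("Still running: " + (($remaining | ForEach-Object { $_.Name }) -join ', '))
    exit 1
}
Write-Host "All Exchange services stopped; the server can now be shut down."
```

Run this as the first step of the planned shutdown; a non-zero exit means a service did not stop within the timeout and the shutdown should wait.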

Memory management

I've heard it said not to use the /3GB boot.ini switch on the server if Exchange is on a domain controller, to prevent Exchange from dominating the memory.

DSAccess will no longer fail over

Normally, if Active Directory services are busy or not responding, the Exchange services will fail over to other domain controllers. When Exchange is on a domain controller, this failover will not occur; this is by design.

Security considerations

You can reduce your attack surface by not installing Exchange on a domain controller. Since all the services run under the LocalSystem context, any attacker who gains access to Active Directory will also be able to gain access to Exchange.

More security considerations

Your Exchange administrators will have the "Log on locally" right on the Exchange server. Do you also want them logging on locally to your domain controllers?

Installing Exchange on a domain controller is best avoided. However, there are situations when you cannot practically avoid this. I know, as I've been involved in several projects where we've installed Exchange on a domain controller, mainly in the branch-office scenario. Outlook 2003's cached mode will now give us the chance to review this situation on future projects.

Account Deleted on February 18, 2004 at 07:44 AM in Useful Info

Posted by: CHARLES at Dec 3, 2004 8:07:15 AM

I have no other choice but to install Exchange 2003 on my Windows 2003 DC. The scenario is we have only 1 server in the building and to use AD we need the server to be DC... What other options do I have? Will they still be able to access and utilize Exchange to its maximum?

Posted by: ted at Dec 12, 2004 10:49:56 AM