In this case, I'm talking about Active Directory Domain Controllers.
For many years, Microsoft has sold a product called Small Busines Server, which rolls into a single physical box the functions of Domain Controller, File Server, Print Server, and Exchange Server. And for 4 or 5 users, Microsoft SBS works perfectly well.
When you scale up from 4 or 5 users to, say, 10 or 15 users, the story changes a bit.
Active Directory is the logical backbone of every Microsoft-based network. It contains accounts, passwords, certificates, software keys, and related sensitive information. Performance issues with non-dedicated DCs aside, one of the basic tenets of network security is to separate out sensitive data to make it easier to secure. This is why our firm's best practice is to use only dedicated domain controllers.
A dedicated domain controller should NOT run:
- File Services
- Print Services
- Database Services
- Applications (e.g., SharePoint)
- Web Services (e.g., IIS or Apache)
A list of common services that CAN run on dedicated domain controllers includes (but isn't limited to):
- Domain Services
- NTP Source (DC holding the PDC FSMO role only)
- Certificate Services
- Active Directory Federation Services
- Azure Active Directory Connnect (replaces the old Azure Active Directory Sync product)
- Third-Party SSO integration modules (such as Barracuda's AD Agent for its web filter product)
- Backup agent
That's pretty much it. DCs should run only products and agents that are directory-function-specific (or backup-enabling).
Once you've configured your domain controllers, there are two more things you need to remember to do with them:
- Secure them with an antivirus product of your choice. Sounds obvious, but I've lost count of how many times I've walked into a new site and found no antivirus on some or all of the domain controllers.
- Back them up using a product which will back up the System State (meaning the Active Directory database). While restoring Active Directory from a System State backup after a disaster is ugly, it's a lot less ugly than not having a backup to restore from.
In addition to the above, I like to use Microsoft's BGINFO utility to automatically put up wallpaper on the desktop of each DC, giving, at a minimum:
- System Name
- Type of System and Functions Supported (e.g., "Physical DC (DNS, DHCP, All FSMO Roles. NTP Server, KMS)".)
- IP address and Network Information (Gateway, DNS, DHCP server, etc.)
- OS Version
- Last Boot Date/Time
I usually create a batch file to run BGINFO, and place a shortcut to the batch file under the Startup directory so it'll run whenever I log on.
Using BGINFO wallpaper saves me a lot of time when I'm bouncing between multiple DCs during, for example, an Active Directory health check.