Q: What software and roles are OK to install on a domain controller (DC)?

A: There is no definite right or wrong here (unless you want to install a major application, such as Exchange, on your DC). Generally, you want a DC to be just a DC, with nothing else, because this reduces possible resource conflicts and exploit vulnerabilities and minimizes patching of other applications that might cause downtime. Ideally, a DC should be easy to replace, just by standing up another DC. When you put other software and roles on a DC, you make it harder to replace it.

There are certain pieces of software and roles you probably will run on your domain controllers which are normal:

  • Anti-virus software (making sure you have the right exceptions configured to avoid conflict with AD, as detailed on this page)
  • Backup Agents (e.g., System Center Data Protection Manager)
  • Monitoring Agents (e.g., System Center Operations Manager)
  • Patching and Management (e.g., System Center Configuration Manager)
  • Identity Management agent or code (e.g., Forefront Information Lifecycle Management)
  • DNS role (because of the integration possible with Active Directory)
  • File Replication Service and Distributed File System Replication (used for SYSVOL replication)
  • Management scripts

While not recommended necessarily, you may also see the following on DCs, and they shouldn't be huge problems:

  • Security Policy software where Group Policy is not the primary tool
  • DHCP services
  • Network packet capture software for troubleshooting
  • WINS
  • Password filters
  • Event log consolidation programs
  • Key Management Services (KMS)

This isn't exhaustive, but should give you the right ideas about what is common. Just remember to keep your DCs light so they're easy to replace.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.