Does an Active Directory need to have only AD domain controllers?

Expert Laura E. Hunter explains to a reader why it is preferred to have an Active Directory with AD domain controllers.

We are going to rebuild our Windows 2003 Active Directory Servers. Our AD servers are currently being used as SMS and antivirus servers also. I have talked to others and have been advised that the AD should have AD controllers only. I cannot find anything on the Microsoft Web site to support this comment. Your input is appreciated. Thanks in advance.

While it's not a hard-and-fast rule, most AD administrators will tell you that a domain controller should not run

other applications. Since your domain controllers are the "keys" to your network "kingdom", you should do your best to isolate them from attack. By adding additional applications to run on a DC, you are increasing the number of ways that a malicious user can attack that DC. Depending on the size of your network, having dedicated domain controllers may also improve performance in terms of user authentication, logon times, etc.

This was first published in March 2006

Dig deeper on Microsoft Active Directory Design and Administration



Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: