Should IIS be installed on Domain Controller

  • Article

 

I have come across various scanarios where System Administrators have installed IIS on Domain Controllers. They do it to efffectively utilize that server hardware, to cut down cost by preventing a need for another server for IIS, some application that needs to be installed on the DC requires IIS etc.

 

Microsoft does NOT recommend IIS on a Domain Controller running Active Directory. There are 2 mains reasons behind this stand.

1. By installing IIS on a DC, we will end up increasing the surface attack area on that DC, hence causing a threat to the security database of the domain. This may also effect the servers performance and reliability.

2. IIS would NOT work correctly as it mainly works with local users and groups which will now become domain users /groups. This would cause permission issues if the ACLs set on different IIS folders and Metabase is not updated correctly.

Below are a few articles that would give you some idea of the issues faced when IIS is installed on a Domain controller.

DCPROMO does not retain permissions on some IIS folders
https://support.microsoft.com/default.aspx?scid=kb;EN-US;332097

How To Promote a Member Server Running IIS to a Domain Controller Running IIS
https://support.microsoft.com/kb/300432

FIX: ASP.NET does not work with the default ASPNET account on a domain controller
https://support.microsoft.com/default.aspx?scid=kb;EN-US;315158

Cannot install a Systems Management Server 2003 Management Point role on Windows Server 2003 domain controllers
https://support.microsoft.com/default.aspx?scid=kb;EN-US;886213

Avoid installing IIS on a domain controller
https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3a0742c4-f45a-4504-a232-83dd085bcfb3.mspx?mfr=true

Part from the above resources, I strongly recommend viewing the webcast below as it will talk in detail on why IIS is not recommended on DC. This webcast also covers the issues you may face when you install IIS on DC and how it deal with it.

TechNet Webcast: Successfully Running IIS on a Domain Controller - Level 200
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032245355&Culture=en-US

To summarize, we don’t recommend installing IIS on DCs, but if you have to install it you need to be prepared to deal with issue related to IIS.

 

- Abizer