Problems with Exchange 2003 Installed on Domain Controllers
Why is it NOT recommended to install Exchange Server 2003 on a computer that is also a Domain Controller?
There are a few issues you should be aware of before installing Exchange Server 2003 on a computer that is also configured as a Domain Controller.
- The server must NOT be a cluster. Exchange 2003 clusters co-existing on Active Directory servers is not supported by Microsoft.
- Installing Exchange 2003 and Active Directory on the same server has a significant performance impact.
- The server must be a Global Catalog server (not just a DC).
- DSAccess/DSProxy/Cat will not load-balance or fail-over to another DC/GC.
- Avoid the use of the /3GB switch, otherwise the Exchange cache might monopolize system memory. Additionally, the number of user connections should be very low, therefore the /3GB switch should not be required.
- All services run under LocalSystem so there is a greater risk of exposure should a security bug be found (e.g. a bug in AD which allows an attacker to access the AD will also allow them to access Exchange, and vice-versa)
- If Exchange administrators will be able to logon to the local server. Because they have physical console access to a DC, potentially they can elevate their permissions in the AD.
It may take approximately 10 minutes for the server to shutdown. This is because the AD service (LSASS.EXE) shuts down before the Exchange services, and DSAccess will go through several timeouts before shutting down. The workaround for this issue is to manually stop the Exchange services (specifically the Store) before initiating a system shutdown or restart.
Note: You may want to read the following article for more info – Slow Shutdown of Exchange 2003 Server Installed on DC.