Installing SQL Server on a Domain Controller: What You Need to Know

By Nick Adams

When configuring your data environment and planning servers and installs, it is important to understand that Microsoft does not recommend installing SQL Server on a Domain Controller. While you technically CAN, there are some dangers involved that you should be aware of before you do this.
  1. SQL Server Services cannot be run using a Local Service account.
  2. A server with SQL Server installed on it cannot be demoted from a Domain Controller to a Domain Member, or promoted from a Domain Member to a Domain Controller.
  3. Having your Domain Controller host SQL Server installs poses security risks.
  4. Failover clustering best practices will not be supported in this configuration.
Let’s take an in-depth look at each condition.
 
SQL Server Services cannot be run using a Local Service Account
A Local Service account only has the access level of a member of the Users group. This poses problems when running services that require higher access, such as the SQL Server Agent service. In short, you will be able to access data up to a point, but you will not have the full administrative functionality of SQL Server.
 
A Domain Controller with SQL Server installed on it cannot be demoted or promoted
Now, you actually can do this; however, it will cause serious headaches. To promote the server to a controller or demote it to a member, you must uninstall SQL Server and then reinstall it on that member/controller. SQL Server anchors that machine to its current role because of the accounts that are created on the local system, and changing those would break domain rules.
 
Having your Domain Controller host SQL Server installs poses compounding security risks
If this Domain Controller becomes compromised, your data will also be compromised, especially if you have SQL Server Management Studio on this server. Your local install and data files will be exposed, and if you are using SQL authentication, direct data querying will be possible in SSMS. Ideally this shouldn’t happen in the first place, but if it does, this makes the breach exponentially worse.
 
Failover clustering best practices will not be supported in this configuration
If a cluster node is a Domain Controller, the installation will simply fail during setup.
 
With this information, you can decide how to set up your infrastructure appropriately with SQL Server. Some organizations understandably want to stay lean with their hardware and use one or two servers for many different purposes, such as a Domain Controller and a SQL Server. Use this as a tool and not a deterrent.
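
To find out where you already stand, the following PowerShell audit reports whether a host is a Domain Controller, which SQL Server engine and Agent services are installed on it, and whether any of them is configured to run as Local Service. It is an added example, not part of the original article or any Microsoft tooling; the function name `Test-SqlOnDomainController` is hypothetical and the sample service list is constructed.

```powershell
# Added example: audit a host for the SQL Server-on-Domain-Controller conditions above.
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
function Test-SqlOnDomainController {
    param(
        # Both parameters default to a live query of the local host.
        [int]$DomainRole = (Get-CimInstance Win32_ComputerSystem).DomainRole,
        [object[]]$Services = (Get-CimInstance Win32_Service)
    )

    $isDc = $DomainRole -in 4, 5

    # Engine and Agent services for default and named instances:
    # MSSQLSERVER, MSSQL$NAME, SQLSERVERAGENT, SQLAgent$NAME
    $sqlServices = @($Services | Where-Object {
        $_.Name -match '^(MSSQLSERVER|MSSQL\$.+|SQLSERVERAGENT|SQLAgent\$.+)$'
    })

    foreach ($svc in $sqlServices) {
        $usesLocalService = $svc.StartName -match '^NT AUTHORITY\\Local ?Service$'

        if ($isDc -and $usesLocalService) {
            $finding = 'On a DC and set to run as Local Service'
        } elseif ($isDc) {
            $finding = 'SQL Server co-hosted with a DC'
        } else {
            $finding = 'None'
        }

        [pscustomobject]@{
            Service            = $svc.Name
            Account            = $svc.StartName
            OnDomainController = $isDc
            Finding            = $finding
        }
    }
}

# Constructed sample input (not taken from a real host); DomainRole 5 simulates a primary DC.
$sample = @(
    [pscustomobject]@{ Name = 'MSSQLSERVER';    StartName = 'CONTOSO\svc-sql' }
    [pscustomobject]@{ Name = 'SQLSERVERAGENT'; StartName = 'NT AUTHORITY\LocalService' }
    [pscustomobject]@{ Name = 'Spooler';        StartName = 'LocalSystem' }
)
Test-SqlOnDomainController -DomainRole 5 -Services $sample | Format-Table -AutoSize

# Live check on the current host:
# Test-SqlOnDomainController | Format-Table -AutoSize
```

An empty result means no SQL Server engine or Agent service was found on the host.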