- When SharePoint has been installed on a Domain Controller, group membership for the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups is overwritten when adding additional SharePoint servers to a farm that have also been installed on Domain Controllers.
- When uninstalling or disconnecting a SharePoint Server installed on a Domain Controller from a farm, the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups are removed from the domain controller and that removal is replicated to all Domain Controllers.
Installing SharePoint 2010 on a domain controller is supported, but highly discouraged for a number of security and performance reasons. The only two recommended scenarios:
- Installation along with Small Business Server
To prevent a SharePoint uninstall from removing the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups from multiple Domain Controllers in the environment:
- Enable Advanced Features in Active Directory Users and Computers
- Add the “Everyone” group on the Security tab of each of the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups
- Select “Deny” for the “Delete All Child Objects” permission for the “Everyone” group on each WSS_* group
- Click the Advanced button on the Security tab of each WSS_* group
- Select the “Delete” and “Delete Subtree” permissions under Deny for the “Everyone” group
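The same deny entries can be applied from PowerShell instead of the Security tab. This is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is available and that the three WSS_* groups resolve by name in the current domain.

```powershell
# Added example: scripted equivalent of the Security-tab steps above.
# Assumption: run as an account allowed to modify permissions on the WSS_* groups.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl/Set-Acl

$groupNames = 'WSS_ADMIN', 'WSS_WPG', 'WSS_RESTRICTED_WPG_V4'

# "Everyone" by well-known SID, so the script does not depend on the OS language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Delete, Delete Subtree and Delete All Child Objects, as named in the Security tab.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'
$deny   = [System.Security.AccessControl.AccessControlType]::Deny

foreach ($name in $groupNames) {
    # -Filter returns nothing (instead of throwing) when the group does not exist.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) {
        Write-Warning "Group $name was not found; skipping."
        continue
    }

    $path = "AD:\$($group.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Look only at explicit (non-inherited) ACEs, with identities returned as SIDs.
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $present  = $explicit | Where-Object {
        $_.AccessControlType -eq $deny -and
        $_.IdentityReference.Value -eq $everyone.Value -and
        $_.ObjectType -eq [guid]::Empty -and
        ($_.ActiveDirectoryRights -band $rights) -eq $rights
    }
    if ($present) {
        Write-Output "Deny ACE already present on $($group.DistinguishedName)"
        continue
    }

    # Three-argument constructor: the ACE applies to the group object itself only.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $everyone, $rights, $deny
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Output "Deny ACE added to $($group.DistinguishedName)"
}
```

Because the deny entry applies to Everyone, it also blocks administrators from deleting these groups until the entry is removed.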
To prevent group membership from being overwritten for the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups on Domain Controllers, configure each WSS_* group as a Restricted Group in the Domain Security Policy.
- SharePoint Server 2010 requires the web server role, .NET Framework functions and other components to provide service, which are not mandatory for a DC. SharePoint server requires that additional ports are opened for normal functionality which are otherwise not necessary to open for a DC. Refer to the following article for planning security hardening and necessary ports:
- Plan security hardening (SharePoint Server 2010)
- Plan maintenance schedules and system updates carefully. After you install fixes on SharePoint Server such as cumulative updates or service packs, you may need to restart the server. In addition to that, you are also required to restart the server when you apply fixes for Internet Information Services (IIS), .NET Framework and other components.
- SharePoint server 2010 uses processor, memory, disk and network resources depending on the roles and services you have configured. When you plan scale, hardware, sites and services for a SharePoint server farm, you should plan and estimate possible scenarios carefully since user load, search, and other SharePoint services can intensively use server resources. If SharePoint server is installed on a DC, the additional load and traffic might impact the DC's normal functions such as replication and authentication. Refer to the following articles for planning capacity management and best practices for operation:
- Capacity management and sizing for SharePoint Server 2010
- Best practices for operational excellence (SharePoint Server 2010)
- Installing SharePoint on a DC also has the following restrictions:
- You cannot install the single server with built-in database version of SharePoint Server on a domain controller. See this TechNet article:
Deploy a single server with a built-in database (SharePoint Server 2010)
- You cannot install Office Web Apps on a computer that is configured as a domain controller. See this TechNet article:
Plan Office Web Apps (Installed on SharePoint 2010 Products)
Article ID: 2637209 - Last Review: Jul 5, 2013 - Revision: 1