This article describes several important issues that you must consider when you install SharePoint Server 2010 on a Windows 2008 domain controller. Documented issues that may arise when installing SharePoint Foundation 2010 or SharePoint Server 2010 on a Domain Controller are:
When SharePoint has been installed on a Domain Controller, group membership for the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups is overwritten when additional SharePoint servers that have also been installed on Domain Controllers are added to the farm.
When uninstalling or disconnecting a SharePoint Server installed on a Domain Controller from a farm, the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups are removed from the domain controller and that removal is replicated to all Domain Controllers.
Installing SharePoint 2010 on a domain controller is supported, but highly discouraged for a number of security and performance reasons. The only two recommended scenarios:
Installation along with Small Business Server
To prevent a SharePoint uninstall from removing the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups from multiple Domain Controllers in the environment:
Enable Advanced Features in Active Directory Users and Computers
Add the “Everyone” group in the Security tab of each of the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups
Select “Deny” for the “Delete All Child Objects” permission for the “Everyone” group on each WSS_* group
Click the Advanced button in the Security tab for each WSS_* group
Select the “Delete” and “Delete Subtree” permissions under Deny for the “Everyone” group
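The same deny entries can be applied and checked from PowerShell. This is an added example, not part of the original article; it assumes the ActiveDirectory module is available, that the three groups already exist in the current domain, and that the account running it may modify their ACLs.

```powershell
# Added example: scripts the deny-delete steps for the SharePoint WSS_* groups.
# Assumption: the ActiveDirectory module (and its AD: drive) is available on this host.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$groupNames = 'WSS_ADMIN', 'WSS_WPG', 'WSS_RESTRICTED_WPG_V4'

# Well-known SID for Everyone, so the script does not depend on a localized name.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# GUI names: Delete, Delete Subtree, Delete All Child Objects.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'
$deny   = [System.Security.AccessControl.AccessControlType]::Deny
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $everyone, $rights, $deny

# Returns $true when the ACL holds an explicit Everyone deny ACE covering all three rights.
function Test-DenyDelete($Acl) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $hit = $Acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AccessControlType -eq $deny -and
        ($_.ActiveDirectoryRights -band $rights) -eq $rights
    }
    return [bool]$hit
}

foreach ($name in $groupNames) {
    $group = Get-ADGroup -Identity $name -ErrorAction Stop
    $path  = "AD:\$($group.DistinguishedName)"
    $acl   = Get-Acl -Path $path

    # Idempotent: only add the ACE when it is not already there.
    if (-not (Test-DenyDelete $acl)) {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }

    # Re-read from the directory to confirm the ACE was written.
    $ok = Test-DenyDelete (Get-Acl -Path $path)
    Write-Output ("{0}: delete protection present = {1}" -f $name, $ok)
}
```

Because the deny entry applies to Everyone, it has to be removed from a group's ACL before that group can be deleted intentionally.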
To prevent group membership from being overwritten for the WSS_ADMIN, WSS_WPG, and WSS_RESTRICTED_WPG_V4 groups on Domain Controllers, configure each WSS_* group as a Restricted Group in the Domain Security Policy.
When you install SharePoint Server 2010 on a Windows 2008 domain controller (DC), you should also be aware of the following issues:
SharePoint Server 2010 requires the web server role, .NET Framework functions and other components to provide service, none of which are mandatory for a DC. SharePoint Server also requires additional ports to be open for normal functionality, which would otherwise not need to be open on a DC. Refer to the following article for planning security hardening and necessary ports:
Plan maintenance schedules and system updates carefully. After you install fixes on SharePoint Server such as cumulative updates or service packs, you may need to restart the server. In addition to that, you are also required to restart the server when you apply fixes for Internet Information Services (IIS), .NET Framework and other components.
SharePoint Server 2010 uses processor, memory, disk and network resources depending on the roles and services you have configured. When you plan scale, hardware, sites and services for a SharePoint Server farm, you should plan and estimate possible scenarios carefully, since user load, search, and other SharePoint services can use server resources intensively. If SharePoint Server is installed on a DC, the additional load and traffic might impact the DC's normal functions such as replication and authentication. Refer to the following articles for planning capacity management and best practices for operation: