ISA Server 2004 on a Windows 2003 Domain Controller

Our configuration manager has indicated that our next installation of a new LAN to a company will have 3 servers. Let's call them 1-3. They're insisting that 2 be DCs and the other an Exchange Server (2003). All server OSs will be Windows 2003 Standard 32-bit. 1 of the DCs will also be an ISA Server (2004). So they want it to look like this:
Server 1. DC (primary-w/All FSMO Roles)
Server 2. DC (Secondary). Also as an ISA Server
Server 3. Member Server. Installed with Exchange Server
The client will only have a maximum of about 140 clients doing business on this LAN and will be in its own Domain (not a subDomain).
Based on the limited information I've been able to ascertain so far, this configuration is not preferred and indeed not supported by Microsoft (unless this was an SBS setup, which it is NOT). What I'd like to see is this:
Server 1. DC (primary-w/All FSMO Roles)
Server 2. Member Server. ISA Server 2004.
Server 3. Member Server. Installed with Exchange Server 2003
Please help me to convince our configuration manager that the latter configuration would be preferred and why. Or, if the latter configuration isn't/shouldn't be the preferred setup, what would?

Mike Thomas (Consultant) commented:
ISA should really be installed on a standalone server, it can be a member server but it's not advised usually and I have certainly not heard of anyone installing it on a DC.

Mike Thomas (Consultant) commented:
I must add that I doubt anything will explode if you did install it on a DC, just try and steer clear of it if at all possible.

hadtech (Author) commented:
I 'Roger' the fact that ISA Server should be on a Standalone Server and will make that suggestion, but I am still looking for facts as to why and comments on my original question...

Mike Thomas (Consultant) commented:
Why is because it's your firewall solution and it's not recommended that your firewall be a part of your domain or running on your domain controller; you cannot and would not do this with any other firewall solution, hardware or software.

And I agree that the latter config is preferred from the 2, but IMO if that's all the hardware you can muster, make 2 DCs and install Exchange on the second DC and have the ISA on a standalone (or even a PC). Installing Exchange on a DC is not ideal but at least you will have another DC and it is preferable to have ISA on a DC.
hadtech (Author) commented:
All... Due to constraints placed on us by the configuration manager that I care not to get into, we're stuck with a 3 server configuration. I would indeed prefer 4. Due to the somewhat limited activity/use of this LAN I wouldn't even have a problem with 2 of these hosts being laptops, but we're kinda stuck with the 3 number. Certainly if I had my way it would be:
Server 1 DC Primary
Server 2 DC Secondary
Server 3 Member Server: Exchange Server
Server 4 Standalone Server: ISA Server
Unfortunately I probably won't get my way here so...
MojoTech: I hear what you're saying, and in previous configurations at other sites we'd been configured with similar products on only 2 servers, i.e.:
Server 1 DC (Primary w/all FSMO Roles, and Exchange Server 2000)
Server 2 DC (Secondary, and ISA Server 2000)
The above configuration can, has and will work but again is far from ideal. I guess that I look at this from a different place than most. My primary focus is to:
1. Not buck the system. Let's configure this and future LANs as Microsoft (MS) suggests and not fight the MS way of doing things, especially since we're going to have to lean on them at some point along the way for support if something breaks... And it will, as you know...
2. If we have to buck the MS way of setting up a LAN, what documentation tells me I'm putting myself in jeopardy and why... This is kinda what I'm looking for now because the LAN going in is yet to be set up, so I might have some input for change. If not for this one then the next. I'm pretty certain that I'm stuck with 3 servers this time around but maybe can improve on that in the future, i.e. 4 servers.
3. Recoverability: To me, being stuck with 3 servers, having Exchange on a non-DC as well as ISA Server and then only having 1 DC would make recoverability easier for the folks who'll shortly after the install be taking over the administration. I know it might seem lame but my experience when dealing with recovery is that easiest is best. If we don't HAVE TO throw a 2nd DC into the mix, let's not, i.e. less thought needs to go into a recovery (full server failure) for all the reasons you know about in a multi-DC environment.
So, as not to beat this to death any more, I guess I'm still looking to find hard reasons, i.e. life experiences from you folks who've been doing this a lot longer than me and/or other documentation with good hard facts, why:
An ISA server shouldn't be on a DC
An Exchange Server shouldn't be on a DC
An ISA server should always be a standalone Server
If I can put something together indicating that we've been doing it wrong all along and are continuing to do it wrong when setting up these LANs, I might not get my way with the next one, which is scheduled to start being configured soon, but maybe the one after that and future deliveries.
Mike Thomas (Consultant) commented:
I doubt you will find such hard facts, as the configurations will work, they just are not ideal. The main argument you have is that any one failing server will take down multiple services and cause more issues than you might otherwise have had. You may also find that any call made to MS might result in a "your configuration is not supported" comment.


I can add from personal experience with ISA 2004 on a 2003 DC: it's a nightmare to get running. I was forced down this path by a client, and after reading numerous articles on ports to be opened and registry tweaks to AD settings I did finally get replication working consistently, but there was a significant drop in the speed at which the server would process logons or perform AD functions. After a week of performance issues I got my way and it was removed. I would never install it on a DC, and in most cases I have it running in a Hyper-V VM. I do however have all of the ISA servers as domain members so they link with AD accounts for logging and security. They generate a couple of warnings and errors here and there in the event logs, but on the whole it's smooth sailing. Hope this helps.
hadtech (Author) commented:
Reason for the Grade of B was that a complete solution was not ascertained. I don't believe this was the fault of anyone, except that it was a most difficult question to comment back on and resolve fully.