Im trying to understand why its not recommended to use a win2008 r2 domain controller as a witness server in a dag. - I understand that the group has to then be in the domain admin group of the domain. But Im struggling with the reason why this poses as a problem. The group just contains the ex2010 exchange server accounts right? - so with just computer accounts in the dom admin group - what security threat is that???