1) Microsoft best practice of leaving an Exchange server on-prem for management
“With the recent Exchange vulnerabilities allowing hackers into the LAN, Exchange is just giving them another entry point. So it becomes even more important to remove any unnecessary back doors. If Microsoft would give us a way of managing the Exchange AD attributes without needing to maintain an Exchange server on-premise, we could get rid of one more headache to patch, monitor and update.”
2) Datacenter Domain Controllers
Physical Domain Controllers
In datacenters, physical domain controllers should be installed in dedicated secure racks or cages that are separate from the general server population.
If a domain controller is configured to use software RAID, serial-attached SCSI, SAN/NAS storage, or dynamic volumes, BitLocker cannot be implemented, so locally attached storage (with or without hardware RAID) should be used in domain controllers whenever possible.
Virtual Domain Controllers
If you implement virtual domain controllers, you should ensure that they run on physical hosts separate from those of the other virtual machines in the environment.
Even if you use a third-party virtualization platform, consider deploying virtual domain controllers on Hyper-V Server in Windows Server 2012 or Windows Server 2008 R2, which provides a minimal attack surface and can be managed with the domain controllers it hosts rather than being managed with the rest of the virtualization hosts.
You should also consider separating the storage of virtual domain controllers to prevent storage administrators from accessing the virtual machine files.
3) Secure Administrative Hosts
Administrative hosts should be configured to require smart card logon for all accounts.
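As an added example (not part of Microsoft's guidance text), the following PowerShell audit checks the smart card requirement from two sides: whether enabled members of privileged groups have the SmartcardLogonRequired account flag set, and whether the host it runs on enforces the local "Interactive logon: Require smart card" policy. It assumes the ActiveDirectory RSAT module is installed, that the caller can read group membership, and that the privileged group list below is adjusted to your own tier-0 groups.

```powershell
# Added example: audit smart card enforcement for privileged accounts and this host.
# Assumes the ActiveDirectory module (RSAT) is available and the caller can read AD.
Import-Module ActiveDirectory -ErrorAction Stop

# Privileged groups to audit; extend with your own tier-0 groups (assumed list).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedAccountsWithoutSmartCard {
    param([string[]]$Groups = $PrivilegedGroups)
    $seen = @{}   # avoid reporting an account twice when it is in several groups
    foreach ($group in $Groups) {
        # -Recursive expands nested groups so indirect members are covered too.
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' -and -not $seen.ContainsKey($_.distinguishedName) } |
            ForEach-Object {
                $seen[$_.distinguishedName] = $true
                Get-ADUser -Identity $_.distinguishedName -Properties SmartcardLogonRequired, Enabled
            } |
            Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
            Select-Object SamAccountName, DistinguishedName, @{n = 'Group'; e = { $group }}
    }
}

function Test-LocalSmartCardEnforcement {
    # "Interactive logon: Require smart card" is stored as scforceoption = 1 under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name scforceoption -ErrorAction SilentlyContinue).scforceoption
    return ($value -eq 1)
}

$findings = Get-PrivilegedAccountsWithoutSmartCard
if ($findings) {
    Write-Warning 'Enabled privileged accounts without SmartcardLogonRequired:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'All enabled privileged accounts require smart card logon.'
}

if (-not (Test-LocalSmartCardEnforcement)) {
    Write-Warning "This host does not enforce 'Interactive logon: Require smart card' (scforceoption)."
}

# Remediation per account, run deliberately after review:
#   Set-ADUser -Identity <SamAccountName> -SmartcardLogonRequired $true
```

Setting SmartcardLogonRequired also causes the directory to randomize the account's password hash, so confirm the account has no scripted or service dependency on a known password before flipping it.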
Physical security includes controlling physical access to administrative hosts. In a small organization, this may mean that you maintain a dedicated administrative workstation that is kept locked in an office or a desk drawer when not in use.