Should Production Windows Web Servers (IIS & SQL) be in a domain?
Solution 1:
The Powers That Be can clarify things of course, but the entire StackOverflow Network runs on IIS servers with an SQL back end in an Active Directory Domain. I'd say it works well.
- added complexity - it's one more "thing" running, and doing "things" that could go wrong.
Sometimes adding complexity allows you to remove some. Especially if you're worried about scaling out, having a domain can greatly ease the work of adding servers, changing config, and any number of things. Group Policy and centrally administered scripts can do amazing things to ease your life.
- risk - if a domain controller fails, am I now putting other machines at risk?
That's why you have two Domain Controllers, and don't make them reachable from the Internet. If someone penetrates your site, you're pretty much hosed anyway. This is why it's a very good idea to have your AD Domain be just for your application environment, if possible.
And finally, Microsoft designs their environment to work within AD. Inter-server communication is both easier and more secure when AD is involved to arbitrate authentication and encourage secure protocol usage.