Re: Real Issue
This is just lazy, boring and uninformed Microsoft bashing.
There is no reason a DC would need IIS to run DNS over HTTPS. You don’t need IIS to unwrap data in a HTTP/S request. AD servers commonly expose several RESTfull / SOAP APIs, AD web services is an example.
And the remark about IIS being a buggy insecure turd? Have you seen the number of vulns in Tomcat for example? IIS is commonly run on DCs and required for some roles on Enterprise CAs. It’s also required for AD Federation Services that manage SSO and other auth mechanisms. Both those roles often are placed on domain controllers. How often do you hear a large corporation was hacked because the IIS site running web enrollment was breached or someone hijacked their domain because insecure IIS was running on the ADFS server? You don’t.
I’m no MS fan, but it grinds my gears when people talk rubbish, slagging a big company off cause it’s cool, when they obviously don’t know much about the subject in question.