The servers running Exchange Server in your environment should have unique, complex local administrator passwords. The passwords should also ideally be unknown by anyone in the organization.
The first practice is important: using a different local administrator password on each host limits lateral movement by an attacker who has already compromised one host in your environment. With a shared password, the hash dumped from one box authenticates to every other box, and domain admin credentials are not all that important to an attacker who already knows the one password that gains them access to every server anyway.
The resistance to unique local admin passwords is usually technical debt: old build practices left the same password on every host, and it is still there today. Fixing the build process to generate unique passwords is one thing, but the prospect of generating a unique password for, and updating, every existing host in the environment leads a lot of admins to put the task somewhere on their “to do” list, where all good ideas go to die.
Fortunately, Microsoft provides the Local Administrator Password Solution (LAPS), which generates a unique local administrator password on each host, rotates it on a schedule, and stores it in Active Directory where only delegated accounts can read it. That takes care of both the initial rollout and the ongoing management. You can read about LAPS and see a demonstration of how to use it here.
The second practice is also important, but I receive a lot more push back on that one. The idea of local admin passwords that nobody knows is scary to some admins, who worry that one day they will have one of those “break the glass” emergencies where a local account is the only way to fix it.
Again, LAPS can help you here: the current password is stored in Active Directory and can be retrieved by an authorized admin when it is needed, even though nobody happens to know it at any given time (well, sort of). But if you have a highly available Exchange deployment, meaning multiple servers are deployed, and you subscribe to the “cattle not pets” methodology of server management, the situations where local admin access would be required are really the situations where you would consider doing a clean OS build and a recovery of Exchange (Setup /m:RecoverServer) instead.
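As an added example that is not part of the original post, the following PowerShell puts the two points above into practice: it audits which Exchange servers actually have a LAPS-managed local administrator password (so the rollout described earlier can be verified rather than assumed), delegates read rights for the Exchange OU to a single break-glass group, and shows the retrieve-then-expire flow for a break-glass event. It assumes the RSAT ActiveDirectory module and the Windows LAPS module are installed, that the schema has been extended for Windows LAPS, and that the caller has been granted password read rights. The server name, OU path and group name are illustrative.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and the Windows LAPS module; the OU path, the group 'Exchange-BreakGlass'
# and the server name are placeholders.
Import-Module ActiveDirectory
Import-Module LAPS

function Get-ExchangeLapsCoverage {
    # Exchange setup adds every server to the 'Exchange Servers' security group,
    # which makes that group a setup-maintained inventory of hosts to check.
    [CmdletBinding()]
    param([string]$GroupName = 'Exchange Servers')

    # Windows LAPS and legacy LAPS record the rotation deadline in different
    # attributes; both hold a FILETIME. Whichever is present tells us which
    # generation of LAPS manages the host.
    $attrs = 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime'

    Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'computer' |
        ForEach-Object {
            $c = Get-ADComputer -Identity $_.distinguishedName -Properties $attrs
            $source = $null
            $expires = $null
            if ($c.'msLAPS-PasswordExpirationTime') {
                $source  = 'WindowsLAPS'
                $expires = [DateTime]::FromFileTimeUtc($c.'msLAPS-PasswordExpirationTime')
            } elseif ($c.'ms-Mcs-AdmPwdExpirationTime') {
                $source  = 'LegacyLAPS'
                $expires = [DateTime]::FromFileTimeUtc($c.'ms-Mcs-AdmPwdExpirationTime')
            }
            [pscustomobject]@{
                Name    = $c.Name
                Managed = [bool]$source
                Source  = $source
                Expires = $expires
                # An expiry in the past means the host has not checked in and
                # rotated its password; treat that as a finding as well.
                Stale   = ($null -ne $expires) -and ($expires -lt (Get-Date).ToUniversalTime())
            }
        }
}

function Grant-ExchangeLapsPermissions {
    # One-time setup for the OU holding the Exchange computer objects:
    # computers may write their own password; only the break-glass group may
    # read it or force a reset. Nobody else in the org needs to know it.
    param(
        [string]$ExchangeOU  = 'OU=Exchange,OU=Servers,DC=corp,DC=example',
        [string]$ReaderGroup = 'CORP\Exchange-BreakGlass'
    )
    Set-LapsADComputerSelfPermission  -Identity $ExchangeOU
    Set-LapsADReadPasswordPermission  -Identity $ExchangeOU -AllowedPrincipals $ReaderGroup
    Set-LapsADResetPasswordPermission -Identity $ExchangeOU -AllowedPrincipals $ReaderGroup
}

function Invoke-ExchangeBreakGlass {
    # Retrieve the current password for one server, then expire it so the host
    # rotates it on its next policy cycle: a password a human has seen should
    # not outlive the emergency. (Hosts still on legacy LAPS would use
    # Get-AdmPwdPassword / Reset-AdmPwdPassword from the AdmPwd.PS module.)
    param([Parameter(Mandatory)][string]$ComputerName)

    $entry = Get-LapsADPassword -Identity $ComputerName -AsPlainText
    Write-Host "Account $($entry.Account) on $ComputerName, password last set $($entry.PasswordUpdateTime)"
    # ...use $entry.Password for the emergency work, then expire it immediately.
    Set-LapsADPasswordExpirationTime -Identity $ComputerName
    return $entry
}

# Usage: list the Exchange servers that still need attention.
Get-ExchangeLapsCoverage |
    Where-Object { -not $_.Managed -or $_.Stale } |
    Format-Table -AutoSize
```

The audit is the part worth scheduling: a LAPS rollout is only as good as its coverage, and a server missing from the report (or showing a stale expiry) is exactly the host that still carries the old shared password.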