How to Virtualize Active Directory Domain Controllers (Part 1)

re: How to Virtualize Active Directory Domain Controllers (Part 1)

rschleicher — Tue, 15 Jun 2010 13:07:45 GMT

I was reading a Microsoft Whitepaper if I remember correctly and it stated that Microsoft doesn't recommend virtualizing a DC that is a Global Catalog Server.

Has Microsoft changed their stance on DC's being virtualized when Exchange is installed on the network?

I would love to setup my DC's in Hyper-V R2 but I am hesitant after reading this.

Anyone have any input or experience?

Thanks,

Bob

re: How to Virtualize Active Directory Domain Controllers (Part 1)

Shravan_Msft — Mon, 14 Jun 2010 23:52:12 GMT

Artem - Thanks for pointing that scenario. We covered this scenario in further detail in the next part of this blog but I will share some info here for our other readers. We have seen a couple of customers do the exact thing you mention - consolidate all the servers in whole AD site into the one VM/HyperV host with the Host as a member of the same AD domain. The assumption is that the host will use the WAN for its authentication before the DC(s) it hosts are available for authentication. Later they find logon issues to the host when the WAN is down.

Regarding the suggestion not to "STOP" the VM's since a lot of times, the VM guest DC will be stopped and unaccounted for longer than TombstoneLifetime # of days leading to the risk of lingering objects.

Thanks everyone for the comments. Keep them coming.

re: How to Virtualize Active Directory Domain Controllers (Part 1)

Shravan_Msft — Mon, 14 Jun 2010 23:37:03 GMT

Mike - Good question. Regardless of what virtualization solution you use, its prudent to keep a few physical DC's around in case of any problem specific to virtual hardware. Microsoft has no official recommendation on what percentage should be physical vs virtual but use your own judgement and planning as a guidance. Personally I would keep some physical servers in my important sites where there are a lot of users, regional hubs, corporate offices with fewer but important users, or critical business servers that are the proverbial "bread-and-butter" for my business. Hope this helps.

re: How to Virtualize Active Directory Domain Controllers (Part 1)

Shravan_Msft — Mon, 14 Jun 2010 23:21:25 GMT

Manish - Microsoft doesn't have an official recommendation regarding P2V a DC or DCpromo a clean VM as each option has a different use case. Personally I look at this as the same way I look at server OS upgrade or vanilla installation on new hardware where depending on the business criteria, upgrade or new install is decided upon. I hope this answers your question.

re: How to Virtualize Active Directory Domain Controllers (Part 1)

Pronichkin — Sun, 13 Jun 2010 08:07:58 GMT

Regardless of all the other “all eggs in one basket” considerations, I would specifically push on one certain scenario. You should never (really never-never) place all the DCs of a single given location (e.g. your branch office) onto Hyper-V Cluster(s) *in case* if the cluster nodes are members of the same domain that is served by the DCs.

(Note that it's not true for stand-alone, non-clustered Hyper-V hosts, though—as well as for other third-party hypervisors. So it's perfectly okay to have a cluster *plus* one stand-alone Hyper-V host—running one DC on the cluster and another DC on the stand-alone host).

The reasons for this requirement are pretty obvious. But they are still overlooked sometimes when one tries to make a high-level architectural planning of small office virtualization.

> Do not stop or pause domain controllers.

The term “stop” usually means just hard power off of virtual machine. I agree that it's generally a bad thing for just *any* Guest OS. But I would argue it's not that strict “no-no” as, for example, the ban for snapshotting.

re: How to Virtualize Active Directory Domain Controllers (Part 1)

Mike Kline — Fri, 11 Jun 2010 14:31:48 GMT

Good post Shravan and Jason! I'm guessing this will become one of the most popular series as this topic gains more traction.

One big question that also comes up is do you virtualize every DC or still keep a few on physical servers. If you mitigate the risks you can virtualize them all but I'd have one or two on physical boxes to prevent the "eggs in one basket" issue that you all mentioned.

I'm also hoping that by Windows Server 2016 Hyper-V dominates VMWare :)

Thanks

Mike

re: How to Virtualize Active Directory Domain Controllers (Part 1)

Mike Kline — Fri, 11 Jun 2010 14:31:40 GMT

Good post Shravan and Jason! I'm guessing this will become one of the most popular series as this topic gains more traction.

I'm also hoping that by Windows Server 2016 Hyper-V dominates VMWare :)

Thanks

Mike

re: How to Virtualize Active Directory Domain Controllers (Part 1)

Konstantin Leontiev — Fri, 11 Jun 2010 13:36:31 GMT

While we recommend to disable time synchronisation between host OS and Guest OS for DC (and i'm completelly agreed with such recommendation especially in case of Host is a domain member machine) we need to provide some guidance to prevent Time Drift wot Windows Server 2003 DC's.

Because of Windows Server 2003 use TSC/ACPI PMTIMER for scheduling it is strongly recommended to set in boot.ini "/usepmtimer" option for all SP1 DC's and for all Win 2003 SP2 with singl virtual processor (because only ACPI/APIC Multiprocessor kernel use PMTIMER by default in SP2).

Also I would like to recommend to disable processor power management in BIOS settings in case of preparing Hyper-V/VS 2005 R2 virtualization servers on NUMA-enabled hardware.

re: How to Virtualize Active Directory Domain Controllers (Part 1)

mjuneja — Fri, 11 Jun 2010 03:19:24 GMT

Hi,

In a scenerio where we are converting some physical DCs to Virtual platform, will P2V be recommended or instead building a new and clean VM DC via dcpromo is recommended.

Regards

-Manish