I have been visiting a few customer sites where they are virtualizing their Domain Controllers. This always makes me a little nervous, as it should always be coupled with strong control and management of the environment. If this is not well managed, it can have serious implications for your Active Directory Forest.
If this is something you do or are thinking of doing then there are some very important tasks and configurations which you should implement to ensure this works well and consistently across your environment.
This is well documented in the following two articles and should be read from COVER to COVER if you are looking to virtualize Domain Controllers.
Running Domain Controllers within Virtual Server 2005
For virtual machines that are configured as domain controllers, the Host time synchronization feature of Virtual Machine Additions should always be disabled. Instead, accept the default W32time domain hierarchy time synchronization.
The Host time synchronization feature allows guest operating systems to synchronize their system clocks with the system clock of the host operating system. Because domain controllers have their own time synchronization mechanism, Host time synchronization must be disabled on virtual machines that are configured as domain controllers. If domain controllers synchronize time from their own source and also synchronize time from the host, the domain controller time can change frequently.
Use the Administration Website to disable Host time synchronization when the virtual machine is turned off. You can disable Host time synchronization during or after installing Virtual Machine Additions.
For information about how to use the Administration Website, see the “Virtual Server 2005 Administrator’s Guide” on the Web at http://go.microsoft.com/fwlink/?linkID=27540
So based upon the above the following steps are recommended.
1. Follow the domain hierarchy, e.g. all Domain Controllers EXCEPT the PDCE should be set to NT5DS.
2. The PDC(E) should be configured to use NTP against a reliable time source. See an earlier blog entry of mine which has an excellent article all about time.
3. In the Virtual Machine Additions of Virtual Server, ensure the option "Host time synchronization" is disabled (i.e. unticked).
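The three steps above can be checked on each Domain Controller with a short script. This is an added example, not part of the original post or of Microsoft's documentation. The peer name ntp.example.org is a placeholder, and the VMICTimeProvider check only covers Hyper-V guests (the Virtual Server 2005 setting lives in the Administration Website and is not checked here).

```powershell
# Added example: audit this DC's W32Time setup against steps 1-3.
# Run in an elevated PowerShell session on the domain controller itself.
param(
    [switch]$Fix,                              # apply the w32tm change instead of only reporting
    [string]$NtpPeers = 'ntp.example.org'      # PLACEHOLDER: your reliable time source(s)
)

$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Find the PDC emulator of this machine's domain and compare it with the local name.
# Assumption: the first DNS label of the PDCE matches its NetBIOS computer name.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$pdce   = $domain.PdcRoleOwner.Name
$isPdce = $pdce.Split('.')[0] -ieq $env:COMPUTERNAME

# Steps 1 and 2: the PDCE syncs by NTP, every other DC follows the hierarchy (NT5DS).
$expected = if ($isPdce) { 'NTP' } else { 'NT5DS' }
$params   = Get-ItemProperty -Path "$w32\Parameters"

# Step 3 (Hyper-V guests): the guest-side host time provider should not be active.
$vmic     = Get-ItemProperty -Path "$w32\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
$hostSync = [bool]($vmic -and $vmic.Enabled -eq 1)

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    PdcEmulator     = $pdce
    ExpectedType    = $expected
    ConfiguredType  = $params.Type
    NtpServer       = $params.NtpServer
    TypeMatches     = ($params.Type -eq $expected)
    HostSyncEnabled = $hostSync
}

if ($hostSync) {
    Write-Warning 'Host time synchronization provider is enabled in this guest; disable it for a DC.'
}

if ($Fix -and $params.Type -ne $expected) {
    if ($isPdce) {
        # PDCE: sync from the manual peer list and advertise as a reliable source.
        & w32tm /config "/manualpeerlist:$NtpPeers" /syncfromflags:manual /reliable:yes /update
    } else {
        # All other DCs: follow the domain hierarchy.
        & w32tm /config /syncfromflags:domhier /update
    }
    & w32tm /resync /rediscover
}
```

Without -Fix the script only reports, so it can be run on every DC first to find the ones that have drifted from the hierarchy.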
I also suggest reading the following KBARTICLE to further underline the importance of strong management and maintenance of Domain Controllers if you intend running on a virtualized environment.
The above information holds true for Hyper-V too. There will be updates to the documentation in the future.