I have come here to ask a question that is bothering me. What is the best way to virtualize Active Directory when I have two physical servers and a disk array? I know that I need at least two domain controllers. To achieve this, I need to put two virtual servers on Hyper-V. Then I could do the following: run both VMs on the disk array where the Hyper-V service is in a failover cluster? Should I put these VMs outside the failover cluster, one on node1 and the other on node2? Maybe there is some other, better way? For me, the scenario where AD is on the disk storage is a weak option: the storage gets faulty and AD is lost. Please give your opinion.

dog_1
  • Active Directory does not support failover clustering. – Greg Askew Feb 02 '23 at 13:57
  • @GregAskew I wonder why Microsoft doesn't program such an option. This would save on the licenses needed to run two VMs exclusively for Active Directory. – dog_1 Feb 02 '23 at 14:04
  • Most organizations don't have this problem. "Active Directory" usually provides enough services such as DNS/DHCP/Certificates that two servers are merited. Also for a physical Windows Hyper-V host, that includes licensing for two Windows server guests (Standard) or unlimited guests (Enterprise). – Greg Askew Feb 02 '23 at 14:13

3 Answers


Having a DC as a VM on a cluster shared volume inside the cluster is not the best idea, since sometimes a cluster cannot be started if the domain controller that is located on the clustered resource is unavailable. The unavailability of the DC may cause connection or authorization issues, which makes it impossible to get the cluster working. It is a vicious circle that takes a lot of time to break.

Deploying Active Directory services alongside Hyper-V and Microsoft Failover Cluster roles is not recommended, but the situation described above can be avoided if the DC is deployed as a local virtual machine that is located on directly attached storage alongside the host OS.

Here are some related vendor-specific recommendations and more details by Microsoft that might help as well.

Net Runner
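One way to turn the answer above into a routine check, as an added example that is not part of the original answer: a PowerShell audit that flags domain controller VMs that are registered as cluster roles or whose virtual disks live on a Cluster Shared Volume, the placement the answer warns against. It assumes it runs on a cluster node with the Hyper-V, FailoverClusters and ActiveDirectory modules installed, and that each DC's VM name equals its hostname (adjust `$dcNames` if your naming differs).

```powershell
# Added audit script (not from the answer above). Assumptions: run on a Hyper-V
# cluster node with the Hyper-V, FailoverClusters and ActiveDirectory modules,
# and each DC's VM name equals its hostname (assumption; adjust $dcNames if not).
Import-Module Hyper-V, FailoverClusters, ActiveDirectory -ErrorAction Stop

# Standard mount point under which Cluster Shared Volumes appear on every node.
$csvRoot = 'C:\ClusterStorage\'

# Hostnames of the domain's DCs; VM names are assumed to match these.
$dcNames = (Get-ADDomainController -Filter *).Name

$findings = foreach ($vm in Get-VM) {
    if ($dcNames -notcontains $vm.Name) { continue }

    # Any virtual disk living under the CSV root is on clustered shared storage,
    # i.e. the DC depends on the cluster being up (the circular dependency).
    $diskPaths = @((Get-VMHardDiskDrive -VMName $vm.Name).Path)
    $onCsv = @($diskPaths | Where-Object { $_ -like "$csvRoot*" }).Count -gt 0

    [pscustomobject]@{
        DomainController = $vm.Name
        ClusteredRole    = $vm.IsClustered      # VM registered as a cluster role
        DisksOnCSV       = $onCsv
        DiskPaths        = ($diskPaths -join '; ')
        # The answer's recommendation: a local, non-clustered VM on
        # directly attached storage of the host.
        Recommended      = (-not $vm.IsClustered) -and (-not $onCsv)
    }
}

$findings | Format-Table -AutoSize

# Exit non-zero when any DC VM sits inside the cluster or on a CSV, so the
# script can run as a scheduled audit and raise an alert on failure.
if ($findings | Where-Object { -not $_.Recommended }) { exit 1 }
```

Run it on each cluster node, since a non-clustered DC VM is only visible to the host it lives on.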
  1. You virtualize your Domain Controller (DC). Virtual DCs are a standard practice blessed by Microsoft since at least 2012 (10+ years in a row).

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v

  2. You HA your DC. It has a built-in replication mechanism you need to configure to avoid your Domain Controller going AWOL when its physical host goes down for whatever reason (planned downtime, BSOD, fire etc).

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts

  3. You never mix up the DC role with anything else on the same machine, physical or virtual - doesn't matter! It's nothing but begging for trouble.

https://www.hyper-v.io/combining-hyper-v-dc-role-server-bad-idea/

BaronSamedi1958

Here is what I do: I run the critical AD controllers on several of my VM servers - on a separate SSD.

Rule one for AD: NO SINGLE POINT OF FAILURE.

TomTom