Active Directory Virtualization

Question

My company is looking to try and virtualize all our servers, and we are trying to figure out if virtualizing active directory is a good idea. Is it even something that can be done, and if so are there any drawbacks to having it setup this way. My network is setup with multiple physical servers, multiple virtual servers, and a SAN.

If you need any more information, please let me know.

http://serverfault.com/questions/15196/can-windows-domain-controller-be-virtualized — Zoredache, Dec 01 '11 at 22:18
@Ward, It might take some re-writing of both questions and the some of the answers. The other question is asking if a 'DC' can be virtualized, this one seems to be about virtualizing all the domain controllers. — Zoredache, Dec 02 '11 at 07:42

Skyhawk · Accepted Answer · 2011-12-01T20:15:36.417

19

Microsoft recommends maintaining at least one physical domain controller in each domain.

For most environments, this doesn't need to be very much of a server. Even a 64-bit dual-core rackmount Atom server, consuming 25 watts of power and costing less than $500 when configured with 4GB of RAM and a pair of 2.5" hard drives in RAID1, can provide a very serviceable physical domain controller/DNS/DHCP server running Server 2008 R2.

The main real-world benefit of always maintaining a physical domain controller is to prevent "cold start" issues when restarting your virtualized environment after updates/upgrades, power outages, etc. This is especially relevant if you use Hyper-V servers as virtualization hosts, as these machines will expect to be able to find a domain controller at startup.

edited Dec 01 '11 at 20:15

answered Dec 01 '11 at 19:59

Skyhawk

14,200
4
53
95

6

Miles has a great point about cold starts. It also solves the time issue if the physical machine holds the PDC emulator role. – Jim B Dec 01 '11 at 20:18
1

@Jim B: Having the PDC Emulator role on the physical DC is a good thing but you still need to make sure your guests are configured for the hypervisor vendor's best practices. – Evan Anderson Dec 01 '11 at 20:27
Furthermore, if you're using Windows DCs for DNS services, then the hypervisor O/S (VMware/Hyper-V/etc) will be expecting to use the DNS for name resolutions even before the guest VMs (including virtualized DCs) are started... all the more reason to have at least one physical DC around. – ewall Dec 01 '11 at 21:48
@evan Anderson true but for the most part they echo microsofts recommendations for virtual guests and when they conflict you need to make a judgment. – Jim B Dec 01 '11 at 22:45
For some of the same reasons previously presented, I don't recommend installing the hypervisor on a physical installation of Windows that is a member of the domain but NOT a DC. You may have better results if the host is not even joined to the domain. – Jonathan J Dec 01 '11 at 23:20

Evan Anderson · Answer 2 · 2011-12-01T20:26:43.910

16

The main problem I've seen with virtualized Active Directory (DC) Domain Controller (DC) computers relates to time synchronization issues. AD is very reliant on good time sync between your DCs so make sure that your hypervisors configured per the manufacturer's specifications to allow the guest VMs to have solid time sync.

Beyond time sync I don't have any bad experiences with virtualized DCs to report. Don't do anything with them that you wouldn't do with physical domain controllers. Be sure that you're not rolling DC VMs back using features like snapshots because you could cause database replication issues (equivalent to restoring an old backup of a physical DC). Don't clone DC VMs (equivalent to disk-imaging physical DCs).

Edit:

I strongly recommend keeping at least one physical DC around, as well, to echo @MilesErickson's answer. I'd go so far as to say that you need one physical DC in each location where you're hosting server computers to allow those machines to be able to be "cold started" when WAN connectivity is down.

edited Dec 01 '11 at 20:26

answered Dec 01 '11 at 19:50

Evan Anderson

141,881
20
196
331

3

I concur - I have a number of virtualized DCs running around without issue. Time can be a problem if you don't configure them properly though. – Driftpeasant Dec 01 '11 at 19:51
1

Me as well. No problems to speak of. – joeqwerty Dec 01 '11 at 20:03
6

Ah, the smell of USN rollback in the morning... – Massimo Dec 01 '11 at 20:21
1

I've run multiple sites for years with a physical DC and a virtual DC with no problems. – Keith Stokes Dec 01 '11 at 23:55
Funny how you read about USN rollback in a ServerFault post after not having heard about it for a while... and then it suddenly pops up the next day at a customer's site. – Massimo Dec 02 '11 at 11:34

score 4 · Answer 3 · answered Dec 01 '11 at 23:26

Awhile back we virtualized Domain Controllers for AD/Server 2003. It worked well except for when one of the machines had an older version of it's VM started in place of the latest version. This caused a SERIOUS problem - and made it so the AD Server stopped replicating and trusting the other servers.

What I later found out was triggered was a USN Rollback - It's very unpleasant to fix. http://support.microsoft.com/kb/885875

I was able to correct the problem and we continued our virtualization. However - this time around I just had a ready-made VM on standy in the event a Domain-Controller host failed I would just join the standy to the domain as a new Domain Controller - this worked well.

This is more updated and may be useful: http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx

Active Directory Virtualization

3 Answers3