
I know this question has been asked a while ago, but it still isn't really clear to me.

Why am I not clear?
People sometimes suggest that it is preferable to have 1 DC on physical hardware (even Microsoft says this). Also, it is planned to have Exchange Server and other critical company data on the same physical machines in different VMs. I heard that people could still break out of the guest system and compromise every virtual machine; is that true?

So is it good to virtualize all domain controllers?

Edit: Trying to make my question more on-topic.


Something about me and my situation

Currently I'm a junior developer and I'm trying to learn a little bit more about system administration, so I help small companies in my free time. I try to help them with their infrastructure, like planning, administering and setting up new servers/hardware.
One of these companies asked me if it is possible to virtualize domain controllers.

Setup

Their current setup is 3 servers, where every server has a certain role.
Roles of the 3 servers:

  • DC and Exchange on the same machine
  • Fileserver
  • Terminal server for CRM and Office

A tape drive makes backups of the 3 servers.
They also have 3 servers that aren't connected to power, which act as drop-in replacements for the other servers if one server fails.
I told them that it is a waste of money if these servers won't get used until they are replaced.

So they worked on a new IT concept with a new IT company.

New Concept

2 servers virtualized with Hyper-V in an active/passive configuration. Virtualize everything:

  • DC
  • Exchange
  • Fileserver
  • Terminal server with CRM and Office

The concept seems to be really good, but I had something in my mind that there could be some problems with virtualizing Active Directory.

Why am I concerned

I came to this conclusion since I experimented with FreeIPA (something like Active Directory) at my own company, since we are trying to integrate some Linux devices and are looking for synchronization with FreeIPA.
We virtualized FreeIPA on Hyper-V and KVM and had massive problems with the time synchronization service, so we also had problems with logins on our systems.

I also searched the whole Internet and the Microsoft-related sites about this specific topic, but every link says that it's still recommended to run 1 DC on physical hardware.

Here is the TechNet article which confused me.

http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(v=ws.10).aspx

Maintain physical domain controllers in each of your domains. This mitigates the risk of a virtualization platform malfunction that affects all host systems that use that platform.

Which risks could occur?

Which bugs/exploits/whatever could occur on a virtualization platform?
And still, if we have 2 virtualized servers (which are the same hardware, 2 Dell R520 servers), is there a huge risk that the bug/exploit hits both servers?

Also, we are still making backups, so we could still recover everything if we hit a bug.
Anyway, the company didn't have a redundant setup before and they said that it isn't their biggest concern. They don't want to lose data and they don't want to have any security risk.

I already have 1 good answer from MDMarra and he cleared up something for me.

But still, he said it's more an availability question than a security one, but when the Hyper-V platform has a catastrophic failure I would still lose data / have a security hole.
Maybe I'm a little bit paranoid, but the more components are thrown at some hardware, the more security risks will occur.

Maybe I need more answers to solve my question correctly, since I still wouldn't say to any customer that it's a good way to virtualize everything.

  • I will flog myself for being nitpicky on this...it's nothing against you Christian, but I voted to close this as "Questions seeking product, service, or learning material recommendations are off-topic __because they tend to become obsolete quickly__. Instead, describe your situation and the specific problem you're trying to solve." IMO, "So is it good to virtualize all DCs?" the answer varies and _good_ is very subjective. Environments/risk-taking/security/culture/mindsets/etc. all vary between organizations. – TheCleaner Aug 22 '13 at 13:39
  • @TheCleaner I don't understand how this is a shopping question? – Michael Hampton Aug 23 '13 at 04:34
  • @MichaelHampton - I explained in the Comms Room yesterday that I didn't consider it shopping, but rather the bolded part and "learning material". While I definitely agree that Mark's answer is the "textbook" answer, this is a very gray area nowadays. For instance, Mark's answer states that 1 phy DC is still a good idea but also notes it is possible to 100% virtualize. His answer is completely valid for the question, and I could see this Q in either light TBH. – TheCleaner Aug 23 '13 at 13:00
  • The thing is he said that it's possible. Microsoft didn't say that exactly. They still recommend me to use a physical DC. Yes, it is learning material. But how could I learn such things if nobody tells me what the truth is now? There are always things that should be written somewhere. – Christian Schmitt Aug 23 '13 at 15:52

2 Answers


The recommendation to have a physical DC is not a security recommendation, it is an availability one. In the event of a catastrophic hypervisor failure (bug, exploit, whatever), if your virtualization solution is offline, you still want at least one DC outside of that environment to provide directory services.

Of course, it is entirely possible to go 100% virtual. Instead of keeping a physical host around, some people will have a separate management cluster so that DCs can be run there as well as the production data cluster, which offers some diversity. If an organization does something like vSphere in production and Hyper-V in DR, then they may keep a hot DC in DR and have platform diversity that way. The MS party line is still to keep one physical DC, but there are other ways to accomplish the spirit of that recommendation and be 100% virtual.

MDMarra
  • Currently I am working in a very small company, but we have a friendship with a bigger company that wants to migrate their complete infrastructure onto one server. They have 25 people who will be using the AD. They have a data server, a DC, a terminal server and an Exchange server. I think they don't care about 100% availability; they have a second server, but it isn't on. They only want to turn it on when the main server fails. They use backup tapes for backup. Currently my company runs FreeIPA, and we had problems with the time, so we wanted to help, but I have no idea about AD. – Christian Schmitt Aug 22 '13 at 21:02
  • 1
    Sorry, is there a question that you were trying to ask there? – MDMarra Aug 22 '13 at 21:28
  • Nah, it was just a better explanation of my situation. And your answer helped me a lot. – Christian Schmitt Aug 23 '13 at 15:51
  • Ok good. Glad to help :) – MDMarra Aug 23 '13 at 15:56

Originally, I think this recommendation came from the problems hypervisors had with accurate time (needed by AD for Kerberos authentication). It's also easy to end up with an unintended single point of failure (the physical host, the SAN) if you are in a mid-sized environment.

Nowadays I think the biggest concern is what you will do if you can't log in to vCenter.

TheFiddlerWins
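Both answers above reduce to two concrete checks a practitioner can run against the proposed Hyper-V design: is there at least one DC that does not live on the hypervisor (MDMarra's availability point), and where does the PDC emulator get its time from (TheFiddlerWins' Kerberos point, and the time-sync trouble the asker saw with FreeIPA). The PowerShell below is an added example, not code from the question, the answers or Microsoft. It assumes the RSAT ActiveDirectory module, WinRM access to each DC, and, for the last function, the Hyper-V module on the host it runs on; the VM name `DC01` in the commented-out line is a placeholder.

```powershell
# Added example: inventory the domain's DCs, flag which ones are virtual,
# and check the time source of the PDC emulator.
# Assumes: RSAT ActiveDirectory module, WinRM to every DC, Hyper-V module
# on the host for Get-DcHostTimeSync. Hostnames/VM names are assumptions.
#Requires -Modules ActiveDirectory

function Get-DcPlatformReport {
    [CmdletBinding()]
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        # Win32_ComputerSystem.Model/Manufacturer identify the platform:
        # Hyper-V reports "Microsoft Corporation" / "Virtual Machine",
        # VMware "VMware, Inc." / "VMware Virtual Platform", KVM "QEMU".
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $dc.HostName
        $platform  = "$($cs.Manufacturer) $($cs.Model)"
        $isVirtual = $platform -match 'Virtual|VMware|QEMU|KVM|Xen|HVM'

        # w32tm prints one line naming the configured time source, e.g.
        # "time.windows.com,0x9", "Local CMOS Clock" or
        # "VM IC Time Synchronization Provider" (host clock via Hyper-V).
        $source = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            (w32tm /query /source) -join ''
        }

        [pscustomobject]@{
            HostName      = $dc.HostName
            Site          = $dc.Site
            IsVirtual     = $isVirtual
            Platform      = $platform
            IsPdcEmulator = "$($dc.OperationMasterRoles)" -match 'PDCEmulator'
            TimeSource    = $source.Trim()
        }
    }
}

function Test-DcDesign {
    param([Parameter(Mandatory)][object[]]$Report)

    $findings = @()

    # Check 1 (availability): a hypervisor/cluster outage must not take
    # every DC with it. The TechNet article's "keep a physical DC" is the
    # simplest way to satisfy this; a DC on a different platform also does.
    if (-not ($Report | Where-Object { -not $_.IsVirtual })) {
        $findings += 'Every DC is virtual: a hypervisor outage removes all directory services.'
    }

    # Check 2 (time): the PDC emulator is the root of the domain's time
    # hierarchy, and Kerberos tolerates only a few minutes of skew. It
    # should sync from an external NTP source, not the host or CMOS clock.
    $pdc = $Report | Where-Object IsPdcEmulator
    if ($pdc -and $pdc.TimeSource -match 'Local CMOS Clock|Free-running|VM IC') {
        $findings += "PDC emulator $($pdc.HostName) takes time from '$($pdc.TimeSource)', not an external NTP server."
    }
    return $findings
}

function Get-DcHostTimeSync {
    # Run on the Hyper-V host. Reports whether the Time Synchronization
    # integration service is pushing the host clock into each DC guest;
    # the ws.10 TechNet article linked in the question says to disable it
    # for DC guests and let the guest's own w32time use an NTP source.
    param([Parameter(Mandatory)][string[]]$VMName)

    foreach ($vm in $VMName) {
        $svc = Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
        [pscustomobject]@{ VMName = $vm; HostTimeSyncEnabled = $svc.Enabled }
    }
}

$report = Get-DcPlatformReport
$report | Format-Table -AutoSize
Test-DcDesign -Report $report | ForEach-Object { Write-Warning $_ }

# On the Hyper-V host (VM name is a placeholder):
# Get-DcHostTimeSync -VMName 'DC01'
# Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'
# w32tm /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:manual /update   (inside the PDC emulator)
```

For the two-server active/passive design in the question, Check 1 will always fire, which is exactly the gap the TechNet sentence describes: both Dell R520s run the same Hyper-V build, so a bug or bad update that stops one host from booting VMs is likely to stop the other too, and tape restores of the DC VM are the only path back. Whether that residual risk is acceptable is the availability trade-off MDMarra describes, not a confidentiality hole; the separate question of a guest-to-host escape is what keeps Exchange and the file server on the same host at all, and no DC placement fixes that.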