4

Should the Active Directory PDC always be a physical machine or would it be okay to run it in a VM? What are the implications/trade offs/gotchas?

As a corollary to this, what about running a physical PDC that is also a Hyper-V host? Any implications there (especially for guest VMs that may also be SQL or Exchange Servers)?

Note: Performance implications are secondary. My main concern is gotchas.

Matias Nino

2 Answers

3

If you're talking about the domain controller holding the PDC Emulator FSMO role, I would strongly recommend running it on physical hardware. It's the master time sync source for the entire domain (and the entire forest, if in the forest root domain of a multi-domain forest). Clocks on virtual machines are notorious for drifting, and time sync is pretty important since Active Directory bases authentication on Kerberos, which, in turn, has time sensitivity built-in (albeit you can configure it to be more "sloppy" if you really want to).

Evan Anderson
  • Thanks! Any gotchas on using the PDC (excuse me, "FSMO Role") also as a Hyper-V host? – Matias Nino Oct 02 '09 at 06:49
  • I'm not aware of any specific issues. Microsoft's recommended best practice is to keep a Hyper-V host free from any other "Roles", but it will probably work fine. – Evan Anderson Oct 02 '09 at 12:38
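
The answer above ties Kerberos authentication to clock agreement with the PDC emulator. As an added example (not part of the original answers), this PowerShell script measures each domain controller's clock offset relative to the PDC emulator with `w32tm` and flags drift approaching the 5-minute Kerberos default tolerance. The helper name `Get-ClockOffset` and the 30-second warning threshold are assumptions of this example.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT)
# and w32tm.exe; run from any domain-joined Windows host.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300  # Kerberos default clock-skew tolerance: 5 minutes
$WarnSeconds    = 30   # hypothetical early-warning threshold for this example

function Get-ClockOffset {
    param([string]$Computer)
    # With /dataonly, each sample line looks like "14:02:11, +00.0123456s":
    # the target's clock offset relative to the local clock, in seconds.
    $out = & w32tm.exe /stripchart "/computer:$Computer" /samples:1 /dataonly 2>&1
    foreach ($line in $out) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null  # unreachable host, NTP blocked, or unexpected output
}

$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"
& w32tm.exe /query "/computer:$pdc" /source   # where the PDC emulator gets its time

$pdcOffset = Get-ClockOffset $pdc
if ($null -eq $pdcOffset) { throw "No time sample from PDC emulator $pdc" }

Get-ADDomainController -Filter * | ForEach-Object {
    $offset = Get-ClockOffset $_.HostName
    $delta  = $null
    $status = 'NO DATA'
    if ($null -ne $offset) {
        # Subtracting the PDC's offset removes the local clock from the result.
        $delta = [math]::Round($offset - $pdcOffset, 3)
        if     ([math]::Abs($delta) -ge $MaxSkewSeconds) { $status = 'KERBEROS AT RISK' }
        elseif ([math]::Abs($delta) -ge $WarnSeconds)    { $status = 'DRIFTING' }
        else                                             { $status = 'OK' }
    }
    [pscustomobject]@{
        DomainController = $_.HostName
        SecondsVsPdc     = $delta
        Status           = $status
    }
} | Format-Table -AutoSize
```

Running it on a schedule against virtualized DCs shows whether guest clocks actually drift in a given environment before authentication starts failing.
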
1

I tend to err on the side of caution, but I have Hyper-V servers running DCs all the time... The hypervisor is joined to the domain for convenience, but that is all...

  • In the past few years, the guidance from MS has changed and time sync has gotten better for guests in the major virtualization platforms. – mfinni Nov 05 '14 at 20:52