
Domain Controllers - virtualisation - advice please!

Status
Not open for further replies.

James99999

IS-IT--Management
Dec 22, 2002
56
GB
Hi


We are currently planning to upgrade our Active Directory from 2003 to 2008. Incorporated in this upgrade is the intention to virtualise (VMware) all the Domain Controllers.

Has anyone virtualized all their Domain Controllers and have any advice on the best practices for virtualizing DCs?

Many thanks
 
Don't bother P2Ving any existing domain controllers. It is possible but not at all recommended. Build new VMs and DCPROMO them.

VMware recommends that the DC with the PDC Emulator FSMO role be physical and make sure it gets its time from an external stratum 1 time source.

Make sure all your other DCs get their time from a reliable time source, such as your PDC emulator, preferably via group policy & WMI, although you can use VMware Tools to sync time to your ESX hosts, providing that your hosts get their time from a reliable source. Bottom line, do not use both NTP and VMware Tools. Pick one. VMware Tools is NOT recommended because if your guest time ever gets ahead of the host, time will not be slowed down to allow your VM to become accurate. Only if time on your guest starts to lag behind will clock ticks be processed faster to "catch up" to real time.

Never snapshot a DC. In fact, build your VM with VMDKs as "Independent > Persistent" disks so that THEY CAN'T BE SNAPSHOTTED. I hope that the reason for this is self-explanatory.

Make sure you are getting good backups, particularly of the System State. Keep your OS, AD database and logs on different spindles as well, preferably. Use tools like replmon, repadmin, dcdiag and ADBPA to monitor the health of your AD regularly. (Of course these rules apply regardless of physical or virtual.)

Those are my tips. There is a fairly new book by Charles Windom and Hemant Galdhani called "Virtualizing Microsoft Tier 1 Applications With vSphere 4" that you should check out. Chapter 4 covers AD specifically.

Good luck
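The time-source, VMware Tools and health-check advice in the post above, collected into one script as an added example; this is not cabraun's code and not anything published by VMware or Microsoft. It assumes a Windows Server 2008 DC with the built-in w32tm, repadmin and dcdiag tools; the NTP peer list and the VMware Tools install path are placeholders you must replace.

```powershell
# Added example: applies the time-source advice from the post above on a DC and
# runs the health checks it names. Run from an elevated prompt on each DC.
# Placeholders (assumptions): $ExternalNtpPeers and $ToolboxCmd.

$ExternalNtpPeers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"   # replace with your stratum-1 servers; 0x8 = client mode
$ToolboxCmd = "C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe"  # default VMware Tools path; adjust if needed

# Locate the PDC emulator with plain .NET so this works without the ActiveDirectory module.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdcFqdn = $domain.PdcRoleOwner.Name
$isPdc   = ($pdcFqdn.Split('.')[0] -ieq $env:COMPUTERNAME)

if ($isPdc) {
    # The PDC emulator is the top of the domain time hierarchy: only it syncs from outside.
    w32tm /config /manualpeerlist:"$ExternalNtpPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy, which ends at the PDC emulator.
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync
w32tm /query /source   # expect an NTP peer on the PDC emulator, a DC name on the others

# Exactly one time source: keep VMware Tools for its drivers but switch its periodic sync off.
if (Test-Path $ToolboxCmd) {
    & $ToolboxCmd timesync disable
    & $ToolboxCmd timesync status
}

# Replication and DC health; schedule this and alert on anything it reports.
repadmin /replsummary
repadmin /showrepl $env:COMPUTERNAME /errorsonly
$dcdiagOut = dcdiag /q
if ($dcdiagOut -match 'failed test') {
    Write-Warning ("dcdiag on {0}:`n{1}" -f $env:COMPUTERNAME, ($dcdiagOut -join "`n"))
}
```

The independent-persistent disk setting from the same post is made on the vSphere side (for example with PowerCLI's Set-HardDisk -Persistence IndependentPersistent), not from inside the guest, so it is not part of this script.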
 
cabraun makes excellent points and adherence to them will make your project successful. These are the exact guidelines I have used with many customers.
 
Going to agree with cabraun on almost everything, especially NEVER do a P2V on a DC. A few people around here have said they've done it and it worked, but a whole lot more have done it and spent a day forcing a demotion and recreating the DC from scratch. If you absolutely must do a P2V, use Cold Clone or PlateSpin to do it from a turned-off machine. And even then only if you absolutely positively can't do a new DC.

One thing about installing VMware Tools: to get drivers (video, LAN, etc.) you will need to install them, but just turn off time sync afterwards.

Everything else I'd agree with. I have 4 DCs on 2 domains that work perfectly, after learning the hard way not to P2V them. Good luck!

Cheers
Rob

The answer is always "PEBKAC!"
 
Just want to add my 2 cents. I have done 6 or 7 P2V conversions of DCs, some with multiple DCs in the domain, and never had an issue that wasn't minor. I never had any issues with them keeping time or replicating. I have even restored a few of them from snapshots (vRanger) without issue. I wouldn't be afraid to virtualize a DC, but the warnings are valid; your mileage may vary, as I also have heard lots of horror stories. I did cold conversions on all the DCs I have P2V'ed and have had good success.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Roadki11,

How did the restore from snapshot not cause any problems? Is there something in vRanger that helps with this? Usually, if you restore a DC from a snapshot you will end up with USN rollbacks.

Paul
VCP4

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
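Paul's point about USN rollback, shown in a toy model as an added example (not from either poster, and not touching a real directory). Two simulated DCs each keep a replication invocation ID, a local USN counter and an up-to-dateness vector, which is enough to see why a VM snapshot restore loses changes while a supported restore does not. All names and values below are constructed for the illustration.

```powershell
# Added example: toy model of AD replication bookkeeping. Each DC has an
# invocation ID, a USN counter, originated changes and an up-to-dateness vector
# (source invocation ID -> highest USN already applied). Nothing here is real AD.

function New-DC([string]$Name) {
    New-Object PSObject -Property @{
        Name         = $Name
        InvocationId = [Guid]::NewGuid()
        HighestUsn   = 0
        Changes      = @()      # (Usn, Attr, Value) records originated on this DC
        Db           = @{}      # attribute -> value, this DC's view of the directory
        UtdVector    = @{}      # source InvocationId -> highest USN seen from it
    }
}

function Write-Attribute($DC, [string]$Attr, [string]$Value) {
    $DC.HighestUsn++
    $DC.Db[$Attr] = $Value
    $DC.Changes += New-Object PSObject -Property @{ Usn = $DC.HighestUsn; Attr = $Attr; Value = $Value }
}

function Sync-From($Dest, $Source) {
    # Pull only changes with a USN above what $Dest already has from this invocation ID.
    $seen = $Dest.UtdVector[$Source.InvocationId]
    if ($seen -eq $null) { $seen = 0 }
    $new = @($Source.Changes | Where-Object { $_.Usn -gt $seen })
    foreach ($c in $new) { $Dest.Db[$c.Attr] = $c.Value }
    $Dest.UtdVector[$Source.InvocationId] = $Source.HighestUsn
    return $new.Count
}

function Take-Snapshot($DC) {
    @{ HighestUsn = $DC.HighestUsn; Changes = @($DC.Changes); Db = $DC.Db.Clone() }
}

function Restore-FromSnapshot($DC, $Snapshot) {
    # A VM snapshot restore copies the disk back verbatim: the USN counter goes
    # backwards and the invocation ID is unchanged, so partners notice nothing.
    $DC.HighestUsn = $Snapshot.HighestUsn
    $DC.Changes    = @($Snapshot.Changes)
    $DC.Db         = $Snapshot.Db.Clone()
}

function Restore-Supported($DC, $Snapshot) {
    # A supported (system state) restore also issues a new invocation ID, so
    # partners treat the DC as a new replication source and re-pull from USN 0.
    Restore-FromSnapshot $DC $Snapshot
    $DC.InvocationId = [Guid]::NewGuid()
}

function Invoke-Scenario([string]$RestoreMode) {
    $dc1 = New-DC "DC1"; $dc2 = New-DC "DC2"
    Write-Attribute $dc1 "alice.pwd" "v1"
    Write-Attribute $dc1 "bob.pwd"   "v1"
    $snap = Take-Snapshot $dc1                  # snapshot taken at USN 2
    Write-Attribute $dc1 "alice.pwd" "v2"
    Write-Attribute $dc1 "carol.pwd" "v1"       # DC1 now at USN 4
    [void](Sync-From $dc2 $dc1)                 # DC2 records UTD[DC1] = 4
    if ($RestoreMode -eq "snapshot") { Restore-FromSnapshot $dc1 $snap } else { Restore-Supported $dc1 $snap }
    Write-Attribute $dc1 "alice.pwd" "v3"       # post-restore password reset reuses USN 3
    $pulled = Sync-From $dc2 $dc1
    "$RestoreMode restore: DC2 pulled $pulled change(s), sees alice.pwd = $($dc2.Db['alice.pwd'])"
}

Invoke-Scenario "snapshot"
Invoke-Scenario "supported"
```

In the snapshot case DC2 asks DC1 for USNs above 4, DC1 has nothing above 3, so the password reset never replicates and DC2 keeps the stale value; in the supported case the new invocation ID makes DC2 start from USN 0 and it picks the reset up. The model deliberately leaves out transitive replication and the rollback guard real DCs have had since Windows Server 2003 SP1 (event ID 2095, after which the DC pauses replication); what it shows is the silent divergence that guard exists to catch.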
 
I don't think there is anything special in vRanger to combat the USN rollback issue, other than that you can enable VSS and disable quiescing, which I have read causes issues if it's enabled. In a single-DC environment it's really not a problem: either the USN rollback doesn't happen or the single-DC environment just doesn't care. I've done many restores from snapshot in a single-DC environment with no issues. In a multiple-DC environment we either do Backup Exec or ntbackup system state backups to disk before the vRanger snapshots. I have never done a snapshot restore in a multiple-DC environment, but if there is an issue you could restore the system state. We also do vRanger backups once a month on the DCs when they are shut down. So, in a 2-DC environment we shut them both down and back them up with vRanger, giving us a point-in-time restore option. We also use Unitrends D2D backups to supplement our vRanger backups. This gives us multiple restore options. We can do this because we have the luxury of 10-12 hours every night and all weekend that no one is on the network.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Ah okay, I was thinking more along the lines of a multi DC environment.
Nice backup solutions, though. I wish my management would let us virtualise more of our environment so we could get stuff like that in place. We'll be lucky to hit 50% virtualised within the next 2 years though :(

Paul
VCP4

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
 