VMware Question? 1

[upinflamezzz]

One of my domain controllers is an old physical box with Server 2003 only functioning as the second instance of the active directory. My other DC is a VM with all my Network Shares and File Server, Print Server, etc. I have another VMware host in a separate building serving as a DR site where my replica jobs go to and wanted to get rid of the old 2003K DC and create a new VM on the DR site host. My questions are:

1. Is it O.K. to have both DC's in a virtual environment?
2. Can I just create a new VM from one of the backups of the other VM and assign it the same IP of the old 2003 DC and use a new product key for 2008R2?
3. Not interested in P2V because we want to get off 2003.

Thanks for any answers.

 

[cabraun]

Save yourself a lot of pain and frustration and just create a new 2008R2 VM and DCPromo it. Transfer any FSMO roles that the old DC has to one of the 2008R2 DCs and demote the old one when done. Make sure both your VM DCs are pointing to a reliable external time source (not getting time from the vSphere host) and you should be pretty much set.

The problem you may run into with all VM DCs vs having at least 1 physical is your DCs will likely also be your DNS servers. If your entire environment dies due to a disaster or something tragic, you might have a problem getting everything functioning again without getting DNS and AD running first. This is why most people keep a physical DNS / DC server around. So that they can get that running to speed in the recovery of all of your VMs and everything else. As long as you are able to connect to your host that you know has your VM DCs on it by IP address though you will probably be OK.

You might want to consider rebuilding the 2003 physical box when you are done as a 2008R2 box as well and DCPromoing so that you have it as a DC/DNS server.

 

[upinflamezzz]

First of all, thanks for the reply. So what's the recommended way to go? I was going to buy a 2008 server 32 bit CD and key and just upgrade the 2003K server. This looks pretty easy to do, but we'd still have the old box. I can get the CD and license off Ebay for $160. A found a new 2008R2 64bit server for $699 on Ebay or I could just buy the product key for a 2008R2 server and create a VM.

I know I can have them both as VM's, but I'm just a little concerned that I can't see it boot up without VSphere or VCenter. So if there's a disaster I'll just have to trust that the backup DC/DNS VM would boot up with the host since I won't be able to see it with remoting into it or using the above VMware software.

How many can DC/DNS can you have?

Thanks for all the insight.

 

[Provogeek]

How many can DC/DNS can you have?

Who many do you have the patience to build? The max is 1,200. But the more you have, the more latency you introduce to the replication. 2 is the minimum you should have, 4 seems to be the count I most commonly see.

There is nothing wrong with virtualizing your primary DC, but it can pose some difficulties as cabrun pointed out. Most of my customer choose to hold onto a physical DC for time synchronization reasons than anything else. You never want to sync time with a virtual server, it causes time drift (virtual CPU, virtual clock as well). Plus, by default, Windows network sync time with the primary DC. So there are less things to muck with using a physical DC.

When the DC must be virual, you need to do some tweaks to minimize the nuisances that go with it. Be sure to optimize the guest machine per the VMWare best practice for DC. Was going to type that out, but this link has a great doc on doing this Virtualizing Active Directory Domain Services On VMware vSphere®





Brent Schmidt Keep IT Simple[/color red]
Se±or Network Engineer

http://www.kiscc.com

 

[ArizonaGeek]

I am going to sort of disagree with my two counterparts slightly. What they say is all true but you also have to look at your environment as a whole. I have a 100% virtual environment with two DCs that are virtual. But I also have a highly redundant and mostly bulletproof infrastructure. Sure nothing is 100% but if you have quite a few hosts I see nothing wrong with virtualizing all your DCs. Set up affinity rules so they don't land on the same host when doing maintenance. I would follow cabraun's suggestion in creating a new VM then running DCPromo and transfer the roles. I would take it a step further and then upgrade to 2012 R2 (since 2008 R2 is already past its mainstream support, you still have 5 years though) but that depends on your own environment and whether your infrastructure can support 2012 R2.

Once again cabraun and Provogeek are correct in what they say. But you should also look at your environment and do what you feel is safe. To give you an example of my environment, I have a blade chassis (my only single point of failure) with 12 Dell m620 blades on a 4 shelf Compellent SAN all running on a redundant 10 gig network.

The answer is always "PEBKAC!

 

[upinflamezzz]

Thanks for all your replies. I was going to buy a 2008R2 key from go2keys.com for $99, but didn't feel safe using their keys for any or my servers. So, I picked up 2012R2 from an Ebay seller for $299 with a COA and 2CPU, 2VM install. This was a pretty good price. I'll follow some walk through's and set this up DC up. Doesn't look too difficult. Once, I get things pointed away from the physical 2003K server I may spend $150 to upgrade it to 2008 32 bit, which is as far as it'll go. This will put it to some use and provide a little assurance.

I checked my hosts and they aren't in the Active Directory so the DC's should boot with the host without issue. Also set the configs to

restrict 127.0.0.1
restrict default kod nomodify notrap
server 0.vmware.pool.ntp.org
server 1.vmware.pool.ntp.org
server 2.vmware.pool.ntp.org
driftfile /var/lib/ntp/drift

Once again, thanks.