Today, I was asked if I thought it made sense to virtualize all of an organization’s domain controllers. My response was “Why not?” The person asking the question indicated that he had read guidance indicating that organizations should maintain at least one physical domain controller in the event that the virtual environment somehow created problems on a virtual DC. Sure, there are quite a few ways by which a virtual environment can create AD problems, such as:
- An administrator unwittingly restores a snapshotted domain controller. Mitigation: Don’t! Never recover a DC from a snapshot. Always restore a DC using native Windows tools.
- All of the virtual domain controllers end up running on a single host. Mitigation: Make sure this doesn’t happen. Under VMware, use DRS rules to prevent the possibility. Or, manually assign DCs to hosts so that there is tolerance for host failure.
- Time between host and DC gets out of sync. Mitigation: Time synchronization issues are AD killers. Make sure your virtual hosts are using an authoritative NTP source to keep time in sync, especially if you allow your domain controller server’s time to sync with the virtual host.
- An administrator pauses the domain controller, creating a potential sync issue. Mitigation: Don’t pause DCs! This can create replication issues within the domain if the DC stays paused for too long.
- You P2V’d an existing domain controller using a hot migration method. Mitigation: Never do this. The cloned domain controller will be out of sync with the rest of the domain. If you do decide to P2V a domain controller, never turn on the physical server again; you will end up with serious, serious AD problems if you bring up that old domain controller accidentally. Better still, consider simply creating a new domain controller rather than P2V’ing an existing one. It’s easier and safer.
You will notice that every one of these issues is caused by some kind of human error. There is nothing inherently wrong with virtualizing all of your domain controllers unless you’re running in such a large environment that your virtual machines simply can’t be scaled to a level that would support the AD workload. Beyond that, and assuming that you can ensure that virtual domain controllers run on different virtual hosts, there is no reason that you can’t run all of your DCs on virtual hosts. That said, there are differences of opinion out there on this topic.
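As an added example (not code from the original post), here is a PowerShell audit that checks every DC in the domain for the pitfalls listed above: whether it is virtual, which time source it follows, and whether a USN rollback (the signature of a DC restored from a snapshot) has been logged. It assumes the ActiveDirectory module, WinRM access to each DC and domain-admin rights; the time-source strings are the standard ones reported by w32tm.

```powershell
# Added example: audit each DC for the virtualization pitfalls discussed above.
# Assumes the ActiveDirectory module, WinRM access to each DC and domain-admin rights.
Import-Module ActiveDirectory

# Time sources that mean the DC is following the hypervisor or its own clock
# rather than the domain hierarchy / an authoritative NTP source.
$badTimeSources = @('Local CMOS Clock', 'VM IC Time Synchronization Provider', 'Free-running System Clock')

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $facts = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            $cs = Get-CimInstance Win32_ComputerSystem
            # w32tm prints the currently configured time source on a single line
            $src = (w32tm /query /source | Out-String).Trim()
            # Event 2095 in the Directory Service log is written when AD detects a
            # USN rollback, the classic symptom of a DC recovered from a snapshot.
            $usn = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Model       = $cs.Model
                TimeSource  = $src
                UsnRollback = [bool]$usn
            }
        }
        [pscustomobject]@{
            DC            = $dc.HostName
            # 'VMware Virtual Platform' (VMware) or 'Virtual Machine' (Hyper-V)
            IsVirtual     = [bool]($facts.Model -match 'Virtual')
            TimeSource    = $facts.TimeSource
            BadTimeSource = $badTimeSources -contains $facts.TimeSource
            UsnRollback   = $facts.UsnRollback
        }
    } catch {
        # A DC we cannot reach is itself a finding, so keep it in the report.
        [pscustomobject]@{ DC = $dc.HostName; IsVirtual = $null; TimeSource = "ERROR: $_"
                           BadTimeSource = $true; UsnRollback = $null }
    }
}

$report | Format-Table -AutoSize
# Anything listed here needs attention regardless of whether a physical DC exists.
$report | Where-Object { $_.BadTimeSource -or $_.UsnRollback }
```

Host placement (the DRS-rule point) has to be checked on the hypervisor side; this script only reports what the DCs themselves can tell you.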
For more on this, read Microsoft’s document entitled Things to consider when you host Active Directory domain controllers in virtual hosting environments.
Do you feel differently? Is keeping a physical DC around a must for you? Leave a comment!