A question that is often asked of me is “Can we virtualise our domain controllers?” I try never to answer that question directly; instead I let the customer answer it themselves, by a process of elimination. Firstly, I always feel obliged to quote Microsoft’s KB Article 897615:
Microsoft does not test or support Microsoft software running together with non-Microsoft hardware virtualization software.
If the customer still wishes to virtualise their Domain Controllers, certain other factors then come into play and must be considered.
Day-to-day operational processes and deemed best practices may have to change. Considerations include (but are not limited to):
Configuring DC guests to point to themselves as primary for name resolution causes domain controllers to hang while applying network connections during OS start-up. Virtualised domain controllers should point to one or two reliable off-box DNS servers to ensure faster OS start-up (if you have Active Directory integrated DNS, this could be an issue if all DCs are virtualised).
An Active Directory domain controller requires regular system state backups to recover from user, hardware, software, or environmental problems (does the virtual environment cater for system state backups?).
You must disable the write cache for all components that use Extensible Storage Engine (ESE) as their database format. These components include Active Directory, the File Replication Service (FRS), Windows Internet Name Service (WINS), and Dynamic Host Configuration Protocol (DHCP).
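The DNS and write-cache points above can be checked on the guest itself. The script below is an added example written for this page, not something from the original post or from Microsoft's KB articles. It assumes Windows Server 2012 R2 or later (for the DnsClient and Storage PowerShell modules) and that it is run elevated on the DC guest; the property name IsDeviceCacheEnabled returned by Get-StorageAdvancedProperty is what it relies on for the cache check.

```powershell
# Added example (not from the original post): pre-flight checks on a virtualised DC guest.
# Assumes Windows Server 2012 R2+ and an elevated session on the DC itself.

$findings = @()

# 1. DNS client configuration: the first DNS server on any adapter must not be this DC
#    (neither loopback nor one of its own IPv4 addresses). Listing itself second is fine.
$ownIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
foreach ($adapter in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $servers = $adapter.ServerAddresses
    if (-not $servers) { continue }
    $primary = $servers[0]
    if ($primary -eq '127.0.0.1' -or $ownIPs -contains $primary) {
        $findings += "Interface '$($adapter.InterfaceAlias)': primary DNS $primary is this DC; put a reliable off-box DNS server first."
    }
}

# 2. Disk write cache: ESE-based services (AD, FRS, WINS, DHCP) require the device write cache off.
foreach ($disk in Get-PhysicalDisk) {
    $props = $disk | Get-StorageAdvancedProperty -ErrorAction SilentlyContinue
    if ($props -and $props.IsDeviceCacheEnabled) {
        $findings += "Physical disk $($disk.DeviceId) ($($disk.FriendlyName)): device write cache is enabled."
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No findings: DNS order and disk write cache look acceptable for a DC guest.'
}
```

Run it once after the guest is built and again after any change to the virtual hardware, because a storage controller or NIC swap on the host side can silently reset both settings.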
Things to consider when you host Active Directory domain controllers in virtual hosting environments KB Article 888794
Security and Integrity:
Domain Administrators and Virtual environment administrators are rarely the same team or person – is this permitted?
Once the Domain Controllers are moved to a virtual environment, in many organisations a degree of trust is lost around the integrity of the Active Directory. On a physical Domain Controller, the only way to log on to the server and gain access to the disk that hosts the Active Directory database (NTDS.DIT) is to be a privileged user; in a virtual environment this is often not the case. The administrators of the virtual estate often have access to the machine files that host Active Directory and as such can easily export them for offline interrogation.
When Active Directory was architected, time was expected to be linear and never go backwards; unlike many other types of server, Active Directory does not work well with virtualisation snapshot techniques, which can introduce a Domain Controller issue called “USN Rollback”. Snapshots of the Active Directory therefore must not be taken or restored, but again this responsibility does not always lie with the Domain Controller administrators, but with the virtualisation administrators.
How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 KB Article 875495
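KB 875495, referenced above, describes two indicators a domain controller leaves behind once it has detected a USN rollback: event ID 2095 in the Directory Service log, and the registry value "Dsa Not Writable" set to 4 under the NTDS Parameters key, which is how NTDS takes itself out of replication. The script below is an added example for this page, not from the original post or the KB; it assumes Windows Server 2008 or later (Get-WinEvent) and an elevated session on the DC being checked.

```powershell
# Added example (not from the original post): look for the USN rollback indicators
# that KB 875495 documents. Run elevated on the suspect DC guest.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$indicators = @()

# 1. Directory Service event 2095: NTDS found that a partner had already acknowledged
#    USNs higher than this DC's current USN, i.e. the DC's clock of changes went backwards.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } -ErrorAction SilentlyContinue
if ($events) {
    $indicators += "Event 2095 logged $($events.Count) time(s); most recent at $($events[0].TimeCreated)"
}

# 2. 'Dsa Not Writable' = 4: NTDS has disabled inbound and outbound replication on itself.
$value = Get-ItemProperty -Path $ntdsParams -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
if ($value -and $value.'Dsa Not Writable' -eq 4) {
    $indicators += "'Dsa Not Writable' is 4 under $ntdsParams"
}

if ($indicators) {
    Write-Warning 'USN rollback indicators present on this domain controller:'
    $indicators | ForEach-Object { Write-Warning "  $_" }
    Write-Warning 'Do not clear the registry value or restore another snapshot; follow the recovery procedure in KB 875495.'
} else {
    Write-Output 'No USN rollback indicators found.'
}
```

Because the registry value is the mechanism that keeps a rolled-back DC from re-injecting stale data into the forest, the script only reports it; removing it by hand re-enables replication from a database the rest of the forest has already moved past.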
Does your virtual estate work without Active Directory? If the Active Directory were to fail, could your SAN function without an Active Directory being present, thus allowing the Active Directory to be recovered or restored?
Other KB articles relating to virtualisation include:
Time Synchronization issue in Windows Server 2003 systems running as VMware Guests KB 953797
This posting is still a work in progress.