Can windows domain controller be virtualized?

active-directory virtualization

Solution 1:

Yes, it can be done. The appropriateness for doing so is up for debate.

  • Make sure time stays synced! This is very important. A DC with incorrect time can cause havoc.
  • Disable and do not use snapshots. Reverting to an old snapshot in a domain with many DCs will result in massive chaos.
  • Do not suspend/pause the domain controller.
  • Make sure your VM server does not get overloaded.
  • I suggest you run at least one DC within your domain on real hardware, if you have a larger network.

Could you explain the snapshot chaos point? Isn't reverting to a snapshot going to act like restoring from backup, i.e. it will sync recent changes from the other DCs?

The active directory is not designed to support that. Once an update has been replicated, it will not be re-replicated. Normally if you are restoring the active directory you need to go through a special procedure. (http://technet.microsoft.com/en-us/library/cc779573.aspx). The KB article Sam Cogan, and gharper mentioned specifically address this point.

In particular, Active Directory does not support any method that restores a snapshot of the operating system or the volume the operating system resides on. This kind of method causes an update sequence number (USN) rollback. When a USN rollback occurs, the replication partners of the incorrectly restored domain controller may have inconsistent objects in their Active Directory databases. In this situation, you cannot make these objects consistent.

We also do not support using "undo" and "differencing" features in Virtual PC on operating system images for domain controllers that run in virtual hosting environments.

The Microsoft AD team just posted a new article about how to virtualize domain controllers which includes several recommendations.

Solution 2:

Yes, it can be virtualized, no we didn't run into any problems (VMWare ESX & VMWare Server 2), and in my experience, it's pretty much the same as running the DC on a physical server.

Microsoft has an article with things to consider that's worth reading.

Solution 3:

Yes, it can be done, I have done it and it works well. You do need to take some things into account when doing it. This KB article provides a good guide to these considerations.

Solution 4:

We've had virtualized DC's for years now. I'd recommend using at least two physical hosts setup with ESX and configured with DRS. Within DRS set up a rule to prevent the two VM's (I'm assuming you have a PDC and BDC) from running on the same host. If your hosts are already clustered with DRS enabled just setup the DRS rule.

You can configure your ESX hosts to use NTP for time updates, and within your DC's have the vmware tools sync their time with the ESX host.

Related

How do I know if I am running 32 or 64-bit Linux?
Clarification of why DNS zone files require NS records
Why does Heroku warn against "naked" domain names?
How do you setup ssh to authenticate using keys instead of a username / password?
Smoothest workflow to handle SSH host verification errors?
OpenVPN not default gateway for all traffic
Why drop caches in Linux?
Load balancing & NAT-ing multiple ISP connections on Linux
LAMP Server Performance Tips [closed]
escaping double quotes and percent signs (%) in cron
Allowing SSH on a server with an active OpenVPN client
Forcing the from address when postfix relays over smtp