Using virtualized domain controllers only

For a long time there has been a question whether it is best practice to keep at least one physical server acting as a domain controller even if you are running a virtualized environment. Some say you should, but if you are looking at this issue without legacy software to deal with, I think you can do with only virtual domain controllers.

This requires a few things, of course. First, your domain controllers must run Windows Server 2012, which can be an issue for many. Second, you need a virtualized environment that is distributed across several hosts, preferably using HA and DRS in VMware; you can do without HA and DRS, they simply speed things up a bit in case of a failure. I do not cover Hyper-V in this post, but the idea is basically the same.

Third, your vSphere hosts must use NTP to sync their time against a reliable source. Time syncing and time drift have been a major concern in virtualized environments for years. One could easily think that you should use VMware Tools to sync your domain controllers with vSphere, but actually you should not. Instead, set the domain controller that holds the PDC role to sync its time using NTP (w32time, basically) against the same time source as your vSphere hosts, and let your other domain controllers sync against the PDC. Since the PDC role can be moved between domain controllers, use a WMI filter so that whichever domain controller currently runs as the PDC is always the one that syncs time from the external source. Thanks to Markus Lassfolk for teaching me this, good tip.
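The time-sync layout described above, as an added example that is not part of the original post: the WMI filter query you would attach to the GPO carrying the NTP settings, and the equivalent w32tm configuration applied directly on a DC. The NTP source name and the VMware Tools install path are assumptions; substitute the source your vSphere hosts actually use.

```powershell
# Added example (not from the original post). Assumes Windows Server 2012 or later,
# PowerShell 3.0+, and VMware Tools installed at its default path.

$NtpSource = 'ntp.example.internal'   # placeholder: use the same source as the vSphere hosts

# WMI filter query for the GPO that carries the NTP client settings. DomainRole 5 means
# "Primary Domain Controller", so the GPO follows the PDC emulator role wherever it moves.
$PdcWmiFilter = 'Select * from Win32_ComputerSystem where DomainRole = 5'
Write-Host "GPO WMI filter: $PdcWmiFilter"

$role  = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isPdc = ($role -eq 5)

# 1. Make sure VMware Tools is not also pushing host time into the guest.
$toolboxCmd = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'
if (Test-Path $toolboxCmd) {
    & $toolboxCmd timesync disable | Out-Null
    Write-Host "VMware Tools time sync: $(& $toolboxCmd timesync status)"
}

# 2. PDC emulator: external NTP source (0x8 = client mode), marked reliable so the
#    domain hierarchy points at it. Every other DC: follow the domain hierarchy.
if ($isPdc) {
    w32tm /config /manualpeerlist:"$NtpSource,0x8" /syncfromflags:manual /reliable:yes /update
} else {
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync /nowait

# 3. Verify: which peer this DC actually follows, and how far off it is.
w32tm /query /source
w32tm /query /status
```

On a non-PDC DC, `w32tm /query /source` should report another domain controller rather than the external NTP source; on the PDC emulator it should report the NTP source itself.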

There are two other things I would like to cover in this post. The first is domain controller cloning, which allows a domain controller to be cloned safely instead of going through the installation and dcpromo routine. A domain controller may have other software running on it as well as specific settings, and it is convenient to simply keep those when deploying an additional domain controller. Again, your Windows Server version must be 2012 for this to work. There are a few steps to follow when cloning a domain controller and I will not cover them here; I just want to point out that the possibility exists. For more details about any of this, see the link at the bottom of the post.

Last but certainly not least is the question of what happens when you restore a domain controller from a snapshot. In the past, before Windows Server 2012, this could cause serious issues. Active Directory keeps track of all the changes it makes, such as adding users and so on, but when a domain controller is restored to an earlier point in time that logic fails. It fails because the restored domain controller, simply put, reuses change numbers that the other domain controllers have already marked as used. This leaves the domain controllers out of sync with each other, which is not good. So what changed with Windows Server 2012? With 2012 Microsoft introduced VM-Generation ID, a way to keep track of the state of the virtual machine, in particular whether it has been cloned or restored from a snapshot. Active Directory uses this information to determine whether the domain controller is up to date before it processes any transactions. That way, a domain controller restored from a snapshot makes sure it syncs all the changes from the other domain controllers before attempting a write operation. This is a great feature which will make life a lot simpler.

As for VMware, you must be running at least vSphere and Virtual Center 5.0 update 2 to support this. This is just a brief overview of the concept, but please read the Virtualizing Active Directory Domain Services On VMware vSphere guide for all the details.
