DC Virtualization


Is domain controller virtualization really a good idea?

Editor's note: For the latest on domain controller virtualization, check out Gary's follow-up article on virtualizing DCs from June 2010.

Server virtualization has received increased attention from IT managers who see it as a way to stretch their already thin budgets. Getting one machine to act like and do the work of two or more machines is a really powerful tactic and one that is gaining popularity for application servers. With virtualization software supporting 64-bit platforms and soon to be supporting IA-64 Itanium microprocessors, the limits may be expanding -- and that's good news for IT managers.

In general, virtual application servers are working quite nicely, but many IT managers are also exploring the idea of virtualizing domain controllers (DCs). That enthusiasm, however, leaves the administrator with several unanswered questions: Is it really a good idea to virtualize domain controllers? What are the ramifications? Does Microsoft support it?

Microsoft's view of domain controller virtualization

Microsoft has published a white paper, Running Domain Controllers in Virtual Server 2005, as well as KB article 888794, entitled "Considerations when hosting Active Directory domain controllers in virtual hosting environments" to address this issue. We can deduce that it is indeed possible to host DCs on virtual machines merely by the fact that these documents provide "How to" guidelines for accomplishing the task.

However, there are some very specific guidelines for virtual DCs. Some important points include:

Recommended placements of virtual DCs include branch office sites with a small population (20 or less)

Recommendations for where not to place virtual DCs:

1. Don't place them in locations where mission-critical services like Exchange require a domain controller

2. Don't use them to host


replication LAG site). This company does not virtualize all DCs because of possible I/O bottlenecks. Another issue is security. In a virtual server, since the domain controller is basically a file, it could get saved and later mistakenly booted from that file, having the effect of an out-of-date DC coming back online and injecting lingering objects in the AD. Of course, that file can be compromised, mistakenly deleted or even copied to steal data.
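
A defender's check for the stale-image scenario above, as an added example that is not part of the original article: it flags a saved DC image older than the tombstone lifetime and triages the Directory Service events that AD DS logs for lingering objects and USN rollback. The function names, host name and sample records are hypothetical and constructed for illustration.

```powershell
# Added example, not from the article. IDs are the Directory Service log events
# AD DS records for lingering objects (1388, 1988) and USN rollback (2095).
$RollbackEventIds = @{
    1388 = 'Lingering object replicated in (strict replication consistency off)'
    1988 = 'Lingering object blocked by strict replication consistency'
    2095 = 'USN rollback detected (DC restored by an unsupported method such as an old image)'
}

function Test-StaleDcImage {
    # True when a saved DC image is at least as old as the tombstone lifetime:
    # booting it reintroduces objects the other DCs have already purged.
    # A younger image can still cause a USN rollback, so False is not "safe".
    param(
        [datetime]$ImageSavedOn,
        [int]$TombstoneLifetimeDays,   # assumption: caller supplies the forest's value
        [datetime]$Now = (Get-Date)
    )
    return ($Now - $ImageSavedOn).TotalDays -ge $TombstoneLifetimeDays
}

function Get-RollbackFinding {
    # Accepts Get-WinEvent records or the constructed sample objects below.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if ($RollbackEventIds.ContainsKey([int]$Record.Id)) {
            [pscustomobject]@{
                Time    = $Record.TimeCreated
                DC      = $Record.MachineName
                Id      = $Record.Id
                Meaning = $RollbackEventIds[[int]$Record.Id]
            }
        }
    }
}

# Constructed sample records (hypothetical host name) so the script runs offline.
$sample = @(
    [pscustomobject]@{ Id = 1988; TimeCreated = [datetime]'2010-06-01 08:15'; MachineName = 'dc-branch01.example.test' }
    [pscustomobject]@{ Id = 1126; TimeCreated = [datetime]'2010-06-01 08:16'; MachineName = 'dc-branch01.example.test' }
    [pscustomobject]@{ Id = 2095; TimeCreated = [datetime]'2010-06-01 08:20'; MachineName = 'dc-branch01.example.test' }
)
$sample | Get-RollbackFinding | Format-Table -AutoSize

# Constructed case: image saved 200 days ago, checked against a 180-day tombstone lifetime.
Test-StaleDcImage -ImageSavedOn (Get-Date).AddDays(-200) -TombstoneLifetimeDays 180

# On a live DC, replace $sample with the real log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1388, 1988, 2095 } | Get-RollbackFinding
```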

What about support?

Another issue to keep in mind is supportability. Does Microsoft support virtualization of DCs if you call for it? The answer is ... it depends. According to Microsoft KB article 897615, Microsoft will support DCs loaded on its Virtual Server product. However, if you use EMC Corp.'s VMware product (which I prefer), then the level of support will vary.

Here are some other points to remember, according to KB 897615:

If you are not a Microsoft Premier Support customer, then you will have to reproduce the problem on a single physical machine to remove the virtualization software.

If you are a Microsoft Premier Support customer, then the company has said it will make efforts to investigate any potential issues, but may still require you to reproduce it on a physical machine.

In other words, if you aren't using Virtual Server, then all bets are off. Thus, when deciding whether to virtualize your domain controllers, you must determine if you are prepared to live with this support condition. Are you really willing to reproduce a critical error that is stopping replication and affecting application of Group Policy on a separate machine rather than the one it is failing on? This will obviously take time just to set up and you may never be able to repro the problem, which may or may not be the fault of the virtualization software.

Best practices for virtualizing DCs

To summarize a few best practices for virtualizing DCs:

1.


don't know how many times Microsoft has required a customer to do this, but it is definitely worth considering.

Any domain controller virtualization design should come with a great deal of analysis and testing. While there are not a lot of case studies out there to prove or disprove many of the points made here, it should be sufficient to convince any IT manager or administrator that virtualization of DCs is possible and supported. Your mileage may vary: Implement it in very limited, non-critical roles, and go from there.

ABOUT THE AUTHOR:

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.

http://searchwindowsserver.techtarget.com/tip/Is-domain-controller-virtualization-really-a-good-idea

Taking a second look at domain controller virtualization

A while back I wrote an article about the then controversial issue of virtualizing domain controllers (DCs). The big issue at the time was Microsoft's aversion to providing support for DCs hosted on virtual machines for anything other than its own virtualization software, Virtual Server 2005. Back then, Microsoft required admins to reproduce their DCs on physical hardware, something that is pretty tough to do with domain controllers.

With the entire IT industry going fast and furious down the virtualization path and so much new technology available, it seems appropriate to take another look at the issue of domain controller virtualization.

The first thing to understand about virtualizing domain controllers is that you can't treat a DC as you would any other server; it isn't any other server. A domain controller is a key security component in your infrastructure, and it simply plays by different rules than a member server running applications.

Of course, you could make the argument that there is really no "one size fits all" method for determining how a server can be virtualized.


inconsistencies such as certain objects being on some domain controllers and not others. The only fix for this is to demote the problem DC and re-promote it.

Don't confuse this process with doing Volume Shadow Copy Service (VSS) backups within the VM. I like Active Directory expert Sean Deuby's statement that you should never do anything to a virtual DC that the DC itself and the directory service isn't aware of.


more attractive. Hyper-V for Windows Server 2008 R2 SP1 includes support for dynamic memory and better connection support for DCs. Hot-add memory and storage in Hyper-V R2 allows for expansion of resources without requiring downtime.

. Use common sense -- avoid single points of failure and make sure your backup and recovery plan works. Also, monitor performance to make sure the domain controller is handling the load, just as you would for a physical server.

I've heard some discussion about the wisdom of putting all domain controllers on virtual machines, or maybe leaving just one or two as physical machines. I have talked to one admin who said, due to budget restraints, he was forced to virtualize all of his DCs. He has run them all on virtual machines for several months and (so far) has not experienced any trouble. I think most people want to hold on to physical machines simply because they are comfortable with them.

So the takeaway here is that it is possible to successfully virtualize domain controllers, but you must follow the best practices noted here and in the Microsoft references to ensure success.

Perhaps someday we will feel comfortable in a completely virtualized Active Directory environment.


http://searchwindowsserver.techtarget.com/tip/Taking-a-second-look-at-domain-controller-virtualization
