Any issues with Virtualizing a domain controller - ESXi 4

Hi

We have 7 sites - all domain controllers at head office are physical

We are looking at installing a new server at one of our larger remote sites

The idea is to install ESXi - 2 hosts maybe 3

Host 1

Win2k3 Domain Controller (GC)
File sharing
Print sharing

Host 2  
Win2k3 Exchange 2007

Host 3 (If needed)
Win2k3 SQL2008

The server for this project is a Dell R710, 24GB RAM, RAID 1 for ESXi and RAID 5 for VMs.

The reason for virtualizing this server is that this site will become our DR site in the future, and once we virtualise our head office we may add additional servers to this remote site to handle VMotion and site-to-site backups.

My question is: are there any issues in virtualising domain controllers when using multiple sites over VPNs in a mixed environment, i.e. physical and virtual domain controllers? I haven't been able to find a best practices guide for our scenario. I know in older versions of VMware there were TIMING issues with domain controllers.
pancho15 asked:

Mike Kline commented:
So your head office will still have physical DCs?  The PDC emulator in the root will still be the authoritative time source.  

Having remote DCs as virtual machines is ok.  One of my favorite threads on this topic is from activedir

http://www.activedir.org/ListArchives/tabid/55/forumid/1/tpage/1/view/topic/postid/38204/Default.aspx

as you can see the time issue is discussed there but you can get around it.

USN rollbacks are another common issue, but you can avoid those, and if you do run into it you can recover: http://blogs.technet.com/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx


You have probably seen this link but for others that come to this via google/bing  http://support.microsoft.com/default.aspx/kb/888794?p=1

I would personally never virtualize every DC; what you are doing is fine.

Thanks

Mike

coolsport00 commented:
You will have no problems at all virtualizing DCs. Here are a couple articles:
VMware:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006996

And, from MS:
http://support.microsoft.com/kb/888794 (same as Mike's post)

You may hear from some to keep 1 DC, but I'll be honest with you, I have yet to hear any sound reasons why. I have *all* my DCs virtualized without a hitch...and have had them virtualized for 4yrs now.

As far as time goes...just create an authoritative time server (see: http://support.microsoft.com/kb/816042 for assistance), and that can even be a VM. One recommendation I have is, for your VMs, configure VMware Tools to NOT sync time with the ESX host the VM resides on. This will ensure synchronization with the auth time server.

Regards,
~coolsport00

coolsport00 commented:
I meant to say "keep 1 DC *a physical box*..."

~coolsport00

Matthew England (Technology Consultant) commented:
While I feel the answer to the virtualized DC & timing issue has been quite well addressed, I would like to make one recommendation which is slightly off topic.

Given the importance of the DC/GC, I would recommend splitting the file and print on to a different server, mainly for security reasons, and use the DC solely for Authentication/Authorization, DNS, and Time purposes.

Other than that I agree with the previous comments and, like coolsport00, have been running virtualized DCs in various mixes of environments for the past 3+ years now with no issues, although I do like to set the disks on my "primary(s)" as persistent to avoid any data loss or replication issues which COULD potentially result from improper use of snapshots. Although in all those years this has never happened, I still err on the side of caution. I also never sync my VMs' time with their hosts. I always sync time in the following manner:

{trusted external time source} --> {router/firewall} --> {network devices & PDC's for the root domain} --> {domain servers/workstations & child domain DC's} --> {child domain servers/workstations}

As Mike's article on time indicates, this type of setup is relatively easy to set up, since, other than pointing the PDC & firewall to the proper sources, it's what Windows domains default to.

A last note: you can also configure your ESXi server to use either your DC or router/firewall as its time source. This way, even if host time synchronization is accidentally enabled, everything will still be in sync throughout your entire network/domain.


coolsport00 commented:
One thing I forgot to mention "pancho15"...if you do plan on using the VMotion functionality, ESXi doesn't provide that. Just FYI. You get that beginning with the 'Advanced' edition of ESX; see edition comparison here:
http://www.vmware.com/products/vsphere/buy/editions_comparison.html

Regards,
~coolsport00

Matthew England (Technology Consultant) commented:
Correction to the previous post: VMotion IS supported by ESXi, which is indicated in the comparison chart which was linked to. The versions being compared on that chart are for vSphere... essentially feature packs, which can be purchased to increase the base functionality provided by ESX or ESXi.

ESXi is a suitable host platform for deployment, although, since there is no service console, some disaster recovery operations can be more complicated than with ESX. And since you're planning on using local disks, make sure you keep good backups and are familiar with DR scenarios.


coolsport00 commented:
Hmm...I wonder if that is a change with vSphere and VMware's new 'Editions' they came out with end of last year, or I was misinformed in my research a couple yrs ago when I implemented VMware. I want clarification from VMware. Thanks for pointing that out "pacific..".

~coolsport00

coolsport00 commented:
Ah...I forgot; VMotion is a VCENTER function, not ESX/i (doh!..I knew that). But, for whatever reason, I 'assumed' ESX was required. Maybe I was snowballed by our vendor/reseller. Anyway, ESXi should work for you. I personally don't like the lack of service console and how to go about enabling it in ESXi, as well as backup issues with ESXi. Here's a link that compares differences between ESX/ESXi:
http://kb.vmware.com/kb/1015000

Regards,
~coolsport00

pancho15 (Author) commented:
So I guess I need to:
(1) Ensure my VM domain controller does not sync its time with the ESXi host.
(2) Ensure my VM domain controller receives its time from a reliable source (the primary domain controller). How do I check this?
(3) Ensure the primary domain controller receives its time from a reliable source.
(4) Configure the primary domain controller, whether it be virtual or not, with an external time source (Configuring the Windows Time service to use an external time source).

Is this correct?

So is the easiest way to put in place a GPO that ensures all new servers and DC get the correct time source?


Mike Kline commented:
Sounds good but you don't need to configure GPOs for time.  Once you set the PDCe in the forest root let the Windows time hierarchy do the rest.

Thanks

Mike

coolsport00 commented:
You just 1. configure your DC according to the article I provided above on authoritative time (my post dated 04/06/10 08:45 PM) and, 2. uncheck the option to sync time with host in VMware Tools on the DC VM.

You don't have to configure anything else for time...meaning GPO-wise. Your authoritative time server will be in your domain; if you have other DCs, those DCs will look to your authoritative time server for time synchronization; PCs that authenticate against those DCs will get their time from the DC that syncs with the authoritative time server. :)

~coolsport00

pancho15 (Author) commented:
Thanks Coolsport00-

I did a "net time /querysntp" and received the following: "SNTP value is: time.windows.com,0x1"

This is a remote domain controller - I was expecting my PDC??

coolsport00 commented:
Do you have an authoritative time server? What external location is your ATS pulling time from? I assume time.windows.com. (IP: 192.5.41.209).

pancho15 (Author) commented:
I also tried "w32tm /monitor /computers:localhost" and got:
NTP: Error error_timeout - no response from server in 1000ms...
Should I expect something different?

pancho15 (Author) commented:
My PDC has the w32time\config\AnnounceFlags value of A - I assume this means it's been configured to use the internal hardware clock?

pancho15 (Author) commented:
So if I leave my PDC using the internal clock and leave my virtual remote DC as default just ensure the vm does not update the time from the ESXi host - I assume this would be fine.

If I virtualise my PDC, does it become important that the time source on the PDC is external?

coolsport00 commented:
Hi "pancho...", please read through the ATS KB I provided above. It explains the questions you're asking. It is not recommended to have the DC housing the PDC Master role to sync with itself (there is more info provided in the MS KB as to why). Will it work?...probably, but there are ramifications. Whether you virtualize your DC or not has no bearing on the relevance of internal vs. external time source.

Configure your ESXi host to sync with your ATS by configuring the Time Settings on the host (Host -> Config tab -> Time Config -> Properties link). Configure VMware Tools on your DC VM (remote DC) to not sync with the host by unchecking the box to do so.

Hope that helps.

Regards,
~coolsport00
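To check the configuration the thread settles on (forest-root PDC emulator on an external source and advertised as reliable, every other DC following the domain hierarchy, VMware Tools host time sync off), here is an added audit script that is not part of the thread or of any VMware/Microsoft documentation. It assumes PowerShell is installed on the DC, the standard W32Time registry layout, and the default VMware Tools install path; the hostnames in the remediation comments are placeholders.

```powershell
# Added audit script (not from this thread). Assumes PowerShell on the DC, the
# standard W32Time registry layout and the default VMware Tools install path.
function Test-DcTimeConfig {
    $w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $params = Get-ItemProperty "$w32\Parameters"   # Type, NtpServer
    $config = Get-ItemProperty "$w32\Config"       # AnnounceFlags

    # Locate the forest-root PDC emulator via .NET; no RSAT/AD module required.
    $pdc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
    $isPdce = ($pdc.Split('.')[0] -ieq $env:COMPUTERNAME)

    $findings = @()
    if ($isPdce) {
        # Top of the hierarchy: manual external peer list (Type=NTP) and
        # advertised as a reliable time source (AnnounceFlags=5, per KB 816042).
        if ($params.Type -ne 'NTP') { $findings += "PDCe Type is '$($params.Type)'; expected 'NTP'" }
        if (-not $params.NtpServer) { $findings += 'PDCe has no NtpServer (external peer list) configured' }
        if ($config.AnnounceFlags -ne 5) {
            $findings += ('PDCe AnnounceFlags is 0x{0:X}; KB 816042 sets it to 5' -f $config.AnnounceFlags)
        }
    } elseif ($params.Type -ne 'NT5DS') {
        # Every other DC and member should follow the domain hierarchy, not a fixed peer.
        $findings += "Type is '$($params.Type)'; expected 'NT5DS' (domain hierarchy)"
    }

    # On a VMware guest, host time sync must be off so only the domain hierarchy sets the clock.
    $toolbox = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'
    if (Test-Path $toolbox) {
        $sync = (& $toolbox timesync status | Out-String).Trim()
        if ($sync -ne 'Disabled') { $findings += "VMware Tools host time sync is '$sync'; expected 'Disabled'" }
    }

    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        PdcEmulator   = $pdc
        IsPdcEmulator = $isPdce
        Type          = $params.Type
        NtpServer     = $params.NtpServer
        AnnounceFlags = ('0x{0:X}' -f $config.AnnounceFlags)
        Findings      = $findings
    }
}

Test-DcTimeConfig | Format-List
# Remediation, run on the forest-root PDCe only (syntax from KB 816042; hostnames are placeholders):
#   w32tm /config /manualpeerlist:"ntp1.example.net,0x1 ntp2.example.net,0x1" /syncfromflags:manual /reliable:yes /update
# On any other DC that was hard-coded to a peer, return it to the hierarchy:
#   w32tm /config /syncfromflags:domhier /update
```

An empty Findings list means the DC matches the setup described above; the default AnnounceFlags of 0xA on a PDCe shows up as a finding because it is the auto-advertise default rather than the authoritative setting.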

pancho15 (Author) commented:
Thanks Guys for all your help


pancho15 (Author) commented:
coolsport00

One further comment: I've added our NTP server address into the ESXi physical server (Configuration - Time Configuration). Now I've purposely lagged the time to see if NTP updates the clock, but it doesn't. Should it be updating?

coolsport00 commented:
Yes, it should; did you check the box that says "NTP Client Enabled"? And, did you click the "Restart" button after entering the NTP server IP? I have noticed it takes several minutes to sync (can't give exact time because I don't monitor it, but it does 'catch up' eventually). If you're still having a problem, I suggest posting another EE question and we can further assist you.

Regards,
~coolsport00