Posted on 2010-11-17
Medium Priority
Last Modified: 2012-05-10

I recently reviewed the VMware  video file , “Best Practices for virtualizing Active directory”, presented by Chris Skinner of VMware  at  VMworld in February 2009. It is remarkable presentation and extremely informative.

Since this presentation was made, ESXi has changed and the products that work with it are also different.
I have some  questions concerning virtualizing Domain Controllers and in particular backups (for recovery and / or Disaster recovery).

I run a small environment for 70 users and there are 7 Physical Servers (Windows 2003 Server is the O/S):

2 x domain controllers
1 file server
1 Firewall server (ISA 2006)
1 Front End Exchange Server (Exchange 2003)
1 Backend Exchange server (Exchange 2003)
1 application servers (Blackberry Enterprise Server, which has SQL installed)

I would like to virtualize all servers (I have done so in a test environment) using ESXi 4.1 along with the license for vSphere Essentials Plus (which is perfect for our environment), using two ESxi servers connected to a SAN and employing HA. My goal would be to virtualize all servers. do not want to keep (if it is recommended) any of the current servers. I would implement 2 ESXi servers connected to a SAN.
In my test Virtual environment, for the ESXi server ,  in terms of backup, I would like to use Symantec Backup Exec 2010, with all the necessary agents – SQL, Exchange, Active directory, and the VMware agent (which interfaces with the VCB for backup) as I am using this software to currently backup my physical machines (and it seems to work well).
Regarding the ESXi server and VM Server image backups,  I spoke with my technical contact at Symantec concerning the VMware agent. He explained that this agent will allow full backups of each server image as well as differential backups as long as the appropriate agents are installed (which I have installed). It can also perform granular restore (i.e. restore  individual files). I would schedule a full backup once per week and a differential backup for the remaining 6 days.

In the presentation, Mr. Skinner explains Disaster Recovery best practices for Domain controllers and identiifes several issues to be aware of. If I understand correctly, it is mentioned not to recover from a backup copy of an old virtual disk.  

In my environment,  if I need to restore a DC, and if I do not have to go to offsite storage, then I would (in theory) be able to restore to an image that is no more than 24 hours old. So I have the following questions:

1. Is it necessary to perform system state backups if I have a complete virtual image of the DC backed up?

2. Would there be issues of update sequence number and issues when referencing USN (or USN out of sync)?

3. For non-authoritative Restore of a DC, would it not be sufficient to use the DC image that is 24 hours old?  Would it still replicate with the other DC (I have two DC’s, and only had to restore 1) ? Would it be better just to build a server from scratch , and then DCPromo it since I have one good DC?

4. If I had to perform an Authoritative restore of the DC, could I not restore the VM of the DC, boot into Directory Services Restore Mode,  run ntdsutil and follow the steps for an authoritative restore? Would it coomunicate properly with the second DC?

I just completed the initial training for vSphere 4.1, install, configure, and manage. I found it to be excellent.

Any information or recommendations that you could provide would be appreciated.

Best Regards,

Question by:mbudman
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 57

Accepted Solution

Mike Kline earned 1000 total points
ID: 34154868
1.   Yes, do not restore from images, it is not a valid form of recovery and you can run into issues USN roll back issues.  Either system state or have multiple DCs and if one goes down you just wipe it and build a new one and promote

3.  Yes build from scratch

4.  The steps are the same for an auth restore but don't use an image

Some other things.  

Look at this question I was a part of.  We debated a lot of this there and I don't want to type it all again   http://www.experts-exchange.com/Software/VMWare/Q_26571188.html

Dean Wells from the Microsoft AD team just gave a great presentation at Tech Ed Europe last week on cloning and virutalization   http://www.msteched.com/2010/Europe/SIA320


LVL 24

Expert Comment

by:Luciano Patrão
ID: 34155177

Well last moth I needed to restore 2 DCs from a costumer. Using Veeam Backup and Replication.

The backup was 3 days old, and I restore both DCs with no issues. This was the only two DCs in the AD.

The only problem with this restore with 3 days old, was that if some workstations have added to the domain, needed to be removed, and added again. Or any user that may change the password between that 3 days of the backup.

Besides this I have seen no issues with the restore.

LVL 24

Assisted Solution

by:Luciano Patrão
Luciano Patrão earned 1000 total points
ID: 34155239

Here is some good articles about Virtualizing Active Directory



There is s very good book about this(I have boughed and is very good and with very good examples for AD, Exchange, SQL, SharePoint, etc.), "Virtualizing Microsoft Tier 1 Applications with VMware vSphere 4"


Author Closing Comment

ID: 34293179
Thank you for the information. The comments and advice are excellent.



Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
August and September have been big months for VMware—from VMworld last month to our new Course of the Month in VMware Professional - Data Center Virtualization. We reached out to Andrew Hancock, resident VMware vExpert, to have a more in-depth discu…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question