I recently reviewed the VMware  video file , “Best Practices for virtualizing Active directory”, presented by Chris Skinner of VMware  at  VMworld in February 2009. It is remarkable presentation and extremely informative.

Since this presentation was made, ESXi has changed and the products that work with it are also different.
I have some  questions concerning virtualizing Domain Controllers and in particular backups (for recovery and / or Disaster recovery).

I run a small environment for 70 users and there are 7 Physical Servers (Windows 2003 Server is the O/S):

2 x domain controllers
1 file server
1 Firewall server (ISA 2006)
1 Front End Exchange Server (Exchange 2003)
1 Backend Exchange server (Exchange 2003)
1 application servers (Blackberry Enterprise Server, which has SQL installed)

I would like to virtualize all servers (I have done so in a test environment) using ESXi 4.1 along with the license for vSphere Essentials Plus (which is perfect for our environment), using two ESxi servers connected to a SAN and employing HA. My goal would be to virtualize all servers. do not want to keep (if it is recommended) any of the current servers. I would implement 2 ESXi servers connected to a SAN.
In my test Virtual environment, for the ESXi server ,  in terms of backup, I would like to use Symantec Backup Exec 2010, with all the necessary agents – SQL, Exchange, Active directory, and the VMware agent (which interfaces with the VCB for backup) as I am using this software to currently backup my physical machines (and it seems to work well).
Regarding the ESXi server and VM Server image backups,  I spoke with my technical contact at Symantec concerning the VMware agent. He explained that this agent will allow full backups of each server image as well as differential backups as long as the appropriate agents are installed (which I have installed). It can also perform granular restore (i.e. restore  individual files). I would schedule a full backup once per week and a differential backup for the remaining 6 days.

In the presentation, Mr. Skinner explains Disaster Recovery best practices for Domain controllers and identiifes several issues to be aware of. If I understand correctly, it is mentioned not to recover from a backup copy of an old virtual disk.  

In my environment,  if I need to restore a DC, and if I do not have to go to offsite storage, then I would (in theory) be able to restore to an image that is no more than 24 hours old. So I have the following questions:

1. Is it necessary to perform system state backups if I have a complete virtual image of the DC backed up?

2. Would there be issues of update sequence number and issues when referencing USN (or USN out of sync)?

3. For non-authoritative Restore of a DC, would it not be sufficient to use the DC image that is 24 hours old?  Would it still replicate with the other DC (I have two DC’s, and only had to restore 1) ? Would it be better just to build a server from scratch , and then DCPromo it since I have one good DC?

4. If I had to perform an Authoritative restore of the DC, could I not restore the VM of the DC, boot into Directory Services Restore Mode,  run ntdsutil and follow the steps for an authoritative restore? Would it coomunicate properly with the second DC?

I just completed the initial training for vSphere 4.1, install, configure, and manage. I found it to be excellent.

Any information or recommendations that you could provide would be appreciated.

Best Regards,

Who is Participating?

Improve company productivity with a Business Account.Sign Up

Mike KlineConnect With a Mentor Commented:
1.   Yes, do not restore from images, it is not a valid form of recovery and you can run into issues USN roll back issues.  Either system state or have multiple DCs and if one goes down you just wipe it and build a new one and promote

3.  Yes build from scratch

4.  The steps are the same for an auth restore but don't use an image

Some other things.  

Look at this question I was a part of.  We debated a lot of this there and I don't want to type it all again

Dean Wells from the Microsoft AD team just gave a great presentation at Tech Ed Europe last week on cloning and virutalization


Luciano PatrãoICT Senior Infraestructure  Engineer  Commented:

Well last moth I needed to restore 2 DCs from a costumer. Using Veeam Backup and Replication.

The backup was 3 days old, and I restore both DCs with no issues. This was the only two DCs in the AD.

The only problem with this restore with 3 days old, was that if some workstations have added to the domain, needed to be removed, and added again. Or any user that may change the password between that 3 days of the backup.

Besides this I have seen no issues with the restore.

Luciano PatrãoConnect With a Mentor ICT Senior Infraestructure  Engineer  Commented:

Here is some good articles about Virtualizing Active Directory

There is s very good book about this(I have boughed and is very good and with very good examples for AD, Exchange, SQL, SharePoint, etc.), "Virtualizing Microsoft Tier 1 Applications with VMware vSphere 4"

mbudmanAuthor Commented:
Thank you for the information. The comments and advice are excellent.


Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.