[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now



Posted on 2010-11-17
Medium Priority
Last Modified: 2012-05-10

I recently reviewed the VMware  video file , “Best Practices for virtualizing Active directory”, presented by Chris Skinner of VMware  at  VMworld in February 2009. It is remarkable presentation and extremely informative.

Since this presentation was made, ESXi has changed and the products that work with it are also different.
I have some  questions concerning virtualizing Domain Controllers and in particular backups (for recovery and / or Disaster recovery).

I run a small environment for 70 users and there are 7 Physical Servers (Windows 2003 Server is the O/S):

2 x domain controllers
1 file server
1 Firewall server (ISA 2006)
1 Front End Exchange Server (Exchange 2003)
1 Backend Exchange server (Exchange 2003)
1 application servers (Blackberry Enterprise Server, which has SQL installed)

I would like to virtualize all servers (I have done so in a test environment) using ESXi 4.1 along with the license for vSphere Essentials Plus (which is perfect for our environment), using two ESxi servers connected to a SAN and employing HA. My goal would be to virtualize all servers. do not want to keep (if it is recommended) any of the current servers. I would implement 2 ESXi servers connected to a SAN.
In my test Virtual environment, for the ESXi server ,  in terms of backup, I would like to use Symantec Backup Exec 2010, with all the necessary agents – SQL, Exchange, Active directory, and the VMware agent (which interfaces with the VCB for backup) as I am using this software to currently backup my physical machines (and it seems to work well).
Regarding the ESXi server and VM Server image backups,  I spoke with my technical contact at Symantec concerning the VMware agent. He explained that this agent will allow full backups of each server image as well as differential backups as long as the appropriate agents are installed (which I have installed). It can also perform granular restore (i.e. restore  individual files). I would schedule a full backup once per week and a differential backup for the remaining 6 days.

In the presentation, Mr. Skinner explains Disaster Recovery best practices for Domain controllers and identiifes several issues to be aware of. If I understand correctly, it is mentioned not to recover from a backup copy of an old virtual disk.  

In my environment,  if I need to restore a DC, and if I do not have to go to offsite storage, then I would (in theory) be able to restore to an image that is no more than 24 hours old. So I have the following questions:

1. Is it necessary to perform system state backups if I have a complete virtual image of the DC backed up?

2. Would there be issues of update sequence number and issues when referencing USN (or USN out of sync)?

3. For non-authoritative Restore of a DC, would it not be sufficient to use the DC image that is 24 hours old?  Would it still replicate with the other DC (I have two DC’s, and only had to restore 1) ? Would it be better just to build a server from scratch , and then DCPromo it since I have one good DC?

4. If I had to perform an Authoritative restore of the DC, could I not restore the VM of the DC, boot into Directory Services Restore Mode,  run ntdsutil and follow the steps for an authoritative restore? Would it coomunicate properly with the second DC?

I just completed the initial training for vSphere 4.1, install, configure, and manage. I found it to be excellent.

Any information or recommendations that you could provide would be appreciated.

Best Regards,

Question by:mbudman
  • 2
LVL 57

Accepted Solution

Mike Kline earned 1000 total points
ID: 34154868
1.   Yes, do not restore from images, it is not a valid form of recovery and you can run into issues USN roll back issues.  Either system state or have multiple DCs and if one goes down you just wipe it and build a new one and promote

3.  Yes build from scratch

4.  The steps are the same for an auth restore but don't use an image

Some other things.  

Look at this question I was a part of.  We debated a lot of this there and I don't want to type it all again   http://www.experts-exchange.com/Software/VMWare/Q_26571188.html

Dean Wells from the Microsoft AD team just gave a great presentation at Tech Ed Europe last week on cloning and virutalization   http://www.msteched.com/2010/Europe/SIA320


LVL 24

Expert Comment

by:Luciano Patrão
ID: 34155177

Well last moth I needed to restore 2 DCs from a costumer. Using Veeam Backup and Replication.

The backup was 3 days old, and I restore both DCs with no issues. This was the only two DCs in the AD.

The only problem with this restore with 3 days old, was that if some workstations have added to the domain, needed to be removed, and added again. Or any user that may change the password between that 3 days of the backup.

Besides this I have seen no issues with the restore.

LVL 24

Assisted Solution

by:Luciano Patrão
Luciano Patrão earned 1000 total points
ID: 34155239

Here is some good articles about Virtualizing Active Directory



There is s very good book about this(I have boughed and is very good and with very good examples for AD, Exchange, SQL, SharePoint, etc.), "Virtualizing Microsoft Tier 1 Applications with VMware vSphere 4"


Author Closing Comment

ID: 34293179
Thank you for the information. The comments and advice are excellent.



Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question