Server 2003 Virtual Machines

eaglerod
Is it wise to be setting up each server feature on 1 single server (Active Directory, DNS, Web etc) on a separate virtual machine in the same server? What kind of problems security-wise can this cause?
Top Expert 2010

Commented:
You can combine some server 'features' (roles), but for a DC, it should be minimal and non-obtrusive. For example, I wouldn't have much anything else on a DC besides maybe DNS. Your web server can be solely that. Part of it is due to security implications, but for DCs it is more about the potential of disrupting your domain, as well as opening 'holes' for the outside to see your internal structure (if combining DC with Web server).

Regards,
~coolsport00
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
It depends; you need to be careful of what we call server sprawl: creating virtual servers for the sake of virtual servers.

Active Directory and DNS are usually services that are integrated together, that you would use on one server.

Web Server: you would want to install Web Services on a separate Member server, to prevent any security issues accessing your Domain Controller, so I would recommend a Web Server has its own server as well in the examples you give.

We have the same security issues in virtual machines that we have in physical, so ensure you have firewalls enabled on the servers, and regularly patch servers with security updates. Try not to use the servers interactively to browse the Internet, use good Anti-Virus, and have a Security Policy in place to reduce malware, virus, and trojan attacks.

Commented:
This is perhaps a "philosophical" question to some extent, but it's also dependent on your environment. The bigger the environment, the more sense it makes to divide functions between many servers. Using small foot virtual servers, it's also more economical to accommodate for redundancy. AD and DNS go on the same server, Exchange and SQL on a member server, File servers and DFS servers can be separated for scalability, other application and print servers can be separated. It's hard to answer your question wisely without knowing the details. If you have a small environment you definitely don't want to make things more complicated than necessary, and you can safely get away with one or two servers. However you decide to build it, I do recommend using virtual servers and invest in a good VM backup product.

Top Expert 2010

Commented:
Also, keep in mind some things when considering virtualizing DCs, from a technical standpoint. VMware & MS both have KBs that discuss things to consider:

VMware KB:
http://kb.vmware.com/kb/1006996

Microsoft KB:
http://support.microsoft.com/kb/888794

Regards,
~coolsport00

Author

Commented:
I have been asked to check out this server that has 6 virtual servers in it, all running a different feature of Server 2003 Standard Edition. They are running over 100 users. I have my own feelings on what they should do but wanted a group of opinions so as to get a bird's-eye view of the situation. I don't feel it's such a good idea to have all of that on one server.
Top Expert 2010

Commented:
You are correct...you shouldn't have it all on 1 VM. At minimum 2, maybe 3 depending on what other apps/services will be run/needed.

~coolsport00

Commented:
Now that you've revealed your environment, no, it's not a good idea to run 6 VMs on one physical server for such a small environment, with the sole purpose of providing standard Win 2003 type services. For 100 users, I'd run max two and divide the services between the two or even mirror them. Just make sure they're on a snapshot type backup that's continuously running. You're not mentioning Exchange, but if that's involved the recommendation would be different.
Top Expert 2010
Commented:
If the host is running 6 VMs, it can handle it (if it's a halfway decent host it should run 30-40 VMs). If you have 1 VM per 'feature', that isn't good use of resources, meaning RAM, Disk, as well as OS licensing. You can combine things. And, as mentioned above, for only 100 users, you just don't need all of them...maybe. If you have Exchange, that should be on a separate VM; a web server should be its own VM; you can combine DNS/AD and maybe even DHCP, but if you have a print server, I would combine DHCP with print and only DNS/AD to separate things a bit.

Let me also say this in response to "be_free"'s comment - snapshots are NOT a backup solution...of any kind, so do not use them as such. (See VMware's KB on snap best practices: http://kb.vmware.com/kb/1025279) But, if this company has a purchased version of ESXi (or ESX), in which vCenter is involved, you can implement some kind of VM b/u solution (Veeam, Quest, VDR, etc.)

Hope that helps.

Regards,
~coolsport00
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017
Commented:
I agree with my fellow Expert coolsport00 on the issue with Snapshots.

A snapshot is a way to preserve a point in time when the VM was running OK before making changes. A snapshot is NOT a way to get a static copy of a VM before making changes. When you take a snapshot of a VM what happens is that a delta file gets created and the original VMDK file gets converted to a Read-Only file. There is an active link between the original VMDK file and the new delta file. Anything that gets written to the VM actually gets written to the delta file. The correct way to use a snapshot is when you want to make some change to a VM like adding a new app or a patch; something that might damage the guest OS. After you apply the patch or make the change and it’s stable, you should really go into snapshot manager and delete the snapshot which will commit the changes to the original VM, delete the snap, and make the VMDK file RW. The official stance is that you really shouldn’t have more than one snap at a time and that you should not leave them out there for long periods of time. Adding more snaps and leaving them there a long time degrades the performance of the VM. If the patch or whatever goes badly or for some reason you need to get back to the original unmodified VM, that’s possible as well.

Have a look at a good backup solution.

Here are some ideas...

If you have a licensed version of ESX/ESXi (paid for license), you could purchase the following third party applications to perform backups. If you do not have a licensed version of ESX/ESXi, your options are limited, because a non-licensed (paid for) version does not give access to the licensed APIs for third party products to function. You will therefore need at least a Standard license for ESX/ESXi for the following products listed 1-3.

1. Veeam Backup and Replication - very popular, won many awards at VMworld 2010

download trial here - http://www.veeam.com/vmware-esx-backup.html

2. Quest vizioncore Vranger Pro - the first VM backup product with a good pedigree.

download trial here - http://vizioncore.com/product/vRangerPro

3. PHD Virtual Backup - very fast backup technology, using virtual appliance.

Download trial here - http://www.phdvirtual.com/phd-vb-51-vmware-vsphere


4. VMware Data Recovery - supports dedupe, integrated with vCenter - maybe included with your current VMware License (available in vSphere Enterprise Plus, Advanced, and Essentials Plus Editions. VMware Data Recovery can also be purchased a la carte with vSphere Standard Edition.)

http://www.vmware.com/products/data-recovery/overview.html


Free (download) alternatives for backing up VMs

5. ghettoVCB

http://communities.vmware.com/docs/DOC-8760 (Will work on FREE ESXi, no license required.)

(can be performed whilst the virtual machine is live or powered on)

6. ghettoVCBg2  

http://communities.vmware.com/docs/DOC-9843 (needs licensed version of ESX/ESXi)

(can be performed whilst the virtual machine is live or powered on)


7. Scripts and NFS backup

http://communities.vmware.com/message/1029047 (Will work on FREE ESXi, no license required.)
(can be performed whilst the virtual machine is live or powered on)

8. VMware Converter Standalone 4.3

http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vcenter_converter_standalone/4_0

VMware vCenter Converter Standalone 4.x Documentation

http://www.vmware.com/support/pubs/converter_pubs.html

VMware vCenter Converter Standalone 4.3 User Guide

http://www.vmware.com/pdf/convsa_43_guide.pdf

With VMware Converter you can convert and copy a Virtual Machine to another datastore; the advantage is you can do this whilst the virtual machine is Online or Powered-Up.

9. Veeam FastSCP (http://www.veeam.com/vmware-esxi-fastscp.html)

Fast Virtual Machine / File Transfer. Faster than WinSCP and other SCP-based tools as it uses full network capacity. The Veeam FastSCP engine also features traffic compression and empty block removal for best file copy performance.

You can use FastSCP to connect to the ESX/ESXi server, and download the entire virtual machine folder/directory to the current workstation or server, where you've connected from. You must ensure that the virtual machines are powered off to complete this operation.

10. Datastore browser

The datastore browser is included in the vSphere GUI Client, and gives you access to the datastore that virtual machines are stored on. You can simply use the cut and paste, or download/upload options to backup and restore virtual machines. Again, to copy a virtual machine, the virtual machine must be powered off.

Restoring with options 9 and 10, above, you must add the Virtual Machine manually to the inventory, by selecting the vmx file in the datastore browser, right click on the *.vmx file, and select "Add to Inventory".
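
The snapshot behaviour described in the post above (read-only base VMDK, writes redirected to a delta file, delete commits, revert discards), as an added example that is not part of the original post. It is a simplified block-level model in Python, not VMware code; the class name, block contents and the one-snapshot limit are assumptions made for illustration.

```python
class SnapshottedDisk:
    """Toy model of a VMDK with at most one open snapshot (one delta file)."""

    def __init__(self, blocks):
        self.base = dict(blocks)  # block number -> data: the original VMDK
        self.delta = None         # None means no snapshot is open

    def take_snapshot(self):
        if self.delta is not None:
            raise RuntimeError("model allows one snapshot at a time")
        self.delta = {}           # from here on the base is treated as read-only

    def write(self, block, data):
        # With a snapshot open, writes land in the delta, never in the base.
        target = self.base if self.delta is None else self.delta
        target[block] = data

    def read(self, block):
        # Reads prefer the delta and fall through to the base.
        if self.delta is not None and block in self.delta:
            return self.delta[block]
        return self.base[block]

    def delete_snapshot(self):
        # Deleting the snapshot commits the delta into the base (read-write again).
        if self.delta is not None:
            self.base.update(self.delta)
            self.delta = None

    def revert(self):
        # Reverting throws away everything written since the snapshot.
        if self.delta is not None:
            self.delta = {}


def demo():
    # Constructed sample disk: three blocks.
    disk = SnapshottedDisk({0: "boot", 1: "os-v1", 2: "data"})
    disk.take_snapshot()
    disk.write(1, "os-v2-patched")
    delta_only = dict(disk.delta)  # all that the delta file holds on its own
    patched_view = disk.read(1)
    disk.revert()                  # the patch went badly: back to the point in time
    after_revert = disk.read(1)
    disk.write(1, "os-v2-patched") # second attempt is stable
    disk.delete_snapshot()         # commit it
    return delta_only, patched_view, after_revert, disk.base[1]


if __name__ == "__main__":
    print(demo())
```

The delta holds only the blocks changed since the snapshot and cannot be read without the base, which is why losing the datastore that holds the base VMDK loses the snapshot with it.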

Commented:
We're moving away from what the OP asked about, but since it's been mentioned more than once, I need to clarify on the issue of "snapshots". I did not say use VMware snapshots instead of backups. I did not reference VMware's built-in snapshot procedure at all -- which other posters rightfully want to point out that it's not a backup solution -- and I fully agree. But as far as a snapshot function in itself goes, it's certainly used and integrated in many products targeting both the physical and virtual backup market. What I recommended in passing was to use a "snapshot type backup" which admittedly may have been a vague term. Since the topic isn't backups I chose not to elaborate. Specifically, I thought about VMX Trilead VM Explorer. Their FAQ is here which in part explains how their backups work using "snapshot technology": http://www.trilead.com/FAQ/. There is also a YouTube video here: http://youtu.be/6jWCP8ZP7SQ
