RyanHenry asked:
virtualize domain controllers

Experts,

I am virtualizing a small environment.  Currently I have 2 domain controllers (DC01, DC02) Win 2008 R2 Standard 32-bit.

Unfortunately I have never virtualized a DC, and also don't have much experience building them, or transferring FSMO roles, etc.

On 1 of my 2 DELL virtual servers I built a virtual vCenter 5.1 Server, and a virtual Veeam B&R Server.  (I only have an ESXi 5.1 Standard license, the cheapest one "$500", no vMotion, etc.)

Is there any way I can just live migrate, cold migrate or do anything automatically so that I don't risk the chance of messing up my DCs?

Also, is there a way for me to migrate DC02 first during working hours without it screwing up DC01, which would still be physical, so I can test everything before virtualizing both and then being deep under water?  I have read in a few places that sometimes there are issues just using VMware Converter on DCs?

Can somebody break it down for me step by step like (P2V DC's for dummies) and how they would approach it?

All in all we will end up with 2 virtual servers running about 12 servers total, like I said very small.  We have a junky old MD3000i SAN which is useless for 5.1, and we only use Windows iSCSI connections to it for SQL database storage.

Thank you very much!
bigbigpig:

You could P2V but for a DC I'd just stand up a new VM and install as a new (3rd) DC, then demote DC02.
SOLUTION
coolsport00:
Here's the Converter User's Guide:
https://www.vmware.com/pdf/convsa_43_guide.pdf

It honestly can be followed pretty well, but let us know if you have further questions.

Troubleshooting Converter: http://kb.vmware.com/kb/1016330
Best Practices for Converter: http://kb.vmware.com/kb/1004588

~coolsport00
Andrew Hancock (hanccocka):
Is there anyway I can just live migrate, cold migrate or do anything automatically so that I don't risk the chance of messing up my DC's?

- NO. Build new VMs, and transfer the roles.

http://www.petri.co.il/transferring_fsmo_roles.htm

see my EE Article for Hints and Tips

HOW TO:  P2V, V2V for FREE - VMware vCenter Converter Standalone 5.0

HOW TO: Improve the transfer rate of a Physical to Virtual (P2V), Virtual to Virtual Conversion (V2V) using VMware vCenter Converter Standalone 5.0

But the recommended approach is to create a new VM, promote it to a DC, transfer the FSMO roles, and then retire the old servers.
RyanHenry (asker):
Coolsport,

I already installed VMware Converter Standalone 5.0.1.  Are you saying I would have a better chance at uninstalling this and installing 4.0 in its place and then converting live?
Converting Live is NOT SUPPORTED, and you could end up with replication errors.

It's quicker to create new VMs, than P2V!

see here on EE!

replication issue with 2 DC's after P2v
No...you can use 5.0...there are just sometimes errors that arise that seem to get resolved by using the previous (4.3, not 4.0) version :) And sometimes that's vice versa (needing to use the newer as opposed to the older version).

You can do 'live' P2V with either. The option you choose in the beginning of converting is "Powered-on Machine".

~coolsport00
@hanccocka - i've never heard anything about "not being supported" to convert a DC. Now, I don't disagree with you that one should build a new VM and promote (I stated that above), but converting works fine.

BTW @RyanHenry - VMware also has a KB on P2V'ing DCs: http://kb.vmware.com/kb/1006996

~coolsport00
Hanccocka,

If I build a new VM say vDC02, then would I transfer the roles from DC02 1st to test?  And when I do transfer these roles what happens to the physical DC02?  Does it stop working?  I am afraid I will mess up transferring the roles and then it will replicate to my DC01 and then the whole active directory will be screwed up.  I looked at the Petri article but it looks very complex to me?
@RyanHenry - when you transfer roles, AD replicates that modified info to every DC so each DC knows where those roles now reside. It doesn't matter if DC is physical or virtual. AD doesn't know the difference :) Not all DCs have a FSMO role assigned to it. As such, your orig DC doesn't cease to be a DC & thus will not cease to function...should still be fine.

~coolsport00
Guys,

Ok, so all in all I should do this correctly by building new VMs and transferring roles? Now when I do this, you are all saying that there should be no issues when the new VM DC replicates to the 2 other virtual DCs.

I am confused though because should I migrate the roles from DC02 to vDC02 1st or am I supposed to migrate DC01 to vDC01?  Isn't there a primary domain controller?  Right now mine is DC01.
SO should I transfer the roles from DC02 1st?

Sorry guys, this is my 1st time and I am very nervous playing with DCs and I would like to do this now while I am at work since there are no change policies here except don't bring the network down!
Correct.

Just:
1. build new VM
2. update it & install things as needed (A/V, etc.)
3. promote it to a DC
4. migrate whatever FSMO roles you want on this new VM
5. demote 1st physical DC to member server (non-DC)
6. build 2nd new VM
7. see #2 above
8. see #3 above
9. migrate remaining FSMO roles to it that you want, if any (if you have all roles on 1 DC and you decide to keep it that way, then this step is not needed if you transferred roles to 1st new VM)
10. demote 2nd physical DC to member server (non-DC)
11. if there are any other 'services' (DNS, DHCP, printing, etc.) on the other physical servers you want on the new VMs, transfer those over (beyond the scope of this post, but not difficult to do though)
12. shut down the physical servers when confident everything you want is now on the new VMs

Regards,
~coolsport00
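The role transfer in steps 4 and 9 above is the part the asker is most nervous about, so here is an added example (not code from the thread or from any participant) that inventories the five FSMO roles, transfers them gracefully, and then checks that every DC agrees on the new holders. It assumes the ActiveDirectory PowerShell module available on a 2008 R2 DC, an account in Enterprise Admins and Schema Admins (the schema master needs the latter), and a hypothetical target name "vDC01" that stands in for the new VM.

```powershell
# Added example (not from the thread): inventory the five FSMO roles, transfer
# them to a new DC, and confirm that every DC agrees on the new holders.
# Assumptions: run on a 2008 R2 DC with the ActiveDirectory module, as a member
# of Enterprise Admins and Schema Admins; "vDC01" is a hypothetical target name.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles hang off the forest object, domain roles off the domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory = $true)][string]$TargetDC)
    # A *transfer* contacts the current holder and hands over cleanly. Do not add
    # -Force (a seize) while the old holder is still online: two DCs that both
    # believe they own a role is exactly the replication mess the thread warns about.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false
}

function Test-FsmoAgreement {
    # Ask each DC directly which holders it knows about. A disagreement means the
    # change has not replicated everywhere yet (or replication is broken).
    $views = foreach ($dc in Get-ADDomainController -Filter *) {
        $d = Get-ADDomain -Server $dc.HostName
        New-Object PSObject -Property @{
            AskedDC              = $dc.HostName
            PDCEmulator          = $d.PDCEmulator
            RIDMaster            = $d.RIDMaster
            InfrastructureMaster = $d.InfrastructureMaster
        }
    }
    $views | Format-Table AskedDC, PDCEmulator, RIDMaster, InfrastructureMaster -AutoSize
    $distinct = $views | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster -Unique
    return (@($distinct).Count -eq 1)
}

Write-Host "FSMO holders before:"; Get-FsmoHolders | Format-List
Move-AllFsmoRoles -TargetDC 'vDC01'
repadmin /syncall /AdeP | Out-Null        # push the change to all DCs now instead of waiting
Start-Sleep -Seconds 30
Write-Host "FSMO holders after:";  Get-FsmoHolders | Format-List
if (-not (Test-FsmoAgreement)) {
    Write-Warning "DCs disagree on the role holders. Check 'repadmin /showrepl' and fix replication before demoting anything."
}
```

Run the "before" inventory on its own first; it tells you which physical box actually holds which role, which answers the "DC01 or DC02 first?" question without guessing. Only demote a physical DC once Test-FsmoAgreement passes, because demotion of a box that other DCs still think is a role holder is what forces a later seize.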
Yes, DNS, DHCP, and Printing are all on the domain controllers.  See I am not sure which roles to move to which server, and it looks like you are saying I should demote my primary DC 1st, so that's scary because if I do that during the day then everyone will lose connection.

Also, How do I make sure DNS and, DHCP, and Printing still work?

This sounds like a lot could go wrong. does converter keep your DNS, DHCP and printing on the converted DC?
@coolsport00  "not being supported" - Call Microsoft and ask them!
Keep your DC's simple.

DHCP, DNS, Active Directory.

Create a new Server for your printer server.

As for things going wrong, you need to plan it, and research it, just like with a P2V, things can go wrong if you do it HOT!

with virtual DCs you also need to be careful about Time Sync, and make sure this is disabled in VMware Tools, and also NEVER, NEVER revert a VMware Snapshot!

The DS team has a good blog entry on it here:  (also look for part 2)

http://blogs.technet.com/b/askds/archive/2010/06/10/how-to-virtualize-active-directory-domain-controllers-part-1.aspx

Be careful of time sync issues on your DCs. If your host gets busy your VM clocks can run slow. Some hypervisors have tools that allow you to sync with your VM host. NTP and Windows Time Services work well, but if drift becomes too large they will quit working. This is usually only an issue on heavily loaded hosts.
Guys,

If I try to create a new VM, demote the DC, then re-promote the new vDC, will I have to rebuild DNS, DHCP, and the print server?
you will need to transfer the DHCP service to one of these new servers. But that can be done at a later date, after you have two new DCs running; then transfer DHCP, and transfer Printer Services.

once you have created a new DC, by promoting a server to a DC, you also install the DNS service.
@hanccocka - thought you were talking about VMware. :) Although..I've not heard/seen anything about doing a P2V not being supported by MS either. Regardless....
coolsport00,

When your P2V DC's were successful running vmconverter, did you immediately shut down your physical Pri DC and run off of that?  Was your Secondary DC up physically as well, and did you then immediately P2V that one and shut the physical down?  

Or is there some way to cold copy and virtualize it?

I'm asking because I am thinking that you didn't want any changes to have happened or replicate.  Also, did DNS, DHCP, and print server work still?

If this is correct couldn't one try this out and if there are errors, then just shut down the 2 vm DC's and just turn the Physicals back on, or would that not work?

Thanks again, as I am unsure of myself as to whether I can rebuild DCs, transfer FSMO roles, DHCP, and DNS.  I tried running dcpromo on my secondary DC02, and it errored saying that an Active Directory Certificate portion must be removed first.  Just things like this that I am not used to are happening, and I have no support contracts, hence the reason I signed up here!

Thanks everyone for all your efforts...
the only way to P2V your DC cold is to power it off.

and use a product called coldclone.iso, which has now been discontinued, and was only available to enterprise VMware customers; you booted the DC from a CD-ROM, and converted it cold.

you could build your own coldclone CD-ROM to try. P2V cold, i.e. DCs off, is the safest way, if you are going the P2V route!
So it would be ok to try the P2V and see if there are any errors, and if so I can just turn my physical DCs back on and they will correct themselves?

If I can't get this coldclone to work, does VMware Converter within vCenter still see the physical machine if I have it shut down but still on the network, and virtualize it?
turning off your physical DCs and back on will not cause any issues. but....

P2V physical, turn them off, start virtuals, turn them off if fail, and turn back on physicals, will have issues..

you can certainly try a hot live conversion, and if you see errors just turn the virtual off, but be warned: live workstations, user accounts, servers communicating with your new virtual servers will get confused when you turn on your old physical DCs, because the clients will think they've gone back in time, and you may end up with trust relationship issues with accounts and servers etc.

you can only clone live with Converter, eg a powered on server

not that Im recommending this.....

but the only way forward would be to turn OFF all computers

stop all services including dhcp, shutdown the other DC

p2v hot. dc1

power up dc2, shutdown dc1

stop all services,

p2v hot dc2

this reduces, and if possible avoids, any replication errors
Thank you very much for understanding my situation and why I think I am only capable of doing it this way.  

Since I have vCenter Server installed and it wants you to convert everything through it, would you recommend that I use Veeam Quick Migration or Converter through vCenter?

When you say stop all services, you mean basically application, programs, and dns, dhcp?  Anything specific that you know causes issues?

Thanks so much and I understand you are just trying to give me the best info on "my" decision!
as many services as possible, stop, and set to manual

and when you bring up the virtual version, start and set to auto

Veeam only works with virtual servers.

Converter is the only application available or moz.
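The "stop as many services as possible and set them to Manual, then set them back to Automatic on the VM" advice above is easy to get wrong by hand (you forget which ones were Automatic). This added example, which is not code from the thread or from any participant, records each running service's startup type to a CSV before touching it, stops it and sets it to Manual, and with -Restore puts everything back exactly as recorded. The $Keep list is this example's own assumption about what must stay running (core OS services, the RDP session you are working from, the Converter agent, and the AD-core services hanccocka says to leave "as is" on a quiet LAN); review it for your environment before running.

```powershell
# Added example (not from the thread): record, stop and set to Manual every
# stoppable non-essential service so a hot P2V captures a quiet system; run
# again with -Restore on the new VM to put each service back to its recorded
# startup type and start the ones that were Automatic.
# Assumptions: run locally (not over WinRM) as Administrator on 2008 R2; the
# $Keep list is this example's choice of what must stay up, not advice from the thread.
param(
    [switch]$Restore,
    [string]$StateFile = 'C:\p2v-services.csv'
)

$Keep = @('RpcSs', 'RpcEptMapper', 'DcomLaunch', 'EventLog', 'PlugPlay', 'Power', 'SamSs',
          'ProfSvc', 'gpsvc', 'Winmgmt', 'LanmanServer', 'LanmanWorkstation', 'Dhcp',
          'Dnscache', 'TermService', 'Netlogon', 'NTDS', 'DNS', 'Kdc', 'W32Time',
          'DFSR', 'NtFrs', 'vmware-converter-agent', 'vmware-converter-server')

function Get-StartupType([string]$Name) {
    # Get-Service on PS 2.0 has no StartType property, so read it from WMI and
    # translate WMI's "Auto" into the value Set-Service expects.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    switch ($svc.StartMode) {
        'Auto'     { 'Automatic' }
        'Manual'   { 'Manual' }
        'Disabled' { 'Disabled' }
        default    { 'Manual' }
    }
}

if (-not $Restore) {
    $snapshot = @(Get-Service |
        Where-Object { $_.Status -eq 'Running' -and $_.CanStop -and $Keep -notcontains $_.Name } |
        ForEach-Object { New-Object PSObject -Property @{ Name = $_.Name; StartupType = (Get-StartupType $_.Name) } })

    if ($snapshot.Count -eq 0) { Write-Host 'Nothing to stop.'; return }

    # Write the record *before* touching anything, so a half-finished run is still reversible.
    $snapshot | Export-Csv -Path $StateFile -NoTypeInformation

    foreach ($s in $snapshot) {
        Write-Host ("Stopping {0} (was {1})" -f $s.Name, $s.StartupType)
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue   # -Force also stops dependents
        Set-Service  -Name $s.Name -StartupType Manual
    }
    Write-Host ("{0} services recorded in {1}. DHCP Server and Print Spooler, if they were running, are among them, so clients lose those until -Restore." -f $snapshot.Count, $StateFile)
}
else {
    foreach ($s in Import-Csv -Path $StateFile) {
        Set-Service -Name $s.Name -StartupType $s.StartupType
        if ($s.StartupType -eq 'Automatic') {
            Start-Service -Name $s.Name -ErrorAction SilentlyContinue
        }
    }
    Write-Host "Startup types restored from $StateFile; check 'Get-Service | Where-Object { `$_.Status -ne 'Running' }' for stragglers."
}
```

Copy the CSV off the physical box (or onto the disk that gets converted) before starting Converter; the restore step on the new VM needs it, and it doubles as your record of what the server was actually running.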
OK got it...  Thank you and hopefully I will report back with success!
One last thing, I am behind on MS patching, do you recommend patching the server first before migrating?
I would always recommend you keep up to date with your Security Updates.
ok, thx again!
Sorry for the delay...I was away for a bit. To answer your question @RyanHenry, as it so happens, some of my DCs are at branch locations and as such run print services & DHCP as well. What I did (and am doing again because I'm replacing the Hosts these DC VMs reside on) is V2V while powered on using Converter and towards the end I modified the Sync options to sync changes during the operation. Once complete, I powered down the source (that can be done automatically by Converter as well), then power on the new VM.

Best of luck on your task! :)

~coolsport00
Oh, my DC servers are still physical, so I guess you have a different situation or did you start out running converter P2V?
Yes, I started with P2V; regardless of whether physical or virtual, you could still run into the same issues. To this point, I've been ok. I think there may have been a replication issue I had to resolve, but it was easy (like I had to change a file name or add a file or something like that in a folder on the DC). In monitoring replication after the conversion, I check the Event Logs to make sure all is well.

~coolsport00
Will do, thank you...
guys,

When I virtualize my physical DC "DC01" and it asks me for the name of the new virtual server, Can I call it vDC01 ?  Or will that mess up AD and Replication.  The plan was if it worked then I would virtualize DC02 and change that to vDC02.

But I have to keep the same IP addresses.

Will this cause problems or should I just keep the same name and shut down physical before turning on new virtual?

Thanks!
the name is just a friendly name for use in the vSphere Inventory.
so DNS won't change the name to vDC01 or anything like that?
the inventory name has no connection with the netbios or hostname in the OS, but most sites use the same!
So you recommend I just migrate it, and then after it's completed just change the friendly name in vCenter?  Sorry, I don't know what you mean by "sites use the same"? Sorry.
As @hanccocka mentions, the VM name is separate from the "host" name of the server or guest OS within the VM. For consistency purposes you should name the VM the same as the physical server...i.e. name the VM the same name as you're going to make the 'hostname' of the Windows guest.

~coolsport00
usually, when vmware admins create VMs, the name in the inventory matches the OS machine name.
I thought that was what you meant.  People over here have it in their head that everything is going to start with a "v", but that's not simple if you're converting P2V.  Because we created a few new virtual SQL servers we named them vsql etc., but they were new so easy.

Thanks guys!
yes, I've seen that naming convention!

personally, we prefer not to highlight servers are virtual!

users jumped to conclusions about performance!

all users should be concerned with is their service!
Great Point!
hanccocka,

When I stop all services I should stop active directory services as well before the migration correct?
now that depends, on what else you have running on your network!

if your network is quiet, and the other DC is OFF, and you have no client workstations ON,

Just convert "as is"
I actually just did a V2V of one of mine last night. At the end of the Converter wizard you have the option to change some "Advanced Option" sync settings. One thing I did that I like is modified this setting:
"Synchronize changes that occur to the source during cloning"

For me, I also wanted my 'source' to be powered down upon completion so no more AD changes had a chance to get replicated to it.

All worked great!

~coolsport00
I WILL TAKE BOTH OF YOUR ADVICE, AND KEEP MY FINGERS CROSSED!!!
My plan is to shut down all the other pc's and servers, I will shut down DC02 as well, so I can P2V PRI DC01 first, then should I let new vDC01 come up and login and see if my vCenter Server can still connect.  

Then should I turn vDC01 off and migrate DC02, let new vDC02 come up with both physicals off, and then turn all servers and Pc's on to verify it's working?

Are these correct steps.  Should vDC01 never be up at the same time as physical DC02?

Just want to have this completely figured out and covered?

Thanks
SOLUTION (content available to members only)
As @hanccocka mentions - power down the orig phys box. Also, check the Event Logs (Replication, Directory Service, Application, & System) on the new VM to make sure AD functions normally.

~coolsport00
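Two checks keep coming up in this thread: the time-sync warnings from hanccocka and the post-conversion event-log review coolsport00 describes just above. Here is an added example (not code from the thread or any participant) of the health check a practitioner would run on the new virtual DC before switching off the physical one for good: it confirms VMware Tools time sync is disabled, reports the Windows Time source, parses repadmin /replsummary for non-zero failure counts, runs the core dcdiag tests, and lists recent warnings and errors from the AD-related logs. It assumes VMware Tools in its default path and a 24-hour look-back window; both are this example's choices.

```powershell
# Added example (not from the thread): post-cutover health check on the new
# virtual DC, covering the points raised in the thread: VMware Tools time sync
# off, Windows Time with a real source, clean replication, no new AD errors.
# Assumptions: run on the new DC as Administrator; VMware Tools installed in its
# default path; 24 hours is an arbitrary look-back window.
function Test-VmwareTimeSyncDisabled {
    $toolbox = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'
    if (-not (Test-Path $toolbox)) { Write-Warning "VMware Tools not found at $toolbox"; return $false }
    $status = (& $toolbox timesync status) -join ''
    return ($status.Trim() -eq 'Disabled')
}

function Get-TimeSource {
    # A DC should follow the domain hierarchy (the PDC emulator an external NTP
    # server), never 'Local CMOS Clock' or a hypervisor-provided source.
    $line = w32tm /query /status | Select-String '^Source:'
    if ($line) { return $line.ToString().Trim() } else { return 'Source: <unknown>' }
}

function Test-ReplicationClean {
    # repadmin /replsummary prints one line per DC with a "fails / total" column;
    # any non-zero failure count is a problem worth stopping for.
    $summary = repadmin /replsummary 2>&1
    $summary | Out-Host
    $failing = @($summary | Where-Object { $_ -match '(\d+)\s*/\s*(\d+)' -and [int]$matches[1] -gt 0 })
    return ($failing.Count -eq 0)
}

function Test-DcdiagClean {
    # /q prints only failures, so an empty result means every listed test passed.
    $out = @(dcdiag /test:Replications /test:Advertising /test:KnowsOfRoleHolders /q 2>&1 |
             Where-Object { "$_".Trim() -ne '' })
    $out | Out-Host
    return ($out.Count -eq 0)
}

function Get-RecentAdErrors([int]$Hours = 24) {
    # Level 1-3 = Critical, Error, Warning. Logs that do not exist on this box
    # (FRS versus DFSR SYSVOL) are skipped silently.
    $logs = 'Directory Service', 'DNS Server', 'DFS Replication', 'File Replication Service', 'System'
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName,
                          @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

$results = @(
    New-Object PSObject -Property @{ Check = 'VMware Tools time sync disabled'; Pass = (Test-VmwareTimeSyncDisabled) }
    New-Object PSObject -Property @{ Check = 'Replication clean (repadmin)';    Pass = (Test-ReplicationClean) }
    New-Object PSObject -Property @{ Check = 'dcdiag core tests clean';          Pass = (Test-DcdiagClean) }
)
$results | Format-Table Check, Pass -AutoSize
Write-Host ("Windows Time: " + (Get-TimeSource))
Write-Host "AD-related warnings/errors in the last 24h:"
Get-RecentAdErrors | Format-Table -AutoSize -Wrap
```

Run it once on the new VM while the physical source is still powered off, and again after the first scheduled replication interval has passed. The time-source line matters as much as the pass/fail table: if it names the hypervisor or the local CMOS clock rather than a domain or NTP source, fix that before any clients authenticate against the new DC.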
That's what I was confused about I didn't know if virtual could exist with the physical between DC's.

Ok, so the way you have described, if I see replication errors, can't print, and all of the others, I would turn off vDC01 and then DC02 would just be my Primary basically, or would DC02 be screwed up still even before virtualizing?

I guess I'm asking if that would be the backup plan?
I also have Redo Backup live, and I was planning on cloning both physical DCs 1st.  That's what I have done in the past when 1 drive on our mirror array went out on the DC.  That way I could delete both virtual DCs and then restore the physicals back to their previous state?  Or would that still have replication issues, etc.?
unfortunately this is the danger!

the other way, is to complete the P2Vs, at the same time....

e.g. do vDC01 and vDC02, and then isolate them in the virtual environment, and check them on a private network, if you see no replication errors, turn off physicals, and connect virtuals to main LAN
we only have one LAN.  Not sure how I could isolate them really?

This place is small only about 15 users, 2 printers, and about 12 servers after virtualization.

Shoot I forgot to ask this???  I have already been migrating a few other servers into the virtual environment.  I was waiting to do the DC's last.  Is that ok or am I going to have more issues now?  There's no issues currently.
ASKER CERTIFIED SOLUTION (content available to members only)
any instructions on this for ESXi 5.1?  So this would not even touch my current network then?  I like this idea.
otherwise new Question, otherwise this Question, will be 100 questions in one single question!