Should I create a virtual domain controller?

We are implementing a disaster recovery protocol for my company in case of tornado, fire, flood, or any other catastrophic event. We are a small company.

I have two physical domain controllers. One is primary and the other is backup. I was wondering if it was a good idea to create a third. However I wanted to make it a virtual domain controller.

My thoughts are that if there was ever a fire or flood and all my physical machines were destroyed I could be up and running quicker because all of our production servers are virtual.

I would just need to get a new virtual host, delay start all of the other physical machines, promote a new physical domain controller from the virtual one, get some workstations and we could be up and running in 24 hours at a temporary location.

The virtual machines are backed up weekly and kept off site. Is this possible or would my network be screwed up given the loss of the physical domain controllers?

Or would it be better to just do active directory backups regularly and do a restore on the new servers?

I'm looking for the cleanest easiest option. Everything is 2008 servers R2 standard and enterprise editions.

Amit (IT Architect) commented:
Best option here is to have another site with one more DC. In case of disaster, seize the FSMO role on another site DC and you are back to business.

However, if that cannot be done, the best way is to take regular system state backup and in case of any disaster do a full authoritative AD restore.

DC clone is good for testing however not recommended for DR scenario, as DC data updates very frequently.
Carol Chisholm commented:
I would definitely create a virtual domain controller and back it up every night if you can.
Your strategy is fine and it greatly speeds up disaster recovery (tested).
The caveat is you must have a FRESH version of your DC, or you have to restore a recent AD backup over the DC.
If you have two physical DCs you can probably afford to export the virtual one every night.
Keep the machine really clean so it is small.
And check the backups regularly.
Mike Kline commented:
If you were running 2012 there are some virtualization safeguards and cloning capabilities that can help get multiple DCs up and running faster.

If you had a major incident getting one DC up probably would take about the same time.

Would all the infrastructure be in the same location? If you had one box offsite that would be the biggest insurance for a major outage/disaster flood scenario.



Amit (IT Architect) commented:
The biggest issue with a cloned DC I have seen is the USN issue. So cloning a DC is not a great solution.
Mike Kline commented:
For cloning I was talking about Windows 2012 specifically...there are safeguards against USN rollbacks now.
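As an added example (not from any of the posters above), here is a PowerShell script for a 2008 R2 DC that takes the system state backup Amit recommends and then checks the DC for the USN rollback condition that a restored or re-imported clone can trigger. It assumes Windows Server Backup is installed and that the backup target is a dedicated volume, shown here as the placeholder E:.

```powershell
# Added example, not from the original thread. Run elevated on the DC.
# Assumption: E: is a dedicated backup volume (placeholder), not the volume
# holding the AD database or SYSVOL.
$BackupTarget = 'E:'

# 1. System state backup (AD database, SYSVOL, registry, boot files).
#    -quiet suppresses the confirmation prompt so this can run as a scheduled task.
& wbadmin.exe start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "wbadmin returned exit code $LASTEXITCODE; backup did not complete."
}

# 2. USN rollback check. When NTDS detects its USN state going backwards
#    (typical after restoring a DC from an image or snapshot), it sets the
#    registry value 'DSA Not Writable' to 4 and logs event 2095, then stops
#    replicating with its partners.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dsaNotWritable = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).'DSA Not Writable'
if ($dsaNotWritable -eq 4) {
    Write-Warning 'USN rollback detected: this DC has quarantined itself from replication.'
}

$rollbackEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2095
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
if ($rollbackEvents) {
    Write-Warning "Found $($rollbackEvents.Count) USN rollback event(s) (ID 2095) in the last 7 days."
}

# 3. Replication summary: inbound/outbound failures here after a restore are
#    the symptom to chase before trusting the DC again.
& repadmin.exe /replsummary
```

The same registry and event checks apply to any DC brought back from an image, which is why a clone is only safe for DR if it is restored from a proper system state backup rather than booted as-is.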


Amit (IT Architect) commented:
Thanks Mike, I was referring to 2008.
Will Szymkowski (Senior Solution Architect) commented:
DC cloning is a new feature which is incorporated with server 2012. You need to be using Hyper-V and requires your PDC holder to be running server 2012 for this to work.

More info here..

As long as you have more than 2 DCs per site you have site resiliency. I typically like to keep my DCs physical but there is no reason why you cannot have a virtual DC.

Carol Chisholm commented:
I think you are thinking of doing an export of your Virtual Domain Controller, and using it for disaster recovery. You probably don't have another site.
If you have a small site you don't have many changes in users and groups so a one-week old AD is just fine for you.
It would allow you to rebuild your Exchange server, keep the permissions on your file and SharePoint servers.
This works just fine if you are a small organisation, and is a very good basis for a disaster recovery of a small fairly stable AD.
Remember you need a current admin password with each backup.

And don't test on a network that is connected to your production server by a VPN.

MEATBALLHERO (Author) commented:
We can't do anything with 2012 server yet. We are stuck using 2008 for budget reasons.