Solved

Virtualizing the DC

Posted on 2013-11-19
Last Modified: 2014-05-27
I was wondering if I can get some feedback in regards to Virtualizing the Domain Controller.

I was told by some that virtualizing ALL the DCs is not a good idea and that it's best practice to have one PHYSICAL Domain Controller available just in case. Some say that virtualizing a DC and not having any PHYSICAL Domain Controller is not an issue as long as there is fault tolerance and the virtual hard drive file is accessible.

Any insight would be greatly welcomed.
Question by:Geekah
8 Comments
 
LVL 120
ID: 39659802
We do not have any physical Domain Controllers any more, and most of our clients no longer have any physical domain controllers.

Some clients do prefer to be able to "touch and stroke" their DCs.

see here also

http://blogs.technet.com/b/askds/archive/2010/06/10/how-to-virtualize-active-directory-domain-controllers-part-1.aspx

What you must not do, if you use snapshots for patch management, is roll back or revert a DC using snapshots. We think this is common sense, but virtual admins seem to forget this!
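The snapshot warning above is the one operational failure that is specific to virtual DCs, so here is what the aftermath looks like on the box. This is an added example, not part of the thread or of the linked Microsoft article: a check in Python (rather than PowerShell, so it runs offline over an exported log and registry dump on any workstation) for the evidence NTDS leaves behind after a snapshot revert. The Directory Service event IDs 2095 and 2103 and the "Dsa Not Writable" registry value are what NTDS actually emits when it quarantines a rolled-back DC; the event records and registry snapshot below are constructed sample input, with field names following a `Get-WinEvent | ConvertTo-Json` export. On Windows Server 2012 DCs running on a hypervisor that exposes VM-Generation ID, a reverted snapshot takes the safe-reset path instead, so none of these indicators appearing there is expected.

```python
"""Spot the aftermath of a DC snapshot revert (USN rollback) from exported evidence.

When a DC is reverted to a snapshot without VM-Generation ID support, it keeps
its old invocation ID but its USN counter falls behind what replication partners
have already recorded. NTDS detects the mismatch and quarantines itself: it logs
Directory Service events 2095 and 2103 and sets "Dsa Not Writable" = 4 under the
NTDS Parameters key.
"""
from dataclasses import dataclass

# Directory Service event IDs NTDS writes when it detects an unsupported restore.
USN_ROLLBACK_EVENT_IDS = {
    2095: "USN rollback detected; a replication partner has already acknowledged "
          "a higher USN for this DC's invocation ID than the DC now holds",
    2103: "AD database restored by an unsupported method; inbound and outbound "
          "replication disabled and Net Logon paused on this DC",
}

NTDS_PARAMETERS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
DSA_NOT_WRITABLE = "Dsa Not Writable"   # REG_DWORD; 4 means the DC has quarantined itself


@dataclass(frozen=True)
class Finding:
    source: str
    detail: str


def scan_events(events):
    """events: records shaped like `Get-WinEvent -LogName 'Directory Service' |
    ConvertTo-Json` output (keys Id, TimeCreated, Message).
    Returns one Finding per rollback-related event, oldest first."""
    hits = []
    for ev in sorted(events, key=lambda e: e.get("TimeCreated", "")):
        if ev.get("Id") in USN_ROLLBACK_EVENT_IDS:
            hits.append(Finding(
                source=f"Directory Service event {ev['Id']} at {ev.get('TimeCreated')}",
                detail=USN_ROLLBACK_EVENT_IDS[ev["Id"]],
            ))
    return hits


def scan_registry(ntds_parameters):
    """ntds_parameters: dict of value name -> data read from NTDS_PARAMETERS_KEY."""
    if ntds_parameters.get(DSA_NOT_WRITABLE) == 4:
        return [Finding(
            source=f"{NTDS_PARAMETERS_KEY}\\{DSA_NOT_WRITABLE} = 4",
            detail="writes disabled by NTDS; clearing the value by hand re-enables a "
                   "DC that is still inconsistent, so demote and re-promote it or "
                   "restore it from a supported backup instead",
        )]
    return []


def assess(events, ntds_parameters):
    """Combine both sources into one verdict for a report or a monitoring check."""
    findings = scan_events(events) + scan_registry(ntds_parameters)
    return {"rollback_suspected": bool(findings), "findings": findings}


# Constructed sample input (not real log data): a DC that was reverted to a
# snapshot taken before the last patch window and has since quarantined itself.
SAMPLE_EVENTS = [
    {"Id": 1000, "TimeCreated": "2013-11-18T22:01:10", "Message": "constructed unrelated event"},
    {"Id": 2095, "TimeCreated": "2013-11-19T08:12:44", "Message": "constructed: USN rollback detected"},
    {"Id": 2103, "TimeCreated": "2013-11-19T08:12:45", "Message": "constructed: database restored by unsupported method"},
    {"Id": 1001, "TimeCreated": "2013-11-19T08:13:00", "Message": "constructed unrelated event"},
]
SAMPLE_NTDS_PARAMETERS = {"DSA Database file": r"C:\Windows\NTDS\ntds.dit", DSA_NOT_WRITABLE: 4}


if __name__ == "__main__":
    verdict = assess(SAMPLE_EVENTS, SAMPLE_NTDS_PARAMETERS)
    print("rollback suspected:", verdict["rollback_suspected"])
    for f in verdict["findings"]:
        print(f"  {f.source}\n    {f.detail}")
```

If either check fires, the fix is not to clear the registry value: that only re-enables replication from a database that is already behind its partners. The 2103 event text itself says to restore the DC from a supported backup or demote and re-promote it, and that is the only safe path.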
 
LVL 26

Accepted Solution

by: pony10us (earned 500 total points)
ID: 39659846
This is an ongoing point of contention within the IT community. There are points that suggest that either option is better than the other.

Personally, I prefer to keep one ADDC as a physical server just in case the VM host that houses any other ADDCs goes down. Others will say that to combat that you should keep multiple ADDCs on separate VM servers. Also, if the ADDC is located in the same physical location as the VM host and there is a disaster (fire/flood/etc.), then if it was virtual and you had a backup it would be quicker to recover.

There are some that say it is a security risk to have an ADDC virtualized at all. Someone could get a copy of the VM and then have all the time they want to Brute Force attack it.

Again, it really comes down to you doing a full risk assessment, deciding which risks are more acceptable and proceeding down that path.

Good luck and I'm sure there will be more informative responses to your inquiry.

You may also want to look at this:  http://www.techrepublic.com/blog/the-enterprise-cloud/considerations-for-virtualizing-all-active-directory-domain-controllers/

Some very good information in the comments at the end.
 
LVL 55

Expert Comment

by:andyalder
ID: 39660111
Had a client who set up their iSCSI and NFS targets using DNS rather than IP addresses, then virtualized all their DCs, which were also their only DNS servers. Oh, what fun that was to get started again after a power cut.

 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39660314
Bottom line is you need to plan this.

First, what virtualization platform are you using? VMware, Hyper-V or something else?

If Hyper-V, are the Hyper-V servers joined to the domain? If so, even though in 2012 you're supposed to be able to remove all physical DCs, I'd still prefer a physical one.

Otherwise, you can be all virtual... PROVIDED you do things intelligently to accommodate that decision (see andyalder's comment).

You also have to plan security appropriately. pony10us suggested an attacker could copy a VM... true... but if you use virtualization at all (and even if you don't), if a hacker can gain access to the network and a domain admin account, they could create a VM DC copy of a physical DC, so I don't think that's a valid individual concern. That's more of a "plan your security" concern... what could someone do...
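andyalder's power-cut story (storage mounted by DNS name, DNS served only by DCs whose disks sit on that storage) and the domain-joined-host question Lee W raises above are the same class of problem: a cold start that needs something that cannot come up until the cold start has finished. That can be checked on paper before an outage finds it. The following is an added example, not code from the thread: a small Python model where an edge "A depends on B" means A cannot come up until B is up, and any cycle in that graph is a boot-order deadlock. The hosts and edges are a constructed model of the setups described in the comments, not an inventory of any real environment, and the cluster-needs-AD edge in the third model is an assumption called out in the code. Edges are "all of"; where a service has alternatives (two DNS servers), list only the alternatives that share the failure mode, or the model over-reports.

```python
"""Detect start-up dependency cycles in a virtualized estate.

An edge A -> B means "A cannot come up until B is up". If that relation
contains a cycle, nothing on the cycle can cold-start after a full outage
without somebody breaking the loop by hand.
"""


def find_cycles(depends_on):
    """Return the cycles found by depth-first search, each as a node list
    written start -> ... -> start. Nodes only ever named as a dependency are
    treated as having no dependencies of their own."""
    graph = {node: set(deps) for node, deps in depends_on.items()}
    for deps in depends_on.values():
        for dep in deps:
            graph.setdefault(dep, set())

    WHITE, GREY, BLACK = 0, 1, 2          # unvisited / on the current path / finished
    colour = {node: WHITE for node in graph}
    path, cycles = [], []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for dep in sorted(graph[node]):   # sorted only so the output is deterministic
            if colour[dep] == GREY:       # back edge: dep is already on the current path
                cycles.append(path[path.index(dep):] + [dep])
            elif colour[dep] == WHITE:
                visit(dep)
        path.pop()
        colour[node] = BLACK

    for node in sorted(graph):
        if colour[node] == WHITE:
            visit(node)
    return cycles


def describe(cycles):
    """Render cycles as 'a -> b -> a' strings for a report."""
    return [" -> ".join(cycle) for cycle in cycles]


# Constructed model of the outage andyalder describes (not a real inventory):
# the hypervisor's NFS datastore is configured by DNS name, the only DNS
# servers are the DCs, and the DCs are VMs whose disks live on that datastore.
DNS_NAMED_STORAGE = {
    "hypervisor-host": set(),
    "datastore-nfs": {"hypervisor-host", "dns-resolution"},  # mount by name needs a resolver
    "dns-resolution": {"dc1-vm", "dc2-vm"},                   # both resolvers are DC VMs
    "dc1-vm": {"datastore-nfs"},                              # VM disks live on the datastore
    "dc2-vm": {"datastore-nfs"},
    "active-directory": {"dc1-vm", "dc2-vm"},
}

# Same estate with the fix: storage targets addressed by IP, so the mount no
# longer depends on DNS. Everything else is unchanged.
IP_NAMED_STORAGE = {
    **DNS_NAMED_STORAGE,
    "datastore-nfs": {"hypervisor-host"},
}

# Lee W's domain-joined-host variant. Assumption made only for this model: the
# hypervisor cluster must authenticate against AD before it brings its shared
# storage online, and the only DCs are VMs on that storage. Whether a given
# cluster version really behaves that way must be checked against its vendor
# documentation; the point here is how to spot the loop if it does.
DOMAIN_JOINED_CLUSTER = {
    **IP_NAMED_STORAGE,
    "hyperv-cluster": {"hypervisor-host", "active-directory"},
    "dc1-vm": {"datastore-nfs", "hyperv-cluster"},
    "dc2-vm": {"datastore-nfs", "hyperv-cluster"},
}


if __name__ == "__main__":
    for name, model in [("DNS-named storage", DNS_NAMED_STORAGE),
                        ("IP-named storage", IP_NAMED_STORAGE),
                        ("domain-joined cluster", DOMAIN_JOINED_CLUSTER)]:
        found = describe(find_cycles(model))
        print(f"{name}: {'no cycle' if not found else '; '.join(found)}")
```

The first model reports the loop andyalder's client hit, the second (storage by IP address) reports nothing, and the third shows that moving the dependency from DNS to AD authentication does not remove it, which is the reason Lee W still wants one physical DC outside the loop. Feeding the model from a real estate is a matter of listing, for each host, datastore, resolver and DC, what it needs before it can start; the graph walk does the rest.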
 
LVL 120
ID: 39660329
As an aside, we are seeing more and more larger clients move DNS away from Windoze now, so DNS and AD are not tied!

So AD can still start, because it has a dependency on good working DNS! (e.g. DNS and AD are not on the same server!) e.g. Infoblox, to name one product! Strange, because once upon a time Sun Solaris provided DNS, and then it migrated to Novell - Microsoft, and now back again!
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39660364
The DC running DNS has never been a requirement. It's been a STRONG suggestion, as AD requires dynamic DNS and in most environments you don't have a huge mix of systems. The most important thing is that WHATEVER server(s) run DNS, they need to be able to store, and return to clients upon request, the service records about where AD resources are located.

In most environments, having the DC(s) as your DNS server(s) is still the most logical thing and for most people here, they shouldn't even consider NOT having DNS hosted by the DC (in my opinion).
 
LVL 55

Expert Comment

by:andyalder
ID: 39661018
>as an aside, we are seeing more and more larger clients, move DNS away from Windoze now, so DNS and AD are not tied!

It was more a generic warning against migrating a core service that virtualization relies on to a virtual platform rather than a poke at Windows. If they had virtualized all their Linux based DNS servers the same problem would have occurred - they virtualized something that virtualization relied on.
 

Author Closing Comment

by:Geekah
ID: 40093884
Thanks, everyone.