Geekah asked:
Virtualizing the DC
I was wondering if I can get some feedback regarding virtualizing the Domain Controller.
I was told by some that virtualizing ALL the DCs is not a good idea and that it's best practice to have one PHYSICAL Domain Controller available just in case. Some say that virtualizing a DC and not having any PHYSICAL Domain Controller is not an issue as long as there is fault tolerance and the virtual hard drive file is accessible.
Any insight would be greatly welcomed.
Had a client who set up their iSCSI and NFS targets using DNS names rather than IP addresses, then they virtualized all their DCs, which were also their only DNS servers. Oh what fun that was to get started again after a power cut.
Bottom line is you need to plan this.
First, what virtualization platform are you using? VMware or Hyper-V or something else?
If Hyper-V, are the Hyper-V servers joined to the domain? If so, even though in 2012 you're supposed to be able to remove all physical DCs, I'd still prefer a physical one.
Otherwise, you can be all virtual... PROVIDED you do things intelligently to accommodate that decision (see andyalder's comment).
You also have to plan security appropriately. pony10us suggested an attacker could copy a VM... true... but if you use virtualization at all (and even if you don't), if a hacker can gain access to the network and a domain admin account, they could create a VM DC copy of a physical DC, so I don't think that's a valid individual concern. That's more of a "plan your security" concern: what could someone do...
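The boot-dependency trap in andyalder's anecdote, as an added example (not code from this thread): model what must be up before what, find the cycle, and confirm that a cold start can complete once storage is addressed by IP or a physical DC is kept. Service names and the two fixes are constructed for illustration.

```python
from collections import deque


def find_cycles(deps):
    """Return each dependency cycle in deps (service -> set of services it needs up first)."""
    cycles, path, on_path, done = [], [], set(), set()

    def walk(node):
        path.append(node); on_path.add(node)
        for dep in sorted(deps.get(node, ())):
            if dep in on_path:                      # back edge: this closes a cycle
                cycles.append(path[path.index(dep):] + [dep])
            elif dep not in done:
                walk(dep)
        on_path.discard(path.pop()); done.add(node)

    for start in sorted(deps):
        if start not in done:
            walk(start)
    return cycles


def boot_order(deps):
    """Kahn's algorithm: a cold-boot start order, or None if a cycle means nothing can start."""
    nodes = set(deps) | {d for ds in deps.values() for d in ds}
    remaining = {n: set(deps.get(n, ())) for n in nodes}
    ready = deque(sorted(n for n, ds in remaining.items() if not ds))
    order = []
    while ready:
        n = ready.popleft(); order.append(n)
        for m, ds in sorted(remaining.items()):
            if n in ds:
                ds.discard(n)
                if not ds:                          # all prerequisites of m are now up
                    ready.append(m)
    return order if len(order) == len(nodes) else None


# Constructed from the anecdote: storage mounted by DNS name, DNS only on the DCs, DCs as VMs.
AS_DEPLOYED = {
    "hypervisor-storage": {"dns"},        # iSCSI/NFS targets resolved by name
    "dc-vm": {"hypervisor-storage"},      # the DC VMs live on that storage
    "dns": {"dc-vm"},                     # the DCs are the only DNS servers
    "member-servers": {"dns", "dc-vm"},
}

# Fix 1: address the storage targets by IP, so the hypervisor needs nothing at boot.
STORAGE_BY_IP = dict(AS_DEPLOYED, **{"hypervisor-storage": set()})

# Fix 2: keep one physical DC/DNS server that depends on nothing in the virtual stack
# (for cold-boot purposes DNS is then satisfied by the physical box alone).
PHYSICAL_DC = dict(AS_DEPLOYED, **{"dns": {"dc-physical"}, "dc-physical": set()})
```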
As an aside, we are seeing more and more larger clients move DNS away from Windoze now, so DNS and AD are not tied!
So AD can still start, because it has a dependency on good working DNS! (e.g. DNS and AD are not on the same server!) e.g. Infoblox, to name one product! Strange, because once upon a time Sun Solaris provided DNS, and then it migrated to Novell, to Microsoft, and now back again!
The DC running DNS has never been a requirement. It's been a STRONG suggestion, as AD requires dynamic DNS and in most environments you don't have a huge mix of systems. The most important thing is that WHATEVER server(s) run DNS, they need to be able to store and return to the clients, upon request, the service records about where AD resources are located.
In most environments, having the DC(s) as your DNS server(s) is still the most logical thing, and for most people here, they shouldn't even consider NOT having DNS hosted by the DC (in my opinion).
> As an aside, we are seeing more and more larger clients move DNS away from Windoze now, so DNS and AD are not tied!
It was more a generic warning against migrating a core service that virtualization relies on to a virtual platform, rather than a poke at Windows. If they had virtualized all their Linux-based DNS servers the same problem would have occurred: they virtualized something that virtualization relied on.
ASKER
Thanks, everyone.
Some clients do prefer to be able to "touch and stroke" their DCs.
See here also:
http://blogs.technet.com/b/askds/archive/2010/06/10/how-to-virtualize-active-directory-domain-controllers-part-1.aspx
What you must not do, if you use snapshots for patch management, is roll back or revert a DC using snapshots. We think this is common sense, but virtual admins seem to forget this!