cmp119 asked:
Virtual Windows Server 2019 Domain Configuration Recommendations

I am introducing a new Windows Server 2019 VM into our Windows Server 2012 AD domain.  The primary DC is a physical server, and the replicating DC is virtualized.
The 2019 Hyper-V host was installed into a workgroup.  I plan on installing the first VM as a Windows Server 2019 DC and then eventually moving all the FSMO roles.
The existing Windows Server 2012 DCs will be demoted and removed once I install the new Windows Server 2019 DC, and then I will install another replicating DC using Windows Server 2016 on a separate Windows Server 2016 Hyper-V server.

Also, my existing Windows Server 2012 primary DC holds all the FSMO roles.

Questions About Installing the Windows Server 2019 Hyper-V host:

1.  For recovery purposes, is it best to leave the host in a workgroup or domain joined?  I am thinking there could be problems booting the Hyper-V host if/when the primary and replicating DC are not available.
2.  Any other suggestions/recommendations on configuring the Hyper-V host before I start installing VMs?
3.  I installed SonicWALL CaptureClient Advanced Protection, and also defined all necessary global exclusions for Hyper-V and domain controllers.  Any issues using this software?

Best Practice Questions about configuring the Virtual Machine Settings for a VM that is a DC, specifically holding all FSMO Roles, AD Integrated DNS, and DHCP:

1.  We have a small network with 25 computers, a SQL 2014 server, a file server, and two replicating DCs.  We are moving from an on-prem Exchange 2010 server to O365 hosted mailboxes.  Will (1) processor be sufficient for the DC, or should I go ahead and allot (2) processors?  The Hyper-V host has (2) Intel Xeon Gold 5217 CPUs @ 3.00GHz.
2.  I reserved 4095MB of RAM for the DC; I would think that should be sufficient and recommended.  I did not enable Dynamic Memory since I do not believe it's needed or an issue.
3.  Virtual hard disk: fixed or dynamic?  I prefer assigning the default fixed size of 127GB.  I have read articles (Altaro article linked below) stating that dynamically expanding disks are preferred.
4.  I left Secure Boot enabled; I presume that should be left alone.
5.  NTP:  As per the Altaro article below, they suggest disabling Time Synchronization on the VM configured as a DC.  However, in one of the comments on this article, a person stated he left Time Sync enabled on all VMs and configured the Hyper-V host to get its time from an Internet NTP server.  Does going this route make more sense, or not?
6.  I normally set all VMs' Automatic Start Action to "Always start this virtual machine automatically", and have not encountered any issues.  So I presume using this setting should not be an issue.
7.  I normally set all VMs' Automatic Stop Action to "Shut down the guest operating system", and have not encountered any issues using this option.  I presume using this setting should not be an issue.

Your feedback is greatly appreciated.

https://www.altaro.com/hyper-v/virtualized-domain-controllers-4-myths-12-best-practices/
Lee W, MVP replied:

1.  We have a small network with 25 computers, a SQL 2014 server, a file server, and two replicating DCs.  We are moving from an on-prem Exchange 2010 server to O365 hosted mailboxes.  Will (1) processor be sufficient for the DC, or should I go ahead and allot (2) processors?  The Hyper-V host has (2) Intel Xeon Gold 5217 CPUs @ 3.00GHz.

I always allocate two CPUs for all VMs.  I've had too many experiences over 25 years where one process goes crazy and eats CPU bringing the system to a crawl.  By assigning two, you minimize the odds of that happening.  MOST processes are still single threaded and the odds of having two go nuts at the same time are pretty low.  This leaves cycles for you to login, manage the server, and otherwise resolve the issue.

2.  I reserved 4095MB of RAM for the DC; I would think that should be sufficient and recommended.  I did not enable Dynamic Memory since I do not believe it's needed or an issue.

I set my DCs to 512 MB minimum, 4096 maximum, and 2048 to start up.  Now, if the DCs do anything more than file services and typical DC functions (AD, DHCP, DNS), I might change that, but if it's just a DC or JUST a DC/file server, that's what I use.  Why give it more RAM than it needs?  I find most DC VMs hang around 1200 MB of RAM used.

3.  Virtual hard disk: fixed or dynamic?  I prefer assigning the default fixed size of 127GB.  I have read articles (Altaro article linked below) stating that dynamically expanding disks are preferred.

With fixed, you never have to worry about running out of space as the otherwise dynamic disk grows.  But other than that, the benefits are relatively small.  Dynamic offers more benefits in my opinion, so I would do that.  And starting a C: drive at 127 is typically what I do.  Data drives can be bigger, but even for them, I will typically use a low-ish number as I can always expand the disks.  One thing I would recommend, to prevent unexpected VHD growth: once you have the OS installed, shrink the C: VHD's PARTITION to 20-30 GB over the used space.  The VHD itself still has a max size of 127 and you can always expand the partition in Disk Management.  I have one client who is tight on space, and after initially setting up dynamic VHDs for the OS, I found them often growing well beyond their actual used space.  Frankly, I'm not sure why.  But by shrinking the partition (so it has room for immediate growth, but not too much room), it prevented the unexpected/unexplained growth.

4.  I left Secure Boot enabled, I presume that should be left alone.
Definitely on a Gen2 VM running Server 2019.

5.  NTP:  As per the Altaro article below, they suggest disabling Time Synchronization on the VM configured as a DC.  However, in one of the comments on this article, a person stated he left Time Sync enabled on all VMs and configured the Hyper-V host to get its time from an Internet NTP server.  Does going this route make more sense, or not?

I prefer to disable sync and let the VM handle it.

6.  I normally set all VMs' Automatic Start Action to "Always start this virtual machine automatically", and have not encountered any issues.  So I presume using this setting should not be an issue.

I prefer to leave the setting at "Restart if previously running" - the reason being that you might decide to retire a server, or have to shut one down and NOT want it to come up again.  ALWAYS restart thwarts that effort.  Restart if previously running should be sufficient.  I would also stagger startup and think about what needs to come up first (depending on how many VMs you use).  At one place, I have the DC start first, wait 2 minutes, start the Exchange server, wait 5 minutes, start the database server, wait 3 minutes, start the web server, wait 2 minutes, start the RDS server, etc.  But you have to do the math... the start delay on the second server is 120 seconds.  On the third it's 2+5 minutes (420 seconds), on the third it's 2+5+3 minutes (600 seconds), etc.  By doing this, I ensure that all the services the other servers need come up before those servers do.  The web server relies on the database server, so why start the web server before the database server is running?  Exchange relies on the DC, so why start it before the DC is running?  If you have a fast disk subsystem, you can "batch" them - maybe start Exchange and SQL at the same time, but they both should wait on the DC since that's all-important.

7.  I normally set all VMs' Automatic Stop Action to "Shut down the guest operating system", and have not encountered any issues using this option.  I presume using this setting should not be an issue.

Shouldn't be any significant issue, but WHY?  What sense does this make?  Saving the state would allow for FASTER shutdowns.  When you force Windows to stop systems on multiple VMs, your shutdown will take longer.  When Windows can just save the state - in essence, hibernate them - it goes a lot faster to shut down AND to come back online.  (You can shorten the delays above then.)

I'd suggest reading my article on Virtual vs. Physical - the first part argues to go virtual, but the second part offers suggestions on optimizing the Hyper-V configuration.
https://www.experts-exchange.com/articles/27799/Virtual-or-Physical.html
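The following is an added example, not a script from Lee or from any other poster in this thread. It applies the guest settings discussed above (two vCPUs, 512 MB/2 GB/4 GB Dynamic Memory, Secure Boot on a Generation 2 guest, host time sync off, "Restart if previously running" with cumulative start delays) with the built-in Hyper-V PowerShell module, and reads them back so the result can be checked. The VM names, the boot order and the gaps are assumed placeholders. Because the thread disagrees on the stop action (Lee prefers Save, kevinhsieh cites Microsoft guidance for full shutdown), it is a parameter that defaults to ShutDown.

```powershell
# Added example (not from the thread). Run on the Hyper-V host in an elevated session.
# Processor, memory and firmware changes require the VM to be powered off.

function Set-DcGuestBaseline {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        # ShutDown by default: a DC in a saved state has a frozen clock until it is resumed.
        [ValidateSet('ShutDown', 'Save', 'TurnOff')] [string] $StopAction = 'ShutDown'
    )

    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') { throw "$VMName must be off before changing CPU/memory/firmware." }

    # Two vCPUs: one runaway single-threaded process still leaves cycles to log on and fix it.
    Set-VMProcessor -VMName $VMName -Count 2

    # Dynamic Memory with the numbers Lee quotes (min/startup/max).
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $true `
        -MinimumBytes 512MB -StartupBytes 2GB -MaximumBytes 4GB

    # Secure Boot with the Windows template; Set-VMFirmware only exists for Generation 2 guests.
    if ($vm.Generation -eq 2) {
        Set-VMFirmware -VMName $VMName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
    }

    # Let the guest DC take time from the domain hierarchy instead of from the host.
    Disable-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'

    # "Restart if previously running": a deliberately retired VM stays down after a host reboot.
    Set-VM -VMName $VMName -AutomaticStartAction StartIfRunning -AutomaticStopAction $StopAction
}

function Set-StaggeredStart {
    # $BootOrder: ordered list of @{ Name; GapMinutes }, GapMinutes being the wait after the
    # previous VM in the list. Delays are cumulative, which is the arithmetic Lee describes.
    param([Parameter(Mandatory)] [hashtable[]] $BootOrder)

    $cumulativeSeconds = 0
    foreach ($entry in $BootOrder) {
        $cumulativeSeconds += [int]$entry.GapMinutes * 60
        Set-VM -VMName $entry.Name -AutomaticStartAction StartIfRunning -AutomaticStartDelay $cumulativeSeconds
        '{0,-8} starts {1,4} s after the host boots' -f $entry.Name, $cumulativeSeconds
    }
}

function Get-DcGuestBaseline {
    # Read back what was set so it can be eyeballed or recorded in change control.
    param([Parameter(Mandatory)] [string] $VMName)
    $vm = Get-VM -Name $VMName
    [pscustomobject]@{
        Name          = $vm.Name
        vCPUs         = $vm.ProcessorCount
        DynamicMemory = $vm.DynamicMemoryEnabled
        StartupMB     = $vm.MemoryStartup / 1MB
        MaximumMB     = $vm.MemoryMaximum / 1MB
        SecureBoot    = if ($vm.Generation -eq 2) { (Get-VMFirmware -VMName $VMName).SecureBoot } else { 'n/a (Gen1)' }
        HostTimeSync  = (Get-VMIntegrationService -VMName $VMName -Name 'Time Synchronization').Enabled
        StartAction   = $vm.AutomaticStartAction
        StartDelaySec = $vm.AutomaticStartDelay
        StopAction    = $vm.AutomaticStopAction
    }
}

# Usage with assumed VM names; the gaps reproduce Lee's 120/420/600/720-second schedule.
Set-DcGuestBaseline -VMName 'DC01'
Set-StaggeredStart -BootOrder @(
    @{ Name = 'DC01';   GapMinutes = 0 },   # DC first, no wait
    @{ Name = 'EXCH01'; GapMinutes = 2 },   # 120 s
    @{ Name = 'SQL01';  GapMinutes = 5 },   # 420 s
    @{ Name = 'WEB01';  GapMinutes = 3 },   # 600 s
    @{ Name = 'RDS01';  GapMinutes = 2 }    # 720 s
)
Get-DcGuestBaseline -VMName 'DC01' | Format-List
```

Get-DcGuestBaseline is the part worth keeping around: HostTimeSync should read False and StartAction StartIfRunning for every DC guest, and a drift in either is the first thing to look for when a virtualized DC starts logging time or replication errors after a host reboot.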

I think Lee answered almost all of your questions; however, I would like to add that if you install Windows Server 2019 with Desktop Experience instead of Core, you will need additional memory.
Considering your domain is small and the request level will be low with that number of accounts, the minimums may be fine for you.
There is also a note in the MS guide about getting an error if you're using the minimum amount.

The Ram requirements are about half way down this article and includes the note:  
https://docs.microsoft.com/en-us/windows-server/get-started-19/sys-reqs-19

1: A DC VM should have two vCPUs assigned to it.  If there is a runaway process, that leaves CPU resources available to log on and kill it.

2: Dynamic Memory is something we don't normally use. A DC can be set up with 2GB vRAM and run without issue.

3: This one depends. We set up two VHDX files (specifics in my documents below). 95GB for OS that is fixed and depending on the size of the second VHDX fixed or dynamic. For the data store we do dynamic.

4: Yes.

5: Time sync should be disabled for all domain joined virtual machines on the host. This is how we set things up in a virtualized environment.

6: Yes. We stagger their start to make sure the DC is the first to boot. I suggest setting all VMs to Shutdown as opposed to Save as well.

7: A/A :)

I have two very thorough EE articles on all things Hyper-V:

Some Hyper-V Hardware and Software Best Practices
Practical Hyper-V Performance Expectations

Some PowerShell Guides:
PowerShell Guide - Standalone Hyper-V Server
PowerShell Guide - New VM PowerShell
PowerShell Guide - New-VM Template: Single VHDX File
PowerShell Guide - New-VM Template: Dual VHDX Files


Here are some focused articles:
Slipstream Updates Using DISM and OSCDImg

Protecting a Backup Repository from Malware and Ransomware

Disaster Preparedness: KVM/IP + USB Flash = Recovery. Here’s a Guide
cmp119 (asker) replied:

I have not heard any responses to the following question.

Questions About Installing the Windows Server 2019 Hyper-V host:

1.  For recovery purposes is it best to leave the host in a Work Group or Domain joined.  I am thinking there could be problems booting the Hyper-V host if/when the Primary and replicating DC are not available.

1: I suggest reading my articles.  That being said, we do _not_ join standalone hosts to the guests' domain.  Ever.  That's just looking for trouble (we've encountered hosts being encrypted by ransomware where they were domain joined).

Always make sure that all local admin passwords are different across the board. Don't use the same UN/Pwd for all servers.

Also, make sure SMBv1 is removed from all servers. Windows Server 2019 does this out of the box but all earlier versions do not.
Remove-WindowsFeature FS-SMB1 -Restart

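An added example, not posted by anyone in this thread, that goes with the removal command above: it reports the three places SMB1 can still be present on a server (the feature binaries, the server-side protocol switch and the client-side redirector driver) so "disabled" is not mistaken for "removed", and then turns all three off. It assumes only the built-in ServerManager and SmbShare modules. The FS-SMB1 feature exists on Server 2012 R2 and later; on an older server Get-WindowsFeature returns nothing for it and only the protocol switch applies.

```powershell
# Added example (not from the thread). Run locally in an elevated session on each host and guest.

function Get-Smb1Status {
    $feature  = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue   # $null where the feature does not exist
    $server   = Get-SmbServerConfiguration
    $redirect = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"      # SMB1 client (redirector) driver
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1FeatureState  = if ($feature)  { $feature.InstallState } else { 'FeatureNotPresent' }
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1ClientDriver  = if ($redirect) { "$($redirect.State) / $($redirect.StartMode)" } else { 'NotPresent' }
        Smb2Enabled       = $server.EnableSMB2Protocol
    }
}

function Disable-Smb1 {
    param([switch] $RemoveFeatureAndRestart)

    # Server side first: takes effect immediately, no reboot needed.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Client side: drop the SMB1 redirector from the workstation service's dependencies
    # and stop it from loading (these are the documented sc.exe steps for older servers).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # Finally remove the binaries, which is the thread's command; this one needs a reboot.
    if ($RemoveFeatureAndRestart) {
        $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($feature -and $feature.Installed) {
            Uninstall-WindowsFeature -Name FS-SMB1 -Restart
        }
    }
}

# Usage: audit, remediate only where needed, audit again.
$before = Get-Smb1Status
$before | Format-List
if ($before.Smb1ServerEnabled -or $before.Smb1FeatureState -eq 'Installed') {
    Disable-Smb1            # add -RemoveFeatureAndRestart once a reboot window is available
}
Get-Smb1Status | Format-List
```

Both functions run on the local machine; to sweep every server, wrap the calls in Invoke-Command -ComputerName. On the workgroup hosts discussed in this thread that means either adding the management station to each host's WinRM TrustedHosts or running the script at the console, since there is no domain Kerberos to authenticate the remote session.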

cmp119 (asker) replied:

By default, all workgroup computers are joined/enrolled onto a Public network, so I would say they need to be joined to a Private network.  Or does this really not matter?
kevinhsieh (accepted solution):
Microsoft recommends that a DC always be set to full shutdown, and to not go into a saved state.

Can you provide documentation?  I've never seen nor heard this from anyone at Microsoft.

Once the network is set up on the host team and there is no TCP/IP on the virtual switch team (exclusive), the subnet can be set to Private.
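An added example, not from anyone in this thread, of the check behind that advice on a workgroup host: list the adapters that still have TCP/IP bound (only those carry a connection profile; the NIC or team handed exclusively to the external virtual switch has TCP/IP unbound and does not show up), move any that sit on Public to Private, and show which inbound firewall rules become active only because of that change. The adapter names are whatever the host reports; nothing else is assumed.

```powershell
# Added example (not from the thread). Elevated session on the Hyper-V host.

function Get-ManagementNetworkProfile {
    # Adapters with TCP/IPv4 bound are the management path; the vSwitch uplink is excluded by
    # construction because its ms_tcpip binding is off.
    $tcpBound = Get-NetAdapterBinding -ComponentID ms_tcpip |
        Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name
    Get-NetConnectionProfile |
        Where-Object { $tcpBound -contains $_.InterfaceAlias } |
        Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity
}

function Set-ManagementNetworkPrivate {
    foreach ($np in Get-ManagementNetworkProfile) {
        switch ($np.NetworkCategory) {
            'Public'  {
                Set-NetConnectionProfile -InterfaceAlias $np.InterfaceAlias -NetworkCategory Private
                "'$($np.InterfaceAlias)': Public -> Private"
            }
            'Private' { "'$($np.InterfaceAlias)': already Private" }
            default   { "'$($np.InterfaceAlias)': $($np.NetworkCategory), left alone" }  # DomainAuthenticated is assigned by the OS
        }
    }
}

function Get-PrivateOnlyInboundRule {
    # Enabled inbound rules scoped to Private but not to Public: exactly what the profile
    # change exposes, so it is worth reading before flipping the category.
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.Profile -ne 'Any' -and $_.Profile -match 'Private' -and $_.Profile -notmatch 'Public' } |
        Select-Object DisplayName, Profile, Action
}

# Usage: review first, then change, then confirm.
Get-ManagementNetworkProfile | Format-Table -AutoSize
Get-PrivateOnlyInboundRule | Format-Table -AutoSize
Set-ManagementNetworkPrivate
Get-ManagementNetworkProfile | Format-Table -AutoSize
```

On a domain-joined host the management adapter reports DomainAuthenticated and the function leaves it alone, which is the case kevinhsieh's answer covers; the Public-to-Private switch only applies to the workgroup hosts the rest of the thread recommends.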
cmp119 (asker) replied:

I am getting ready to go on vacation, and when I return I will finish configuring the VM as a DC.  I will respond once I return, and continue setting it up.  In the meantime, thank you for your responses/feedback thus far.
cmp119 (asker) replied:

Before I move forward, I need to reference Hyper-V Hosts joined to a workgroup or a local AD domain.  

I am referencing Kevinhsieh's statement:  "A domain joined host can boot VMs even if it can't connect to a domain controller."

What do you guys do for the most part as far as joining a AD domain or leaving it in a workgroup?

We leave standalone hosts in workgroup mode.  Access to the host is limited by IP and credentials.

We've seen hosts encrypted by guest ransomware infections because the host was on the guest's domain.