Virtualizing Active Directory Domain Controllers: General Best Practices
Both VMware and Microsoft have been providing virtualization services for a number of years. For VMware, it's been more than a decade now, while Microsoft entered into server virtualization relatively recently.
An IT environment consists of a number of physical components, including the servers that host Active Directory. The domain controllers are the critical servers that keep IT operations running. As part of a virtualization roadmap an organization typically aims to virtualize every physical resource it can in order to reduce cost, and that includes the physical domain controllers.
Domain controllers do more than keep operations running smoothly: they are the component that provides authentication and authorization for the whole environment. In today's production environments almost every network application uses Active Directory as its authentication provider. That also makes a virtualized domain controller an unusually valuable file: whoever can copy, snapshot or mount its virtual disk holds an offline copy of NTDS.DIT and every password hash in the domain, so host-level access to a DC VM must be treated as domain-admin-level access. There are therefore a number of things to consider before these critical services are virtualized.
This is where a general "best practices" reference comes in handy, explaining the best practice items in terms of what you should do and what you should not when virtualizing Active Directory domain controllers on either VMware or Hyper-V:
Disable Time Synchronization
An Active Directory domain controller already has a mechanism for time synchronization: the Windows Time Service (W32Time), which by default follows the domain hierarchy, with the PDC emulator of the forest root domain as the authoritative source. Virtualization platforms also offer a time service for virtual machines (VMware Tools time synchronization, the Hyper-V "Time Synchronization" integration service). Do not let both run. Disable the hypervisor's periodic time sync on each virtual domain controller and let W32Time manage time between the domain controllers, with the PDC emulator synchronized to a reliable external NTP source. If the host clock wins instead, a host that has drifted can push every DC it runs more than five minutes away from the rest of the domain, at which point Kerberos authentication fails for everyone.
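The following is an added example, not code from the original article. It shows the host-side and guest-side halves of that configuration for Hyper-V, plus the equivalent VMware .vmx settings as comments. It assumes the domain controller VMs are named DC01, DC02 and so on, and the NTP peers shown are placeholders; substitute your own.

```powershell
# Added example (not from the original article). Hyper-V host, elevated PowerShell.
# Assumption: domain controller VMs are named DC* - adjust the filter to your naming.
$dcVms = Get-VM -Name 'DC*'

# Turn off the hypervisor's time sync integration service on every DC VM.
$dcVms | Disable-VMIntegrationService -Name 'Time Synchronization'

# Verify: Enabled must be False for every DC listed.
$dcVms | Get-VMIntegrationService -Name 'Time Synchronization' |
    Select-Object VMName, Name, Enabled

# VMware equivalent (not PowerShell): in the DC's .vmx, disable periodic sync and the
# one-shot syncs VMware Tools performs after snapshot, vMotion, resume and shrink:
#   tools.syncTime                  = "FALSE"
#   time.synchronize.continue       = "0"
#   time.synchronize.restore        = "0"
#   time.synchronize.resume.disk    = "0"
#   time.synchronize.shrink         = "0"
#   time.synchronize.tools.startup  = "0"

# --- Guest side, on the PDC emulator of the forest root domain: it becomes the
# authoritative source for the forest and syncs from external NTP (placeholders below).
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync

# --- Guest side, on every other DC: follow the domain hierarchy only.
w32tm /config /syncfromflags:domhier /update
Restart-Service w32time
w32tm /resync

# Check on any DC: the source should be another DC (or the NTP peers on the PDCe).
# If it reports "VM IC Time Synchronization Provider", the Hyper-V integration service
# is still winning and the step above did not take effect.
w32tm /query /source
w32tm /query /status
```

One caveat: Microsoft's later guidance for Hyper-V is to keep the Time Synchronization integration service enabled so the host can correct the guest clock once after a resume from saved state, and instead disable the VMICTimeProvider inside the guest (registry value Enabled = 0 under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider) so it is never used for ongoing synchronization. Either way, the check with w32tm /query /source is the same: the DC's source must be the domain hierarchy, not the hypervisor.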
Do Not Take Snapshots
Snapshots exist for development and testing: they capture a virtual machine's disk state (and optionally its memory) so that the VM can be reverted to that point later. Taking a snapshot briefly pauses the VM while the snapshot files are created, and from then on the VM writes to a differencing disk until the snapshot is deleted and merged back.
- First, the pause taken while the snapshot is created is short, but the cost of living with the snapshot afterwards is not: the VM keeps writing to the differencing disk (AVHD/AVHDX on Hyper-V), and the larger that file grows, the heavier the I/O penalty on the domain controller and the longer the eventual merge takes.
- Second, you should never revert a domain controller to an earlier snapshot. Active Directory replication tracks changes with update sequence numbers (USNs). After a revert the DC reuses USNs that its replication partners have already seen, so the partners silently discard the changes it makes next (a "USN rollback"), and the copies of the Active Directory database across the domain become inconsistent. A DC that notices the rollback logs Directory Service event 2095, stops inbound and outbound replication, and pauses Netlogon.
Note: Windows Server 2012 Hyper-V addresses the merge-downtime problem with a live snapshot merge feature, and Windows Server 2012 domain controllers read the hypervisor's VM-GenerationID, so a reverted DC detects the change, resets its invocation ID and discards its RID pool instead of silently rolling back. That makes a revert survivable on 2012 and later; it does not make it a good idea.
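The following added checks are not from the original article; they are what I would run on a Hyper-V host and inside a domain controller to enforce the no-snapshot rule and to find a DC that has already been rolled back. They assume the DC VMs are named DC* and that the ActiveDirectory module is installed on the DC.

```powershell
# Added example (not from the original article).
# --- Host side (Hyper-V, elevated). Assumption: DC VMs are named DC*.
# A domain controller should have no checkpoints at all; anything listed here
# needs an owner, a reason, and a deletion date.
Get-VM -Name 'DC*' | Get-VMSnapshot | Select-Object VMName, Name, CreationTime

# --- Guest side (run on the DC itself, elevated).
# 1. Has this DC detected a rollback? Directory Service events:
#    2095 = USN rollback detected, 2103 = database restored with an unsupported method.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 2. After detecting a rollback NTDS sets "DSA Not Writable" to 4 and disables replication.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if ($ntds.'DSA Not Writable' -eq 4) {
    Write-Warning "USN rollback state is set on $env:COMPUTERNAME; replication is disabled on this DC."
}

# 3. Is this DC protected by VM-GenerationID (Server 2012+ DC on a hypervisor that exposes it)?
#    The msDS-GenerationId attribute on the DC's computer object is populated only in that case.
Import-Module ActiveDirectory
$me = Get-ADDomainController -Identity $env:COMPUTERNAME
Get-ADObject -Identity $me.ComputerObjectDN -Properties 'msDS-GenerationId' |
    Select-Object Name, @{ n = 'HasGenerationId'; e = { $null -ne $_.'msDS-GenerationId' } }

# 4. Replication health as this DC sees it; a rolled-back DC shows failures in both directions.
repadmin /showrepl
```

A DC that trips check 1 or 2 should not simply have the registry value reset and replication forced; the supported recovery is to demote it (or restore it from a proper system-state backup) and promote it again.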
Disable Disk Caching on Domain Controllers
Disable write caching on the Policies tab of every disk drive in the virtual domain controller (Device Manager, disk properties, Policies, "Enable write caching on the device"). Microsoft recommends this for every service built on the Extensible Storage Engine (ESE), and the Active Directory database NTDS.DIT is one of them: ESE only guarantees a consistent database if a transaction log write is physically on disk before it is acknowledged.
With write caching disabled, a write completes only once the data has reached the disk, rather than sitting in volatile memory where it is lost if the host loses power or crashes. On a virtual machine there are two caches to think about, the guest's disk policy and the hypervisor's, so also confirm that the host storage honours the guest's flush and write-through requests rather than acknowledging them from a non-battery-backed cache.
Do Not Pause
Pausing a virtual domain controller, or leaving it in a saved state, is not recommended, and it becomes dangerous when the DC stays paused for longer than the Active Directory tombstone lifetime. While it is paused it receives no replication, so deletions made elsewhere in the forest are garbage-collected before it ever hears of them. When it resumes, its partners refuse to replicate with it (Directory Service event 2042, "It has been too long since this machine last replicated"), and any objects it still holds that were deleted everywhere else are now lingering objects.
Lingering objects are objects that were deleted on one domain controller but still exist on another because the deletion (the tombstone) was not replicated to it before the tombstone lifetime expired. The tombstone lifetime is 60 days by default on forests created before Windows Server 2003 SP1 and 180 days on forests created with Windows Server 2003 SP1 or later; check the actual value on the Directory Service object in the configuration partition rather than assuming it.
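As an added example (not part of the original article), here is the check I would schedule to catch a DC that is drifting towards that limit: it reads the forest's effective tombstone lifetime and compares it with the age of the last successful inbound replication for every DC and partition. It assumes the ActiveDirectory module (Windows Server 2012 or later) and a caller with read access to the directory.

```powershell
# Added example (not from the original article). Run from any domain-joined admin host
# with the ActiveDirectory module; no changes are made.
Import-Module ActiveDirectory

# Effective tombstone lifetime: attribute unset means the pre-2003 SP1 default of 60 days.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
$warnDays = [int]($tsl / 2)
Write-Host "Tombstone lifetime: $tsl days (warning at $warnDays days)"

# For every DC, age of the last successful inbound replication per partner and partition.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound -ErrorAction SilentlyContinue |
        ForEach-Object {
            $age = (Get-Date) - $_.LastReplicationSuccess
            [pscustomobject]@{
                DC        = $dc
                Partner   = $_.Partner
                Partition = $_.Partition
                DaysSince = [math]::Round($age.TotalDays, 1)
                Status    = if ($age.TotalDays -ge $tsl)      { 'EXCEEDS TOMBSTONE LIFETIME' }
                            elseif ($age.TotalDays -ge $warnDays) { 'WARN' }
                            else                                   { 'OK' }
            }
        }
} | Sort-Object DaysSince -Descending | Format-Table -AutoSize

# Once a DC has been paused that long, look for lingering objects without touching anything.
# Placeholders: destination DC, source DC's DSA object GUID (from repadmin /showrepl), partition.
# repadmin /removelingeringobjects DC02.corp.example <source-DSA-GUID> DC=corp,DC=example /advisory_mode
```

Treat a DC that reports EXCEEDS TOMBSTONE LIFETIME as unrecoverable by replication: the supported fix is to demote it (or forcibly remove its metadata) and promote a fresh DC, not to set "Allow Replication With Divergent and Corrupt Partner" and hope.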
Always Configure Fixed Hard or Pass-Through Disks for Virtual Domain Controllers
Store the domain controller's database (NTDS.DIT) and its transaction logs on fixed-size virtual hard disks or on pass-through disks so the DC gets predictable I/O. Dynamically expanding and, above all, differencing virtual hard disks add a block lookup and a possible allocation on every write, which reduces the performance of the virtual domain controller; note that a differencing disk is exactly what a snapshot leaves behind, so this rule and the no-snapshot rule reinforce each other.
Note: pass-through disks are a Microsoft Hyper-V feature; the VMware equivalent is a raw device mapping (RDM).
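This added example (not code from the original article) audits both storage recommendations above, the write-cache policy and the disk type, for a domain controller on Hyper-V. The host half lists the type of every virtual hard disk attached to DC* VMs; the guest half locates the disks that actually hold NTDS.DIT and the logs and reads the write-cache policy the Policies tab stores for them. The registry location used for that policy (UserWriteCacheSetting under the device's Device Parameters\Disk key, 0 = disabled) is the one the disk class driver reads; the VM naming is an assumption.

```powershell
# Added example (not from the original article).
# --- Host side (Hyper-V, elevated). Assumption: DC VMs are named DC*.
# Every VHD/VHDX behind a DC should be Fixed; pass-through disks have no Path and are fine.
Get-VM -Name 'DC*' | Get-VMHardDiskDrive | ForEach-Object {
    if ($_.Path) {
        $vhd = Get-VHD -Path $_.Path
        [pscustomobject]@{
            VM         = $_.VMName
            Disk       = $_.Path
            VhdType    = $vhd.VhdType           # Fixed, Dynamic or Differencing
            ParentPath = $vhd.ParentPath        # set only for differencing disks
            OK         = ($vhd.VhdType -eq 'Fixed')
        }
    } else {
        [pscustomobject]@{ VM = $_.VMName; Disk = "pass-through disk $($_.DiskNumber)"; VhdType = 'PassThrough'; ParentPath = $null; OK = $true }
    }
} | Format-Table -AutoSize

# --- Guest side (run on the DC, elevated): write-cache policy of the disks holding NTDS.DIT and the logs.
$ntds  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$paths = @($ntds.'DSA Database file', $ntds.'Database log files path')
foreach ($p in $paths) {
    $letter = (Split-Path -Qualifier $p).TrimEnd(':')
    $part   = Get-Partition -DriveLetter $letter
    $pnpId  = (Get-CimInstance Win32_DiskDrive | Where-Object Index -eq $part.DiskNumber).PNPDeviceID
    # The Policies tab writes UserWriteCacheSetting here (0 = write caching disabled); absent means the default, enabled.
    $key    = "HKLM:\SYSTEM\CurrentControlSet\Enum\$pnpId\Device Parameters\Disk"
    $value  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UserWriteCacheSetting
    [pscustomobject]@{
        Path       = $p
        DiskNumber = $part.DiskNumber
        WriteCache = if ($value -eq 0) { 'Disabled (recommended)' } else { 'Enabled (default) - fix on the Policies tab' }
    }
}
```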
Do Not Clone The Domain Controller Virtual Machine
Most virtualization vendors offer VM cloning for rapid deployment. Do not clone an existing domain controller that way: the copy boots with the same invocation ID, the same USN high-water marks and the same computer account as the original, and the two then replicate as if they were one machine, which corrupts the directory in the same way a snapshot revert does. The exception is Windows Server 2012 and later, which supports safe domain controller cloning: the source DC is added to the Cloneable Domain Controllers group, a DCCloneConfig.xml is generated for the copy, and the copy, on seeing a new VM-GenerationID at first boot, promotes itself with a fresh identity. On older versions, build a sysprepped template of a plain member server, clone that, and promote each clone to a domain controller. Sysprep.exe resets the machine SID of a plain server, which is what avoids duplicate security identifiers; it is not supported on a machine that is already a domain controller.
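The supported 2012-style cloning flow, as an added example that is not part of the original article. It assumes the source DC is DC01 on a Hyper-V host that exposes VM-GenerationID, the clone will be DC02 with the static addressing shown (placeholders), the PDC emulator already runs Windows Server 2012 or later, and the export and VM paths on the host exist.

```powershell
# Added example (not from the original article).
# --- Guest side, on the source DC (DC01), elevated, ActiveDirectory module present.
Import-Module ActiveDirectory

# 1. Authorize this DC for cloning (membership must replicate to the PDC emulator before step 4).
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $env:COMPUTERNAME)

# 2. Anything listed here (DHCP, a CA, third-party agents) is unsafe to clone unless reviewed;
#    the command must return nothing, or every entry must be added to CustomDCCloneAllowList.xml.
Get-ADDCCloningExcludedApplicationList

# 3. Write DCCloneConfig.xml into the NTDS folder describing the clone (values are placeholders).
New-ADDCCloneConfigFile -CloneComputerName 'DC02' -SiteName 'Default-First-Site-Name' -Static `
    -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' -IPv4DefaultGateway '10.0.0.1' `
    -IPv4DNSResolver '10.0.0.11'

# 4. Shut the source down cleanly; it must not be running while its disks are copied.
Stop-Computer -Force

# --- Host side (Hyper-V, elevated), after DC01 has shut down.
Export-VM -Name 'DC01' -Path 'C:\Export'

# Import as a copy with a new VM ID so the hypervisor hands the clone a new VM-GenerationID.
# Config file is .vmcx on Server 2016+ and .xml on 2012/2012 R2.
$cfg = Get-ChildItem 'C:\Export\DC01\Virtual Machines' -Recurse -Include *.vmcx, *.xml | Select-Object -First 1
$clone = Import-VM -Path $cfg.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'C:\VMs\DC02' -VhdDestinationPath 'C:\VMs\DC02'
Rename-VM -VM $clone -NewName 'DC02'

# Bring the source back first so the clone has a replication source, then boot the clone.
Start-VM -Name 'DC01'
Start-VM -Name 'DC02'
```

On first boot the clone compares the VM-GenerationID in the directory with the one the hypervisor presents, finds DCCloneConfig.xml, and promotes itself as DC02. If the generation ID has not changed, or the configuration file is missing, the clone boots into Directory Services Restore Mode instead of joining the domain, which is the safe failure: check the Directory Service event log on the clone before doing anything else.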