Virtualize Domain Controllers – should I or not?
I have heard this question countless times. In training, at conferences, by e-mail and from customers, the question is always the same: “Why can’t I virtualize a Domain Controller?”
This week, at a major customer where I work as a Dell consultant, some sites could not log on, Office Communicator stopped working and there were other problems. So I think this topic fits well with the growth of virtualized environments.
Update: Windows 2012 resolves the questions about NTP and now supports virtual DCs. But logon to the Hyper-V server is still a problem if you do not have a physical server.
Let’s start with a concrete fact: nobody said it cannot be virtualized, but there are factors to consider. That is what I write about here.
Can I virtualize all my Domain Controllers?
You can, but you will have serious security problems and you will undermine replication if your Domain Controllers run Windows 2003.
There are some points to consider when thinking about virtualizing all servers; see http://support.microsoft.com/kb/888794/en-us if you still use Windows 2000 or Windows 2003 DCs.
There is no rule that says the FSMO roles must be on a physical server, but we will come back to that shortly.
Why does virtualizing all Domain Controllers compromise security?
In this case we have two options: leave the Hyper-V host with local security based on the SAM, or join it to the same domain as the VMs. Both can bring problems.
The first option is an authentication system that is not based on Kerberos and is easy to break.
The second carries the risk that, if the VMs go down or are shut down for maintenance or power, the Hyper-V server will not accept logons and will display the message “No Domain Controllers for Authentication”.
Why is it not recommended to virtualize the FSMO role holders?
Because the FSMO role holders play important roles in the structure; typically one of them is also the Global Catalog and the NTP server.
If the FSMO role holders are virtualized, the server can end up with synchronization problems, delayed replication, and so on.
If it is in a VM that stays powered off for a certain time, the risk of USN problems is greater still.
And the worst moment is when the Hyper-V host loses its clock and the time falls behind, generating serious inconsistencies in AD.
This discussion is old, dating from the beginning of Hyper-V, and can be followed at http://blogs.technet.com/b/robse/archive/2008/06/16/dc-virtualized-and-external-ntp-servers.aspx
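As an added example (not part of the original post), the following PowerShell check looks for the markers Windows sets when it detects the USN rollback condition described above, which is the typical outcome when a virtual DC comes back from an old, powered-off or restored state. It assumes it is run elevated on the DC itself, or with remote registry and event log access to the DC named in -ComputerName. The registry value "DSA Not Writable" (set to 4 on rollback detection) and event ID 2095 in the Directory Service log are the standard markers Active Directory writes in that situation; repadmin is used only for replication context.

```powershell
# Added example, not from the original post: check a DC for the markers Windows
# sets when it detects a USN rollback (the risk described above for a virtual DC
# that comes back from an old, powered-off or restored state).
# Assumes: run elevated, on the DC itself or with remote registry and event log
# access to the DC named in -ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

# NTDS registry parameters. When AD detects a USN rollback it sets
# "DSA Not Writable" to 4 and stops inbound and outbound replication.
$ntdsKey = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$base    = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$params  = $base.OpenSubKey($ntdsKey)
$dsaNotWritable = if ($params) { $params.GetValue('DSA Not Writable') } else { $null }

# Event 2095 in the Directory Service log is written when USN rollback is detected.
$rollbackEvents = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095
        StartTime = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue)

# Replication error summary from repadmin (present on any DC) for context.
$replErrors = repadmin /showrepl $ComputerName /errorsonly 2>&1

[pscustomobject]@{
    DC                 = $ComputerName
    DsaNotWritable     = $dsaNotWritable
    UsnRollbackFlagged = ($dsaNotWritable -eq 4)
    RollbackEvents30d  = $rollbackEvents.Count
    LastRollbackEvent  = if ($rollbackEvents.Count) { $rollbackEvents[0].TimeCreated } else { $null }
    ReplicationErrors  = ($replErrors | Out-String).Trim()
}
```

A DC where UsnRollbackFlagged is true, or that has logged event 2095, has already stopped replicating on its own; the point of the check is to find that state quickly after a VM is brought back rather than discovering it through delayed replication or logon failures.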
What’s the problem with the NTP Server?
The NTP server’s function is to be the time synchronizer for the domain. By default this role is held by the PDC Emulator.
A physical machine keeps its clock by querying the RTC (Real Time Clock) in the BIOS, which is crystal-based; after that the OS uses logical algorithms to keep time.
The problem in VMs is that this algorithm can be compromised by load, since the clock is not physical and suffers interference from the weight of the operations being run; that is, it will fall behind or run ahead.
To avoid this, Hyper-V synchronizes the guest clock through the Integration Services, and that is where desynchronization occurs: users cannot log in, applications give errors, and so on.
And here we have a problem: the document “Running Domain Controllers in Hyper-V” (http://www.microsoft.com/download/en/details.aspx?id=20164) says to turn off this feature on the DCs.
On the other hand, the virtualization blog (http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx) says not to do so.
The problem is very well covered by Ben Armstrong and is real. A physical machine keeps its clock (RTC) while powered off, but a virtual one does not, so if all DCs are virtual and this option is disabled, when they come back up they will return with the time at which they were powered off, and who will update them?
My Final Recommendation
Follow the practices in the document “Running Domain Controllers in Hyper-V”, but always have a physical server besides the Hyper-V host.
Configure all machines, including the Hyper-V hosts, to synchronize with this physical server using net time /setsntp:<servidor>, and you will have no problem with the clock, since the host itself will synchronize with the best-equipped source and consequently the VMs with it.
That’s it; I hope I have helped, and if there is anything more, send feedback or e-mail.
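The recommendation above, carried out in PowerShell as an added example (this is not the post’s own script and not Microsoft documentation): point the Hyper-V host at one physical time source, stop the DC VMs from inheriting the host clock through the integration service, and then measure the host’s offset against that source. It assumes Windows Server 2012 or later for the Hyper-V cmdlets, an elevated session, and the placeholder names time-source.corp.example, DC01 and DC02 for the physical server and the DC VMs. It uses w32tm, the current replacement for the net time /setsntp command named in the text, which does the same job; the 300-second limit is the default Kerberos clock-skew tolerance of five minutes.

```powershell
# Added example, not from the original post. Implements the recommendation above:
# every machine, including the Hyper-V host, syncs time from one physical time
# source, and DC VMs do not take their clock from the host's integration service.
# Assumes: Windows Server 2012+ Hyper-V cmdlets, elevated session, UDP/123 open
# to the physical source. Names below are placeholders.
$PhysicalTimeSource  = 'time-source.corp.example'   # placeholder: your physical server
$DomainControllerVMs = @('DC01', 'DC02')            # placeholder: DC VM names

# 1. Point this machine (run on the Hyper-V host) at the physical source.
#    /syncfromflags:manual switches W32Time from the domain hierarchy (NT5DS)
#    to the listed NTP peer, which is what "net time /setsntp" did.
w32tm /config /manualpeerlist:"$PhysicalTimeSource" /syncfromflags:manual /update
Restart-Service w32time
w32tm /resync /nowait

# 2. Turn off the Time Synchronization integration service on each DC VM so the
#    guest keeps the domain time hierarchy instead of inheriting the host clock.
foreach ($vm in $DomainControllerVMs) {
    Disable-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
}
$integrationState = foreach ($vm in $DomainControllerVMs) {
    Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization' |
        Select-Object VMName, Enabled
}

# 3. Verify: report the current source and the offset to the physical server,
#    and flag anything beyond the default 5-minute Kerberos skew tolerance.
$source = w32tm /query /source
# /dataonly lines look like "12:00:01, +00.0123456s"; keep the last sample's offset.
$chart  = w32tm /stripchart /computer:$PhysicalTimeSource /samples:3 /dataonly
$match  = $chart | Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
$offsetSeconds = if ($match) { [double]$match.Matches[0].Groups[1].Value } else { $null }

[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    TimeSource         = $source
    OffsetSeconds      = $offsetSeconds
    WithinKerberosSkew = ($null -ne $offsetSeconds -and [math]::Abs($offsetSeconds) -lt 300)
    DcTimeSyncService  = $integrationState
}
```

If OffsetSeconds is null, the stripchart got no reply from the physical source (firewall or name resolution), which is worth knowing before trusting the configuration; an offset approaching 300 seconds means logons will start failing for exactly the reason the post describes.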