
Virtualizing ALL Domain Controllers in a Cluster environment. Would you recommend?

Would I recommend virtualizing all domain controllers on a Hyper-V cluster?

My answer is: yes and NO.

1. Yes, for a home/test/demo deployment

2. Yes, for a multi-site cluster/single forest deployment running multiple domain controllers

3. BIG NO, if it is a production environment running in a single site. I will explain the reasons for that:

Root Domain Controller running on Physical Hardware

Because of the way clustered Hyper-V is implemented, it is not recommended to virtualize all domain controllers. If the connection to the Failover Cluster is lost, the cluster will fail to start because it cannot locate the AD account for the clustered Hyper-V host. Microsoft Failover Cluster relies on Active Directory for authentication/authorization, and Active Directory is a prerequisite for setting up a failover cluster. That's a serious matter, and Microsoft has released very long articles about it.

References:

– “Always have at least one DC that is on physical hardware so that failover clusters and other infrastructure can start.”
  http://support.microsoft.com/kb/888794
  (Article ID: 888794 – Last Review: December 29, 2011 – Revision: 13.0)

– Avoid creating single points of failure: Maintain physical domain controllers in each of your domains. This mitigates the risk of a virtualization platform malfunction that affects all host systems that use that platform.
  http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx
  (Updated: April 11, 2011)

Note: Although it is possible to minimize the risk by running the DC as a standalone VM on a Hyper-V cluster, Microsoft does not recommend running standalone VMs on a Hyper-V cluster.
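
One way to check the guidance quoted above ("Maintain physical domain controllers in each of your domains") is to inventory every DC in the forest and flag any domain where no physical DC can be confirmed. The script below is an added example, not from Microsoft or the referenced articles; the hypervisor model and manufacturer strings it matches are assumptions about what common platforms report, and it does not detect whether a virtual DC's host is clustered.

```powershell
# Added example: flag domains in which no domain controller is confirmed physical.
# Requires the ActiveDirectory module (RSAT) and CIM/WinRM access to each DC.
Import-Module ActiveDirectory

# Assumption: Model strings reported by common hypervisors in Win32_ComputerSystem.
$virtualModels = 'Virtual Machine', 'VMware Virtual Platform', 'VirtualBox'

function Test-IsVirtual {
    param([Parameter(Mandatory)][string]$ComputerName)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
    # Hyper-V guests report Manufacturer "Microsoft Corporation" and Model "Virtual Machine",
    # so the model is checked first; the manufacturer match covers other platforms.
    return ($virtualModels -contains $cs.Model) -or ($cs.Manufacturer -match 'VMware|Xen|QEMU')
}

$report = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try {
            $platform = if (Test-IsVirtual -ComputerName $dc.HostName) { 'Virtual' } else { 'Physical' }
        }
        catch {
            # Offline or access denied: do not assume either way.
            $platform = 'Unreachable'
        }
        [pscustomobject]@{
            Domain   = $domain
            DC       = $dc.HostName
            Site     = $dc.Site
            Platform = $platform
        }
    }
}

$report | Sort-Object Domain, DC | Format-Table -AutoSize

# A domain passes only when at least one DC was confirmed to be physical.
foreach ($group in ($report | Group-Object Domain)) {
    $physical = @($group.Group | Where-Object { $_.Platform -eq 'Physical' })
    if ($physical.Count -eq 0) {
        Write-Warning "$($group.Name): no physical domain controller confirmed"
    }
}
```
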

How about you? What are your thoughts on this?

Recommended articles:  http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/11/24/the-domain-controller-dilemma.aspx

http://www.ms4u.info/2011/05/why-you-should-not-running-domain.html

http://msincic.wordpress.com/2011/06/09/virtualize-domain-controllers-should-i-or-not/

http://support.microsoft.com/kb/888794

http://technet.microsoft.com/en-us/library/dd348476(v=WS.10).aspx

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006996

  1. kaczenski
    April 19, 2012 at 19:20

    There’s at least one more reason to NOT virtualize all DCs: The domain time server should run on hardware to avoid time sync issues. Normally it's the PDCe FSMO role holder.

    I always recommend to keep one DC physical per domain. At least!

    Bye, Nils

  2. May 2, 2012 at 20:12

    My recommendation would be to have at least one non-clustered Hyper-V server and host at least one DC on that server. You can also put other non-critical servers on that non-clustered host (WSUS, Backup, archive, etc.)
