Virtualizing ALL Domain Controllers in a Cluster environment. Would you recommend?
Would I recommend virtualizing All domain controllers on a Hyper-V Cluster?
My answer is: yes and NO.
1. Yes, for a home/test/demo deployment
2. Yes, for a multi-site cluster/single forest deployment running multiple domain controllers
3. BIG NO, if it is a production environment running in a single site, and I will explain the reasons for that:
Root Domain Controller running on Physical Hardware
Because of the way clustered Hyper-V is implemented, it is not recommended to virtualise all domain controllers. Microsoft Failover Clustering relies on Active Directory for authentication and authorization, and an available domain is a prerequisite for setting up a failover cluster. If the cluster loses its connection to every domain controller, the Cluster service fails to start because it cannot authenticate the cluster's computer account in AD. If every DC is a virtual machine on that same cluster, no DC can start until the cluster has started, and the cluster cannot start until a DC is reachable. That is a serious matter, and Microsoft has published very long articles about it.
References:
– “Always have at least one DC that is on physical hardware so that failover clusters and other infrastructure can start.” http://support.microsoft.com/kb/888794
(Article ID: 888794 – Last Review: December 29, 2011 – Revision: 13.0)
– Avoid creating single points of failure: Maintain physical domain controllers in each of your domains. This mitigates the risk of a virtualization platform malfunction that affects all host systems that use that platform.
http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx
(Updated: April 11, 2011)
Note: Although it is possible to reduce the risk by running a DC as a standalone (non-clustered) VM on one of the cluster's Hyper-V hosts, Microsoft does not recommend running standalone VMs on a clustered Hyper-V host.
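To find out whether a given Hyper-V cluster is in exactly this situation, here is a check script added to this post (it is not from the original article or from Microsoft). It lists every domain controller of the domain and reports whether each one is a clustered VM on this cluster, a non-clustered VM sitting on one of the cluster nodes, or somewhere else (physical or another host), and flags the PDC emulator. It assumes Windows Server 2012 or later with the ActiveDirectory, FailoverClusters and Hyper-V PowerShell modules installed, that it is run on a cluster node (or with -Cluster pointing at one), and that each DC's VM name equals its AD computer name; the function name Test-DcPlacement is my own.

```powershell
# Added example, not part of the original post. Assumptions: Windows Server 2012+,
# ActiveDirectory/FailoverClusters/Hyper-V modules present, VM name == DC computer name.
Import-Module ActiveDirectory, FailoverClusters, Hyper-V

function Test-DcPlacement {
    param(
        [string]$Cluster = '.',                      # '.' = the local cluster
        [string]$Domain  = (Get-ADDomain).DNSRoot    # domain to inspect
    )

    # All DCs of the domain, and the PDC emulator (the usual time source)
    $adDomain = Get-ADDomain -Identity $Domain
    $dcs      = Get-ADDomainController -Filter * -Server $Domain
    $pdce     = $adDomain.PDCEmulator

    # Every VM on every node of this cluster, clustered (HA) or not
    $vms = foreach ($node in Get-ClusterNode -Cluster $Cluster) {
        Get-VM -ComputerName $node.Name |
            Select-Object Name, IsClustered, @{ n = 'Host'; e = { $node.Name } }
    }

    $report = foreach ($dc in $dcs) {
        $vm = $vms | Where-Object { $_.Name -ieq $dc.Name } | Select-Object -First 1
        $placement = if (-not $vm)            { 'NotOnThisCluster' }   # physical or another host
                     elseif ($vm.IsClustered) { 'ClusteredVM' }        # HA VM: depends on the cluster
                     else                     { 'StandaloneVMOnNode' } # the "minimise the risk" case
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            Placement        = $placement
            Host             = if ($vm) { $vm.Host } else { $null }
            IsPdcEmulator    = ($dc.HostName -ieq $pdce)
        }
    }

    # The dangerous state: no DC exists outside the cluster's clustered VMs
    $outside = @($report | Where-Object { $_.Placement -ne 'ClusteredVM' })
    if ($outside.Count -eq 0) {
        Write-Warning "Every DC of $Domain is a clustered VM on $Cluster; the cluster cannot start if all DCs are down."
    }
    if (($report | Where-Object { $_.IsPdcEmulator }).Placement -ne 'NotOnThisCluster') {
        Write-Warning "The PDC emulator ($pdce) is a VM on this cluster."
    }

    $report
}

# Usage: Test-DcPlacement | Format-Table -AutoSize
```

Run it on one cluster node with an account that can read AD and query Hyper-V on each node. Any domain whose report shows only ClusteredVM rows is the case the article warns about; a StandaloneVMOnNode row is the partial mitigation from the note above, which still leaves the DC on a host that may be rebooted or patched with the cluster.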
Recommended articles: http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/11/24/the-domain-controller-dilemma.aspx
http://www.ms4u.info/2011/05/why-you-should-not-running-domain.html
http://msincic.wordpress.com/2011/06/09/virtualize-domain-controllers-should-i-or-not/
http://support.microsoft.com/kb/888794
http://technet.microsoft.com/en-us/library/dd348476(v=WS.10).aspx
There's at least one more reason NOT to virtualize all DCs: the domain time server should run on hardware to avoid time sync issues. Normally it's the PDCe FSMO role holder.
I always recommend keeping one DC physical per domain. At least!
Bye, Nils
My recommendation would be to have at least one non-clustered Hyper-V server and host at least one DC on it. You can also put other non-critical servers on that non-clustered host (WSUS, backup, archive, etc.).