Is domain controller virtualization really a good idea?

Server virtualization has received increased attention from IT managers who see it as a way to stretch their already thin budgets. Getting one machine to act like and do the work of two or more machines is a really powerful tactic and one that is gaining popularity for application servers. With virtualization software supporting 64-bit platforms and soon to be supporting IA-64 Itanium microprocessors, the limits may be expanding -- and that's good news for IT managers.

In general, virtual application servers are working quite nicely, but many IT managers are also exploring the idea of virtualizing domain controllers (DCs). That enthusiasm, however, leaves the administrator with several unanswered questions: Is it really a good idea to virtualize domain controllers? What are the ramifications? Does Microsoft support it?

Microsoft's view of domain controller virtualization

Microsoft has published a white paper, Running Domain Controllers in Virtual Server 2005, as well as KB article 888794, entitled "Considerations when hosting Active Directory domain controllers in virtual hosting environments" to address this issue. We can deduce that it is indeed possible to host DCs on virtual machines merely by the fact that these documents provide "How to" guidelines for accomplishing the task.

However, there are some very specific guidelines for virtual DCs. Some important points include:

Ramifications of domain controller virtualization

In evaluating the feasibility of virtualizing any server role, it is important to note that the main resources used on a busy DC are RAM and Disk, which are also the two things that virtualization isn't the greatest for sharing. Remember that the RAM of the physical machine is divided up between the host and the virtual machines, so physical RAM becomes a very critical resource. T...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows Server Virtualization and Microsoft Hyper-V Citrix Essentials adds support for Windows Server 2008 R2 Availability in the virtualized Windows server Converting Citrix XenServer source machines to Hyper-V format Hardware considerations for Windows server virtualization Converting VMware ESX machines to Hyper-V format Connecting Hyper-V hosts to iSCSI targets in Windows Scaling Windows server resources for virtualization VMM 2008 R2 hits RTM, denied at VMworld When to use VM backups versus snapshots in Hyper-V Migrating virtual machines from Microsoft Virtual Server to Hyper-V Microsoft Active Directory Design and Administration Utilizing Active Directory snapshots in Windows Server 2008 Active Directory tops the list of hot Windows Server 2008 R2 features Creating Windows taskpad views for Active Directory management When to add new domains to your Windows environment Forcing the removal of a Windows Server 2008 domain controller Performing a staged installation of an RODC in Windows Server 2008 Using Active Directory to manage Macs in a Windows environment Scripting domain controller installations: A must for Server Core Taming the LSASS.exe process for Active Directory performance and security Top 5 Active Directory tips of 2008 Windows Server Monitoring and Management BitLocker in R2 provides data protection for semi-protected servers Perfmon made easy with PAL utility Converting Citrix XenServer source machines to Hyper-V format Balancing Windows security with reasonable password policies Windows AppLocker in R2: Turning conventional security wisdom on its head Top 10 things you don't know about Windows Server 2008 R2 BranchCache makes branch offices feel like home When to use VM backups versus snapshots in Hyper-V Installing Server Core for Windows 2008 the easy way Migrating virtual machines from Microsoft Virtual Server to Hyper-V

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Microsoft Hyper-V version 1.0  (SearchWindowsServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

o be sure, disk space is a big issue, especially if you make backups by saving snapshots of the virtual machines. CPU resources on DCs are usually a non-issue, yet they are the primary reason given to justify virtualizing servers.

I personally only know of a few companies that actually implement virtual DCs in production. For example, there is one large global corporation with an Active Directory architecture that is only virtualizing "Lag Site" DCs (See my tech target article Preventing Active Directory disaster: The replication LAG site). This company does not virtualize all DCs because of possible I/O bottlenecks. Another issue is security. In a virtual server, since the domain controller is basically a file, it could get saved and later mistakenly booted from that file, having the effect of an out-of-date DC coming back online and injecting lingering objects in the AD. Of course, that file can be compromised, mistakenly deleted or even copied to steal data.

What about support?

Another issue to keep in mind is supportability. Does Microsoft support virtualization of DCs if you call for it? The answer is … it depends. According to Microsoft KB article 897615, Microsoft will support DCs loaded on its Virtual Server product. However, if you use EMC Corp.'s VMware product (which I prefer), then the level of support will vary.

Here are some other points to remember, according to KB 897615:

In other words, if you aren't using Virtual Server, then all bets are off. Thus, when deciding whether to virtualize your domain controllers, you must determine if you are prepared to live with this support condition. Are you really willing to reproduce a critical error that is stopping replication and affecting application of Group Policy on a separate machine rather than the one it is failing on? This will obviously take time just to set up and you may never be able to repro the problem, which may or may not be the fault of the virtualization software.

Best practices for virtualizing DCs

To summarize a few best practices for virtualizing DCs:

Any domain controller virtualization design should come with a great deal of analysis and testing. While there are not a lot of case studies out there to prove or disprove many of the points made here, it should be sufficient to convince any IT manager or administrator that virtualization of DCs is possible and supported. Your mileage may vary: Implement it in very limited, non-critical roles, and go from there.

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers.

Rate this Tip To rate tips, you must be a member of SearchWindowsServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.