Hyper-V Program Manager
Often I have people ask me about the Domain Controller dilemma. The basic problem is this: if you decide to virtualize all of your servers, how do you handle the domain controllers which control the domain used by your Hyper-V servers? There are a couple of options that you can consider here:
So there you have it. I actually use option 4 for the (albeit small) domain environment that I run in my house and have had no issues. A couple of extra points to make here:
Great timing for this article! I am just virtualizing my environment and am just about to do the DCs. I had the plan of using Option 4 as well. Thanks for clarifying things.
Which comes first, chicken or egg?
How will this work in a DR scenario when switching to your 2nd datacenter? I'm an ESX guy and when switching to our 2nd datacenter, I first have to have access to the host to be able to rescan the replica LUNs that were previously connected with source LUNs from datacenter1.
So setting the domain controllers to boot when starting the host won't work, because normally the host has no VMs yet until I rescan the LUNs. Luckily on ESX I can just login to the host, rescan and start the VMs.
Wouldn't it be better if Hyper-V could be managed more domain independent like ESX? And have SCVMM do the domain thingy, like Virtual Center does?
I'm also searching for papers on how to perform Disaster Recovery for a Hyper-V environment. Would you have good links for me?
Why is this important? I'm just curious why one can't keep one tiny server as a physical DC? For example a 2008 read-only DC server? Call me old-fashioned but I would feel uneasy without at least one physical DC.
We virtualize our domain controllers using the same process as outlined in #4. I have done this for years now with no ill effect. I would make two additional suggestions:
1. ALWAYS have more than one domain controller.
2. Disable time synchronization for the domain controllers. They are supposed to be the source of time in the domain, and you don't want them to take the time from their host, which then takes the time from the domain controller.
I use option #4 also, but I spread the primary and secondary DCs across two physical machines. It is a shame to think about how many idle CPU cycles and how much wasted HD space exist out there in the world doing nothing but AD controlling.
I still occasionally run into issues with startup order + SQL Server + Exchange services, but it is a relatively small price to pay for the added flexibility.
You don't mention the possibility of having the domain controller role running in the host OS. Is there a reason why this isn't a sensible option?
I am curious about what Harry posted as well? What are the repercussions of just putting the domain controller role on the host OS along with Hyper-V?
In a DR situation you would have to configure multiple DCs if you were using physical computers. If you are using virtual machines they can fail over automatically. As for using a model like ESX - I am much happier having a trusted model for authenticating our servers than not :-)
As I mention, this is certainly a valid option that some people choose.
Shan McArthur -
Good points, thanks for making them.
Harry Johnston -
This is possible but I do not know of many people who do this. It would certainly work but a general best practice is to install one server role per OS.
Thanks great article (as always).
Could you please explain why you say: "You should never use saved state / snapshots with domain controllers - as this can be catastrophic".
Is this only valid for domains with more than one domain controller?
What about single DC domains, e.g. SBS?
In a single domain controller scenario, in this case a 64-bit laptop host with W2K8 with the Hyper-V role and a virtual domain controller, with the host joined to the virtual domain, I have used the save feature on the virtual DC to save start-up time without any problems so far. Of course with multiple domain controllers this would be unwise because of replication issues if one or more were kept in saved state for any length of time or if the FSMO DC were saved. So for a mobile virtual lab with one DC it might work, but that is about it.
If I have a DC set up as a guest on a failover cluster, should I also change the offline action to Shut Down, or can I leave this as Save State?
Hey Ben - thanks for writing this up - it's a really interesting analysis of the available options.
Just one quick question:
"If you have other virtual machines configured to start automatically you may want to configure them to have a delayed start time (say by a minute or two) to allow the domain controllers to start up quickly."
How can I do this? And, can I also set dependencies between other VMs (i.e. VM1 relies on VM2) - I'm assuming I can do it all in SCVMM but is it possible for plain old Hyper-V?
One more question on installing the DC on the Host OS. Here is my scenario: I have three physical servers, two that are running Server 2008 Hyper V and one that I am going to install my Domain Server on just like you suggested in #1. What I want to do is use each of my Hyper V servers as backup Domain Controllers in case something happens to my main system. Is this workable?
Theoretically this should be okay, but I would not recommend it as it is contrary to our testing / guidance.
That would be a good idea.
Mark Wilson -
Under virtual machine settings, go to the automatic start action. Here you can specify a startup delay in seconds. In order to do dynamic dependencies you would need to script the startup of the virtual machine.
I would recommend running the backup domain controllers in virtual machines, rather than in the parent partitions.
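The two settings discussed in the thread (the startup delay from the reply above, and the time-synchronization suggestion in the earlier comment) can be applied to every VM on a host in one pass. This is an added example, not code from the original post or its comments; it assumes the Hyper-V PowerShell module (Windows Server 2012 or later, which is newer than the post), and the DC names are placeholders.

```powershell
# Added example (not from the original post). Assumes the Hyper-V PowerShell
# module (Windows Server 2012 or later); VM names below are placeholders.
$DomainControllers = @('DC01', 'DC02')   # placeholder names of the virtual DCs
$OtherStartupDelay = 120                 # seconds other auto-start VMs wait

foreach ($vm in Get-VM) {
    if ($DomainControllers -contains $vm.Name) {
        # DCs start first with no delay; on host shutdown they are shut down
        # cleanly rather than put into saved state, as the post advises.
        Set-VM -VM $vm -AutomaticStartAction Start -AutomaticStartDelay 0 `
               -AutomaticStopAction ShutDown
        # DCs are the domain's time source: stop them taking time from the host.
        Disable-VMIntegrationService -VM $vm -Name 'Time Synchronization'
    }
    elseif ($vm.AutomaticStartAction -ne 'Nothing') {
        # Other auto-start VMs wait so the DCs are up before they need AD.
        Set-VM -VM $vm -AutomaticStartDelay $OtherStartupDelay
    }
}

# Verify: show start/stop actions and time-sync state for every VM on the host.
Get-VM | ForEach-Object {
    $ts = Get-VMIntegrationService -VM $_ -Name 'Time Synchronization'
    [pscustomobject]@{
        Name     = $_.Name
        StartAct = $_.AutomaticStartAction
        Delay    = $_.AutomaticStartDelay
        StopAct  = $_.AutomaticStopAction
        TimeSync = $ts.Enabled
    }
} | Format-Table -AutoSize
```

The final table is the check to run after any change: every DC should show `Start`, delay `0`, `ShutDown` and `TimeSync` `False`.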