The Domain Controller Dilemma

I often have people ask me about the Domain Controller dilemma. The basic problem is this: if you decide to virtualize all of your servers, how do you handle the domain controllers that control the domain your Hyper-V servers are joined to? There are several options you can consider here:

  1. Keep the root domain controller on physical hardware

    By keeping the root domain controller on separate physical hardware you avoid the circular dependency entirely, since the Hyper-V servers never rely on a domain controller that they themselves are hosting. However, you also miss out on the benefits of virtualization for your domain controller (better hardware utilization, hardware mobility, easier backup, etc.).

  2. Keep the Hyper-V servers out of the domain

    In small deployments you can consider leaving the Hyper-V servers in a workgroup and running all domain controllers inside virtual machines. This approach has problems. First, you lose the security advantages of running in a domain environment. Second, it is hard to have multiple administrators in such an environment, as local user accounts need to be created on each Hyper-V server. Finally, you cannot use all the functionality of SCVMM in such an environment.

  3. Establish a separate (physical) domain for Hyper-V servers

    This approach is a compromise between the first two. Here you virtualize your primary domain controller environment, but set up a secondary (smaller) domain for your Hyper-V servers using a physical server. The advantage is that you get all the benefits of having your Hyper-V servers in a domain while your primary domain environment benefits from being virtualized. The problem is that you still have an underutilized physical server sitting around in your server room / data center.

  4. Run the domain controller on top of Hyper-V anyway

    The last option is to put the domain controllers in virtual machines and then join the parent Hyper-V environment to the domain in question. While this sounds like a problematic environment, it can be done with some careful planning. Here are the steps to take and things to consider:
    1. Configure the domain controller virtual machines to always start when the parent starts, whether they were running before or not (this is configurable in the virtual machine settings).
    2. If you have other virtual machines configured to start automatically, configure them with a delayed start time (say a minute or two) so that the domain controllers can start up first.
    3. Configure the domain controller virtual machines to shut down (and not save state) if the physical computer is shut down.
    4. Ensure that you have a way of managing the Hyper-V environment if the domain controller fails to start. This means keeping a record of the local administrator account / password and testing that you can use it (either locally or remotely) to access the Hyper-V management console.
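Steps 1 to 3 scripted, as an added example rather than anything from the original post: it assumes the Hyper-V PowerShell module (Windows Server 2012 and later) and the VM names DC01 and DC02, and it ends with a check that reports any domain controller VM drifting back toward saved state or carrying checkpoints.

```powershell
# Added example, not code from the original post. Assumes the Hyper-V PowerShell module
# (Windows Server 2012 and later); the post describes making the same changes in the
# virtual machine settings UI. Run elevated on the Hyper-V host.
$DomainControllers = @('DC01', 'DC02')      # assumed VM names of the virtualized DCs

# Steps 1 and 3: always start the DCs (running before or not) and shut them down
# cleanly with the host instead of saving state.
$dcSettings = @{
    AutomaticStartAction = 'Start'
    AutomaticStartDelay  = 0
    AutomaticStopAction  = 'ShutDown'
}
foreach ($dc in $DomainControllers) { Set-VM -Name $dc @dcSettings }

# Step 2: every other VM that already auto-starts waits two minutes so the DCs come up first.
Get-VM |
    Where-Object { $DomainControllers -notcontains $_.Name -and $_.AutomaticStartAction -ne 'Nothing' } |
    Set-VM -AutomaticStartDelay 120

function Get-DcAutomationDrift {
    # Returns each DC VM whose automatic start/stop actions no longer match steps 1 and 3,
    # or that has checkpoints (the saved state / snapshot case the post rules out).
    param([string[]]$DcNames = $DomainControllers)
    foreach ($vm in Get-VM -Name $DcNames) {
        $snapshots = @(Get-VMSnapshot -VMName $vm.Name)
        $issues = @()
        if ($vm.AutomaticStartAction -ne 'Start')    { $issues += 'start action is not Start' }
        if ($vm.AutomaticStopAction  -ne 'ShutDown') { $issues += "stop action is $($vm.AutomaticStopAction)" }
        if ($snapshots.Count -gt 0)                  { $issues += "$($snapshots.Count) checkpoint(s) present" }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Name = $vm.Name; Issues = ($issues -join '; ') }
        }
    }
}

# Empty output means every DC matches steps 1 and 3 and carries no checkpoints.
Get-DcAutomationDrift | Format-Table -AutoSize
```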

So there you have it.  I actually use option 4 for the (albeit small) domain environment that I run in my house and have had no issues.  A couple of extra points to make here:

  • Points 1-3 of option 4 should apply to *any* time that you virtualize a domain controller - even if it is not being used by the parent partition in question.
  • You should never use saved state / snapshots with domain controllers - as this can be catastrophic.

Cheers,
Ben

  • Ben

    Great timing for this article! I am just virtualizing my environment and am just about to do the DC's. I had the plan of using Option 4 as well. Thanks for clarifying things.

  • Which comes first, chicken or egg?

  • Hi

    How will this work in a DR scenario when switching to your 2nd datacenter? I'm an ESX guy, and when switching to our 2nd datacenter I first have to have access to the host to be able to rescan the replica LUNs that were previously connected with source LUNs from datacenter1.

    So setting the domain controllers to boot when starting the host won't work, because normally the host has no VMs yet until I rescan the LUNs. Luckily on ESX I can just login to the host, rescan and start the VMs.

    Wouldn't it be better if Hyper-V could be managed more domain independent like ESX? And have SCVMM do the domain thingy, like Virtual Center does?

    I'm also searching for papers on how to perform Disaster Recovery for a Hyper-V environment. Would you have good links for me?

    Gabrie

  • Why is this important? I'm just curious why one can't keep one tiny server as a physical DC, for example a 2008 read-only DC server? Call me old-fashioned, but I would feel uneasy without at least one physical DC.

  • We virtualize our domain controllers using the same process as outlined in #4.  I have done this for years now with no ill effect.  I would make two additional suggestions:

    1. ALWAYS have more than one domain controller.

    2. Disable time synchronization for the domain controllers.  They are supposed to be the source of time in the domain, and you don't want them to take the time from their host, which then takes the time from the domain controller.

    Shan

  • I use option #4 also, but I spread the primary and secondary DCs across two physical machines. It is a shame to think about how many empty CPU cycles and how much wasted HD space exist out there in the world doing nothing but AD controlling.

    I still occasionally run into issues with startup order + SQL Server + Exchange services, but it is a relatively small price to pay for the added flexibility.

  • You don't mention the possibility of having the domain controller role running in the host OS.  Is there a reason why this isn't a sensible option?

  • I am curious about what Harry posted as well?  What are the repercussions of just putting the domain controller role on the host OS along with Hyper-V?

  • Gabrie -

    In a DR situation you would have to configure multiple DCs if you were using physical computers.  If you are using virtual machines they can fail over automatically.  As for using a model like ESX - I am much happier having a trusted model for authenticating our servers than not :-)

    Patrick -

    As I mention this is certainly a valid option that some people choose.

    Shan McArthur -

    Good points, thanks for making them.

    Harry Johnston -

    This is possible but I do not know of many people who do this. It would certainly work but a general best practice is to install one server role per OS.

    Cheers,

    Ben

  • Thanks great article (as always).

    Could you please explain why you say: "You should never use saved state / snapshots with domain controllers - as this can be catastrophic".

    Is this only valid for domains with more than one domain controller?

    What about single DC domains, e.g. SBS?

    Thanks!

  • In a single domain controller scenario (in this case a 64-bit laptop host running W2K8 with the Hyper-V role and a virtual domain controller, with the host joined to the virtual domain) I have used the save feature on the virtual DC to save start-up time, without any problems so far. Of course, with multiple domain controllers this would be unwise because of replication issues if one or more were kept in saved state for any length of time, or if the FSMO DC were saved. So for a mobile virtual lab with one DC it might work, but that is about it.

  • If I have a DC set up as a guest on a failover cluster, should I also change the offline action to Shut Down, or can I leave this as Save State?

  • Hey Ben - thanks for writing this up - it's a really interesting analysis of the available options.

    Just one quick question:

    "If you have other virtual machines configured to start automatically you may want to configure them to have a delayed start time (say by a minute or two) to allow the domain controllers to start up quickly."

    How can I do this? And can I also set dependencies between other VMs (i.e. VM1 relies on VM2)? I'm assuming I can do it all in SCVMM, but is it possible for plain old Hyper-V?

    Thanks, Mark

  • One more question on installing the DC on the Host OS. Here is my scenario: I have three physical servers, two that are running Server 2008 Hyper-V and one that I am going to install my Domain Server on, just like you suggested in #1. What I want to do is use each of my Hyper-V servers as backup Domain Controllers in case something happens to my main system. Is this workable?

  • Jevgenij -

    Theoretically this should be okay, but I would not recommend it as it is contrary to our testing / guidance.

    Tony -

    That would be a good idea.

    Mark Wilson -

    Under virtual machine settings, go to the automatic start action. Here you can specify a startup delay in seconds. In order to do dynamic dependencies you would need to script the startup of the virtual machine.

    modell@mccconstruction.com -

    I would recommend running the backup domain controllers in virtual machines, rather than in the parent partitions.

    Cheers,

    Ben
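The scripted dependency Ben refers to in his reply to Mark, as an added example that is not his code: start the domain controller VMs, wait until the heartbeat integration service reports the guest up and LDAP (TCP 389) answers, and only then start the dependents (the SQL Server and Exchange guests an earlier comment mentions). It assumes the Hyper-V PowerShell module (Windows Server 2012 and later), the VM names DC01, DC02, SQL01 and EXCH01, and that each DC's VM name resolves in DNS from the host.

```powershell
# Added example, not code from the original post or its author. Assumes the Hyper-V
# PowerShell module (Windows Server 2012 and later). VM names below are assumed.
function Wait-ForDomainController {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$HostName = $VMName,       # assumed: the VM name resolves in DNS; override if not
        [int]$TimeoutSeconds = 600
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $vm = Get-VM -Name $VMName
        # Any "Ok*" heartbeat means the integration services inside the guest are responding,
        # i.e. the guest OS is up; it says nothing yet about the directory service.
        $guestUp = "$($vm.Heartbeat)" -like 'Ok*'
        # LDAP answering on 389 means the DC can actually authenticate the dependents.
        $ldapUp = $guestUp -and (Test-NetConnection -ComputerName $HostName -Port 389 `
                                     -InformationLevel Quiet -WarningAction SilentlyContinue)
        if ($ldapUp) { return $true }
        Start-Sleep -Seconds 10
    }
    return $false
}

$dcs        = 'DC01', 'DC02'        # assumed VM names of the domain controllers
$dependents = 'SQL01', 'EXCH01'     # assumed VM names of guests that need the domain at boot

foreach ($dc in $dcs) {
    if ((Get-VM -Name $dc).State -ne 'Running') { Start-VM -Name $dc }
}

# Wait for at least one DC to serve LDAP before anything that depends on the domain starts.
$ready = $dcs | Where-Object { Wait-ForDomainController -VMName $_ } | Select-Object -First 1
if (-not $ready) {
    # Leave the dependents down rather than start services that cannot authenticate.
    Write-Error "No domain controller came up within the timeout; not starting dependents."
    exit 1
}

foreach ($vm in $dependents) {
    if ((Get-VM -Name $vm).State -ne 'Running') { Start-VM -Name $vm }
}
```

Register the script as a scheduled task that runs at host startup under an account with Hyper-V administrator rights, with the dependents' own automatic start action left at Nothing so this script is the only thing that starts them.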
