VMware Cloud Community
theblackknight
Enthusiast

Best practices for Controllers in a VMware environment

I know DC's can be easily virtualized, but I want to keep one physical DC at each of my sites. I know this has been a best practice, but need to find documentation on it...anyone know where I can find that?

7 Replies
Lightbulb
Virtuoso

Here are Microsoft's thoughts on Virtualizing AD systems.

http://support.microsoft.com/kb/888794

I had not heard the bit about keeping one physical system before.

Try not to convert AD systems if you can help it.

http://kb.vmware.com/kb/1006996

MrBiscuit
Enthusiast

My apologies if this sounds vague, but it's been a long time since I've needed to think in this direction.

I recall that the three main reasons, in no particular order, were system clock, non-authoritative restores and throughput. I can't recall where I've seen a document covering the deep detail on those, but I'm pretty sure it'll help you in your search. Something to keep in mind is the date of the document you reference, as the last time I looked for vendor documentation on this I was running ESX 2.5, and things have obviously changed significantly.

Also remember that whether something is advisable isn't just about whether it's technically doable - your support agreement with Microsoft and VMware affects the level of support you can expect and what you would want to deploy in your environment. Complexity = downtime and all that.

azn2kew
Champion

Here is the Best Proven practice for virtualizing AD with VMware.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

msemon1
Expert

We keep 2 domain controllers as physical just for comfort (paranoid) reasons. On these we also run DNS to make sure we have name resolution outside of VMware. All new DC's are virtual. Have seen no problems with this. The only suggestion I keep reading is not to P2V your domain controllers into a new environment, or at least your first one. I think it is better to create a virtual DC and replicate from physical and transfer your FSMO roles if you plan to host your FSMO roles on a virtual DC.

Mike

Roanry
Contributor

I see no reason why you couldn't virtualize 100% of your AD environment. If you have a sound architecture VI3 env. with HA, DRS and storage best practices implemented then it should work.

More and more we are migrating applications like AD over to VM because after running Capacity Planner the numbers keep coming back that they are so underutilized it only makes sense to do so.

Unless your application has "hardware" aware specific API calls to the underlying physical system then you should at least try. At most try to P2V your AD servers and just disconnect the network via the ILO/DRAC/RSA and if the VM doesn't work for some reason just power off the VM and reconnect the network on the physical.

Ken_Cline
Champion

I see no reason why you couldn't virtualize 100% of your AD environment.

The biggest thing is to make sure that you have core infrastructure services available OUTSIDE of your VI environment. The most important of these is DNS, but basically, any infrastructure service upon which your VI depends (i.e. if you are using PAM for AD-integrated authentication, etc.). In most cases, having these types of services internal to your VI is not a problem - but you have to plan for a total VI outage (such as would happen in the event of a total datacenter outage due to power failure). If you don't have these core services available outside your VI, then you may have problems restoring your VI to operation.

Nothing wrong with having a standalone ESXi or VMware Server system hosting these services, though!

Ken Cline

VMware vExpert 2009

VMware Communities User Moderator

khughes
Virtuoso

I agree with Ken, the biggest thing to have outside of your environment is DNS, which VMware relies heavily on. When my boss was moving some power cables early in the morning in our switch rack he triggered an isolation response on all of our hosts, causing them all to shut down. Since our DC's are also our DNS servers, which are all virtualized, it made it a pain to bring everything back up. We have since added DNS to a physical server outside our VI environment. I wouldn't say you need a physical DC but it might be nice to have a secondary outside if something should fail. I would strongly suggest keeping a physical server that runs DNS outside though.

Kyle
