VMware Cloud Community
rharthur
Contributor

Should all Domain Controllers reside in the VMWare environment

I was curious if anyone in the VMware community can give their opinion about the location of Domain Controllers. I had 2 DCs before introducing VMware and pulling servers into it. I created 2 new DCs in VMware and then demoted the 2 external ones, so that there are only virtual DCs. This seemed to work fine, but I had to power down the equipment running VMware, and when it booted up, the storage device which the ESX hosts accessed kicked an error because it could not find a DC.

Do most people remove all external DCs and go with just VMware virtual DCs, or is it best to always keep one external DC up and running? Any opinion is welcome.

Thanks.


Accepted Solutions
steven_tolson
Enthusiast

I would always advise keeping the DC hosting the PDC Emulator FSMO role out of your virtual environment. Time is critical on most servers, but especially on the PDC, which is at the top of your Windows time sync infrastructure.

We also keep one DC in each data centre on a physical platform; that way, if we ever have a power-down, we can bring the physical DC up first and very quickly when we power up.

Hope this helps.

Regards,

Steve

5 Replies
azn2kew
Champion

VMware has a great best practice guide on how to virtualize domain controllers, but if you have an existing DC, I would suggest you create new virtual machines and then promote them to DCs instead of using P2V conversion. Even though it would work, it is not a standard best practice, since you will have unsynced changes when you've P2V'ed. I would virtualize all domain controllers, except that you need one physical domain controller running in case your entire virtual environment is destroyed. You can download this best practice guide on the vmworld.com site, and all you have to make sure is that timesync is configured with VMware Tools or registry hacks! Timesync is very critical with any domain controllers to prevent them from drifting.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

VMware vExpert 2009

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

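The time-sync point raised in this reply and the PDC Emulator point in the accepted answer can be turned into a quick audit run on each DC. This is an added example, not code from the thread or from VMware; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that it runs elevated on a Windows DC, and that VMware Tools, if present, sits at its default install path.

```powershell
# Added example: audit a DC's time-source configuration against the thread's advice.
# Assumptions: ActiveDirectory module available; run elevated on the DC being checked;
# VMware Tools path below is the default install location (adjust if yours differs).

Import-Module ActiveDirectory

$domain = Get-ADDomain
# Compare the short host name of the PDC Emulator holder with this machine
$isPdc  = (($domain.PDCEmulator -split '\.')[0] -ieq $env:COMPUTERNAME)

Write-Host "PDC Emulator role holder : $($domain.PDCEmulator)"
Write-Host "This host is the PDC      : $isPdc"

# W32Time expectations: the PDC Emulator should be Type=NTP with an external NtpServer;
# every other DC should be Type=NT5DS so it follows the domain hierarchy.
$w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
Write-Host "W32Time Type: $($w32.Type)   NtpServer: $($w32.NtpServer)"

if ($isPdc -and $w32.Type -ne 'NTP') {
    Write-Warning 'PDC Emulator is not using an external NTP source (Type should be NTP).'
}
if (-not $isPdc -and $w32.Type -ne 'NT5DS') {
    Write-Warning 'Non-PDC DC is not following the domain hierarchy (Type should be NT5DS).'
}

# What the time service is actually using right now
w32tm /query /source

# VMware Tools periodic sync steers the guest clock from the host. Two masters
# (Tools and W32Time) fight each other, which is the drift the thread warns about.
$toolbox = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'
if (Test-Path $toolbox) {
    $status = & $toolbox timesync status
    Write-Host "VMware Tools timesync: $status"
    if ($status -match 'Enabled') {
        Write-Warning 'VMware Tools timesync is enabled alongside W32Time; keep only one time master.'
    }
} else {
    Write-Host 'VMware Tools not found at the default path (likely a physical DC).'
}
```

The registry values and `w32tm /query /source` are the standard Windows Time Service interfaces; the VMware Tools check uses the `timesync status` subcommand of `VMwareToolboxCmd.exe`. A physical PDC Emulator, as the accepted answer recommends, simply takes the last branch and should report `Type: NTP` with an external server.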
rharthur
Contributor

Thanks for that information. I actually created the 2 new DCs in the virtual environment from scratch and did not import any existing ones, since I was told this was the best way. Your advice on keeping one DC external to VMware matches how I'm feeling in general, so I will likely go that way as well.

DLeid
Expert

We have 21 regional offices, with the New York office as a hub for the others. In the New York office we use three physical domain controllers. In the regional offices we use virtual domain controllers. The regional offices point to themselves as primaries and to NY as secondaries. If any ESX server has problems, the NY DCs are available.

If you find this or any other information helpful or correct, please consider awarding points.

Spad

Same here: we have a physical DC at each of our datacentres, and then any other DCs, either locally or at branch sites, are VMs. None of them get their time from the hardware clock on the VM hosts, however; it all comes from internal and ultimately external NTP sources.
