- Recommends x64 architecture
- Use 1 vCPU – improves CPU scheduling flexibility
- Use 4gb RAM – allows caching of most of the database – increase as needed for larger environments
- Use replmon.exe to check, validate and initiate the KCC
- Perform pre/post checks for best practices with “Best Practices Analyzer for Active Directory Domain Services” http://technet.microsoft.com/en-us/library/dd391875(WS.10).aspx
- Control clock drift
- VMs can easily (and fairly rapidly) drift
- Use NTP and not VMware Tools for time sync
- Change the PDC Emulator:
- HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type = change from NT5DS to NTP
- HKLM\System\CurrentControlSet\Services\W32Time\Parameters\NtpServer = change from time.windows.com,0x1 to a stratum 1 source like tock.usno.navy.mil,0x1
- HKLM\System\CurrentControlSet\Services\W32Time\Config\AnnounceFlags = change the REG_DWORD value from 10 to 5
- restart the w32time service (net stop w32time && net start w32time)
- force a time sync (w32tm /resync /rediscover)
- One clever option in VMware documentation was to set a group policy under ‘Domain Controllers’ that sets Computer configuration\Windows Settings\Administrative Templates\Windows Time Service and then use a WMI filter for PDC only:
- Add namespace root\CIMv2
- Add query (Select * from Win32_ComputerSystem where DomainRole = 5)
- Roles are 0 = standalone, 1 = Member workstation, 2 = Standalone Server, 3 = Member Server, 4 = Backup domain controller, 5 = Primary domain controller
- Link your created WMI filter to your configured group policy object (gpo)
- Will only apply to Domain controller holding the PDC emulator FSMO role
- Will automatically move to wherever the PDC emulator role is
- Continue to backup the server using standard tools
- Do not snapshot domain controllers
- Per http://support.microsoft.com/kb/888794: Active Directory does not support other methods to roll back the contents of Active Directory. In particular, Active Directory does not support any method that restores a snapshot of the operating system or the volume the operating system resides on. This kind of method causes an update sequence number (USN) rollback. When a USN rollback occurs, the replication partners of the incorrectly restored domain controller may have inconsistent objects in their Active Directory databases. In this situation, you cannot make these objects consistent.
- Use clean builds and dcpromo process – do not use P2V
Documentation exists from VMware on the topic http://www.vmware.com/files/pdf/Virtualizing_Windows_Active_Directory.pdf. Several of these steps are also reinforced by Microsoft in the document titled “Considerations when hosting Active Directory domain controller in virtual hosting environments” available here: http://support.microsoft.com/kb/888794
Microsoft and VMware have a relationship through the Server Virtualization Validation Program (SVVP) which basically states that either vendor will work with the other to address issues. As part of the troubleshooting efforts either vendor may request that the issue be created on physical hardware.
“Support policy for Microsoft software running in non-Microsoft hardware virtualization software” available here: http://support.microsoft.com/kb/897615/
“Customer Support Options for Microsoft Products Running within VMware Virtual Machines” available here: http://www.vmware.com/support/policies/ms_support_statement.html