Virtualizing a Windows Active Directory Domain Infrastructure

I’ve been thinking about virtualization of production domain controllers.  I have several virtualized DCs in a lab environment and even a very small production/standalone forest (less than 200 users) that only uses a single DC.  I’ve read a bunch of articles and outlined my findings below.  Please feel free to comment if you have any additional experience with this subject — I’m especially interested in large/multi-domain forest implementations.

  • Recommends x64 architecture
  • Use 1 vCPU – improves CPU scheduling flexibility
  • Use 4gb RAM – allows caching of most of the database – increase as needed for larger environments
  • Use replmon.exe to check, validate and initiate the KCC
  • Perform pre/post checks for best practices with “Best Practices Analyzer for Active Directory Domain Services”
  • Control clock drift
    • VMs can easily (and fairly rapidly) drift
    • Use NTP and not VMware Tools for time sync
    • Change the PDC Emulator:
      • HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type = change from NT5DS to NTP
      • HKLM\System\CurrentControlSet\Services\W32Time\Parameters\NtpServer = change from,0x1 to a stratum 1 source like,0x1
      • HKLM\System\CurrentControlSet\Services\W32Time\Config\AnnounceFlags = change the REG_DWORD value from 10 to 5
      • restart the w32time service (net stop w32time && net start w32time)
      • force a time sync (w32tm /resync /rediscover)
    • One clever option in VMware documentation was to set a group policy under ‘Domain Controllers’ that sets Computer configuration\Windows Settings\Administrative Templates\Windows Time Service and then use a WMI filter for PDC only:
      • Add namespace root\CIMv2
      • Add query (Select * from Win32_ComputerSystem where DomainRole = 5)
        • Roles are 0 = standalone, 1 = Member workstation, 2 = Standalone Server, 3 = Member Server, 4 = Backup domain controller, 5 = Primary domain controller
      • Link your created WMI filter to your configured group policy object (gpo)
        • Will only apply to Domain controller holding the PDC emulator FSMO role
        • Will automatically move to wherever the PDC emulator role is
  • Continue to backup the server using standard tools
  • Do not snapshot domain controllers
    • Per Active Directory does not support other methods to roll back the contents of Active Directory. In particular, Active Directory does not support any method that restores a snapshot of the operating system or the volume the operating system resides on. This kind of method causes an update sequence number (USN) rollback. When a USN rollback occurs, the replication partners of the incorrectly restored domain controller may have inconsistent objects in their Active Directory databases. In this situation, you cannot make these objects consistent.
  • Use clean builds and dcpromo process – do not use P2V

Documentation exists from VMware on the topic  Several of these steps are also reinforced by Microsoft in the document titled “Considerations when hosting Active Directory domain controller in virtual hosting environments” available here:

Microsoft and VMware have a relationship through the Server Virtualization Validation Program (SVVP) which basically states that either vendor will work with the other to address issues.  As part of the troubleshooting efforts either vendor may request that the issue be created on physical hardware.

“Support policy for Microsoft software running in non-Microsoft hardware virtualization software” available here:

“Customer Support Options for Microsoft Products Running within VMware Virtual Machines” available here:

This entry was posted in Virtualization. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *