{"id":116,"date":"2010-06-10T09:42:09","date_gmt":"2010-06-10T13:42:09","guid":{"rendered":"http:\/\/enterpriseadmins.org\/blog\/?p=116"},"modified":"2010-06-10T09:42:09","modified_gmt":"2010-06-10T13:42:09","slug":"virtualizing-a-windows-active-directory-domain-infrastructure","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/virtualization\/virtualizing-a-windows-active-directory-domain-infrastructure\/","title":{"rendered":"Virtualizing a Windows Active Directory Domain Infrastructure"},"content":{"rendered":"<div>I&#8217;ve been thinking about virtualization of production domain controllers. \u00a0I have several virtualized DCs in a lab environment and even a very small production\/standalone forest (less than 200 users) that only uses a single DC. \u00a0I&#8217;ve read a bunch of articles and outlined my findings below. \u00a0Please feel free to comment if you have any additional experience with this subject &#8212; I&#8217;m\u00a0especially\u00a0interested in large\/multi-domain forest implementations.<\/div>\n<ul>\n<li>The VMware paper recommends the x64 architecture<\/li>\n<li>Use 1 vCPU \u2013 a single vCPU is easier for the hypervisor to schedule, and a DC rarely needs more<\/li>\n<li>Use 4 GB RAM \u2013 enough to cache most of the directory database \u2013 increase as needed for larger environments<\/li>\n<li>Use replmon.exe to check, validate and initiate the KCC (replmon.exe is not shipped with Windows Server 2008 and later; use repadmin \/kcc and repadmin \/showrepl there)<\/li>\n<li>Perform pre\/post checks for best practices with \u201cBest Practices Analyzer for Active Directory Domain Services\u201d <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/dd391875(WS.10).aspx\">http:\/\/technet.microsoft.com\/en-us\/library\/dd391875(WS.10).aspx<\/a><\/li>\n<li>Control clock drift\n<ul>\n<li>VMs can easily (and fairly rapidly) drift; once a DC is off by more than the Kerberos tolerance (5 minutes by default) authentication against it starts failing<\/li>\n<li>Use NTP (the W32Time service) and not VMware Tools for time sync, and disable the VMware Tools periodic time synchronization on DCs so the two do not fight each other<\/li>\n<li>Change the PDC Emulator only \u2013 every other DC and member keeps the default NT5DS type and follows the domain hierarchy, so the PDC emulator is the one machine that needs an external source:\n<ul>\n<li>HKLM\\System\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type = change from NT5DS to NTP<\/li>\n<li>HKLM\\System\\CurrentControlSet\\Services\\W32Time\\Parameters\\NtpServer = change from time.windows.com,0x1 to a stratum 1 source like tock.usno.navy.mil,0x1 (the 0x1 flag polls the peer on SpecialPollInterval)<\/li>\n<li>HKLM\\System\\CurrentControlSet\\Services\\W32Time\\Config\\AnnounceFlags = change the REG_DWORD value from 10 (0xA, announce as reliable only when the service decides it is) to 5 (always announce as a reliable time source)<\/li>\n<li>restart the w32time service (net stop w32time &amp;&amp; net start w32time)<\/li>\n<li>force a time sync (w32tm \/resync \/rediscover) and confirm with w32tm \/query \/source that the external peer, not the local CMOS clock, is the source<\/li>\n<\/ul>\n<\/li>\n<li>One clever option in VMware documentation was to set a group policy under \u2018Domain Controllers\u2019 that configures Computer Configuration\\Administrative Templates\\System\\Windows Time Service and then use a WMI filter so it applies to the PDC emulator only:\n<ul>\n<li>Add namespace root\\CIMv2<\/li>\n<li>Add query (Select * from Win32_ComputerSystem where DomainRole = 5)\n<ul>\n<li>Roles are 0 = Standalone Workstation, 1 = Member Workstation, 2 = Standalone Server, 3 = Member Server, 4 = Backup Domain Controller, 5 = Primary Domain Controller (the DC holding the PDC emulator FSMO role)<\/li>\n<\/ul>\n<\/li>\n<li>Link your created WMI filter to your configured group policy object (GPO)\n<ul>\n<li>Will only apply to the domain controller holding the PDC emulator FSMO role<\/li>\n<li>Will automatically follow the role when the PDC emulator is transferred or seized to another DC<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Continue to back up the server using standard tools (an AD restore needs a system state backup, so make sure the backup includes it)<\/li>\n<li>Do not snapshot domain controllers\n<ul>\n<li>Per <em><a href=\"http:\/\/support.microsoft.com\/kb\/888794\">http:\/\/support.microsoft.com\/kb\/888794<\/a><\/em>: Active Directory does not support other methods to roll back the contents of Active Directory. In particular, Active Directory does not support any method that restores a snapshot of the operating system or the volume the operating system resides on. This kind of method causes an update sequence number (USN) rollback. When a USN rollback occurs, the replication partners of the incorrectly restored domain controller may have inconsistent objects in their Active Directory databases. In this situation, you cannot make these objects consistent.<\/li>\n<li>The reverted DC keeps its invocation ID, so its partners treat the USNs it reissues as already replicated and its post-snapshot changes never propagate; a DC found in this state has to be forcibly demoted (or restored from a supported backup) and repromoted. Windows Server 2012 and later DCs detect a snapshot restore through the hypervisor VM-Generation ID and reset their invocation ID, but for the DCs of this era the rule stands.<\/li>\n<\/ul>\n<\/li>\n<li>Use clean builds and the dcpromo process \u2013 do not P2V an existing DC<\/li>\n<\/ul>\n<p>\nDocumentation exists from VMware on the topic <a href=\"http:\/\/www.vmware.com\/files\/pdf\/Virtualizing_Windows_Active_Directory.pdf\">http:\/\/www.vmware.com\/files\/pdf\/Virtualizing_Windows_Active_Directory.pdf<\/a>.\u00a0 Several of these steps are also reinforced by Microsoft in the document titled \u201cConsiderations when hosting Active Directory domain controller in virtual hosting environments\u201d available here: <a href=\"http:\/\/support.microsoft.com\/kb\/888794\">http:\/\/support.microsoft.com\/kb\/888794<\/a><\/p>\n<p>Microsoft and VMware have a relationship through the Server Virtualization Validation Program (SVVP), which basically states that either vendor will work with the other to address issues.\u00a0 As part of the troubleshooting effort either vendor may ask that the issue be reproduced on physical hardware.<\/p>\n<p>\u201cSupport policy for Microsoft software running in non-Microsoft hardware virtualization software\u201d is available here: <a href=\"http:\/\/support.microsoft.com\/kb\/897615\/\">http:\/\/support.microsoft.com\/kb\/897615\/<\/a><\/p>\n<p>\u201cCustomer Support Options for Microsoft Products Running within VMware Virtual Machines\u201d is available here: <a href=\"http:\/\/www.vmware.com\/support\/policies\/ms_support_statement.html\">http:\/\/www.vmware.com\/support\/policies\/ms_support_statement.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been thinking about production domain controllers. 
\u00a0I have several virtualized DCs in a lab environment and even a very small production\/standalone forest (less than 200 users) that only uses a single DC. \u00a0I&#8217;ve read a bunch of &hellip; <a href=\"https:\/\/enterpriseadmins.org\/blog\/virtualization\/virtualizing-a-windows-active-directory-domain-infrastructure\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-116","post","type-post","status-publish","format-standard","hentry","category-virtualization"],"_links":{"self":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/116","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/comments?post=116"}],"version-history":[{"count":11,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/116\/revisions"}],"predecessor-version":[{"id":127,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/116\/revisions\/127"}],"wp:attachment":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/media?parent=116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/categories?post=116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/tags?post=116"}],"curies":
[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
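The PDC emulator time-source change and the DomainRole WMI filter described in the post above, as one added PowerShell example (not part of the original post, nor of the VMware or Microsoft documents it cites): it runs the same WQL query the post's WMI filter uses to decide whether the local DC holds the PDC emulator role, compares the three registry values the post lists against the desired state, and only with -Apply makes the change through w32tm /config (the supported equivalent of editing the registry by hand), then restarts W32Time, forces a resync and verifies the new source. The default peer is the post's tock.usno.navy.mil; the peer list, the OS level (Windows Server 2008 R2 / PowerShell 2.0 or later) and running it elevated on the DC are assumptions.

```powershell
# Added example (not from the original post): check and, with -Apply, set the
# PDC emulator time configuration the post describes, using the same DomainRole
# test as the post's WMI filter. Assumes Windows Server 2008 R2 / PowerShell 2.0
# or later, run elevated on the DC; the default peer is the post's example.
param(
    [string[]]$NtpPeers = @('tock.usno.navy.mil'),  # assumption: swap in your own stratum 1 sources
    [switch]$Apply                                   # without -Apply the script only reports
)

# Same WQL the post's WMI filter uses: DomainRole 5 = this DC holds the PDC emulator FSMO role.
$cs    = Get-WmiObject -Namespace 'root\CIMv2' -Query 'SELECT DomainRole FROM Win32_ComputerSystem'
$isPdc = ($cs.DomainRole -eq 5)

# The three registry values the post edits.
$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$names     = 'Type', 'NtpServer', 'AnnounceFlags'
$current   = @{
    Type          = (Get-ItemProperty -Path $paramKey  -Name Type).Type
    NtpServer     = (Get-ItemProperty -Path $paramKey  -Name NtpServer -ErrorAction SilentlyContinue).NtpServer
    AnnounceFlags = (Get-ItemProperty -Path $configKey -Name AnnounceFlags).AnnounceFlags
}
Write-Output ("{0}: DomainRole={1} (PDC emulator: {2})" -f $env:COMPUTERNAME, $cs.DomainRole, $isPdc)
foreach ($n in $names) { Write-Output ("  {0,-14}= {1}" -f $n, $current[$n]) }

if (-not $isPdc) {
    # Every other DC must stay NT5DS and follow the domain hierarchy; warn if someone changed that.
    if ($current['Type'] -ne 'NT5DS') {
        Write-Warning "Non-PDC DC has Type=$($current['Type']); it should be NT5DS"
    }
    return
}

# Desired state from the post: Type=NTP, NtpServer=<peer>,0x1 (SpecialInterval flag), AnnounceFlags=5.
$peerList = ($NtpPeers | ForEach-Object { "$_,0x1" }) -join ' '
$desired  = @{ Type = 'NTP'; NtpServer = $peerList; AnnounceFlags = 5 }
$changes  = foreach ($n in $names) {
    if ("$($current[$n])" -ne "$($desired[$n])") {
        "  {0}: '{1}' -> '{2}'" -f $n, $current[$n], $desired[$n]
    }
}
if (-not $changes) { Write-Output 'PDC emulator time configuration already matches; nothing to do.'; return }
Write-Output 'Changes needed:'
Write-Output $changes
if (-not $Apply) { Write-Output 'Re-run with -Apply to make these changes.'; return }

# w32tm /config is the supported way to write the same registry values the post lists:
# /syncfromflags:manual -> Type=NTP, /manualpeerlist -> NtpServer, /reliable:yes -> AnnounceFlags=5.
& w32tm.exe /config "/manualpeerlist:$peerList" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }
Restart-Service -Name w32time
& w32tm.exe /resync /rediscover

# Verify: the source should now be one of the peers, not 'Local CMOS Clock' or 'Free-running System Clock'.
$source = (& w32tm.exe /query /source) -join ''
Write-Output "Time source is now: $source"
$matched = $NtpPeers | Where-Object { $source -match [regex]::Escape($_) }
if (-not $matched) {
    Write-Warning 'Source is not one of the configured peers; check UDP 123 egress and w32tm /query /status'
}
```

Run it without -Apply on every DC first: on the PDC emulator it lists the values that differ from the post's target state, and on any other DC it only warns if the Type has been changed away from NT5DS, which is the same split the post's DomainRole = 5 WMI filter enforces for the GPO approach.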