Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Windows Server TechCenter
Click to Rate and Give Feedback
TechNet
TechNet Library
Windows
Windows Server
 Deployment Considerations for Virtu...
Deployment Considerations for Virtualized Domain Controllers

Updated: June 15, 2009

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Virtualization

This topic describes some things to consider when you deploy domain controllers on virtual machines. There are several common virtual machine practices that you should avoid when you deploy domain controllers. There are also special considerations for time synchronization and storage. The following sections describe these considerations.

Virtualization deployment practices to avoid

Virtualization platforms, such as Hyper-V, offer a number of convenience features that make managing, maintaining, backing up, and migrating computers easier. However, there are some common deployment practices and features that should not be used for virtual domain controllers. The following list describes the practices to avoid when you deploy domain controllers:

  • Do not implement differencing disk virtual hard disks (VHDs) on a virtual machine that you are configuring as a domain controller. This makes it too easy to revert to a previous version, and it also decreases performance. For more information about VHD types, see New Virtual Hard Disk Wizard (http://go.microsoft.com/fwlink/?LinkID=137279).

  • Do not clone the installation of an operating system without using Sysprep.exe because the security identifier (SID) of the computer will not be updated. For more information about running the System Preparation tool (Sysprep), see "Using virtual hard disks" in Ways to deploy an operating system to a virtual machine (http://go.microsoft.com/fwlink/?LinkId=137100).

  • To help prevent a potential update sequence number (USN) rollback situation, do not use copies of a VHD file that represents an already deployed domain controller to deploy additional domain controllers. The next three items in this list are also recommended to help avoid potential USN rollback. For more information about USN rollback, see Appendix A: Virtualized Domain Controllers and Replication Issues.

  • Do not use the Hyper-V Export feature to export a virtual machine that is running a domain controller.

WarningWarning
Running Sysprep on a domain controller damages the AD DS installation. Use Sysprep before you install the AD DS role to produce a unique security identifier (SID) for that installation.

Physical-to-virtual migration

System Center Virtual Machine Manager (VMM) 2008 provides unified management of physical machines and virtual machines. It also provides the ability to migrate a physical machine to a virtual machine. This process is known as physical-to-virtual machine conversion (P2V conversion). During the P2V conversion process, the new virtual machine and the physical domain controller that is being migrated must not be on at the same time, to avoid a USN rollback situation as described in Appendix A: Virtualized Domain Controllers and Replication Issues.

You should perform P2V conversion using offline mode so that the directory data is consistent when the domain controller is turned back on. The offline mode option is offered and recommended in the Convert Physical Server Wizard. For a description of the difference between online mode and offline mode, see P2V: Converting Physical Computers to Virtual Machines in VMM (http://go.microsoft.com/fwlink/?LinkId=155072). During P2V conversion, the virtual machine should not be connected to the network. The network interface card (NIC) of the virtual machine should be enabled only after the P2V conversion process is complete and verified. At this point, the physical source machine will be off. Do not bring the physical source machine back onto the network again before you reformat the hard disk.

CautionCaution
To prevent issues with Active Directory replication, ensure that only one instance (physical or virtual) of a given domain controller exists on a given network at any point in time.

Using P2V Migration to Create Test Environments

You can use P2V migration through the VMM to create test environments. You can migrate production domain controllers from physical machines to virtual machines to create a test environment without permanently bringing down the production domain controllers. However, the test environment must be on a different network from the production environment if two instances of the same domain controller are to exist. Great care must be taken in the creation of test environments with P2V migration to avoid USN rollbacks that can affect your test and production environments. The following is a method that you can use for creating test environments with P2V.

One in-production domain controller from each domain is migrated to a test virtual machine using P2V according to the guidelines stated in the Physical-to-virtual migration section. The physical production machines and the test virtual machines must be in different networks when they are brought back online. To avoid USN rollbacks in the test environment, all domain controllers that are to be migrated from physical machines to virtual machines must be taken offline. (You can do this by stopping the ntds service or by restarting the computer in Directory Services Restore Mode (DSRM).) After the domain controllers are offline, no new updates should be introduced to the environment. The computers must remain offline during the P2V migration; none of the computers should be brought back online until all the computers have been fully migrated. To learn more about USN rollback, see Appendix A: Virtualized Domain Controllers and Replication Issues.

Subsequent test domain controllers should be promoted as replicas in the test environment.

Time service

For virtual machines that are configured as domain controllers, disable time synchronization with the host through Integration Services. Instead, accept the default Windows Time service (W32time) domain hierarchy time synchronization.

Host time synchronization makes it possible for guest operating systems to synchronize their system clocks with the system clock of the host operating system. Because domain controllers have their own time synchronization mechanism, host time synchronization must be disabled on virtual machines that are configured as domain controllers. If domain controllers synchronize time from their own source and also synchronize time from the host, the domain controller time can change frequently. Because many domain controller tasks are tied to the system time, a jump in the system time could cause lingering objects to be left in the directory and replication to be stopped.

You can disable host time synchronization in the virtual machine settings in the Integration Services section of the Hyper-V Manager by clearing the Time Synchronization check box.

For information about installing and using Integration Services, see the Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkId=137146).

Storage

To optimize the performance of the domain controller virtual machine, use the following recommendations for storing operating system, Active Directory, and VHD files:

  • Guest storage. Store the Active Directory database file (Ntds.dit), log files, and SYSVOL files on a separate virtual disk from the operating system files. Integration Components must be installed so that synthetic drivers can be used for Integrated Drive Electronics (IDE) instead of emulation. Virtual SCSI and IDE disks perform at the same speed when they use synthetic drivers.

  • Host storage of VHD files. Recommendations: Host storage recommendations address storage of VHD files. For maximum performance, do not store VHD files on a disk that is used frequently by other services or applications, such as the system disk on which the host Windows operating system is installed. Store each VHD file on a separate partition from the host operating system and any other VHD files. The ideal configuration is to store each VHD file on a separate physical drive.

  • Fixed VHD versus pass-through disks. There are many ways to configure storage for virtual machines. When VHD files are used, fixed-size VHDs are more efficient than dynamic VHDs because the memory for fixed-size VHDs is allocated when they are created. Pass-through disks, which virtual machines can use to access physical storage media, are even more optimized for performance. Pass-through disks are essentially physical disks or logical unit numbers (LUNs) that are attached to a virtual machine. Pass-through disks do not support the snapshot feature. Therefore, pass-through disks are the preferred hard disk configuration, because the use of snapshots with domain controllers is not recommended.

To reduce the chance of corruption of Active Directory data, use SCSI controllers or disable write caching on ATA/IDE drives:

  • Use SCSI physical drives (as opposed to IDE/ATA drives) on Hyper-V servers that host virtual domain controllers. If you cannot use SCSI drives, ensure that write caching is disabled on the ATA/IDE drives that host virtual domain controllers. For more information, see Event ID 1539 – Database Integrity (http://go.microsoft.com/fwlink/?LinkId=162419).

  • Use virtual SCSI controllers for any virtual machine that runs as a domain controller. If you cannot use virtual SCSI controllers, ensure that write caching is disabled on the virtual IDE drives of virtual machines that run as domain controllers. You can see the type of disk controllers that are installed in the Virtual Machine Manager Settings dialog box. For more information, see Configuring Virtual Machines (http://go.microsoft.com/fwlink/?LinkID=129912).

See Also

Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
Do not export a domain controller?      Aric Bernard ... Kurt Hudson   |   Edit   |   Show History

Why not? Does this mean that a Hyper-V virtualized domain controller cannot be run within the context of a Hyper-V failover cluster?

[tfl - 12 06 09] Hi - and thanks for your post.You should post questions like this to the Technet Forums at http://forums.microsoft.com/technet or the MS Newsgroups at

http://www.microsoft.com/communities/newsgroups/en-us/. You are much more likely get a quick response using the forums than through the Community Content. For specific help about:
Exchange : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.exchange%2C&
SQL Server : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C&
Windows : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows%2C&
Windows Server : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows.server%2C&
Virtual Server : http://groups.google.com/group/microsoft.public.virtualserver/topics?lnk
Full Public : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2Co

Response from Kurt Hudson: No, that is not what is meant by not using the export feature. The export feature is used for migrating virtual machines from one server to another. This could also be used to essentially create a copy of the VM. This can lead to duplicates and USN rollback. A cluster is a different story. A cluster is supposed to include different machines (different security identifers and Active Directory database identifiers). There are some important issues to consider if you are planning to cluster domain controllers, which are discussed in article 281662 in the Microsoft Knowledge base (http://support.microsoft.com/default.aspx/kb/281662). /KurtHudson








Forums related to the subjects covered here      Kurt L Hudson   |   Edit   |   Show History
If you have technical questions related to the subjects covered in this document, you can pose your questions at the Microsoft forums. The two Microsoft forums related to the subject material covered in this document are:



http://social.technet.microsoft.com/Forums/en-US/winserverDS

http://social.technet.microsoft.com/Forums/en-US/winserverhyperv
Tags What's this?: Add a tag
Flag as ContentBug
Note on Time Services      Justin.King   |   Edit   |   Show History
Because ofthe nature of CPU thread splicing/sharing I dont feel relying on a service within the child partition/guest provides the best solution or most accurate time rseults and would recomend contrary to this tehcnet article. With a hypervisor host properly setup, using integration tools would provide much more accurate time with alot less drift overall, and would only require minor modification to the Domain Controller in order to function properly.

For those currious, the root problem is that the w32time service AND the Integration Tools attemptign to fix the clock on the child partition at the same time can cause abnormal swings in time in excess of 5 minutes which will break Kerberos and thus replciation/authentication for the DC and general annoyances all around. However, DCs (along with other roles out there like cluster services) require the w32time service to be running.

The better fix is to modify HKLM/System/CurrentCOntrolSet/Service/W32Time/Parameters/Type and change it from "NT5DS" to "NoSync" so that the time server still participates as a valid time source but doesn't attempt to actually synchronize time, trusting it's clock and thus the Integration Tools. Then you simply modify your Hypervisor to use a reliable source and not Domain Time (to prevent a possible time-lookup loop).

Doing it this way is only slightly more involved than clearing a checkbox in integration services but puts an RTC back into the equasion and thus creates MUCH more reliable time less succeptible to drift due to over-subscribing your CPUs on the host.

At the minimum this should be listed as an option IMO.

Tags What's this?: Add a tag
Flag as ContentBug
© 2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Page view tracker