Before you begin the process of turning your domain controllers into virtual machines, there are several things you should consider. First, you should be aware of the advantages and disadvantages of turning your domain controllers into virtual machines. You should also be aware of the hardware requirements for setting up a Hyper-V server. Both of these subjects are discussed in the following sections of this topic.
If you do decide to create virtual domain controllers, see the later sections of this topic for information about selecting the appropriate type of configuration for your Hyper-V servers and virtual machines. Security and performance decisions are also discussed.
Considering domain controller virtualization
Before you turn domain controllers into virtual machines, carefully consider the advantages and disadvantages of doing this. With Hyper-V, the difference between physical machines and virtual machines is decreasing. However, there are still important factors that can help you determine whether a domain controller should be virtualized.
Advantages of domain controller virtualization
Virtualized domain controllers can have the following advantages:
-
Consolidation. You can consolidate multiple domain controllers with other application servers onto comparatively fewer servers with Hyper-V. If you have multiple domain controllers in a hub site serving a small domain that has a presence in one or more other sites, you do not have to deploy multiple physical domain controllers to provide for bridgehead servers and redundancy support.
-
Testing. Because testing environments rarely require high-performance domain controllers, you can set up a test configuration that represents your production environment using much less hardware than was required before virtualization technology was available. You can represent dozens of domain controllers on a few physical computers that have the same Active Directory configuration (including domains and sites) as your production domain controllers. You can test complex changes, such as schema changes or large-scale Active Directory site or replication changes, before you make these changes in your production environment.
-
Deployment. The hardware environment that Hyper-V emulates remains unchanged throughout the life of a virtual machine, regardless of the underlying native hardware to which you might transfer the virtual machine. Therefore, you can vary server hardware in a preproduction environment to build and test the images even though the intended production server may be significantly different.
-
Performance. If you follow all the performance recommendations in the topics in this guide, you can expect a decrease in performance of only 2 percent to 12 percent on a single domain controller that is running in a virtual machine under heavy load compared to one domain controller that is running on native hardware with the same specifications.
Disadvantages of domain controller virtualization
This guide contains important information about the risks of running domain controller virtual machines in a production environment. Virtual hard disk (VHD) files can be easily used and—potentially—easily misused, which is why it is important to manage them carefully when you deploy them in a production environment. When you consider whether to run domain controllers in virtual machines, remember that mishandling VHD image files can result in forest-wide corruption. Mishandling a VHD file could be as easy as starting an older copy of a VHD file or copying a VHD file to a different place on the network and running multiple copies at the same time.
Virtualized domain controllers can have the following disadvantages:
-
Administration. In a production environment, data corruption that affects the entire forest can result from deliberate or inadvertent misuse of VHD files. In most cases, improper restore conditions are detected by the operating system and replication is stopped. However, this cannot guarantee the protection of data under all circumstances. To protect your forest against the effects of improperly restoring a domain controller that is running in a virtual machine, make sure that all the administrators in your organization review the information in Appendix A: Virtualized Domain Controllers and Replication Issues.
-
Security and handling of image files. Anyone who handles VHD files or has other access to VHD files must be highly trusted in the organization and a member of trusted security groups in the forest. Any user who has the ability to copy a VHD file effectively owns the forest and its data. An attacker or unauthorized administrator could use a copied virtual machine file to compromise passwords or corrupt the forest. Also, unlike the theft of a physical computer, theft of a VHD file is more likely to go undetected. Therefore, you should secure the VHD files for the host operating system and the guest operating system with the same physical restrictions and software restrictions that you use to secure a physical domain controller. These restrictions include controlling access to the files and auditing file access as discussed in “Security considerations” later in this topic.
Hyper-V requirements
To install and use the Hyper-V role, you must have the following:
-
An x64 processor. Hyper-V is available in x64-based versions of Windows Server 2008—specifically, the x64-based versions of Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008 Datacenter.
-
Hardware-assisted virtualization. This feature is available in processors that include a virtualization option, specifically, Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V).
-
Hardware Data Execution Protection (DEP). Hardware DEP must be available and enabled. Specifically, you must enable Intel XD bit (execute disable bit) or AMD NX bit (no execute bit).
Planning to keep some physical domain controllers
You should retain one or two physical domain controllers per domain in your Active Directory infrastructure. An issue that is specific to virtualization software or the hardware on which it runs can interrupt services on every domain controller in the domain, or even in the forest. If possible, diversify the hardware that you use to host domain controllers so that a single hardware issue cannot interrupt your Active Directory services.
Security considerations
The host computer on which virtual domain controllers are running must be managed as carefully as a writeable domain controller, even if that computer is only a domain-joined or workgroup computer. This is an important security consideration. A mismanaged host is vulnerable to an elevation-of-privilege attack, which occurs when a malicious user gains access and system privileges that were not authorized or legitimately assigned. A malicious user can use this type of attack to compromise all the virtual machines, domains, and forests that this computer hosts.
Be sure to keep the following security considerations in mind when you are planning to virtualize domain controllers:
-
The local administrator of a computer that hosts virtual, writeable domain controllers should be considered equivalent in credentials to the default domain administrator of all the domains and forests that those domain controllers belong to.
-
The recommended configuration to avoid security and performance issues is a host running a Server Core installation of Windows Server 2008, with no applications other than Hyper-V. This configuration limits the number of applications and services that are installed on the server, which should result in increased performance and fewer applications and services that could be maliciously exploited to attack the computer or network. The effect of this type of configuration is known as a reduced attack surface. In a branch office or other locations that cannot be satisfactorily secured, a read-only domain controller (RODC) is recommended. If a separate management network exists, we recommend that the host be connected only to the management network.
For information about RODCs, see Read-Only Domain Controller Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkID=135993).
For more information about securing domain controllers, see Best Practice Guide for Securing Active Directory Installations (http://go.microsoft.com/fwlink/?LinkID=28521).
Security boundaries
Using virtual machines makes it possible to have many different configurations of domain controllers. Careful consideration must be given to the way that virtual machines affect boundaries and trusts in your Active Directory topology. Possible configurations for an Active Directory domain controller and host (Hyper-V server) and its guest computers (virtual machines running on the Hyper-V server) are described in the following table.
|
Machine
|
Configuration 1
|
Configuration 2
|
Configuration 3
|
|
Host
|
Workgroup or member computer
|
Domain controller
|
Domain controller
|
|
Guest
|
Domain controller
|
Workgroup or member computer
|
Domain controller
|
.gif)
Configuration 1 is the recommended configuration of domain controllers when you use Hyper-V. In this configuration, the following items must be taken into consideration:
-
The administrator on the host computer has the same access as a domain administrator on the writable domain controller guests and must be treated as such. In the case of an RODC guest, the administrator of the host computer has the same access as a local administrator on the guest RODC.
-
A domain controller in a virtual machine has administrative rights on the host if the host is joined to the same domain. There is an opportunity for a malicious user to compromise all virtual machines if the malicious user first gains access to Virtual Machine 1. This is known as an attack vector. If there are domain controllers for multiple domains or forests, these domains should have centralized administration in which the administrator of one domain is trusted on all domains.
-
The opportunity for attack from Virtual Machine 1 exists even if Virtual Machine 1 is installed as an RODC. Although an administrator of an RODC does not explicitly have domain administrator rights, the RODC can be used to send policies to the host computer. These policies might include startup scripts. If this operation is successful, the host computer can be compromised, and it can then be used to compromise the other virtual machines on the host computer.
In Configuration 2, the host computer is a domain controller with the Hyper-V role enabled. However, if Active Directory Domain Services (AD DS) is configured to use constrained delegation, Service Principle Names (SPNs) will not be automatically created for virtual machines (that is, for non-domain-controller virtual machines. Therefore, these SPNs must be created manually. To add SPNs for the constrained delegation, complete the following procedure.
On the domain controller that is running Hyper-V and for which you want to configure constrained delegation, perform the following procedure.
To create SPNs manually
-
Open an elevated Command Prompt window. To open an elevated Command Prompt window, click Start. In Start Search, type Command Prompt. In the Start menu, right-click Command Prompt, and then click Run as administrator.
-
At the command prompt, type the following commands, and then press ENTER:
SETSPN -A Microsoft Virtual Console Service/<NetBIOS name> <NetBIOS name>
SETSPN -A Microsoft Virtual Console Service/<FQDN> <NetBIOS name>
In these SETSPN commands, type the NetBIOS computer name of the domain controller (for example, SERVER1) for <NetBIOS name>. For <FQDN> type the fully qualified domain name (FQDN) of the domain controller (for example, server1.corp.contoso.com).
.gif) Note |
|
As a result of the way that Setspn.exe processes information, you must type the NetBIOS name twice, separated by a space, where indicated. |
For more information about constrained delegation, see Kerberos Protocol Transition and Constrained Delegation (http://go.microsoft.com/fwlink/?LinkId=137041).
In configuration 3, both host and guests are domain controllers. This configuration does not raise any security issues as long as all domain controllers are from the same forest. In this case, a user who is logged on to the Hyper-V server (host) should be considered to have default domain-administrator-level permissions in the domains of the virtual domain controllers (guests).
Security of VHD files
A VHD file of a virtual domain controller is equivalent to the physical hard drive of a physical domain controller. As such, it should be protected with the same amount of care that goes into securing the hard drive of a physical domain controller. Make sure that only reliable and trusted administrators are allowed access to the domain controller’s VHD files.
RODCs
One benefit of RODCs is the ability to place them at locations where physical security cannot be guaranteed, such as at branch offices. In this case, more effort must be made to mitigate the effects of an attack. You can use Windows® BitLocker™ Drive Encryption to protect VHD files from being compromised on the host through theft of the physical disk.
For more information about BitLocker in Hyper-V, see Windows Server 2008 Hyper-V and BitLocker Drive Encryption (http://go.microsoft.com/fwlink/?LinkID=123534).
Performance
With the new microkernel 64-bit architecture, there are significant increases in Hyper-V performance from previous virtualization platforms. For best host performance, the host should be a Server Core installation of Windows Server 2008, and it should not have server roles other than Hyper-V installed.
Performance of virtual machines depends specifically on the workload. To guarantee satisfactory Active Directory performance, test specific topologies. Assess the current workload over a period of time with a tool such as the Reliability and Performance Monitor (Perfmon.msc) or the Microsoft Assessment and Planning (MAP) toolkit (http://go.microsoft.com/fwlink/?LinkId=137077). The MAP tool can also be valuable if you want to take an inventory of all of the servers and server roles that currently exist in your network.
To get a general idea of the performance of virtualized domain controllers, the following performance tests were carried out with the Active Directory Performance Testing Tool (ADTest.exe)(http://go.microsoft.com/fwlink/?LinkId=137088).
Lightweight Directory Access Protocol (LDAP) tests were run on a physical domain controller with ADTest.exe and then on a virtual machine that was hosted on a server that was identical to the physical domain controller. Only one logical processor was used for the physical computer, and only one virtual processor was used for the virtual machine to easily reach 100-percent CPU utilization. In the following table, the letter and number in parenthesis after each test indicate the specific test in ADTest.exe. As this data shows, virtualized domain controller performance was 88 to 98 percent of the physical domain controller performance.
|
Measurement
|
Test
|
Physical
|
Virtual
|
Delta
|
|
Searches/sec
|
Search for common name in base scope (L1)
|
11508
|
10276
|
89.29%
|
|
Searches/sec
|
Search for a set of attributes in base scope (L2)
|
10123
|
9005
|
88.96%
|
|
Searches/sec
|
Search for all attributes in base scope (L3)
|
1284
|
1242
|
96.73%
|
|
Searches/sec
|
Search for common name in subtree scope (L6)
|
8613
|
7904
|
91.77%
|
|
Successful binds/sec
|
Perform fast binds (B1)
|
1438
|
1374
|
95.55%
|
|
Successful binds/sec
|
Perform simple binds (B2)
|
611
|
550
|
90.02%
|
|
Successful binds/sec
|
Use NTLM to perform binds (B5)
|
1068
|
1056
|
98.88%
|
|
Writes/sec
|
Write multiple attributes (W2)
|
6467
|
5885
|
91.00%
|
To ensure satisfactory performance, integration components (IC) were installed to allow the guest operating system to use “enlightenments,” or hypervisor-aware synthetic drivers. During the installation process, it may be necessary to use emulated Integrated Drive Electronics (IDE) or network interface card (NIC) drivers. In production environments, you should replace these emulated drivers with synthetic drivers to increase performance.
When you monitor performance of virtual machines with Reliability and Performance Manager (Perfmon.msc), within the virtual machine the CPU information will not be entirely accurate as a result of the way the virtual CPU is scheduled on the physical processor. When you want to obtain CPU information for a virtual machine that is running on a Hyper-V server, use the Hyper-V Hypervisor Logical Processor counters in the host partition.
For more information about performance tuning of both AD DS and Hyper-V, see Performance Tuning Guidelines for Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=137276).
Also, do not plan to use a differencing disk VHD on a virtual machine that is configured as a domain controller because the differencing disk VHD can reduce performance. To learn more about Hyper-V disk types, including differencing disks, see New Virtual Hard Disk Wizard (http://go.microsoft.com/fwlink/?LinkId=137279).
Operations master roles
Domain controllers that hold most operations master (also known as flexible single master operations or FSMO) roles do not have significantly more load than other domain controllers. Therefore, they do not need special consideration for virtualization. Bridgehead servers do not need special consideration in terms of performance.
The one exception is the primary domain controller (PDC) emulator operations master role, which in general has higher processor load than other operations master roles. As a result, you may decide to use a physical computer to host the PDC emulator role to improve performance.
Global catalog servers and Exchange
Domain controllers that are configured as global catalog servers, which typically provide directory services for servers running Microsoft Exchange Server, may experience performance loads that are greater than the other domain controllers in your network. For example, when Exchange servers expand distribution lists, they can place a significant load on the domain controllers that provide global catalog services. For performance reasons, consider using physical servers instead of virtual machines for those global catalog servers that provide directory services to Exchange servers.