AD DS: This domain controller should comply with the recommended best practices guidelines because it is running on a VM

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Warning

Category

Configuration

Issue

The AD DS server role on this domain controller is installed on a virtual machine (VM).

Hyper-V™ is a hypervisor-based server technology that is optimized to provide virtualization of operating systems. With Hyper-V, you can install a Windows Server domain controller as a VM alongside other application servers on a single physical Windows Server 2008 or Windows Server 2008 R2 server. This can drastically reduce the number of physical computers in a datacenter, which in turn can reduce management and energy costs.

Impact

If a domain controller that is running on a VM does not comply with the recommended best practices guidelines, the Active Directory environment is at risk of experiencing various security and replication problems.

Resolution

Make sure that this domain controller complies with the best practices guidelines that are described below to avoid performance issues and replication and security failures in the Active Directory environment.

The following are practices that you should follow when you deploy domain controllers on VMs. For more information about running domain controllers in Hyper-V and for special considerations for time synchronization and storage, see Running Domain Controllers in Hyper-V (https://go.microsoft.com/fwlink/?LinkID=139651).

Deployment considerations:

  • Do not implement differencing-disk virtual hard disks (VHDs) on a VM that you are configuring as a domain controller. This makes it too easy to revert to a previous version, and it can potentially lead to update sequence number (USN) rollback and replication failures. Using differencing disks also decreases performance. For more information about USN rollback, see Appendix A: Virtualized Domain Controllers and Replication Issues (https://go.microsoft.com/fwlink/?LinkId=148266).

    For more information about VHD types, see New Virtual Hard Disk Wizard (https://go.microsoft.com/fwlink/?LinkID=137279).

  • Do not clone the installation of an operating system without using Sysprep.exe because the security identifier (SID) of the computer will not be updated. For more information about running the System Preparation tool (Sysprep), see "Using virtual hard disks" in Ways to deploy an operating system to a virtual machine (https://go.microsoft.com/fwlink/?LinkId=137100).

  • Do not use copies of a VHD file that represents an already deployed domain controller to deploy additional domain controllers. This can potentially lead to a USN rollback and replication errors.

Operational considerations:

  • Do not pause, stop, or store the saved state of a domain controller in a VM for time periods longer than the tombstone lifetime of the forest and then resume from the paused or saved state. This can lead to problems with lingering objects in your environment. To learn how to determine the tombstone lifetime for your forest, see Determine the Tombstone Lifetime for the Forest (https://go.microsoft.com/fwlink/?LinkId=137177).

  • Do not copy or clone VHDs.

  • Do not take or use a snapshot of a virtual domain controller.

  • Do not use the Export feature on a VM that is running a domain controller.

  • Do not restore a domain controller or attempt to roll back the contents of an Active Directory database by any means other than using a supported backup. For more information, see Backup and Restore Considerations for Virtualized Domain Controllers (https://go.microsoft.com/fwlink/?LinkId=148267).

Additional references

For more information about running domain controllers in Hyper-V, see Running Domain Controllers in Hyper-V (https://go.microsoft.com/fwlink/?LinkID=139651).