joeware - never stop exploring... :)


I am sick to death of Microsoft Consultants and VMWare Consultants…

by @ 6:23 pm on 3/4/2013. Filed under tech

…going around telling companies that virtualizing DCs is perfectly safe and there are no concerns without having even the slightest bit of information about the delivery model and environment in question.


If you are talking to someone from one of those two companies (or really any consulting company) and they say something like "virtualizing DCs is perfectly safe" before actually diving in, checking with the delivery team and validating that they are comfortable with the idea and with the extra troubleshooting that is likely required when you have issues (like performance issues), and looking at the environment and how it is working and configured as a whole, just haul off and blast them square in the mouth. They really shouldn't be opening their mouth without having a full understanding of the environment in question.

It is very easy to find enough info to say no, this isn't a good idea; it is much tougher to be sure you can say yes to an environment. Most consultants don't look at it that way because they don't have to support it; they say go do it and then go off to the next company to give them bad advice.

Oh and another thing, the new VMGENID capability of Windows Server 2012 AD and HV is __NOT__ USN Rollback Protection. It just helps reduce the possible spread of stupid ways in which you can encounter it. It is not, nor was it designed to be, a comprehensive, end-all-be-all, there-is-no-way-to-cause-a-problem solution. Maybe it will get there someday but we are not there yet. If you were the type of individual that was bright enough to figure out how to virtualize your DCs but stupid enough to click on the SNAPSHOT buttons then hurray, you are now sort of protected. Otherwise, not much change here folks.

IMO, and this is what I tell people when they ask, we are not much safer now with the VMGENID capability than we were before, assuming you would have been following proper processes and procedures with your virtualized DCs in the first place… In other words, if you determined it wasn't safe for you to do it under Windows 2000, 2003, 2008, or 2008 R2, I don't see enough difference in the products to make it safe now. And keep in mind, someone telling you that you are going to be perfectly safe needs to be right all the time; someone telling you it could screw up only needs to be right once. If you don't have absolutely awesome disaster recovery processes for AD that are regularly tested, you are in no position to consider putting your AD in a position of further risk.
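Since "proper processes" includes knowing when a rollback has already happened, here is an added example (not code from the joeware post) that surveys every DC in the current domain for the standard indicators of a snapshot revert or other unsupported restore. It assumes the ActiveDirectory module, admin rights, and remote event-log and PowerShell remoting access to each DC; the 90-day lookback window is an arbitrary choice.

```powershell
# Added example, not from the joeware post. Survey every DC in the current domain for
# the well-known indicators that a virtualized DC was rolled back by a snapshot revert
# or some other unsupported restore. Assumes: ActiveDirectory module, admin rights, and
# remote event-log / PowerShell remoting access to each DC.
Import-Module ActiveDirectory

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$lookback   = (Get-Date).AddDays(-90)   # arbitrary window for this example

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $fqdn = $dc.HostName

    # Directory Service events: 2095 = USN rollback detected (the DC quarantines itself),
    # 2103 = database restored with an unsupported method, 2170 = a VM Generation ID
    # change was detected (Server 2012+ only; that one is VMGENID doing its job).
    $events = @(Get-WinEvent -ComputerName $fqdn -ErrorAction SilentlyContinue -FilterHashtable @{
                    LogName = 'Directory Service'; Id = 2095, 2103, 2170; StartTime = $lookback })

    # 'DSA Not Writable' = 4 is the flag NTDS sets when it detects USN rollback: the DC
    # stops inbound and outbound replication and pauses Netlogon until it is rebuilt.
    $dsaNotWritable = Invoke-Command -ComputerName $fqdn -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-ItemProperty -Path $using:ntdsParams -ErrorAction SilentlyContinue).'DSA Not Writable'
    }

    # msDS-GenerationId is a non-replicated attribute, so read it from the DC itself.
    # Null means the hypervisor/guest does not expose a VM Generation ID (or pre-2012).
    $genId = (Get-ADObject -Identity $dc.ComputerObjectDN -Server $fqdn `
                -Properties 'msDS-GenerationId').'msDS-GenerationId'
    $genIdHex = if ($genId) { ($genId | ForEach-Object { $_.ToString('x2') }) -join '' } else { '<none>' }

    [pscustomobject]@{
        DC             = $fqdn
        # Baseline the invocation ID; a change with no planned restore behind it is a red flag.
        InvocationId   = $dc.InvocationId
        GenerationId   = $genIdHex
        DsaNotWritable = $dsaNotWritable
        RollbackEvents = $events.Count
        LastEvent      = if ($events) { ($events | Sort-Object TimeCreated -Descending)[0].Message.Split("`n")[0] } else { '' }
        Suspect        = ($null -ne $dsaNotWritable) -or ($events.Count -gt 0)
    }
}

$report | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Run it on a schedule and keep the output: the invocation ID and generation ID columns are only useful when compared against an earlier run, and a DC that is "Suspect" should be isolated and rebuilt rather than allowed to keep replicating.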



P.S. You can tell them that I said it needed to be done and if they want to bitch they can contact me.

P.P.S. I think you can virtualize DCs, but if you are thinking, this is how I can save a ton of money, perhaps you should be reviewing your purposes. I am not a strong proponent of removing redundancy, introducing insecurity, and making an environment more complex on the idea that I might save a little money when the system we are talking about is AD and companies that don’t have a proper functioning AD may cease to exist.

P.P.P.S. Yes I have seen and heard of DCs, Domains, and even forests wiped out due to problems with virtualized DCs. Just because you may not have heard of it, doesn’t mean it doesn’t happen. Most people and companies aren’t all that quick to share info about security breaches and identity system failures.


3 Responses to “I am sick to death of Microsoft Consultants and VMWare Consultants…”

  1. Sysadmin says:

    Bravo dude. Every bit of that post. This is going to be a big issue this year with people thinking they get free Domain Controllers with the new Windows 2012 DataCenter Edition Licensing model.

    BTW, are there any tools for comparing domain controllers to see if they are really in sync with each other and haven’t had rollback issues that slipped through the various “nets”?

    On twitter you mention data corruption, but don’t mention any tools to look for it. What tools should be used?

  2. joe says:

    Sysadmin: Yes, I agree. The new licensing model will force virtualization of Windows in places where previously people thought it out a bit more.

    I am not aware of any DC compare tools from MSFT and haven’t thought about it myself really. I guess you could use my GCChk tool ( to give it a shot. I should look closer at that as I think it is going to become more important. It was initially written to try and help find lingering objects a little faster and in situations where the MSFT methods didn’t work.

    There are several different types of possible corruption from corruption down in the DIT that causes weird issues (like MAPI and LDAP returning different results) up to data corruption up in the top levels of the directory that simply impact applications and AD has no issue with the data and doesn’t respond differently based on the data – say like putting in a fake value for a homeMDB value which could possibly crash Exchange. There is nothing that I am aware of that MSFT has to perform a corruption check at any level. Probably the “best” tool currently for the lowest level stuff is promoting a new DC (not an IFM, but a real promo) because it checks a lot of the data. That being said, I have seen incidents where bad info at the database level still replicated and in fact the only fix was to wipe the DCs involved. In one of them, thankfully the corruption was in the GC partition so a whole domain wasn’t lost because the corruption pre-dated the TSL so none of the backups would have been able to fix it either. That issue had been in place for a long time before someone noticed something breaking in Exchange in an unusual way.

    I had another issue that I eventually ended up having to hack the replication and server objects to force replication. Something (I never got to an RCA) had occurred within a virtual DC that caused it to split the replication topology for an environment and had we just dumped the DCs that had been cut off we would have lost months of changes that had occurred on the segregated DCs and likely have impacted an entire region of the world to the point that most every machine would have required a rejoin and every user would have had to have gotten a password reset and the password somehow relayed to them (without email).
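An added example, not joe's GCChk tool and not a Microsoft tool, of the kind of cross-DC consistency check the question above asks for: per-partition object counts and replication partner state from every DC, plus a per-attribute replication-metadata comparison for one object across all DCs, which is what actually exposes a DC whose re-used USNs kept it from converging. It assumes the ActiveDirectory module and LDAP access to every DC in the domain; the object compared at the end (the domain head) is just an illustrative choice.

```powershell
# Added example: not GCChk and not a Microsoft tool. Two coarse "are my DCs really in
# sync" checks. Assumes the ActiveDirectory module and LDAP access to every DC.
Import-Module ActiveDirectory

# 1. Per-DC, per-partition object counts plus highestCommittedUSN and partner state.
function Get-DcPartitionSnapshot {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName)

    foreach ($dc in $DomainControllers) {
        $root     = Get-ADRootDSE -Server $dc
        $partners = @(Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both -ErrorAction SilentlyContinue)
        $oldest   = ($partners | Sort-Object LastReplicationSuccess | Select-Object -First 1).LastReplicationSuccess
        foreach ($nc in @($root.defaultNamingContext, $root.configurationNamingContext, $root.schemaNamingContext)) {
            $count = (Get-ADObject -Server $dc -SearchBase $nc -SearchScope Subtree -Filter * -ResultSetSize $null |
                      Measure-Object).Count
            [pscustomobject]@{
                DC                   = $dc
                Partition            = $nc
                ObjectCount          = $count
                HighestCommittedUSN  = $root.highestCommittedUSN
                MaxConsecutiveFails  = ($partners | Measure-Object ConsecutiveReplicationFailures -Maximum).Maximum
                OldestPartnerSuccess = $oldest
            }
        }
    }
}

# Flag partitions whose object counts disagree across DCs. Counts lag by replication
# latency, so run this in a quiet window; a persistent spread is what matters.
function Compare-DcPartitionCounts {
    param($Snapshot)
    $Snapshot | Group-Object Partition | ForEach-Object {
        $counts = @($_.Group.ObjectCount)
        $min = ($counts | Measure-Object -Minimum).Minimum
        $max = ($counts | Measure-Object -Maximum).Maximum
        [pscustomobject]@{ Partition = $_.Name; Min = $min; Max = $max; Spread = $max - $min; Divergent = ($max -ne $min) }
    }
}

# 2. Per-attribute replication metadata for one object, read from every DC. An attribute
# whose Version differs between DCs long after its last originating change never
# converged: exactly what a rolled-back DC that re-used USNs produces.
function Compare-ObjectMetadataAcrossDcs {
    param([string]$Identity, [string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName)

    $meta = foreach ($dc in $DomainControllers) {
        Get-ADReplicationAttributeMetadata -Object $Identity -Server $dc -ErrorAction SilentlyContinue |
            Select-Object @{n = 'DC'; e = { $dc }}, AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeUsn
    }
    $meta | Group-Object AttributeName |
        Where-Object { @($_.Group.Version | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object { $_.Group } | Sort-Object AttributeName, DC
}

# Usage: the domain head is an illustrative object; pick whatever object you care about.
$snap = Get-DcPartitionSnapshot
$snap | Format-Table -AutoSize
Compare-DcPartitionCounts -Snapshot $snap | Format-Table -AutoSize
Compare-ObjectMetadataAcrossDcs -Identity (Get-ADDomain).DistinguishedName | Format-Table -AutoSize
```

Object counts alone cannot see divergent attribute values, which is why the second function exists; an empty result from it means every DC agrees on that object's attribute versions, and any rows it does return name the DC and attribute to investigate with repadmin.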

  3. Awinish says:

    Even I'm not a big fan of virtualization, but due to growing pressure to reduce the cost of infra, most clients ignore the security standpoint while adopting virtualization of anything/everything. There is a misconception about VMGENID among the masses that if it supports VMGENID, you can go ahead & virtualize DCs. A consultant who wants to sell their services commits to anything for the client & later, when the deal is signed, the consultant disappears. The guy who remains is the admin, who can't find himself in a position to state the harm (due to virtualizing DCs w/o proper understanding) vs. the reduction.
