…going around telling companies that virtualizing DCs is perfectly safe and there are no concerns without having even the slightest bit of information about the delivery model and environment in question.
If someone from one of those two companies, or really from any consulting company, tells you that virtualizing DCs is perfectly safe before they have actually dug in, checked with the delivery team and validated that the team is comfortable with the idea of it and with the extra troubleshooting that is likely to be required when you have issues (like performance issues), and looked at the environment as a whole and how it is configured and working, just haul off and blast them square in the mouth. They really shouldn't be opening their mouth without a full understanding of the environment in question.
It is very easy to find enough info to say no, this isn't a good idea; it is much tougher to be sure enough to say yes to an environment. Most consultants don't look at it that way because they don't have to support it: they say go do it and then head off to the next company to give them bad advice.
Oh, and another thing: the new VMGENID (VM Generation ID) capability in Windows Server 2012 AD and Hyper-V is __NOT__ USN rollback protection. It just reduces the spread of stupid ways in which you can encounter it. It is not, nor was it designed to be, a comprehensive, end-all-be-all, there-is-no-way-to-cause-a-problem solution. Maybe it will get there some day, but we are not there yet. The hypervisor has to support and expose the generation ID to the guest in the first place, and the ID only changes for operations the hypervisor knows about (reverting a snapshot, restoring or importing a VM); an old copy of the VHD dropped back into place underneath the same VM leaves the ID alone, and the DC rolls back just like it did on 2008 R2. If you were the type of individual that was bright enough to figure out how to virtualize your DCs but stupid enough to click on the SNAPSHOT button, then hurray, you are now sort of protected. Otherwise, not much change here, folks.
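Added example, not the original post's code: a PowerShell check that shows, per DC, whether the hypervisor is actually exposing a VM Generation ID to that DC (the msDS-GenerationId attribute on its computer object is only populated when it is) and whether the DC has already detected a USN rollback and quarantined itself (the `DSA Not Writable` value of 4 under the NTDS Parameters key, plus Directory Service events 2170, 2095 and 2103). It assumes the RSAT ActiveDirectory module and WinRM access to each DC as a domain admin; the event IDs and registry value come from Microsoft's USN rollback and virtualized DC documentation, so confirm them against the OS version you run.

```powershell
# Added example, not from the original post. Assumes: RSAT ActiveDirectory module,
# WinRM reachable on every DC, and an account allowed to read the NTDS registry key.
Import-Module ActiveDirectory

function Get-DcVirtualizationSafeguardState {
    $dcs = Get-ADDomainController -Filter *

    foreach ($dc in $dcs) {
        # Read the DC's own copy of its computer object (-Server): a quarantined DC
        # has replication disabled, so another DC's copy may be stale.
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN `
                               -Properties 'msDS-GenerationId' -Server $dc.HostName
        $genId = $comp.'msDS-GenerationId'   # byte[] when exposed, $null otherwise

        # No msDS-GenerationId means no VM-GenID was ever presented to this guest:
        # physical box, or a hypervisor that does not support the feature. Either
        # way VMGENID is doing nothing for it.
        $genIdHex = if ($genId) {
            ($genId | ForEach-Object { $_.ToString('x2') }) -join ''
        } else {
            '<none: no VM-GenID exposed>'
        }

        $remote = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            # AD sets 'DSA Not Writable' = 4 when it detects a USN rollback and
            # quarantines itself (inbound/outbound replication disabled, Netlogon paused).
            $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                                  -Name 'DSA Not Writable' -ErrorAction SilentlyContinue

            # 2170: generation ID change detected (the VMGENID path: snapshot revert / restore)
            # 2095: USN rollback detected by a replication partner
            # 2103: database restored by an unsupported method, replication disabled
            $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2170, 2095, 2103 } `
                                   -MaxEvents 20 -ErrorAction SilentlyContinue

            [pscustomobject]@{
                DsaNotWritable = if ($p) { $p.'DSA Not Writable' } else { 0 }
                Events         = $events | Select-Object TimeCreated, Id,
                                   @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
            }
        }

        [pscustomobject]@{
            DC                     = $dc.HostName
            VMGenerationId         = $genIdHex
            UsnRollbackQuarantined = ($remote.DsaNotWritable -eq 4)
            RecentSafeguardEvents  = $remote.Events
        }
    }
}

Get-DcVirtualizationSafeguardState | Format-List
```

A DC that reports `UsnRollbackQuarantined = True`, or one with no VM Generation ID at all, is exactly the "not much change here" case from the paragraph above: the 2012 safeguards either never engaged or have already been bypassed, and you are back to the forced-demote-and-repromote (or metadata cleanup) recovery you would have used on 2008 R2.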
IMO, what I tell people when they ask is that we are not much safer now with the VMGENID capability than we were before, assuming you would have been following proper processes and procedures with your virtualized DCs in the first place. In other words, if you determined it wasn't safe for you to do it under Windows 2000, 2003, 2008 or 2008 R2, I don't see enough difference in the products to make it safe now. And keep in mind, someone telling you that you are going to be perfectly safe needs to be right all the time; someone telling you it could screw up only needs to be right once. If you don't have absolutely awesome disaster recovery processes for AD that are regularly tested, you are in no position to consider putting your AD in a position of further risk.
P.S. You can tell them that I said it needed to be done and if they want to bitch they can contact me.
P.P.S. I think you can virtualize DCs, but if you are thinking "this is how I can save a ton of money", perhaps you should be reviewing your purposes. I am not a strong proponent of removing redundancy, introducing insecurity, and making an environment more complex on the idea that I might save a little money when the system we are talking about is AD, and companies that don't have a properly functioning AD may cease to exist.
P.P.P.S. Yes, I have seen and heard of DCs, domains, and even forests wiped out due to problems with virtualized DCs. Just because you may not have heard of it doesn't mean it doesn't happen. Most people and companies aren't all that quick to share info about security breaches and identity system failures.