joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Virtualizing Domain Controllers

by @ 8:37 pm on 11/1/2006. Filed under tech

Gary Olsen wrote a very good, IMO, article on virtualizing domain controllers for SearchWinIT / TechTarget. You can see it here

http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1227204,00.html?track=NL-118&ad=568999&asrc=EM_NLN_693996&uid=320601

He touches on a lot of the points and pitfalls around doing this…

In general, I am not for virtualizing DCs in production except in very specific, well-defined cases. Those specific cases are primarily lag sites, which you know will not receive much if any real use, and sometimes I can be convinced that you should do it in WAN sites that are small. I like virtuals in test because you often don’t get much hardware for test and this fits the bill, and if it gets really whacked, you start over…

The reasons for not giving a general thumbs up come down to security, the belief that the tech isn’t completely there for it yet[1], and mostly because I don’t think Windows admins in general are really good enough yet. There definitely are exceptions, but I am finding more and more that companies are trying to treat AD like a commodity or utility and just tossing any old Windows admins at it, and that works fine right up until it breaks; then you are in a massively bad spot. I have seen ADs run by really good people that have had issues; having ADs run by folks not truly knowledgeable and focused on AD while using virtualization is, again IMO, a recipe for disaster.

A question I find that many folks who otherwise seem relatively knowledgeable about AD seem not to have thought about with virtual DCs is: what are the recovery plans for a failed host? A failed guest is easy: clean up AD and redeploy a previous file where the DC wasn’t a DC and promote it, or do a systemstate restore. But a failed host… Every plan I have seen yet, IF there was a plan at all[2], was to recover all of the host DASD from tape… WHOOPS. No, that won’t work; the plan should be to rebuild (or recover from systemstate backup) every virtual DC on that host… Why? Because it is the same case as if you lost just a guest OS DC… You know why you don’t roll back to a previous file in that case, right? The lack of understanding I have encountered, even in allegedly well-informed people, that you also do that for a host failure is a bit disturbing to me when I run into it, because it calls into question whether people really understand or are just regurgitating what someone else said. That can be difficult to ascertain in people who believe what they are saying and say it with authority to those who don’t know.

AD is a distributed application with very critical interconnections; you NEVER roll it back unless you have but a single domain controller or ADAM instance. Failure to follow that guidance can lead you down a very evil path of data divergence, and you don’t want to go there.

   joe

 

 

[1] As Gary mentions, your big use items on DCs are disk and memory, and that isn’t what virtualization is good at sharing.

[2] Why do people think that a normal server can fail but can’t imagine a virtual host failing?
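
Why the rollback described above ends in data divergence, as an added example that is not part of the original post: a simplified Python model of AD's update-sequence-number (USN) replication, in which a partner only applies changes numbered above the highest it has already seen from a given DC database identity. The class, its method names and the sample accounts are constructed for illustration.

```python
import uuid

class DC:
    """Toy domain controller: a local update counter (USN) plus a database identity."""
    def __init__(self):
        self.invocation_id = uuid.uuid4().hex  # identity partners track watermarks against
        self.usn = 0                           # local update sequence number
        self.data = {}                         # key -> (value, origin_id, origin_usn)
        self.seen = {}                         # origin_id -> highest USN applied from it

    def write(self, key, value):
        self.usn += 1
        self.data[key] = (value, self.invocation_id, self.usn)

    def pull_from(self, src):
        """Apply only changes above the watermark held for each originating identity."""
        before = dict(self.seen)
        for key, (value, origin, usn) in src.data.items():
            known = self.usn if origin == self.invocation_id else before.get(origin, 0)
            if usn > known:
                self.data[key] = (value, origin, usn)
                self.seen[origin] = max(self.seen.get(origin, 0), usn)

    def snapshot(self):
        return self.invocation_id, self.usn, dict(self.data), dict(self.seen)

    def rollback(self, snap):
        """File/image-level restore: the old counter and the old identity both return."""
        self.invocation_id, self.usn, data, seen = snap
        self.data, self.seen = dict(data), dict(seen)

    def supported_restore(self, snap):
        """Same old data, but a new identity, so partners start a fresh watermark."""
        self.rollback(snap)
        self.seen[self.invocation_id] = self.usn   # remember how far the old identity got
        self.invocation_id = uuid.uuid4().hex

def scenario(restore):
    a, b = DC(), DC()
    a.write("alice", "enabled"); b.pull_from(a)
    snap = a.snapshot()                            # image of the guest is taken here
    a.write("alice", "disabled"); b.pull_from(a)   # account disabled afterwards
    restore(a, snap)                               # host fails, DC is brought back
    a.write("bob", "enabled")                      # new change on the restored DC
    b.pull_from(a); a.pull_from(b)                 # replicate in both directions
    return [{k: v[0] for k, v in dc.data.items()} for dc in (a, b)]

if __name__ == "__main__":
    print("rolled back:", scenario(DC.rollback))
    print("restored:   ", scenario(DC.supported_restore))
```

In the rolled-back run the restored DC reuses a USN its partner has already seen, so the account that was disabled stays enabled on one DC and the new account never reaches the other, and no later replication cycle repairs it.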


One Response to “Virtualizing Domain Controllers”

  1. Fred says:

    [2] Why do people think that a normal server can fail but can’t imagine a virtual host failing?

    Em, because it’s virtual? 🙂

    I have to say, this is a great resource you’ve pointed out and I wholeheartedly agree with you that introducing virtualization increases the complexity of things quite a bit, definitely beyond a lot of Windows admins I know.

    Another good post, Joe.
