Virtualising Windows Domain controllers?

What are the recommended setups when virtualising Windows Domain controllers?

In a small setup with 2x physical servers, both with virtualised clients, will this work?


Server 1 physical (host) DC
-- Server 2 virtual (client) DC
-- Server 3

Server 4 physical (host) DC
-- Server 5 virtual (client) DC
-- Server 6

The idea being that either of the physical machines can fail or be taken off for maintenance and the other one can carry on validating requests. The virtual client DC machines are there purely to hold a backup of the AD global catalogue.
 
The idea of having 2 DCs is pretty much so one can validate requests if the other is off... and so you have a live backup of the AD.

You will end up spending a lot of money for two DCs once you have added shared storage.

However, virtual is nice if you want to upgrade the server at a later date. I have to admit being free from hardware is nice...
 
Not sure why you'd want four DCs out of six servers; two should be plenty in most situations (depending on users). Generally, having a DC and the virtualisation role on one server would not be recommended.

- How many users do you have?
- What are you using for virtualization?
 
I left out the fact the client already has a SAN, they are wanting to do hot failover using Hyper-V for all virtual clients.

My diagram is also not 100% accurate; there are actually 4x virtual clients per physical box.

I've read about the circular dependency you can get by joining the physical machine to a virtual domain so thought it best to have a DC on both a virtual and physical machine per hardware box.

I guess my choices are really DC on each of the physical machines, with virtual machines as domain members
or
One virtual DC on each hardware stack with the physical machines left in a workgroup (they will be core installs anyway, just to host the Hyper-V role)
 
Seems like a badly designed, overcomplicated configuration. Assuming these are standalone Hyper-V boxes, you're achieving nothing by adding the virtual ones.

If they are SAN connected, quick migration enabled hosts, the physical ones serve no purpose.
 
Yeah, I would say it's overcomplicated. I guess they are worried about having a situation where no DC is available for client requests. It's made my head hurt reading the TechNet forums on all the different configurations this afternoon, hence asking here for a sensible answer.

Seeing as we have a SAN to play with I'll test this tomorrow morning to show them how we can simplify it.
 
If you just have the physical host as a DC, or one virtual DC per host, you can still lose a physical server. You add no benefit by having both.
 
Can I offer them a figure for the computing power wasted if they choose to run these unnecessary DCs? 5%, 10%, 15% overhead?

Just so I've got some plus points to use in the meeting when I suggest they are dropped as a waste of hardware resources.
 
What do people do about having a HyperV host being a member of a domain for which the domain is a VM on that host?

The HyperV will boot up and not be able to reach the domain because the VM for it hasn't started yet...

I hate circular dependencies like this.

Currently, I've not joined our VM hosts to the domain. Until I have a decent solution.
 
That's why you'd have multiple DCs across your hosts.

You get a similar sort of circular dependency with VMware when you virtualise vCenter and DCs; it takes some careful planning to ensure everything comes up in the right order :)
 

We were going to run a DC VM on a few of the hosts. But it still doesn't totally solve the issue. There is still a possibility of the hosts booting up all at the same time (say after some planned maintenance) and not being able to contact a DC.
 
What does that solve? HyperV isn't the issue here.

Because you don't need to join an ESXi host to the domain to manage or secure it. So Hyper-V is kind of the issue, as it's Windows based.


Could the planned maintenance not be planned so the hosts reboot at different times?

Awesome, so you can screw your domain and the VMs on it in one fell swoop. :D

Indeed, although you have to do something pretty spectacular for that to happen! It's probably not best practice, but let's be honest - what is with Microsoft?

Best solution is a non-Windows-based hypervisor, a virtual DC and a physical DC.
 
Host servers should NOT be a DC
Host servers should NOT be a member of the domain.

Host server should have a static IP and not be a member server. Therefore host can boot up without any problems at all, and then boot the virtual DC.

No need to use ESXi here, Hyper-V is not the issue, the planned implementation is.
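The start-up ordering described in the posts above (host boots on its own as a non-member with a static IP, then brings up the virtual DC before anything that needs to authenticate) can be made explicit on a standalone Hyper-V host. The following is an added example, not code from anyone in this thread; it assumes the Hyper-V PowerShell module (Windows Server 2012 or later), hypothetical VM names DC01, APP01 and APP02, and a hypothetical DC address of 10.0.0.10. Because the host is in a workgroup and may not resolve the domain's DNS, the check goes to the DC's IP address rather than its name.

```powershell
# Added example (not from the thread). Assumptions: Hyper-V PowerShell module,
# hypothetical VM names DC01/APP01/APP02 and a hypothetical DC IP of 10.0.0.10.
Import-Module Hyper-V

$DcVm      = 'DC01'
$DcAddress = '10.0.0.10'        # assumed; host is not domain-joined, so avoid relying on AD DNS
$MemberVms = 'APP01', 'APP02'

# The DC always starts first, with no delay, whenever the host boots.
Set-VM -Name $DcVm -AutomaticStartAction Start -AutomaticStartDelay 0

# Domain members only auto-start if they were running at shutdown, and wait
# two minutes so the DC has time to boot and start answering before they log on.
foreach ($vm in $MemberVms) {
    Set-VM -Name $vm -AutomaticStartAction StartIfRunning -AutomaticStartDelay 120
}

# Show the resulting start-up configuration for all three VMs.
Get-VM -Name (@($DcVm) + $MemberVms) |
    Select-Object Name, AutomaticStartAction, AutomaticStartDelay |
    Format-Table -AutoSize

# For a manual start after maintenance: poll until the DC answers LDAP (TCP 389)
# instead of guessing a delay, then start the members.
function Wait-ForDc {
    param([string]$Address, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $probe = Test-NetConnection -ComputerName $Address -Port 389 -WarningAction SilentlyContinue
        if ($probe.TcpTestSucceeded) { return $true }
        Start-Sleep -Seconds 10
    }
    return $false
}

Start-VM -Name $DcVm
if (Wait-ForDc -Address $DcAddress) {
    Start-VM -Name $MemberVms
} else {
    Write-Error "DC $DcVm did not answer LDAP within the timeout; member VMs left stopped."
}
```

The LDAP probe only proves the port is open; on a host with several DC VMs you would run the same wait against each before starting the rest, and the two-minute automatic delay is a fallback for unattended boots where no script is running.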
 
We have our primary DC virtualised with VMware, and our secondary DC as a physical host; that way, should the VM system fail in any way, we are still able to handle auth requests.

Kimbie
 