DC: Virtualized and External NTP servers
The following two discussion points came up again today, for what feels like the 100th time:
Why don't you recommend virtualized DCs?
Why can't we point our domain DCs at our network NTP servers? Why should we set them to an external time server?
Virtualization first.
1. Performance.
2. Support (3rd-party virtualization software).
3. Time. By default the guest clock follows the host clock, so if the host's clock is changed inaccurately (BIOS update/reset or accidental change) the DC's clock jumps with it. A DC whose clock is off by more than the Kerberos skew tolerance (five minutes by default) can no longer authenticate or replicate with its partners until the time is corrected, and rolling the guest back to an earlier state to "fix" it is exactly what produces the USN rollback described in the links below.
4. Backups. There is also the risk of losing a usable backup of AD when people assume that snapshots of a DC in a virtualized environment are an appropriate backup method. Applying a snapshot returns the DC to a USN earlier than the USN its replication partners have already recorded for it, which is a USN rollback. This is why a supported backup method (NTBackup is the easiest) is required.
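As an added example (not from the original post), the following PowerShell checks a DC for the two USN rollback indicators that KB 875495 documents (the "DSA Not Writable" registry value of 4 and Directory Service event 2095), reports whether the guest's clock is being driven by the hypervisor, and puts the DC's own USN next to a partner's up-to-dateness vector so a rollback can be seen before replication stops. It assumes Windows Server 2008 or later (for w32tm /query); the domain DN and partner DC name are placeholders.

```powershell
# Added example (not from the original post): check a domain controller for the
# USN rollback indicators documented in KB 875495, and for a hypervisor-driven clock.
# Assumes Windows Server 2008 or later (w32tm /query) and runs elevated on the DC.
# $DomainDN and $PartnerDC are placeholders for this example.
param(
    [string]$DomainDN  = "DC=contoso,DC=com",   # assumption: example domain
    [string]$PartnerDC = "DC02"                  # assumption: a replication partner
)

# 1. KB 875495: when NTDS detects a rollback it sets "DSA Not Writable" = 4,
#    disables inbound/outbound replication and pauses Netlogon.
$ntdsParams = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$dsaNotWritable = (Get-ItemProperty -Path $ntdsParams -Name "DSA Not Writable" `
                   -ErrorAction SilentlyContinue)."DSA Not Writable"
if ($dsaNotWritable -eq 4) {
    Write-Warning "USN rollback detected ('DSA Not Writable' = 4); replication is quarantined. Follow KB 875495."
} else {
    Write-Output "'DSA Not Writable' is not 4 (value: '$dsaNotWritable')."
}

# 2. Event 2095 in the Directory Service log is the rollback notification.
$rollbackEvents = @(Get-EventLog -LogName "Directory Service" -ErrorAction SilentlyContinue |
                    Where-Object { $_.EventID -eq 2095 })
if ($rollbackEvents.Count -gt 0) {
    Write-Warning ("{0} event(s) 2095 found; most recent at {1}" -f $rollbackEvents.Count, $rollbackEvents[0].TimeGenerated)
}

# 3. Who owns the clock? On a Hyper-V guest with time synchronization enabled the
#    source reads "VM IC Time Synchronization Provider": the DC is following the
#    host clock, not the domain hierarchy or an NTP peer.
$source = (w32tm /query /source | Out-String).Trim()
Write-Output "Time source: $source"
if ($source -like "VM IC*") {
    Write-Warning "Clock is driven by the hypervisor; a host clock reset will be mirrored into this DC."
}

# 4. Compare this DC's own USN with what a partner has already recorded for it.
#    RootDSE.highestCommittedUSN is the local counter; the partner's up-to-dateness
#    vector lists the highest USN it has seen from each DC. If the local value is
#    LOWER than the partner's entry for this DC, the DC has been rolled back
#    (for example, a snapshot was applied) and the partner will not pull the
#    changes made since until the local counter climbs past the recorded value.
$usnRaw   = ([ADSI]"LDAP://RootDSE").highestCommittedUSN.Value
$localUsn = [int64]"$usnRaw"
Write-Output "Local highestCommittedUSN on $($env:COMPUTERNAME): $localUsn"
Write-Output "Partner $PartnerDC's up-to-dateness vector (find the row for $($env:COMPUTERNAME)):"
repadmin /showutdvec $PartnerDC $DomainDN
```

The registry value and event are only set once NTDS has noticed the rollback itself; step 4 is the check that catches the case before that, and is the one to run right after any "restore" of a virtualized DC.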
NTP next.
Again the reason is the same: what happens if your internal NTP server is reset by a firmware update or an accidental change? Every DC following it jumps with it and you are in the same boat. That is not to say an external time server cannot have this happen, but most well-known internet time servers have very tight controls and fail-safes in place.
You can do both; just be conscious that you may need to know how to do an authoritative restore of your domain.
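As an added example (not from the original post), this PowerShell sets up the time hierarchy the post argues for (the PDC emulator follows external peers, every other DC follows the domain hierarchy) and, as the check a practitioner wants against the "NTP server got reset" case, bounds the correction a DC will accept so an upstream clock that has jumped by hours is refused instead of copied. The peer list and the one-hour limit are assumptions; it assumes Windows Server 2008 or later for w32tm /query.

```powershell
# Added example (not from the original post): set up the domain time hierarchy
# with w32tm and bound the correction a DC will accept, so an upstream clock that
# has been reset is rejected rather than copied. Run elevated on each DC.
# The peer list is an assumption; substitute the external servers you trust.
$ExternalPeers        = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8"  # 0x8 = client mode
$MaxCorrectionSeconds = 3600   # refuse any step larger than one hour (assumption: tune to your environment)

# Only the PDC emulator should chase an external source; every other DC should
# follow the domain hierarchy, which ends at the PDC emulator.
$pdcFqdn = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$isPdc   = ($pdcFqdn -split '\.')[0] -ieq $env:COMPUTERNAME

if ($isPdc) {
    w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
} else {
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

# Bound the phase correction (seconds). If the source this DC follows suddenly
# claims a time outside this window, W32Time logs an error and leaves the local
# clock alone instead of stepping it by hours or years.
$w32cfg = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config"
Set-ItemProperty -Path $w32cfg -Name MaxPosPhaseCorrection -Value $MaxCorrectionSeconds -Type DWord
Set-ItemProperty -Path $w32cfg -Name MaxNegPhaseCorrection -Value $MaxCorrectionSeconds -Type DWord

Restart-Service W32Time
w32tm /resync /nowait

# Verify: current source and stratum, then the measured offset against each
# external peer on the PDC emulator.
w32tm /query /status
w32tm /query /source
if ($isPdc) {
    foreach ($peer in ($ExternalPeers -split ' ')) {
        $peerHost = ($peer -split ',')[0]
        w32tm /stripchart /computer:$peerHost /samples:3 /dataonly
    }
}
```

Two caveats. A DC whose clock really is hours off (the host-reset case from the list above) will now refuse to sync and has to be corrected by hand; that is the intended failure mode, since a silent multi-hour step is what breaks Kerberos and replication. And on a virtualized DC this configuration only holds if the hypervisor's time synchronization for that guest is disabled (on Hyper-V, the "Time Synchronization" integration service); otherwise the host clock keeps overriding it, which is what w32tm /query /source will show.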
Links:
How to detect and recover from a USN rollback in Windows 2000 Server https://support.microsoft.com/?id=885875
How to detect and recover from a USN rollback in Windows Server 2003 https://support.microsoft.com/?id=875495
Performing an Authoritative Restore of Active Directory Objects https://technet2.microsoft.com/windowsserver/en/library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx?mfr=true
How to restore deleted user accounts and their group memberships in Active Directory https://support.microsoft.com/kb/840001
The effects on trusts and computer accounts when you authoritatively restore Active Directory https://support.microsoft.com/kb/216243
After you restore deleted objects by performing an authoritative restoration on a Windows Server 2003-based domain controller, the linked attributes of some objects are not replicated to the other domain controllers https://support.microsoft.com/kb/937855
How to configure an authoritative time server in Windows Server 2003 https://support.microsoft.com/kb/816042
Microsoft Virtual Server support policy https://support.microsoft.com/kb/897613
Windows Server System software not supported within a Microsoft Virtual Server environment https://support.microsoft.com/kb/897614
Support policy for Microsoft software running in non-Microsoft hardware virtualization software https://support.microsoft.com/kb/897615/
Running Domain Controllers within Virtual Server 2005
Considerations when hosting Active Directory domain controller in virtual hosting environments https://support.microsoft.com/kb/888794/en-us
Comments
Anonymous
January 01, 2003
Hi, thanks for the clarification, and for noting that you are mostly discussing 3rd-party virtualization solutions. Well, in Austria mid-sized businesses have only about 10 servers in total, and maybe 2 or 3 of them are virtualized. In that case, if using Virtual Server or Hyper-V, there should be no problem in virtualizing DCs; that's what I meant. But I'm sure we are talking from the same basis... Peter Forster, MVP Virtual Machine, Austria
Anonymous
January 01, 2003
Hi Peter, yes, I should have added that link and the other KBs (added above now) on virtualized DCs. If we are discussing virtualized DCs in Windows virtualization software (VS2k5, Hyper-V) then yes, there is support. If it's 3rd-party virtualization software (which is by far more common today, and what I was referring to; sorry, I should have made that clear) then the KBs list our support position. Performance is always a concern of mine (both physical and virtual); only monitoring and historical analysis will save you there... unless the solution is completely oversized in the first place. Most virtualization implementations do not add monitoring to the requirements. So the solution starts off great with 8-10 virtual machines running fine, then somewhere around the year-and-a-half mark, 20-30 virtual machines later, everything is slow, people are complaining and everyone is wondering how this could have happened. This can obviously happen in the physical server world, but usually the cascading of resource pressures is exhibited on shared (SAN/NAS/network) resources in a more obvious fashion. rs
Anonymous
January 01, 2003
Hi, I don't completely understand the problem you are discussing. Virtualized DCs have been supported since 2004 in Virtual Server. There is also a guide on how to do that: http://www.microsoft.com/downloads/details.aspx?familyid=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en So support should not be the problem, because it is supported. Performance? Yes, on very large networks, but in mid-sized businesses I don't see any problem here. Peter Forster, MVP Virtual Machine, Austria