The Domain Controller Dilemma

Often I have people ask me about the Domain Controller dilemma.  The basic problem is this: if you decide to virtualize all of your servers, how do you handle the domain controllers which control the domain used by your Hyper-V servers?  There are a couple of options that you can consider here:

  1. Keep the root domain controller on physical hardware

    By keeping the root domain controller on separate physical hardware you can avoid any potential for problems.  However you also miss out on the benefits of virtualization for your domain controller (better hardware utilization, hardware mobility, easier backup, etc...).

  2. Keep the Hyper-V servers out of the domain

    In small deployments you can consider just leaving the Hyper-V servers as part of a workgroup and then running all domain controllers inside virtual machines.  This approach has two problems.  First, you lose the security advantages of running in a domain environment and second, it is hard to have multiple administrators in such an environment (as local user accounts need to be created on each Hyper-V server).  Also, you cannot use all the functionality of SCVMM in such an environment.

  3. Establish a separate (physical) domain for Hyper-V servers

    This approach is a compromise between the first two approaches.  Here you virtualize your primary domain controller environment, but set up a secondary (smaller) domain environment for your Hyper-V servers using a physical server.  The advantage to this approach is that you get all the benefits of having your Hyper-V servers in a domain - but your primary domain environment benefits from being virtualized.  The problem with this approach is that you still have an underutilized server sitting around in your server room / data center.

  4. Run the domain controller on top of Hyper-V anyway

    The last option is to just stick the domain controllers in virtual machines and then join the parent Hyper-V environment to the domain in question.  Now, while this sounds like a problematic environment, it can be done with some careful planning.  Here are the steps to take / things to consider:

    1. You should configure the domain controller virtual machines to always start when the parent starts - whether they were running before or not (this is configurable in the virtual machine settings).
    2. If you have other virtual machines configured to start automatically you may want to configure them to have a delayed start time (say by a minute or two) to allow the domain controllers to start up quickly.
    3. You should configure the domain controller virtual machines to shut down (and not save state) if the physical computer is shut down.
    4. You should ensure that you have a way of managing the Hyper-V environment if the domain controller fails to start.  This means keeping note of the local administrator account / password and testing that you can use it (either locally or remotely) to access the Hyper-V management console.
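Points 1-3 above (plus the no-snapshots rule at the end of the post) expressed as settings, as an added example that is not part of the original post: it uses the built-in Hyper-V PowerShell module, so it assumes a Windows Server 2012 or later host (the checkpoint setting needs 2016 or later), and the VM names are placeholders.

```powershell
# Added example, not from the original post. Assumes the Hyper-V PowerShell
# module (Server 2012 or later); -CheckpointType needs Server 2016 or later.
Import-Module Hyper-V

# Placeholder names: replace with the names of your domain controller VMs.
$DomainControllers = @('DC01', 'DC02')

function Set-VirtualDcGuardrails {
    param([string[]]$VMName)
    foreach ($name in $VMName) {
        # Point 1: always start with the host, whether or not it was running before.
        # Point 3: shut down cleanly at host shutdown, never save state.
        Set-VM -Name $name -AutomaticStartAction Start `
                           -AutomaticStartDelay 0 `
                           -AutomaticStopAction ShutDown
        # Saved state / snapshots roll a DC back in time and break replication.
        Set-VM -Name $name -CheckpointType Disabled
        # Don't let the DC take its clock from the host (see Shan's comment below).
        Disable-VMIntegrationService -VMName $name -Name 'Time Synchronization'
    }
}

function Set-DependentVmDelay {
    # Point 2: other auto-start VMs wait so the DCs come up first.
    param([string[]]$VMName, [int]$DelaySeconds = 120)
    foreach ($name in $VMName) {
        Set-VM -Name $name -AutomaticStartDelay $DelaySeconds
    }
}

function Test-VirtualDcGuardrails {
    # Reports any DC VM whose settings have drifted from the rules above.
    param([string[]]$VMName)
    foreach ($vm in Get-VM -Name $VMName) {
        $timeSync = Get-VMIntegrationService -VM $vm -Name 'Time Synchronization'
        [pscustomobject]@{
            VM          = $vm.Name
            StartOk     = ($vm.AutomaticStartAction -eq 'Start')
            StopOk      = ($vm.AutomaticStopAction -eq 'ShutDown')
            NoSnapshots = ($vm.CheckpointType -eq 'Disabled')
            TimeSyncOff = (-not $timeSync.Enabled)
        }
    }
}

Set-VirtualDcGuardrails -VMName $DomainControllers
# Only VMs that are already configured to auto-start get the delay.
$others = Get-VM | Where-Object { $_.Name -notin $DomainControllers -and $_.AutomaticStartAction -ne 'Nothing' }
Set-DependentVmDelay -VMName $others.Name
Test-VirtualDcGuardrails -VMName $DomainControllers | Format-Table
```

Running the Test- function on a schedule is a cheap way to catch someone re-enabling checkpoints or save state on a DC later.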

So there you have it.  I actually use option 4 for the (albeit small) domain environment that I run in my house and have had no issues.  A couple of extra points to make here:

  • Points 1-3 of option 4 should apply to *any* time that you virtualize a domain controller - even if it is not being used by the parent partition in question.
  • You should never use saved state / snapshots with domain controllers - as this can be catastrophic.

Cheers,
Ben

Comments

  • Anonymous
    November 24, 2008
    Ben, great timing for this article! I am just virtualizing my environment and am just about to do the DCs. I had the plan of using Option 4 as well. Thanks for clarifying things.

  • Anonymous
    November 24, 2008
    Which comes first, chicken or egg?

  • Anonymous
    November 24, 2008
    Hi, how will this work in a DR scenario when switching to your 2nd datacenter? I'm an ESX guy and when switching to our 2nd datacenter, I first have to have access to the host to be able to rescan the replica LUNs that were previously connected with source LUNs from datacenter1. So setting the domain controllers to boot when starting the host won't work, because normally the host has no VMs yet until I rescan the LUNs. Luckily on ESX I can just login to the host, rescan and start the VMs. Wouldn't it be better if Hyper-V could be managed more domain independent like ESX? And have SCVMM do the domain thingy, like Virtual Center does? I'm also searching for papers on how to perform Disaster Recovery for a Hyper-V environment. Would you have good links for me? Gabrie

  • Anonymous
    November 25, 2008
    Why is this important? I'm just curious why one can't keep one tiny server as a physical DC? For example a 2008 read only DC server? Call me old fashioned but I would feel uneasy without at least one physical DC.

  • Anonymous
    November 25, 2008
    We virtualize our domain controllers using the same process as outlined in #4.  I have done this for years now with no ill effect.  I would make two additional suggestions:

  1. ALWAYS have more than one domain controller.
  2. Disable time synchronization for the domain controllers.  They are supposed to be the source of time in the domain, and you don't want them to take the time from their host, which then takes the time from the domain controller. Shan

  • Anonymous
    November 25, 2008
    I use option #4 also, but I spread the primary and secondary DCs across two physical machines. It is a shame to think about how many empty CPU cycles and how much wasted HD space exists out there in the world doing nothing but AD controlling. I still occasionally run into issues with startup order + SQL Server + Exchange services, but it is a relatively small price to pay for the added flexibility.

  • Anonymous
    November 25, 2008
    You don't mention the possibility of having the domain controller role running in the host OS.  Is there a reason why this isn't a sensible option?

  • Anonymous
    November 25, 2008
    I am curious about what Harry posted as well?  What are the repercussions of just putting the domain controller role on the host OS along with Hyper-V?

  • Anonymous
    November 25, 2008
    Gabrie - In a DR situation you would have to configure multiple DCs if you were using physical computers.  If you are using virtual machines they can fail over automatically.  As for using a model like ESX - I am much happier having a trusted model for authenticating our servers than not :-) Patrick - As I mention this is certainly a valid option that some people choose. Shan McArthur - Good points, thanks for making them. Harry Johnston - This is possible but I do not know of many people who do this. It would certainly work but a general best practice is to install one server role per OS. Cheers, Ben

  • Anonymous
    November 26, 2008
    Thanks, great article (as always). Could you please explain why you say: "You should never use saved state / snapshots with domain controllers - as this can be catastrophic". Is this only valid for domains with more than one domain controller? What about single DC domains, e.g. SBS? Thanks!

  • Anonymous
    November 26, 2008
    In a single domain controller scenario, in this case a 64-bit laptop host with W2K8 with Hyper-v role and a virtual domain controller, with the host joined to the virtual domain I have used the save feature on the virtual dc to save start up times without any problems so far. Of course with multiple domain controllers this would be unwise because of replication issues if one or more would be kept in saved state for any length of time or if the FSMO DC were saved. So for a mobile virtual lab with one DC it might work, but that is about it.

  • Anonymous
    November 26, 2008
    If I have a DC set up as a guest on a failover cluster, should I also change the offline action to Shut Down, or can I leave this as Save State?

  • Anonymous
    November 30, 2008
    Hey Ben - thanks for writing this up - it's a really interesting analysis of the available options. Just one quick question: "If you have other virtual machines configured to start automatically you may want to configure them to have a delayed start time (say by a minute or two) to allow the domain controllers to start up quickly." How can I do this?  And, can I also set dependencies between other VMs (i.e. VM1 relies on VM2) - I'm assuming I can do it all in SCVMM but is it possible for plain old Hyper-V? Thanks, Mark

  • Anonymous
    December 01, 2008
    One more question on installing the DC on the Host OS.  Here is my scenario:  I have three physical servers, two that are running Server 2008 Hyper-V and one that I am going to install my Domain Server on just like you suggested in #1.  What I want to do is use each of my Hyper-V servers as backup Domain Controllers in case something happens to my main system.  Is this workable?

  • Anonymous
    December 01, 2008
    Jevgenij - Theoretically this should be okay, but I would not recommend it as it is contrary to our testing / guidance. Tony - That would be a good idea. Mark Wilson - Under virtual machine settings, go to the automatic start action.  Here you can specify a startup delay in seconds.  In order to do dynamic dependencies you would need to script the startup of the virtual machine. modell@mccconstruction.com - I would recommend running the backup domain controllers in virtual machines, rather than in the parent partitions. Cheers, Ben
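Ben's reply says dynamic dependencies need a startup script; here is an added example of such a script (not Ben's or Microsoft's code). It uses the built-in Hyper-V module and Test-NetConnection, so it assumes a Server 2012 or later host that can reach the DC's address; the VM names and the address are placeholders.

```powershell
# Added example, not from the original post: start the DC VM first, wait until its
# directory service answers, then start the VMs that depend on the domain.
# Assumes the Hyper-V module and Test-NetConnection (Server 2012 or later).
Import-Module Hyper-V

function Wait-DomainController {
    param([string]$VMName, [string]$Address, [int]$TimeoutSeconds = 600)
    if ((Get-VM -Name $VMName).State -ne 'Running') { Start-VM -Name $VMName }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $vm = Get-VM -Name $VMName
        # Heartbeat comes from the guest integration services; LDAP on 389 shows
        # that the directory service itself is answering, not just the guest OS.
        if ($vm.Heartbeat -like 'Ok*' -and
            (Test-NetConnection -ComputerName $Address -Port 389 -InformationLevel Quiet)) {
            return $true
        }
        Start-Sleep -Seconds 10
    }
    return $false
}

function Start-DependentVms {
    param([string[]]$VMName)
    foreach ($name in $VMName) {
        if ((Get-VM -Name $name).State -ne 'Running') { Start-VM -Name $name }
    }
}

# Placeholders: the DC VM, its IP address, and the VMs that need the domain at boot.
if (Wait-DomainController -VMName 'DC01' -Address '192.0.2.10') {
    Start-DependentVms -VMName @('SQL01', 'EXCH01')
} else {
    Write-Warning 'DC01 did not come up; dependent VMs left stopped for manual action.'
}
```

Leave the dependent VMs' automatic start action at Nothing when you use this, so the script, not the host, decides when they start.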

  • Anonymous
    December 02, 2008
    So as I understand your option 4, when the physical server boots up and runs through its usual Windows startup process, it's actually part of a domain where the DC is a virtual machine on the physical server itself? Since some Windows server startup processes (depending on the server roles installed) involve setting up a secure channel with the DC, they could time out if the virtual DC hasn't started yet. This wouldn't be a problem if a second virtual DC, running on separate physical hardware, is available at the time. But what do you do about spreading the FSMO roles between DCs? And how do you ensure that if the virtual DC fails, it fails over to another instance?

  • Anonymous
    December 02, 2008
    http://support.microsoft.com/kb/888794 has more information about running domain controllers in a virtual hosting environment.

  • Anonymous
    December 04, 2008
    This is very interesting, but I'm still wondering why I shouldn't just run the DC on the host OS and save myself a server license? I'm planning on having 2 Hyper-V servers and was just thinking of making them both DCs. Could you give me some insight why this wouldn't be recommended or what problems I might encounter! Thanks

  • Anonymous
    December 21, 2008
    iantownsend It doesn't save you a license. In server standard, you don't get a guest license if you are also running services on the host. Likewise in Enterprise, you have four guests only if you are not running host services.

  • Anonymous
    December 22, 2008
    Hi there, great article. Small question: should an Additional Domain Controller be talking to another Additional Domain Controller? If yes, WHY? There is already a Primary Controller available. And should all Additional DCs be Global Catalog Servers? If the ADCs are in different sites? Kind regards, thanks in advance...

  • Anonymous
    November 30, 2010
    For option 4 you should also change the time server hierarchy so that the Hyper-V parents obtain their time from upstream NTP servers and not the domain hierarchy. The virtualised domain controllers should then use the Hyper-V hosts as their upstream NTP servers, along with disabling time sync in the domain controller's VM settings. Alternatively the time service configuration can be left alone in the domain controller VMs and the time sync enabled for the VMs.

  • Anonymous
    March 30, 2011
    I think you missed one. 5. Using the Hyper-V host as Domain Controller?

  • Anonymous
    June 10, 2011
    I am having the following problem. We have our Primary AD server hosted offsite, with our backup AD server locally being replicated from the hosted primary. We had a company virtualize our physical backup AD server. We are having some problems adding PCs to the domain. Have to do it manually, sometimes several attempts. Also a few IP conflict issues, nothing major. Should we promote the virtualized server and then demote back? There seems to be identification issues.

  • Anonymous
    October 27, 2012
    Hello all, point 4 is perfect, but I was just hoping someone could elaborate on section d of point 4. I have tried in my lab: I have a Hyper-V Core server running a few virtual machines including a DC (only DC). Now for some reason the DC VM fails to start. In this scenario, I won't be able to manage my Hyper-V. RSAT tools or Server Manager will throw an error saying "RPC Server unavailable". That's pretty much obvious, considering the DC is down. But then how do I manage my Core machine's Hyper-V from a different server? Yeah, I do use a PowerShell script to start the DC, in case it's turned off, but is there any other way? Why is Core server so dependent on the DC that it won't even let me connect remotely to manage my Hyper-V?

  • Anonymous
    November 29, 2012
    Nice post Ben, very helpful. Can you please suggest the best practice in the following scenario on Server 2012 Hyper-V: 2 host servers with 8-core CPU, 128 GB RAM, 4 x 1 GB ports and 4 x 10 GB ports with VNXe SAN. Need to configure 4 VMs on each server with replica and live migration. We are planning domain controllers in virtual machines (DC1 and DC2) on each host with Exchange 2010. Plz advise:
  1. Do we keep a third DC on a physical host? It will need an additional license in that case?
  2. If we do not join the host server to the domain, then how will live migration and replica work? Any other advice you may have. Thanks, Nitin

  • Anonymous
    April 16, 2013
    Is your server type Datacenter or Enterprise?

  • Anonymous
    May 28, 2013
    Hi Ben, it's a great article/tips. I was planning to install SolarWinds on a Windows 2008 R2 Std - 64bit domain controller (physical server); however SolarWinds strongly recommends not to install this software (SolarWinds NPM for network device monitoring) on a DC, hence I thought of configuring Hyper-V on a DC, installing 2008 R2 Std edition as a virtual machine and then installing the SolarWinds software. Is this recommended? Or will there be any security flaws? Any suggestion or idea on this would be highly appreciated.

  • Anonymous
    March 17, 2014
    I am experimenting with option 4 on Server 2012 R2 but it seems that the Hyper-V Host fails to join the domain sometimes - maybe times out because the DC VM (the only VM) has not started yet or maybe decides to fall back to local cached credentials? So the firewall settings show me that the computer is connected to a public network instead of the domain network. Remote desktop is also impossible for this reason. If I deactivate and reactivate the connection it recognizes the domain network fine but this must be done manually.

  • Anonymous
    May 13, 2014
    Any update to these recommendations since Hyper-V 2012 R2 has come out?

  • Anonymous
    December 18, 2014
    Hi, I'm getting varying responses to the question of virtualizing a DC under WS2012 R2.  I've been told by MS not to do it.  Having said that, I have it working under WS2012.  I'm setting up a new physical location and want to install WS2012 R2, with virtualized DC's.  Is this supported by Microsoft?