Tactical Advice

5 Tips for Virtualizing Microsoft Active Directory

Follow this advice to run domain controllers in virtual machines without putting your Active Directory at risk.
5 Tips for Virtualizing Microsoft Active Directory

Not all server workloads are suitable candidates for virtualization. But with some careful planning and understanding of the technical implications, Microsoft Active Directory domain controllers (DCs) can be virtualized to reduce costs.

1. Start with Good Planning

There’s little point in adding extra domain controllers to Active Directory if they are all virtualized on the same host server. For the sake of fault tolerance, make sure that your DCs are not all sharing the same disk spindle, network card, host virtualization server and uninterruptable power supply (UPS).

Many organizations feel more comfortable keeping at least one physical DC in each domain, usually the server holding the Primary Domain Controller (PDC) emulator role, although it’s not a requirement. If you choose to virtualize DCs, make sure that physical resources on the host virtualization server are sufficient for handling the expected load. DCs running the PDC emulator role and global catalog servers supporting Exchange are usually the most heavily loaded.

To ensure that your DCs start up as quickly as possible if they need to be rebooted, configure the virtual network adapter’s primary DNS server to point to a DNS server that’s running on a physical device different from the host virtualization server. The host server’s network adapter should also be set to use an off-box DNS server.

2. Set Up a Domain Controller in a Virtual Machine

You can use the standard DCPROMO method for promoting a server to a domain controller running in a VM. If the VM is intended to replace a DC running on physical hardware, make sure that the physical DC has been demoted and that full AD replication has occurred before running DCPROMO in the VM. Then you can use the machine name from the demoted physical DC in the VM.

Most hardware virtualization systems include physical to virtual (P2V) migration tools; while there are some free options, the only supported tool for Hyper-V comes with System Center Virtual Machine Manager (SCVMM). The P2V tool has two conversion modes: With online conversion, the source and target servers run at the same time during the conversion process; with the offline mode, the source machine is shut down before restoration is finished on the target device. Offline mode is the only supported method for migrating DCs and is recommended to avoid USN rollback in Active Directory. (See “Backup,” below, for more information on USN rollback.)

3. Synchronize the Time on All Participating Domain Members

The Kerberos protocol is used for authentication in Active Directory, and Kerberos tickets are issued to security principals with a time stamp and short lifespan to prevent brute force attacks against the directory. For successful authentication, the clocks on all participating domain members, including domain controllers, must be synchronized. The domain controller hosting the PDC emulator role sits at the top of a hierarchy that provides time synchronization services throughout the domain.

By default, Hyper-V VMs have their time synchronized with the clock on the host server. To replicate the VM configuration as closely as possible to the physical world, it’s important when configuring VMs for domain controllers and member servers to turn off time sync with the host server and leave ADs time synchronization service to do its job.

To disable time synchronization on VMs in Hyper-V, open Hyper-V Manager from Administrative Tools on the Start menu, right-click the required VM in the central pane and select Settings from the menu. In the Settings dialog, expand Management in the left pane, and select Integration Services. In the right pane, uncheck Time synchronization (Figure 1) and click OK.

Disabling time synchronization in Hyper-V

4. Stick to Backup Best Practices

While it may be tempting to use the snapshot feature in Hyper-V for backup purposes, you must adhere to best practices from the physical world and take daily System State backups from at least two DCs in each domain. Rolling back a DC using the Hyper-V snapshot functionality results in inconsistences in the AD database caused by Update Sequence Number (USN) rollback, where DCs think they have an up-to-date copy of AD and replication fails without reporting any errors. Starting in Windows Server 2003 SP1, USN rollback can be detected and AD replication automatically stopped, though you shouldn’t rely on this mechanism.

5. Be Selective When Using Virtualized Features

There are some handy things you can do with a VM that aren’t possible in the physical world — and some you should avoid. As mentioned, snapshots shouldn’t be used on VMs hosting domain controllers. Another feature best avoided is the pause functionality; if you must use it, make sure it’s only for a short period. Again, you’ll run into replication and database inconsistency issues if DCs are paused for a long time.

To get your domain controllers up and running as fast as possible if the virtual host must be rebooted, configure VMs running DCs to start up at the same time as the host server. You can configure other VMs not running domain controllers on the same virtual host with a delayed start-up time to ensure your DCs get priority and are started in time. This should ensure that the rest of the dependent infrastructure doesn’t fail.

Finally, the default Shutdown action in Hyper-V can save the VM state when the host server shuts down. For domain controllers, this setting should be changed to Shut down the guest operating system. To change the shutdown setting for a VM, open Hyper-V Manager from Administrative Tools on the Start menu, right click the required VM in the central pane and select Settings from the menu. In the Settings dialog, expand Management in the left pane and select Automatic Stop Action. Then change the configuration on the right as shown in Figure 2.

Configuring a VM to shut down the guest OS when the host server shuts down

Sign up for our e-newsletter

About the Author

Russell Smith

Russell Smith

Microsoft Technology Best Practices

Russell is a technology consultant and trainer specializing in management and security of Microsoft server and client technologies. A Microsoft Certified Systems Engineer with more than 10 years of experience, Russell’s projects have included everything from deploying Small Business Server to developing security practices on large-scale United Kingdom government IT projects. Russell is also author of Least Privilege Security for Windows 7, Vista and XP published by Packt.

Security

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
Tools to Maintain Mobile Sec... |
Far-flung devices pose serious challenges, but a variety of technologies can help protect...

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...
The Value of Converged Infra... |
Improvements in security, management and efficiency are just a few of the benefits CI can...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
The Tools That Power Busines... |
Ever-evolving analytic software can greatly improve financial institutions’ decision-...
XP-iration Date: Today Is th... |
It’s officially lights out for Windows XP as an operating system. Here’s how the world is...