DCs and virtualization

Okay, this “Can I virtualize my DCs?” topic has been around for a while, and since there was another question about it in the newsgroups, I thought I’d just throw in my opinion and the gotchas on this. I won’t make this a long posting; I’ll just name the issues with a short explanation, and you may draw conclusions yourself. This list isn’t static. I may add other points to it as they come to mind.

In general: you _can_ of course virtualize your DCs - they run fine like good citizens in your virtualization solution – but you should keep the following in mind:

Backup and Restore

That is a big headache in some environments, even for physical DCs. Keep in mind that you need to back up your DCs regularly, the virtualized ones included. And do not, ever, think that a virtualized DC would be fine with snapshots or images or those kinds of things. Back them up in a timely fashion. Don’t use your VM-DCs as standby DCs that you turn on and back up occasionally; you could be sorry when you really need them and the database they hold is outdated.

Run supported configurations

Virtualization isn’t *that* old. There may be issues you run into or mistakes you make. Don’t run yourself down a one-way road; stick with supported, approved solutions. In this case, stick with a virtualization technology that is supported by Microsoft so that you can get official support when things go wrong. I know Microsoft’s own virtualization products are supported (Virtual PC, Virtual Server, Hyper-V); others may be as well. Here’s a KB article that explains the third-party virtualization support policy (not sure how accurate and up to date it is): http://support.microsoft.com/kb/897615/

If you want to keep going with an unsupported solution, I’ll keep my fingers crossed for you so you don’t get into a situation where you need those MS support folks.

VM Security

We keep our servers locked up in racks in server rooms and datacenters. Sure enough, your virtualization platforms are locked up somewhere, too — but what about those web interfaces and consoles you use to manage your stuff? I know Virtual Server 2005 has a web interface to manage your VMs, so does Virtual Machine Manager 2008, and Hyper-V at least brings a Hyper-V console. Can Joe Average log on to those interfaces and switch off your DCs during peak hours? Can he access or create other VMs on the server and turn them on so that you run into a performance issue on the DC’s box? What about shares and local access to those virtualization hosts? Local access is a bad, bad thing you shouldn’t grant anyone. Don’t let anyone get access to the virtual hard disks that are stored physically on the box’s storage volume(s). Your DCs keep the keys to your castle. Copying the virtual hard disks and walking away lets an attacker run offline attacks against a copy of your AD; that’s like giving away one of your DCs over the weekend, except you might not notice anyone copying the VM off your server if they have access to it.
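The two host-side checks that follow from the Backup and VM Security sections above, written as an added example for a Hyper-V host (this is not code from the original post): it lists every DC VM that still has a checkpoint, and every principal holding rights on a DC’s virtual hard disk files that is not on an expected list. The name pattern for DC VMs, the expected-principal list, and the treatment of per-VM `NT VIRTUAL MACHINE\…` identities as legitimate are assumptions you adapt to your environment.

```powershell
# Added example, not from the original post. Audits DC VMs on a Hyper-V host for
# checkpoints and for over-permissive ACLs on their VHD/VHDX files.
# Assumptions: Hyper-V PowerShell module present, DC VMs match $DcNamePattern,
# and $ExpectedPrincipals (plus the per-VM "NT VIRTUAL MACHINE\<guid>" identity
# Hyper-V grants) are the only accounts that should hold rights on the disk files.
#Requires -Modules Hyper-V

$DcNamePattern = '^DC'   # assumption: DC VMs are named DC01, DC02, ...

# Principals that legitimately hold rights on a Hyper-V VHD (assumption; adjust).
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT VIRTUAL MACHINE\Virtual Machines'
)

function Test-DcVmHygiene {
    param([string]$NamePattern = $DcNamePattern)

    $findings = @()
    foreach ($vm in Get-VM | Where-Object { $_.Name -match $NamePattern }) {

        # 1. Checkpoints: reverting a DC to a checkpoint rolls its AD database back
        #    behind its replication partners, which is why the post says "never".
        foreach ($cp in Get-VMSnapshot -VMName $vm.Name -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{
                VM     = $vm.Name
                Check  = 'Checkpoint present'
                Detail = "$($cp.Name) created $($cp.CreationTime)"
            }
        }

        # 2. VHD ACLs: anyone who can read the disk file can copy the AD database and
        #    attack it offline, so flag every principal that is not expected.
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            $acl = Get-Acl -LiteralPath $disk.Path
            foreach ($ace in $acl.Access) {
                $who     = $ace.IdentityReference.Value
                $isVmSid = $who -like 'NT VIRTUAL MACHINE\*'
                if (($ExpectedPrincipals -notcontains $who) -and -not $isVmSid) {
                    $findings += [pscustomobject]@{
                        VM     = $vm.Name
                        Check  = 'Unexpected VHD ACE'
                        Detail = "$($disk.Path): $who has $($ace.FileSystemRights) ($($ace.AccessControlType))"
                    }
                }
            }
        }
    }
    return $findings
}

$result = @(Test-DcVmHygiene)
if ($result.Count -eq 0) { 'No findings.' } else { $result | Format-Table -AutoSize }
```

Run it as a host administrator; a clean run prints `No findings.`. Anything under “Unexpected VHD ACE” is a principal who could copy the DC’s database off the box, and anything under “Checkpoint present” is a rollback waiting to happen.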

Performance? Man, it’s a DC!

I know: I often talk to small and medium-sized orgs that have trouble getting a second DC for redundancy and fault tolerance. They often argue that buying hardware for a DC isn’t what they consider efficient computing, since DCs don’t seem to need a fat machine to operate; they often run on low resources and don’t use the hardware they run on efficiently. I also know that it is me saying “well, run that DC in a VM and you’re good!” — but keep in mind that every environment is different. Simply putting it into a VM might not be what works for you. Given a context where there’s only one DC anyway, a second DC in a VM that runs sluggishly from time to time might be better than having only one. Larger infrastructures might need stronger VMs for their DCs (especially when Exchange is around). So give your VMs enough memory to operate (a good rule of thumb is RAM at least the size of your ntds.dit, but no less than 4 GB). Also, don’t underestimate the value of fast hard disks. If possible, put the virtual hard disks on physical hard disks that aren’t already at 70% load. If you can, get a 64-bit VM (Hyper-V and VMware can do that!), as queries and services run slightly faster on x64 machines than on 32-bit machines (in general, and that holds for VMs too).
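The memory rule of thumb from this section and the “did it actually get backed up?” question from the Backup section, turned into a check you run inside the virtualized DC. This is an added example, not code from the original post. It assumes the database sits at the default `C:\Windows\NTDS\ntds.dit`, that `repadmin /showbackup` prints last-backup timestamps in `yyyy-MM-dd HH:mm:ss` form (an assumption about the tool’s output), and a backup-age threshold you choose.

```powershell
# Added example, not from the original post. Run on the virtualized DC itself.
# Assumptions: default ntds.dit location, the post's sizing rule
# (RAM >= size of ntds.dit, and at least 4 GB), a backup-age SLA you pick, and
# that "repadmin /showbackup" output contains timestamps as yyyy-MM-dd HH:mm:ss.

$DitPath          = 'C:\Windows\NTDS\ntds.dit'   # assumption: default DIT path
$MaxBackupAgeDays = 7                            # assumption: your backup SLA

function Get-DcMemoryVerdict {
    param([string]$Path = $DitPath)
    $ditBytes = (Get-Item -LiteralPath $Path).Length
    $ramBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    $minimum  = [math]::Max($ditBytes, 4GB)      # the post's rule: max(DIT size, 4 GB)
    [pscustomobject]@{
        DitGB      = [math]::Round($ditBytes / 1GB, 2)
        RamGB      = [math]::Round($ramBytes / 1GB, 2)
        RequiredGB = [math]::Round($minimum  / 1GB, 2)
        Ok         = [bool]($ramBytes -ge $minimum)
    }
}

function Get-DcBackupVerdict {
    param([int]$MaxAgeDays = $MaxBackupAgeDays)
    # repadmin /showbackup reports the last backup recorded per naming context.
    # We pull every yyyy-MM-dd HH:mm:ss timestamp out of its output (assumption
    # about the format) and judge the newest one against the SLA.
    $lines = & repadmin.exe /showbackup 2>&1
    $dates = foreach ($line in $lines) {
        if ("$line" -match '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
        }
    }
    $newest = $dates | Sort-Object -Descending | Select-Object -First 1
    $age    = if ($newest) { ((Get-Date) - $newest).TotalDays } else { $null }
    [pscustomobject]@{
        LastBackup = $newest
        AgeDays    = if ($null -ne $age) { [math]::Round($age, 1) } else { 'unknown' }
        Ok         = [bool]($null -ne $age -and $age -le $MaxAgeDays)
    }
}

Get-DcMemoryVerdict | Format-List
Get-DcBackupVerdict | Format-List
```

A DC that reports `Ok : False` on the memory side is exactly the “sluggish from time to time” VM the section talks about; one that reports `LastBackup :` empty has never had a System State backup that AD knows about, which is the standby-DC trap described under Backup and Restore.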

Treat it like a real machine!

My last suggestion: treat the DC in your VM just like any physical machine you have. Don’t let it travel without protection. Never leave it unmonitored, and don’t let anyone access it (the VM, its hard disks, its configuration).

Don’t be the guy that fuc^H^H^Hmesses up the environment just because you didn’t think about virtualization of DCs and its impacts.
