Win2k3 Domain Controller - Virtualized?

Wolf-R1 ([H]ard|Gawd, joined Aug 30, 2004, 2,005 messages)
Just as the thread title suggests I am considering putting a Windows 2003 Server into a virtual machine environment on a Windows 2008 Server Hyper-V system. The hardware that will be used is currently a dual Opteron 248 with 2GB RAM that will be upgraded to dual Opteron 285s and a minimum of 4GB RAM. It's also currently running mirrored 73GB 15k RPM SCSI drives which I would like to replace with larger drives, budget dependent of course. Note that this will not be running any of the master domain roles and will be relegated to a data center where there is a W2k Server running as a domain controller mostly for VPN authentication, DNS, and email forwarding.

Anyone have any experience with a virtualized domain controller? Is this a good idea? It will be sharing hardware resources with a virtual W2k3 server that will be acting as a backup to a current application server.
 
Only thing I would ask is why not just run it on the bare metal. I'm not sure if you're just trying to pinch everything you can out of the hardware, but running a Windows OS as a guest to another Windows OS certainly won't produce the most efficient DC. There wouldn't be an issue as you asked, but it seems sort of redundant unless you're trying to get many machines out of one physical box.
 
We had 7 domain controllers and managed to run 1 in a VM. The rest were bare metal. I believe there was a heated debate on the VMware forums about doing this in VMware, and most said the same thing: do not run a FSMO role holder in VMware, or your NTP. Considering you're asking about Hyper-V and it's an MS Server function, maybe. I found a little something for you to glance over. I know I mentioned VMware, but that was our virtualization hypervisor.

http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1227204,00.html
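The advice above (keep FSMO role holders and your time source off the hypervisor) is easy to check for rather than remember. The following is an added example and not code from the thread or from the linked article: it lists the five FSMO role holders, asks each one via WMI whether it reports a hypervisor as its manufacturer/model, and queries its Windows Time source with w32tm. It assumes the ActiveDirectory RSAT module, WMI/WinRM access to each DC, and rights to query them; the hypervisor string patterns are the common values reported by Hyper-V, VMware, VirtualBox and Xen/KVM guests.

```powershell
# Added example, not part of the original thread.
# Assumes: ActiveDirectory module (RSAT), WMI access to each DC, Domain Admin rights.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @(
        [pscustomobject]@{ Role = 'SchemaMaster';         Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Role = 'DomainNamingMaster';   Holder = $forest.DomainNamingMaster }
        [pscustomobject]@{ Role = 'PDCEmulator';          Holder = $domain.PDCEmulator }
        [pscustomobject]@{ Role = 'RIDMaster';            Holder = $domain.RIDMaster }
        [pscustomobject]@{ Role = 'InfrastructureMaster'; Holder = $domain.InfrastructureMaster }
    )
}

function Get-DcVirtualizationInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Win32_ComputerSystem exposes the firmware-reported manufacturer and model;
    # hypervisors advertise themselves there (e.g. Hyper-V: "Virtual Machine").
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
    $hypervisor = switch -Regex ("$($cs.Manufacturer) $($cs.Model)") {
        'Virtual Machine'   { 'Hyper-V';    break }
        'VMware'            { 'VMware';     break }
        'VirtualBox'        { 'VirtualBox'; break }
        'Xen|QEMU|KVM'      { 'Xen/KVM';    break }
        default             { $null }
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        Hypervisor   = $hypervisor
    }
}

function Get-DcTimeSource {
    param([Parameter(Mandatory)][string]$ComputerName)
    # w32tm reports which provider the DC is actually syncing from
    (& w32tm /query /computer:$ComputerName /source 2>&1) -join ' '
}

foreach ($fsmo in Get-FsmoRoleHolders) {
    $vm   = Get-DcVirtualizationInfo -ComputerName $fsmo.Holder
    $time = Get-DcTimeSource -ComputerName $fsmo.Holder

    if ($vm.Hypervisor) {
        Write-Warning ("{0} is held by {1}, which reports a {2} guest ({3} / {4})" -f
            $fsmo.Role, $fsmo.Holder, $vm.Hypervisor, $vm.Manufacturer, $vm.Model)
    }

    # The PDC emulator is the top of the domain time hierarchy; it should sync to
    # an external NTP server, not to the local clock or the hypervisor's clock.
    if ($fsmo.Role -eq 'PDCEmulator' -and
        $time -match 'Local CMOS Clock|VM IC Time Synchronization Provider') {
        Write-Warning ("PDC emulator {0} time source is '{1}'; point it at an external NTP source" -f
            $fsmo.Holder, $time)
    }

    [pscustomobject]@{
        Role       = $fsmo.Role
        Holder     = $fsmo.Holder
        Hypervisor = $vm.Hypervisor
        TimeSource = $time
    }
}
```

Run it from a management box with RSAT installed; a clean result lists every role with an empty Hypervisor column and the PDC emulator syncing from an external NTP host. The w32tm check matters most on Hyper-V, where the guest time-synchronization integration service can otherwise become the DC's time source and fight the AD time hierarchy.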
 
My general way of setting things up is to have 1 domain controller on its own box and the other 2 virtualized. From my experience, this has been the best combination. We run most of our services on some beefy VMware boxes, and the DCs that are virtualized run much better than the ones that aren't. They have almost no errors or alerts in the log files and respond faster. The DC on the bare metal, not so much. Just had to rebuild it because it basically went rogue.

Then again, ours wasn't a budget build either. We spent $40,000 on 2 VM boxes and a SAN to host everything, so it tends to blow everything else out of the water. Each box is dual quad-core Xeons with 32 GB of RAM, and is connected to a 6 TB SAN over iSCSI. drool..
 
We're currently running 2 DCs on bare metal, but are looking to add a virtual one for DR purposes. It's good to see some of these real world results. Makes me feel better about some of our design decisions at work.
 
With virtual DCs, make sure you have very tight security controls. The nightmare scenario is having somebody copy the VM for a DR drill onto some sort of unencrypted portable media, then losing that media. At that point your entire security database is compromised, and the logical topology for your entire network is in the wrong hands, assuming your Sites and Services layout for your AD is properly maintained.

My corporation doesn't allow DCs for anything other than resource domains to be virtualized. I personally think that takes it a bit too far.

As long as the same handling rules for sensitive data backed up to tape are followed for VMs being used for DR drills that are outside the data center, having a VM to use for DR drills makes life enough simpler that the limited additional risk is mitigated.

There is no data security without sufficient physical security.
 
Yes, I'm juggling the concept due to budget constraints, and thank you for all your responses. I don't think I could ever bring myself to put the FSMO roles onto a virtualized system. Not in the current iterations of virtualization. Maybe several years down the road, but not now.

Furthermore, virtualizing a remote DC now would allow me to upgrade the existing W2k DC to W2k3 and potentially upgrade the hardware as well.

Thanks for all the responses and info. I appreciate the help.
 