Running Domain Controllers in Hyper-V

Microsoft has created an article on TechNet that describes the pros and cons of running DCs on Hyper-V. It is pretty good and it covers almost all the important stuff. Many of these issues also affect other virtualization platforms in the same way.

The basics are:

  • Do not implement differencing disk virtual hard disks (VHDs) on a virtual machine that you are configuring as a domain controller. This makes it too easy to revert to a previous version, and it also decreases performance. For more information about VHD types, see New Virtual Hard Disk Wizard (http://go.microsoft.com/fwlink/?LinkID=137279).
  • Do not clone the installation of an operating system without using Sysprep.exe because the security identifier (SID) of the computer will not be updated. For more information about running the System Preparation tool (Sysprep), see "Using virtual hard disks" in Ways to deploy an operating system to a virtual machine (http://go.microsoft.com/fwlink/?LinkId=137100).
  • To help prevent a potential update sequence number (USN) rollback situation, do not use copies of a VHD file that represents an already deployed domain controller to deploy additional domain controllers. The next three items in this list are also recommended to help avoid potential USN rollback. For more information about USN rollback, see Appendix A: Virtualized Domain Controllers and Replication Issues.
  • Do not use the Hyper-V Export feature to export a virtual machine that is running a domain controller.
  • Running Sysprep on a domain controller damages the AD DS installation. Use Sysprep before you install the AD DS role to produce a unique security identifier (SID) for that installation. (Does it? :-))

  • To prevent issues with Active Directory replication, ensure that only one instance (physical or virtual) of a given domain controller exists on a given network at any point in time.

  • You can disable host time synchronization in the virtual machine settings in the Integration Services section of the Hyper-V Manager by clearing the Time Synchronization check box.

  • Guest storage. Store the Active Directory database file (Ntds.dit), log files, and SYSVOL files on a separate virtual disk from the operating system files. Integration Components must be installed so that synthetic drivers can be used for Integrated Drive Electronics (IDE) instead of emulation. Virtual SCSI and IDE disks perform at the same speed when they use synthetic drivers.
  • Host storage of VHD files. Recommendations: Host storage recommendations address storage of VHD files. For maximum performance, do not store VHD files on a disk that is used frequently by other services or applications, such as the system disk on which the host Windows operating system is installed. Store each VHD file on a separate partition from the host operating system and any other VHD files. The ideal configuration is to store each VHD file on a separate physical drive.
  • Fixed VHD versus pass-through disks. There are many ways to configure storage for virtual machines. When VHD files are used, fixed-size VHDs are more efficient than dynamic VHDs because the memory for fixed-size VHDs is allocated when they are created. Pass-through disks, which virtual machines can use to access a physical storage media, are even more optimized for performance. Pass-through disks are essentially physical disks or logical unit numbers (LUNs) that are attached to a virtual machine. Pass-through disks do not support the snapshot feature. Therefore, pass-through disks are the preferred hard disk configuration, because the use of snapshots with domain controllers is not recommended.
  • Do not pause, stop, or store the saved state of a domain controller in a virtual machine for time periods longer than the tombstone lifetime of the forest and then resume from the paused or saved state. Doing this can interfere with replication. To learn how to determine the tombstone lifetime for the forest, see Determine the Tombstone Lifetime for the Forest (http://go.microsoft.com/fwlink/?LinkId=137177).
  • Do not copy or clone virtual hard disks (VHDs).
  • Do not take or use a Snapshot of a virtual domain controller.
  • Do not use a differencing disk VHD on a virtual machine that is configured as a domain controller. This makes reverting to a previous version too easy, and it also decreases performance.
  • Do not use the Export feature on a virtual machine that is running a domain controller.
  • Do not restore a domain controller or attempt to roll back the contents of an Active Directory database by any means other than using a supported backup. For more information, see Backup and Restore Considerations for Virtualized Domain Controllers.
  • Do not copy or clone VHD files of domain controllers instead of performing regular backups. If the VHD file is copied or cloned, it becomes stale. Then, if the VHD is started in normal mode, there might be a divergence of replication data in the forest. You should perform proper backup operations that are supported by Active Directory Domain Services (AD DS), such as using the Windows Server Backup feature.
  • Do not use the Snapshot feature as a backup to restore a virtual machine that was configured as a domain controller. Problems will occur with replication when you revert the virtual machine to an earlier state. For more information, see Appendix A: Virtualized Domain Controllers and Replication Issues. Although using a snapshot to restore a read-only domain controller (RODC) will not cause replication issues, this method of restoration is still not recommended.
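As an added example (not from the TechNet article or this post), the script below audits a list of Hyper-V VMs that host domain controllers against the recommendations above: snapshots present, differencing or dynamic VHDs, host time synchronization left on, and VMs sitting in a paused or saved state. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later) and that the caller supplies the VM names.

```powershell
# Added example: host-side audit of virtual DCs against the recommendations
# above. Assumes the Hyper-V PowerShell module and caller-supplied VM names.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$DomainControllerVMs
)

$findings = foreach ($name in $DomainControllerVMs) {
    $vm = Get-VM -Name $name -ErrorAction Stop

    # Recommendation: never take or keep a snapshot of a virtual DC.
    $snapshots = @(Get-VMSnapshot -VMName $name -ErrorAction SilentlyContinue)
    if ($snapshots.Count -gt 0) {
        [pscustomobject]@{ VM = $name; Issue = 'Snapshot present'; Detail = ($snapshots.Name -join ', ') }
    }

    # Recommendation: no differencing disks; fixed VHDs preferred over dynamic.
    foreach ($drive in Get-VMHardDiskDrive -VMName $name) {
        if ($null -ne $drive.DiskNumber) {
            continue   # pass-through disk (physical disk/LUN): no VHD to inspect
        }
        $vhd = Get-VHD -Path $drive.Path
        switch ($vhd.VhdType) {
            'Differencing' { [pscustomobject]@{ VM = $name; Issue = 'Differencing disk'; Detail = $drive.Path } }
            'Dynamic'      { [pscustomobject]@{ VM = $name; Issue = 'Dynamic VHD (fixed preferred)'; Detail = $drive.Path } }
        }
    }

    # Recommendation: the DC keeps domain time, so host time sync should be off.
    $timeSync = Get-VMIntegrationService -VMName $name -Name 'Time Synchronization'
    if ($timeSync.Enabled) {
        [pscustomobject]@{ VM = $name; Issue = 'Host time synchronization enabled'; Detail = 'Integration Services' }
    }

    # Recommendation: do not leave a DC paused/saved longer than the tombstone lifetime.
    if ($vm.State.ToString() -in @('Paused', 'Saved')) {
        [pscustomobject]@{ VM = $name; Issue = "VM is $($vm.State)"; Detail = 'Compare against forest tombstone lifetime' }
    }
}

$findings | Format-Table -AutoSize
```

Run it on the Hyper-V host as an administrator; an empty table means none of the checked recommendations is violated for the named VMs.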


    So after reading and understanding all this I hope you all understand why I don’t run many of my DC’s virtualized…

    The full article can be found here…

    Mikael Nystrom – TrueSec
    MCT, MVP Windows Server – Setup/Deployment
