Running Domain Controller on top of Hyper-V and Failover Cluster?
Generally this questions is currently a well discussed topic in my customer scenarios therefore I would like to cover the important points when talking about virtualized DCs and especially when Failover Clustering is involved.
Hyper-V:
Mainly the virtualization of DC roles are generally supported if you had understood the caveats. Generally in production environments you should NOT use “snapshot/save state” features for DCs especially in multi-DC deployment but also in single-DC. Reason even for Single-DC environments is that domain members does update their computer password frequently and which doesn’t match anymore when you apply an previous snapshot (please see KB175468 around machine password). Of course, there are some workarounds but from my perspective none of them apply in production environments.
If you read the below articles and you are aware what exactly to overlook, “Yes you can” use this feature in lab scenarios, like you must snapshot all domain members at the same time or reset computer password after applying an earlier DC snapshot. But GENERALLY YOU SHOULD (NEVER) NOT USE SNAPSHOT/SAVE STATE FUNCTION IN PRODUCTION for DC role(s)!
So when running a domain controller within a Hyper-V virtual machine do NOT use:
1. Save states OR,
2. Virtual machine snapshots
In Hyper-V deployments there are some general “considerations” which need to overlooked when deploying virtualized domain controllers, here are some great articles which covers this in detail and gives also some guidelines:
Running Domain Controllers in Hyper-V
https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx
Things to consider when you host Active Directory domain controllers in virtual hosting environments
https://support.microsoft.com/kb/888794/en-us
Considerations when hosting Active Directory domain controller in virtual hosting environments
https://support.microsoft.com/kb/888794/en-us
The Domain Controller Dilemma
https://blogs.msdn.com/b/virtual_pc_guy/archive/2008/11/24/the-domain-controller-dilemma.aspx
Problems with virtual machines and domain membership
https://blogs.msdn.com/b/virtual_pc_guy/archive/2006/03/28/561508.aspx
Hyper-V and Domain Controllers – Demo Tips and Tricks
https://blogs.msdn.com/b/virtual_pc_guy/archive/2009/11/20/hyper-v-and-domain-controllers-demo-tips-and-tricks.aspx
Effects of machine account replication on a domain
https://support.microsoft.com/kb/175468
Running Domain Controllers within Virtual Server 2005
https://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
Failover Cluster:
Especially in Failover Cluster environments it is a “best practice” and recommended to have at least 1 physical/virtual DC available which is outside of the cluster environment as cluster service does require DC communication before starting cluster service (VCO/CNO).
Checkout the following blog post from my MVP colleague - Lai Yoong Seng MVP Virtual Machine - which discusses arising issues, when putting your DCs on top of Failover Cluster:
https://www.ms4u.info/2011/05/why-you-should-not-running-domain.html
We call this “Henne und Ei Problem” in German where translation has the same sense “Chicken and Egg Issue”
Windows 2003 MSCS:
Determining Domain Controller Access for Server Clusters (Windows 2003)
https://technet.microsoft.com/en-us/library/cc779512(WS.10).aspx
Active Directory, DNS and Domain Controllers (Windows 2003)
https://technet.microsoft.com/en-us/library/cc775654(WS.10).aspx
Cluster Networking Requirements (Windows 2003)
https://technet.microsoft.com/es-es/library/cc783193(WS.10).aspx
Stay tuned….
Regards
Ramazan