Running Domain Controller on top of Hyper-V and Failover Cluster?

  • Article

Generally this questions is currently a well discussed topic in my customer scenarios therefore I would like to cover the important points when talking about virtualized DCs and especially when Failover Clustering is involved.

Hyper-V:

Mainly the virtualization of DC roles are generally supported if you had understood the caveats. Generally in production environments you should NOT use “snapshot/save state” features for DCs especially in multi-DC deployment but also in single-DC. Reason even for Single-DC environments is that domain members does update their computer password frequently and which doesn’t match anymore when you apply an previous snapshot (please see KB175468 around machine password). Of course, there are some workarounds but from my perspective none of them apply in production environments.

If you read the below articles and you are aware what exactly to overlook, “Yes you can” use this feature in lab scenarios, like you must snapshot all domain members at the same time or reset computer password after applying an earlier DC snapshot. But GENERALLY YOU SHOULD (NEVER) NOT USE SNAPSHOT/SAVE STATE FUNCTION IN PRODUCTION for DC role(s)!

So when running a domain controller within a Hyper-V virtual machine do NOT use:

1. Save states OR,
2. Virtual machine snapshots

In Hyper-V deployments there are some general “considerations” which need to overlooked when deploying virtualized domain controllers, here are some great articles which covers this in detail and gives also some guidelines:

Running Domain Controllers in Hyper-V
https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx

Things to consider when you host Active Directory domain controllers in virtual hosting environments
https://support.microsoft.com/kb/888794/en-us

Considerations when hosting Active Directory domain controller in virtual hosting environments
https://support.microsoft.com/kb/888794/en-us

The Domain Controller Dilemma
https://blogs.msdn.com/b/virtual_pc_guy/archive/2008/11/24/the-domain-controller-dilemma.aspx

Problems with virtual machines and domain membership
https://blogs.msdn.com/b/virtual_pc_guy/archive/2006/03/28/561508.aspx

Hyper-V and Domain Controllers – Demo Tips and Tricks
https://blogs.msdn.com/b/virtual_pc_guy/archive/2009/11/20/hyper-v-and-domain-controllers-demo-tips-and-tricks.aspx

Effects of machine account replication on a domain
https://support.microsoft.com/kb/175468

Running Domain Controllers within Virtual Server 2005
https://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

Failover Cluster:

Especially in Failover Cluster environments it is a “best practice” and recommended to have at least 1 physical/virtual DC available which is outside of the cluster environment as cluster service does require DC communication before starting cluster service (VCO/CNO).

Checkout the following blog post from my MVP colleague - Lai Yoong Seng MVP Virtual Machine - which discusses arising issues, when putting your DCs on top of Failover Cluster:

https://www.ms4u.info/2011/05/why-you-should-not-running-domain.html

We call this “Henne und Ei Problem” in German where translation has the same sense “Chicken and Egg IssueSmile

Windows 2003 MSCS:

Determining Domain Controller Access for Server Clusters (Windows 2003)
https://technet.microsoft.com/en-us/library/cc779512(WS.10).aspx

Active Directory, DNS and Domain Controllers (Windows 2003)
https://technet.microsoft.com/en-us/library/cc775654(WS.10).aspx

Cluster Networking Requirements (Windows 2003)
https://technet.microsoft.com/es-es/library/cc783193(WS.10).aspx

Stay tuned…. Winking smile

Regards

Ramazan