Running Domain Controller on top of Hyper-V and Failover Cluster?
Generally this questions is currently a well discussed topic in my customer scenarios therefore I would like to cover the important points when talking about virtualized DCs and especially when Failover Clustering is involved.
Mainly the virtualization of DC roles are generally supported if you had understood the caveats. Generally in production environments you should NOT use “snapshot/save state” features for DCs especially in multi-DC deployment but also in single-DC. Reason even for Single-DC environments is that domain members does update their computer password frequently and which doesn’t match anymore when you apply an previous snapshot (please see KB175468 around machine password). Of course, there are some workarounds but from my perspective none of them apply in production environments.
If you read the below articles and you are aware what exactly to overlook, “Yes you can” use this feature in lab scenarios, like you must snapshot all domain members at the same time or reset computer password after applying an earlier DC snapshot. But GENERALLY YOU SHOULD (NEVER) NOT USE SNAPSHOT/SAVE STATE FUNCTION IN PRODUCTION for DC role(s)!
So when running a domain controller within a Hyper-V virtual machine do NOT use:
1. Save states OR,
2. Virtual machine snapshots
In Hyper-V deployments there are some general “considerations” which need to overlooked when deploying virtualized domain controllers, here are some great articles which covers this in detail and gives also some guidelines:
Running Domain Controllers in Hyper-V
Things to consider when you host Active Directory domain controllers in virtual hosting environments
Considerations when hosting Active Directory domain controller in virtual hosting environments
The Domain Controller Dilemma
Problems with virtual machines and domain membership
Hyper-V and Domain Controllers – Demo Tips and Tricks
Effects of machine account replication on a domain
Running Domain Controllers within Virtual Server 2005
Especially in Failover Cluster environments it is a “best practice” and recommended to have at least 1 physical/virtual DC available which is outside of the cluster environment as cluster service does require DC communication before starting cluster service (VCO/CNO).
Checkout the following blog post from my MVP colleague - Lai Yoong Seng MVP Virtual Machine - which discusses arising issues, when putting your DCs on top of Failover Cluster:
Windows 2003 MSCS:
Determining Domain Controller Access for Server Clusters (Windows 2003)
Active Directory, DNS and Domain Controllers (Windows 2003)
Cluster Networking Requirements (Windows 2003)