
Back in the pre-Windows Server 2012 days, the recommendation seemed to be to have at least one physical domain controller sitting alongside your virtualised DCs.

One justification for this was because if your Hyper-V hosts were clustered, then they required a DC to be contactable during boot-up. This makes total sense to me.

However, I would often hear people say it is still important to have a physical DC even if you don't have a clustered set up (say for example in a simple setup with a single Hyper-V server running a couple of VMs, one of which is a DC). The justification for this seemed (and I could never quite be sure) to be that you would still have a problem in the sense that when the Hyper-V host first boots, there's no DC present on the network. Cached credentials mean you can still log on, but what about all those bits that happen during boot up that mean having a DC around is beneficial? Is this actually an issue? Are there actually any operations that might run only at boot up that will cause a problem? Any Group Policies, for example? What I'm basically asking is, does the physical DC argument only really hold water when clustering is involved, or was there (pre-2012) a significant technical case for it without clustering? This article from Altaro (see the "Chicken-and-Egg Myth" section) suggests there is no need, but I'm still unsure.

Now to the second (and main) part of my question:

Windows Server 2012 introduced several features targeted at addressing the issues around virtualising domain controllers, including:

  1. VM-Generation ID - This addressed the USN rollback issue that meant snapshotting (or more specifically, rolling back to a snapshot) was unsupported/a really bad idea
  2. Cluster Bootstrapping - This addressed the "chicken and egg" issue surrounding Failover Clustering that I mentioned above. Failover Clustering no longer requires a DC to be present during boot-up.

So my second question is similar to the first, but this time for 2012+. Assuming both the vDC and the host are 2012+ and you take clustering out of the equation, are there any other issues like those mentioned above that mean I should still consider a physical DC? Should I still be considering having a physical DC alongside my single, non-clustered 2012/2012R2 Hyper-V host that has a single virtualised DC on it? I hear some people suggest putting AD on the Hyper-V host, but I don't like that idea for various reasons (WB cache being disabled for a start).

As a side-note, my question implicitly assumes that it makes sense to have your Hyper-V host joined to the domain to improve manageability. Does this assertion stand up to scrutiny?

UPDATE:

After reading some answers, it occurred to me that I could phrase things slightly differently to get to the heart of what I'm asking:

Even with the improvements in 2012 and later, the fact still remains that without any physical DCs or virtual DCs on another host, the host still boots when there's no DC available. Is this actually an issue? In a sense, I suppose it's the same (or very similar) question if you take virtualisation out of the picture completely. If you start member servers before any DCs regularly, is that a problem?

dbr
  • Personally I would never install AD on your Hyper-V host. Take everything cluster related out of the situation for the moment. You lose your one and only virtual DC - you lose your only source of DNS. – PnP Apr 05 '15 at 14:50

5 Answers


One rationale for retaining one physical DC per domain is if there is a major incident that affects the host or trashes the frame storage for the virtualized DCs, you would have at least one physical DC with local storage to perform recovery and maintain continuity. Microsoft continues to perform this check and make this recommendation during Active Directory RAPs (Risk Assessment and Planning).

https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv%28v=ws.10%29.aspx

"Maintain physical domain controllers in each of your domains. This mitigates the risk of a virtualization platform malfunction that affects all host systems that use that platform."

Greg Askew
  • Not sure that makes sense, though - see, for example, I know a company that is 100% virtual with their DCs; they make regular backups and have 3 DCs on 2 continents (2 in Europe, 1 in the USA). Hard to imagine anything here that blows up in a way that makes things not recoverable. – TomTom Apr 05 '15 at 15:25
  • I guess the point they're trying to make is if there's some sort of issue that affects Hyper-V as a whole, then you'd be (temporarily) screwed until you could restore a DC, whereas having a pDC would mean less disruption. Not sure I'd agree though, as you'd be pretty screwed anyway if there was a Hyper-V-wide outage issue! – dbr Apr 05 '15 at 15:34
  • Nice and dandy, but again totally irrelevant UNLESS you have a significant part of your infrastructure outside of Hyper-V. DCs working but file shares, SharePoint, Exchange, printing and all other things down - means I do not really care about the DC being up again ;) It mostly comes down to "have multiple DCs and make backups" and that is the case on both sides (Hyper-V and physical). – TomTom Apr 05 '15 at 15:56
  • @TomTom That's what I was alluding to with my "you'd be pretty screwed anyway" comment :) I was assuming just about everything else would be virtualised anyway. Completely agree that it comes down to "have multiple DCs and make backups". – dbr Apr 05 '15 at 16:49
  • @TomTom The company I work for is entirely virtual for the AD infrastructure as well, and has been since W2K3. But we don't use Hyper-V: ESX all the way. 2 separate sets of ESX cluster infrastructure on each continent. Each domain has (at a minimum) 3 DCs: 1 DC on another continent and 1 DC in each of the 2 ESX environments on the "home" continent. – Tonny Apr 06 '15 at 15:58

I too wouldn't make the Hyper-V host a DC.

As for whether or not you should have a physical DC, my opinion is that with the changes Microsoft has implemented regarding virtualized Domain Controllers in general and DC-less cluster bootstrapping specifically, I don't personally see the need for, nor do I advocate having a physical DC. Maintaining a physical DC seems counterintuitive to the nature of moving your infrastructure to a virtualization platform. Virtualize my entire infrastructure but it all hinges on a single physical DC being available? What's the point in that?

There are ways to limit your "exposure" while still virtualizing your Domain Controllers. One way would be to deploy multiple DCs on different hosts in your cluster and use anti-affinity to keep them separated in the event of a host failure (dependent upon how many hosts are in the cluster).

While Greg's answer includes a link to some MS recommendations, that article is nonetheless two years old and addresses Windows Server 2008 and 2008 R2. I wouldn't consider that article to be the current best practice in relation to Windows Server 2012 and 2012 R2. I can't find an official MS document, but this guy is considered a leading authority on Hyper-V - http://www.aidanfinn.com/?p=13171

joeqwerty
  • Thanks Joe. I actually read Aidan's article a while ago and it partly informed my question. What strikes me is that following it logically, there wasn't really a case for a physical DC pre-2012 either unless you ran a clustered environment (other than perhaps making the setup 'cluster ready'). That's why I added the other bit about people who still justify the need for a pDC even without clustering, which doesn't seem to have changed with 2012. – dbr Apr 05 '15 at 15:31
  • Would you agree with my above comment that if you take out the clustering issue, the situation hasn't really changed between 2008 and 2012? – dbr Apr 09 '15 at 21:27
  • @dbr I would only add to Joe's answer that for Hyper-V (not Xen or ESX) I would test out the Hyper-V MMC beforehand. It happened to me: a dead host with the DC on it, and the Hyper-V MMC needed a live AD to open. I was stuck even when logged in as domain admin with the cached credential. Could be fixed with the latest update, but it's an important fact. (Unlike ESX, which can use a built-in user, as you can still open vSphere or vCenter.) – yagmoth555 Jun 26 '15 at 16:16
  • Just want to add other ways to improve resilience: have more than one virtualization host cluster (either in the same location or other locations) and/or build a VPN to Azure (or AWS - Azure has a few benefits for MS shops) and put a DC or two up there. – Todd Wilcox Nov 10 '17 at 20:36

I feel like you're looking for a one line answer, so here it is:

You should have a physical DC if you do not trust your virtual environment's ability to withstand failure.

We could wax on about the peculiarities and exceptions with each scenario, but I think this strikes the root of the question.

blaughw

Let's take clusters out of the equation and focus on the one line in your question that makes me shudder.

Should I still be considering having a physical DC along-side my single, non-clustered 2012/2012R2 Hyper-V host that has a single virtualised DC on it?

Why, why, why, would you want a single DC? In any given environment we try to avoid having single points of failure for any given infrastructure. DCs are your bread and butter - they provide DNS, the backbone of Active Directory. Seriously, rebuild a Windows 7 Desktop PC on 2008R2 and promote it. There is always a strong case for a physical DC.

Hyper-V with AD DS? No, just no. Firstly, Microsoft doesn't support this. Secondly, as you mentioned, handling backups will become a pain dependent on your disk configuration. Not to mention - the beauty of virtualization is the ability to retire physical hosts as quickly as we can build them (and I appreciate a dcpromo isn't a huge deal (depending on the size of your environment)) and hosting AD DS just complicates matters. You also introduce another Windows Time complexity.

Personally I leave my stand-alone Hyper-V hosts off the domain, but in reality, I have no real argument for either configuration.

PnP
  • Most of your answer is needlessly critical by making points which are entirely valid, but have nothing to do with the question. Of course multiple DCs are almost always a must - the quoted portion is being used to illustrate a point/question. The HV+AD combo again is only really a side note, and I think I was pretty clear that I'm not a lover of the combo either. – dbr Apr 05 '15 at 15:23
  • If there "is always a strong case for a physical DC." [vs. a second vDC for example] - could you explain that case? That's really my question. – dbr Apr 05 '15 at 15:25

To answer the last question about whether this is actually ever an issue: I've noticed that my Hyper-V hosts with RDP enabled, but requiring NLA, don't allow RDP until after I restart the Network Location Awareness service if there's not a DC up when it boots. I've had occasional issues with connecting to VMMS remotely at these points as well, but only when something else was also broken. When you can't RDP in, or connect to Hyper-V Manager remotely, it's really hard to figure out what's broken and fix things. Keeping a physical DC around has prevented this from happening to me at any point.

RobbieCrash
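A defensive check for the boot-order symptom described in the answer above, written here as an added example (it is not part of that answer or any Microsoft guidance): it assumes Windows Server 2012 or later, a domain-joined host, and the standard Get-NetConnectionProfile, nltest and Restart-Service tooling; the function names are my own.

```powershell
# Added example: detect a host whose network profile was classified before any DC
# answered (so NLA-gated RDP fails), wait for a DC, then recycle the NLA service.
# Assumes Windows Server 2012+ (Get-NetConnectionProfile) and a domain-joined host.

function Test-DomainProfile {
    # True when every active interface already sits in the DomainAuthenticated category
    $profiles = Get-NetConnectionProfile
    return -not ($profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })
}

function Wait-DomainController {
    param([string]$Domain, [int]$Attempts = 30, [int]$DelaySeconds = 10)
    # nltest prints a "DC: \\name" line once a DC for the domain can be located via DNS
    for ($i = 0; $i -lt $Attempts; $i++) {
        $out = & nltest /dsgetdc:$Domain 2>$null
        if (@($out) -match 'DC:') { return $true }
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

function Repair-NlaProfile {
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    if (Test-DomainProfile) {
        Write-Output "Network profile already DomainAuthenticated; nothing to do."
        return
    }
    if (-not (Wait-DomainController -Domain $domain)) {
        # No DC reachable: restarting NLA would not help, so report instead of looping forever
        Write-Warning "No DC for $domain reachable; check DNS and the DC VM before retrying."
        return
    }
    # NLA re-evaluates the profile on restart; -Force also restarts dependent services
    Restart-Service -Name NlaSvc -Force
    Start-Sleep -Seconds 5
    Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
}

Repair-NlaProfile
```

Run it from an elevated prompt after a cold boot, or register it as a startup scheduled task (New-ScheduledTaskTrigger -AtStartup) so the host heals itself once its only DC VM is up.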