Recommendations for Running a Domain Controller Virtualized Environment using Virtual Server

I have been visiting a few customer sites where they are virtualizing their Domain Controllers. This always makes me a little nervous, as it should always be coupled with strong control and management of the environment. If it is not well managed, it can have serious implications for your Active Directory Forest.

If this is something you do, or are thinking of doing, then there are some very important tasks and configurations which you should implement to ensure this works well and consistently across your environment.

This is well documented in the following two articles, which should be read from COVER to COVER if you are looking to virtualize Domain Controllers.

Running Domain Controllers within Virtual Server 2005

https://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

(Taken from above) Time Synchronization Recommendations

For virtual machines that are configured as domain controllers, the Host time synchronization feature of Virtual Machine Additions should always be disabled. Instead, accept the default W32time domain hierarchy time synchronization.

The Host time synchronization feature allows guest operating systems to synchronize their system clocks with the system clock of the host operating system. Because domain controllers have their own time synchronization mechanism, Host time synchronization must be disabled on virtual machines that are configured as domain controllers. If domain controllers synchronize time from their own source and also synchronize time from the host, the domain controller time can change frequently.

Use the Administration Website to disable Host time synchronization when the virtual machine is turned off. You can disable Host time synchronization during or after installing Virtual Machine Additions.

For information about how to use the Administration Website, see the “Virtual Server 2005 Administrator’s Guide” on the Web at https://go.microsoft.com/fwlink/?linkID=27540

So, based upon the above, the following steps are recommended.

1. Follow the Domain Hierarchy, i.e. all Domain Controllers EXCEPT the PDCE should be set to NT5DS.

2. The PDC(E) should be configured to use NTP against a reliable time source. See an earlier blog entry of mine which has an excellent article all about time.

3. In the Virtual Machine Additions of Virtual Server, ensure the option "Host time synchronization" is disabled (i.e. unticked).
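To check steps 1 and 2 on a given Domain Controller, here is an added PowerShell example (mine, not taken from the Microsoft guidance) that compares the W32Time client type in the registry with the type the role calls for. It assumes PowerShell 3.0 or later for `Get-CimInstance`, and `<reliable-ntp-source>` is a placeholder for your own time source. Step 3 is set in Virtual Machine Additions and is not checked here.

```powershell
# Added example: audit this domain controller's W32Time client type
# against steps 1 and 2. Run in an elevated prompt on the DC itself.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

# Win32_ComputerSystem.DomainRole: 4 = domain controller,
# 5 = the domain controller holding the PDC emulator role.
switch ($role) {
    5       { $roleName = 'PDC emulator';      $expected = 'NTP'   }
    4       { $roleName = 'Domain controller'; $expected = 'NT5DS' }
    default {
        Write-Warning "DomainRole is $role; this machine is not a domain controller."
        return
    }
}

$p      = Get-ItemProperty -Path $key
$actual = $p.Type
$ok     = $actual -eq $expected   # string -eq is case-insensitive

# One summary object per DC, easy to collect from several machines.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Role         = $roleName
    ExpectedType = $expected
    ActualType   = $actual
    NtpServer    = $p.NtpServer
    Compliant    = $ok
}

# A PDC emulator set to NTP still needs a peer list to be useful.
if ($expected -eq 'NTP' -and $ok -and -not $p.NtpServer) {
    Write-Warning 'Type is NTP but NtpServer is empty.'
}

# Print (do not run) the w32tm command that would bring the DC in line.
if (-not $ok) {
    if ($expected -eq 'NT5DS') {
        'Fix:  w32tm /config /syncfromflags:domhier /update'
    } else {
        'Fix:  w32tm /config /manualpeerlist:"<reliable-ntp-source>" /syncfromflags:manual /reliable:yes /update'
    }
    'Then: w32tm /resync /rediscover'
}
```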

I also suggest reading the following KB article to further underline the importance of strong management and maintenance of Domain Controllers if you intend to run them in a virtualized environment.

https://support.microsoft.com/kb/888794

The above information holds true for Hyper-V too. There will be updates to the documentation in the future.