DC: Virtualized and External NTP servers

The following two discussion points came up again today, for what feels like the 100th time:

Why don't you recommend virtualized DCs?

Why can't we point our domain DCs to our network NTP servers; why should we set them to an external time server?

Virtualization first.

1. Performance.

2. Support (3rd party)

3. The possibility of a USN rollback because the guest machine is set to the host's time (date) and the host undergoes an inaccurate time change (BIOS update/reset or accidental change).

4. There is also the possibility of losing AD backups when people think that snapshots of a DC in a virtualized environment are an appropriate backup method. Again, a snapshot captures the USN of the DC at a point earlier than the USN of that DC as now known to the other DCs in the domain. This is why a supported backup method (NTBackup is the easiest) is required.

NTP next.

Again, USN is the reason: what happens if the NTP server gets reset due to a firmware update or an accidental change? You'll be in the same boat. That's not to say external time servers can't have this happen to them, but most well-known internet time servers have very tight controls and fail-safes in place.

Again, you can do both; just be conscious of the fact that you may need to know how to do an Authoritative Restore of your domain.
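An added example (not from the original post) in PowerShell: it points the PDC emulator at external time sources in the way KB816042 describes and then checks the DC for the USN rollback markers that KB875495 documents. The pool.ntp.org hosts and the domain DN are placeholders, and the w32tm /query switches assume Windows Server 2008 or later.

```powershell
# Added example, not part of the original post. Run elevated on the PDC emulator.
# Placeholders: replace the peers with time servers you are authorized to use,
# and replace the DN with your domain's distinguished name.
$Peers    = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"   # 0x8 = client mode (placeholder hosts)
$DomainDN = "DC=example,DC=com"                       # placeholder

# 1. Sync the PDC emulator from external, well-controlled peers instead of the
#    virtualization host or an internal appliance that a firmware reset can skew.
w32tm /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /nowait

# 2. Confirm which source the DC is actually using and how far off it is.
w32tm /query /source
w32tm /query /status
w32tm /stripchart /computer:0.pool.ntp.org /samples:3 /dataonly

# 3. Check for the USN rollback markers from KB875495: the 'Dsa Not Writable'
#    registry value (4 = rollback detected, replication paused) and NTDS event 2095.
$ntdsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$dsaNotWritable = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'Dsa Not Writable'
if ($dsaNotWritable -eq 4) {
    Write-Warning "USN rollback detected on this DC; replication is paused. Follow KB875495 before doing anything else."
}
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 4. Compare this DC's highest committed USN with what its replication partners
#    believe it to be; a partner claiming a higher USN than this DC is the rollback signature.
repadmin /showutdvec localhost $DomainDN
```

Run step 3 on every DC after any host time change or snapshot revert, not only on the PDC emulator.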

Links:

How to detect and recover from a USN rollback in Windows 2000 Server https://support.microsoft.com/?id=885875

How to detect and recover from a USN rollback in Windows Server 2003 https://support.microsoft.com/?id=875495

Performing an Authoritative Restore of Active Directory Objects https://technet2.microsoft.com/windowsserver/en/library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx?mfr=true

How to restore deleted user accounts and their group memberships in Active Directory https://support.microsoft.com/kb/840001

The effects on trusts and computer accounts when you authoritatively restore Active Directory https://support.microsoft.com/kb/216243

After you restore deleted objects by performing an authoritative restoration on a Windows Server 2003-based domain controller, the linked attributes of some objects are not replicated to the other domain controllers https://support.microsoft.com/kb/937855

How to configure an authoritative time server in Windows Server 2003 https://support.microsoft.com/kb/816042

Microsoft Virtual Server support policy https://support.microsoft.com/kb/897613

Windows Server System software not supported within a Microsoft Virtual Server environment https://support.microsoft.com/kb/897614

Support policy for Microsoft software running in non-Microsoft hardware virtualization software https://support.microsoft.com/kb/897615/


Running Domain Controllers within Virtual Server 2005 https://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

Considerations when hosting Active Directory domain controller in virtual hosting environments https://support.microsoft.com/kb/888794/en-us