DC: Virtualized and External NTP servers


The following two discussion points arose today again for what feels the 100 time:


Why Don't you recommend Virtualized DCs?


Why Can't we point our domain DC to our network NTP servers – why should we set it to an external time server?


 


Virtualization first.


1.      Performance.


2.      Support (3rd party)


3.      The possibility of a USN Rollback due to the guest machine being set to the time (date) of the host and the host undergoing a in accurate time change (BIOS update/reset or accidental change).


4.      There is also the possibility of a the loss of backups of AD by those thinking that snapshots of DC in a virtualized environment is an appropriate method for doing so.  Again making a snapshot will capture the USN of the DC that is previous to the USN of DC as now know to other DCs in the Domain.  This is why a supported backup method (NTBackup is the easiest) is required.


 


NTP next.


Again USN is the reason – what happens if the NTP server gets reset due to a firmware update or accidental change?  You’ll be in the same boat.  It’s not to say that external time server’s can have this happened – but most well know internet time servers have very tight controls and fail safes placed on them.


 


Again you can do both – just be conscience of the fact that you may need to know how to do an Authoritative Restore of your Domain


 


Links:


How to detect and recover from a USN rollback in Windows 2000 Server http://support.microsoft.com/?id=885875


How to detect and recover from a USN rollback in Windows Server 2003 http://support.microsoft.com/?id=875495


Performing an Authoritative Restore of Active Directory Objects http://technet2.microsoft.com/windowsserver/en/library/690730c7-83ce-4475-b9b4-46f76c9c7c901033.mspx?mfr=true


How to restore deleted user accounts and their group memberships in Active Directory http://support.microsoft.com/kb/840001


The effects on trusts and computer accounts when you authoritatively restore Active Directory http://support.microsoft.com/kb/216243


After you restore deleted objects by performing an authoritative restoration on a Windows Server 2003-based domain controller, the linked attributes of some objects are not replicated to the other domain controllers http://support.microsoft.com/kb/937855


How to configure an authoritative time server in Windows Server 2003 http://support.microsoft.com/kb/816042


Microsoft Virtual Server support policy http://support.microsoft.com/kb/897613


Windows Server System software not supported within a Microsoft Virtual Server environment http://support.microsoft.com/kb/897614


Support policy for Microsoft software running in non-Microsoft hardware virtualization software http://support.microsoft.com/kb/897615/


 


Running Domain Controllers within Virtual Server 2005


http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en


 


Considerations when hosting Active Directory domain controller in virtual hosting environments


http://support.microsoft.com/kb/888794/en-us


 


 


      


 


 


 


Comments (3)

  1. Anonymous says:

    Hi,

    thanks for clarification and that you are more discussing about 3rd party virtualization solutions. Well, in Austria mid-sized business have at all only 10 servers and maybe 2 or 3 of them are virtualized. In that manner, if using Virtual Server or Hyper-V there should be no problem in virtualizing DCs, that’s what I meant. But I’m sure we are talking from the same basis…

    Peter Forster, MVP Virtual Machine, Austria

  2. Anonymous says:

    Hi Peter,

    Yes I should have added that link and other KB (added above now) on virtualized DCs.

    If we are discussing virtualized DC in Windows Virtualization software (VS2k5, HyperV) then yes there is support.  If its 3rd party virtualization software (which is by far more common today – and what I was referring to – sorry I should have made that clear) then the KB list our support position.

    Performance is always a concern of mine (both physical and virtual) – only monitoring and historical analysis will save you there….Unless the solution is completely over sized in the first place.  

    Most virtualization implementations do not add monitoring to the requirements.  So the solution starts off great with the 8-10 virtual machines running fine, then somewhere around the year and a half mark, 20-30 virtual machines later, everything is slow, people are complaining and everyone is wondering how this could have happened.  This can obviously happen in the physical server world, but usually the cascading of resource pressures is exhibited on shared (SAN/NAS/network) resources in a more obvious fashion.

    rs

  3. Anonymous says:

    Hi,

    I don’t completely understand the problem you are discussing. Virtualized DCs are supported since 2004 in Virtual Server. There is also a guide how to do that:

    http://www.microsoft.com/downloads/details.aspx?familyid=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

    So support should not be the problem because it is supported. Performance? Yes, on very large networks, but in mid-sized business I don’t see any problem here.

    Peter Forster

    MVP Virtual Machine

    Austria

Skip to main content