12 Best Practices for Virtualizing Active Directory DCs


Why consider virtualizing Active Directory domain controllers (AD DCs)?
The challenges of virtualized AD DCs
12 expert best practices for smart AD DC virtualization

Published in Education

  • 1. 12 Best Practices for Virtualizing Active Directory DCs. By Greg Shields
  • 2. What’s in? Why consider virtualizing Active Directory domain controllers (AD DCs)?; the challenges of virtualized AD DCs; 12 expert best practices for smart AD DC virtualization.
  • 3. Virtualize Everything! With the advancements in hardware and hypervisor technology, every element of the infrastructure has now become a “Virtual Machine candidate”: services, applications, even high-powered databases!
  • 4. Virtualize Everything, but DCs! While any application can run atop VMs today, doing the same with Active Directory domain controllers (AD DCs) remains one of IT’s greatest questions. You may have wondered yourself: “Should I virtualize my DCs, and if I do what mistakes could I make?” The short answer is: Plenty!
  • 5. What makes AD DC different? AD DC is unlike other IT workloads in many ways. Its implementation of multi-master replication must be carefully designed to avoid replication errors. Its services require a transactional database that can’t be backed up like regular files and folders. Its functionality exists as the foundation for every other IT service: lose AD and you’ve lost that foundation; lose objects within it, and the people and computers those objects represent are quickly locked out.
  • 6. Why Virtualize AD DCs? AD DCs aren’t large consumers of server resources. Even an environment of 1,000 users might never see their AD database grow much larger than about 400 megabytes. CPU and memory utilization tend to be relatively small as well. Why then should we even consider virtualizing AD DCs? AD DCs come in pairs. Due to geographic distances, many environments find themselves needing even more, up to tens of DCs. Since AD is a lightweight service, it is logical to cut cost through virtualization.
  • 7. To virtualize or Not to virtualize? While virtualization indeed brings benefits, it also adds risk when virtualized AD DCs are not created smartly. If you’re considering virtualization for your AD DCs, or even if you’ve virtualized them already, don’t miss these 12 important best practices.
  • 8. 12 Best Practices for virtualizing Active Directory Domain Controllers
  • 9. #1 DCs Require VM High Availability. With every part of a Windows infrastructure requiring AD’s authentication services, those services must remain highly-available. AD can disable disk write caches on volumes hosting its database and log files. It preserves the integrity of the database should the server unexpectedly go down. Even so, preventing DC outages must be a priority. => Any virtualized DCs should be hosted in a highly-available virtual environment.
  • 10. #2 Never Pause, Never Clone, Never Snapshot… A virtual server’s state can be paused. Its disks can be snapshotted and/or cloned in order to protect their contents or duplicate them elsewhere. These hypervisor snapshotting, pausing, and cloning capabilities are excellent tactics for many kinds of servers. However, using any of them against an AD DC is never recommended unless your VM backup solution provides full application-aware quiescence during a snapshot.
  • 11. #3 Not All Backups Are Created Equal. Various backup tools provide a different range of options. For AD DCs you need the one that gathers the necessary data quickly via an image-based, block-level approach, and can restore any object, server, or forest back to any period in time. That’s why the third best practice in this list suggests educating yourself on all the backup options available for DCs.
  • 12. #4 Avoid Clock Drift. Unlike physical servers, VMs are often subject to clock drift. You can handle it by using the virtual platform’s installed tools, or by synchronizing clocks to an external time source. No matter which option you choose, pay careful attention to your DC’s clocks. Should their clocks drift beyond a mere 5 minutes, you’ll find your DCs will no longer service client requests.
  • 13. #5 Don’t Overprovision Resources. Don’t make your virtual environment work harder than it needs! Use performance management tools to find and assign the right quantity of resources the VM needs, and avoid assigning multiple virtual processors whenever possible.
  • 14. #6: Ensure Backups Actually Work. A backup isn’t usable unless it can be verifiably restored! You need a backup solution that performs an integrity check for every backup job. That verification gives you the guarantee that every object, DC, or forest restore will complete successfully. The right solution for protecting your AD data will not only back up and restore that data, it will also automatically verify the integrity of each backup.
  • 15. #7: Implement Anti-Affinity Rules. With the ever-changing nature of server resource utilization, load balancing is a never-ending activity. Relocating VMs can help keep the balance, but it can also result in two DCs being collocated on the same host. In every virtual platform there are “affinity rules”. They let you determine which VMs should, and which shouldn’t, end up on the same host. An anti-affinity rule is important with any virtualized DCs. That rule will instruct the virtual environment to ensure DCs never end up on the same host.
  • 16. #8: Separate Client and Administrator Traffic. The red button that powers off a VM is no different than the power button on a physical server. Hit that button, and the VM along with its workload is going to go down. You lock the doors of your datacenter. You should do the same with your virtual infrastructure. Separating client network traffic from the traffic used for virtual environment activities is just as important as locking your datacenter.
  • 17. #9: Prioritize Quick Object Restores. Individual object restores remain a challenge in AD. It is for this reason that every DC should be protected using solutions that prioritize quick restores. Virtualization makes it a bit easier: for example, a virtualized DC can be resurrected to a protected location for the purpose of restoring data. Once restored, the DC can be safely removed without impacting the production environment. Seek an AD backup solution that restores deleted objects with minimum time and effort.
  • 18. #10: Monitor Storage Performance. Today, storage has become a primary source of performance loss. It comes from incorrectly-configured or oversubscribed connections as a result of overtaxing SAN disks or spindle contention. While virtualized DCs tend not to have heavy storage performance requirements, monitoring IOPS across storage connections is important to performance management.
  • 19. #11: Remain a Bit Physical. Virtualization creates new risks for the servers. Hypervisor vulnerabilities, storage interruptions, and resource overutilization can all result in a virtual environment-wide outage. That outage becomes even more problematic when the entirety of your AD resides in the failed virtual environment. Preserving at least one DC as a physical server will ensure your AD foundation remains, even during the worst of virtual environment outages.
  • 20. #12: Have a Plan Solution for Disaster Recovery. Preparing for the worst requires having more than just a plan for disaster recovery. To make it efficient you need a backup tool: 1. Incorporate the tools for backing up AD data. 2. NB! Regularly ensure that your tools are functioning and can resurrect servers and data! 3. Remember that native backup tools (like Windows system state backup) won’t get you this far!
  • 21. What we covered? Making the decision to virtualize your Active Directory Domain Controllers can be smart for datacenter operations. Doing so, you free server resources for other activities and add the high availability and migration features. While virtualizing those DCs can make your life easier, doing it incorrectly will have the opposite effect! Virtualize DCs with Care. Protect Their Data with Greater Care.
  • 22. More questions? If you have any more questions on this or any related topic, don’t forget to visit our treasury of free educational content at
  • 23. Thank you! And don’t forget to add your feedback!
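
The checks behind practices #4, #7 and #11, as an added example that is not part of the original slides: it flags DC clocks past the 5-minute limit, DCs sharing a hypervisor host, and the absence of any physical DC. The DC names, host names and offset lines are constructed; the offset line format is assumed to follow `w32tm /stripchart /dataonly` output.

```python
import re
from collections import defaultdict

MAX_SKEW_SECONDS = 5 * 60  # the 5-minute limit from practice #4

# Constructed inventory: DC name -> hypervisor host (None = physical server).
PLACEMENT = {"dc01": "hv-a", "dc02": "hv-a", "dc03": "hv-b", "dc04": None}

# Constructed offset samples, one per DC; format assumed to match
# `w32tm /stripchart /dataonly` ("HH:MM:SS, +SS.fffffffs" or an error).
OFFSET_SAMPLES = {
    "dc01": "12:00:01, +00.0312500s",
    "dc02": "12:00:01, -412.5000000s",
    "dc03": "12:00:02, error: 0x800705B4",
    "dc04": "12:00:02, +02.1000000s",
}

OFFSET_RE = re.compile(r",\s*([+-]\d+\.\d+)s\s*$")

def parse_offset(line):
    """Return the clock offset in seconds, or None if the sample failed."""
    match = OFFSET_RE.search(line)
    return float(match.group(1)) if match else None

def clock_findings(samples, limit=MAX_SKEW_SECONDS):
    """Map DC -> 'drift' (past the limit) or 'no-sample' (time not measured)."""
    findings = {}
    for dc, line in samples.items():
        offset = parse_offset(line)
        if offset is None:
            findings[dc] = "no-sample"  # unknown skew is a finding, not a pass
        elif abs(offset) > limit:
            findings[dc] = "drift"
    return findings

def colocated_dcs(placement):
    """Return hosts running more than one DC (anti-affinity violations)."""
    by_host = defaultdict(list)
    for dc, host in placement.items():
        if host is not None:
            by_host[host].append(dc)
    return {host: sorted(dcs) for host, dcs in by_host.items() if len(dcs) > 1}

def has_physical_dc(placement):
    """True if at least one DC runs outside the virtual environment."""
    return any(host is None for host in placement.values())
```

A DC whose offset could not be measured is reported rather than skipped, since an unmeasured clock may already be past the limit.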