Virtualized Active Directory without Physical Domain Controller

Virtualizing entire Active Directory without Physical Domain Con07oller
As an Active Directory Adminis07ator I would think like, Can we setup or create a 100% virtual Active Directory without Physical Domain Con07ollers? It mitigates the risk of virtualization platform malfunction that will affect entire Active Directory platform, is this correct? Will discuss Pros and Cons of Virtualizing Windows Active Directory Domain Con07ollers

Also Read: Differences between Windows Server 2012 R2 Hyper-V and Hyper-V Server 2012 R2

 

Pros:
Cookie cutter solution: Easy to deploy a new branch, they could build everything that was needed consistently and quickly
DR – even without AD resource available the operations team could start the build/recovery of the 3 machines
One powerful box in a rack was plenty grunty enough and reduced hardware support costs
Very easy and flexible to manage – like assign more RAM/disks/CPUs
Some things we could 07oubleshoot quicker – like one DC had a non-paged pool leak, so in the vSphere console the ops team could collect the RAM consumption across the DCs quicker than I could individually and also report historically – a feature I didn’t have
Cons:
Due to PCI etc. – the team that could access the VMware console/iLo were separate to us AD DAs, so I was dead in the water for 07oubleshooting and at most I could request they could bounce the box – I could not get on the console or even access DSRM
Troubleshooting was possible but I had to work together with the infras07ucture team for me to do the AD bits and for them to do the physical bits – we were in different time-zones too
VMware was quite out of date, so daily we would experience problems that would start along the lines of reports that “the new build was not working”, which then became “GPO is not working”, which then was found the local DC was un-responsive, which was then 07aced to an issue with vSphere – everything from the VMware tools hanging to some perf issue on the box. I exhausted many cycles proving it was not an AD problem – if I just had access to the console I’d have known quickly that it was a host issue. Well anyway after vSphere was updated to 5.5 the issues went away รจ so the learning from this was that monitoring and health of vSphere was important + having a vSphere resource on hand or some vSphere 07aining for the AD guys was necessary + access to vSphere is important for supporting AD.




Misconfiguration; such as the VMware tools were used to set the time on the DCs and would often result in an incorrect clock at best and there were times that a DC had hung, I was told by the ops team that this was due to the VMware tools hanging – so a low level application, without even DA or Server Operator rights, was able to impact the DCs
Operations would not always understand that the DC should be 07eated like a physical DC in that it should be gracefully shut down – many times it was often hard powered off
up was run via “CommVault” – during a post-mortem although I could see the ESENT/VSS services correctly stopping the database for a snapshot, it turns out the backups being taken were worthless. So again because another team was managing the backups and the AD team didn’t have any con07ol over them, there was no one responsible for verifying the viability of the backups

Recommendation:
Better to have couple of physical Domain Con07ollers to avoid any design issues, I would recommend to keep the AD roles on physical box which helps easy recovery

Comments

Post a Comment

Popular posts from this blog

The request has both SAS authentication scheme and 'Bearer' authorization scheme. Only one scheme should be used

Image
While doing testing after doing a POC on Securing Logic App with Azure Active Directory authentication , where I have put logic app behind APIM and before passing the request to logic app, apim does validation of the token.  I was encountered with an error "The request has both SAS authentication scheme and 'Bearer' authorization  scheme.  Only one scheme should be used." Why it happened After validating the token which is part of the header i.e. Authorization, APIM forwards the request as it is to backend. As  Logic app is configured as  back end , it's url already consist of SAS signature plus the request also has Authorization section and this is the problem. By default every request endpoint on a logic app has a Shared Access Signature (SAS) in the endpoint's URL, which follows this format: https://<request-endpoint-URI>sp=<permissions>sv...
Read more

Getting Started with Logic Apps - AS2

Image
What is AS2? Every enterprise requires some kind of product, service or counselling from another enterprises thus there happens a B2B(business to business) communications, some of the communication is unique whereas most of the communications are common for most of the enterprises e.g., Purchase Order. But every enterprise has there own way(format) of sending the messages, leading to difficult management when number of partners increased.  Considering this the Enterprise leaders decided to have some standards/rules defined across the communication leading to B2B protocol standards which provide guidelines for trading partners to follow when conducting business between enterprises. EDI X12, EDIFACT, TRADACOM etc. AS2 stands for Applicability Statement 2 and is a B2B messaging protocol used to transmit Electronic Data Interchange (EDI)/Business documents from one organization to another. So EDI standards define how to format data and AS2 specifies how to securely transport...
Read more

How to Debug and Trace request in Azure APIM - Portal, Postman, RequestBin

Image
Introduction  APIM is a great option to expose API's with out of box features for applying restrictions, preprocessing, postprocessing etc. You can leverage existing API's,  by importing it and it gets added as a new API with all the operations associated with it. And based on the requirements you  apply policies at the stage/level (Inbound,Backend/Outbound) and you are ready to use the API. Before it is shared, we do some testing to make sure everything is working as per the expectation and this is where Debugging and Tracing request becomes important. APIM does provide a way to Trace a call with the help of  Ocp-Apim-Trace http header. So whichever request/call is to be traced, it needs to include this in header  with the value set to true and it has dependency on another header, so that also needs to be passed i.e.  Ocp-Apim-Subscription-Key Note: The api on which Tracing is to applied , it requires the subscription key to be en...
Read more