Virtualized Active Directory without Physical Domain Controller

Virtualizing the entire Active Directory without a Physical Domain Controller
As an Active Directory Administrator I would ask: can we set up a 100% virtual Active Directory without any physical Domain Controllers? Does that mitigate the risk of a virtualization platform malfunction affecting the entire Active Directory platform, or is the opposite true? Below I discuss the pros and cons of virtualizing Windows Active Directory Domain Controllers, based on my experience.


Pros:
Cookie cutter solution: easy to deploy a new branch; the team could build everything that was needed consistently and quickly
DR – even without an AD resource available, the operations team could start the build/recovery of the 3 machines
One powerful box in a rack was plenty grunty enough and reduced hardware support costs
Very easy and flexible to manage – e.g. assign more RAM/disks/CPUs
Some things we could troubleshoot quicker – e.g. one DC had a non-paged pool leak, so in the vSphere console the ops team could collect the RAM consumption across the DCs quicker than I could individually, and could also report it historically – a feature I didn’t have
Cons:
Due to PCI etc., the team that could access the VMware console/iLO was separate from us AD DAs, so I was dead in the water for troubleshooting; at most I could request that they bounce the box – I could not get on the console or even access DSRM
Troubleshooting was possible, but I had to work together with the infrastructure team: I did the AD bits and they did the physical bits – and we were in different time zones too
VMware was quite out of date, so daily we would experience problems that would start with reports along the lines of “the new build is not working”, which then became “GPO is not working”, which was then found to be the local DC being unresponsive, which was then traced to an issue with vSphere – everything from the VMware tools hanging to some performance issue on the host. I exhausted many cycles proving it was not an AD problem – if I had just had access to the console I would have known quickly that it was a host issue. After vSphere was updated to 5.5 the issues went away, so the learning from this was that monitoring the health of vSphere is important, having a vSphere resource on hand or some vSphere training for the AD guys is necessary, and access to vSphere is important for supporting AD.
Misconfiguration: for example, the VMware tools were used to set the time on the DCs, which would often result in an incorrect clock at best, and there were times that a DC hung; I was told by the ops team that this was due to the VMware tools hanging – so a low-level application, without even DA or Server Operator rights, was able to impact the DCs
Operations would not always understand that a DC should be treated like a physical DC in that it should be gracefully shut down – many times it was hard powered off instead
Backup was run via “CommVault” – during a post-mortem, although I could see the ESENT/VSS services correctly stopping the database for a snapshot, it turned out the backups being taken were worthless. So again, because another team was managing the backups and the AD team didn’t have any control over them, there was no one responsible for verifying the viability of the backups
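The three failure modes in the cons above (a DC taking its clock from somewhere other than the domain hierarchy, DCs being hard powered off, and backups that nobody verifies) can each be checked from the AD side without vSphere access. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed and that the account can read each DC's System event log and run w32tm/repadmin against it remotely.

```powershell
# Added example: per-DC health report covering time source, unexpected
# shutdowns and last AD-aware backup. Not from the original post.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-30)   # look-back window for hard power-offs

foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    $r = [ordered]@{ DC = $name }

    # 1. Time source. A DC should sync from the domain hierarchy (or an
    #    external NTP source on the PDC emulator). "Local CMOS Clock",
    #    "Free-running System Clock" or the Hyper-V "VM IC Time
    #    Synchronization Provider" indicate the clock is not coming from AD.
    #    Note: VMware Tools time sync bypasses W32Time entirely and is
    #    configured on the VM side, so it will not show up here; this check
    #    only proves that W32Time itself is configured correctly.
    $src = (w32tm /query /computer:$name /source 2>&1 | Out-String).Trim()
    $r.TimeSource   = $src
    $r.TimeSourceOk = ($src -notmatch 'Local CMOS Clock|Free-running|VM IC Time Synchronization Provider')

    # 2. Hard power-offs. Event ID 6008 in the System log is written after an
    #    unexpected (non-graceful) shutdown; any count > 0 on a DC is worth
    #    raising with the operations team.
    $hard = Get-WinEvent -ComputerName $name `
        -FilterHashtable @{ LogName = 'System'; Id = 6008; StartTime = $since } `
        -ErrorAction SilentlyContinue
    $r.UnexpectedShutdowns30d = @($hard).Count

    # 3. Backup viability. repadmin /showbackup reads the last backup
    #    timestamp that an AD-aware (VSS, system state) backup records in the
    #    directory itself, so a stale or missing date means the backups being
    #    taken are not usable for AD restore, whatever the backup tool reports.
    $r.LastADBackup = (repadmin /showbackup $name 2>&1 | Out-String).Trim()

    [pscustomobject]$r
}
```

Run it on a schedule and alert on TimeSourceOk being false, a non-zero UnexpectedShutdowns30d, or a LastADBackup date older than the tombstone/backup policy allows.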

Recommendation:
It is better to have a couple of physical Domain Controllers to avoid the design issues above; I would recommend keeping the AD roles on a physical box, which makes recovery easier.
