
    Always Virtualize Domain Controllers

    • scottalanmillerS
      scottalanmiller @black3dynamite
      last edited by

      @black3dynamite said in Always Virtualize Domain Controllers:

      I think it's easier, faster and safer to recover from a one domain controller VM setup than it is to recover from a physical domain controller.

      This is really the case for all systems that need to be recovered.

      • DustinB3403D
        DustinB3403 @black3dynamite
        last edited by

        @black3dynamite said in Always Virtualize Domain Controllers:

        It would help if Microsoft would also recommend to always virtualize domain controllers.

        The issue is that they do recommend virtualizing Domain Controllers, except in specific setups, like DCs using CSVs as the underlying storage.

        In those cases they recommend having an external physical due to the chicken / egg issue.

        Source in Notes

        • scottalanmillerS
          scottalanmiller @DustinB3403
          last edited by

          @DustinB3403 said in Always Virtualize Domain Controllers:

          @black3dynamite said in Always Virtualize Domain Controllers:

          It would help if Microsoft would also recommend to always virtualize domain controllers.

          The issue is that they do recommend virtualizing Domain Controllers, except in specific setups, like DCs using CSVs as the underlying storage.

          In those cases they recommend having an external physical due to the chicken / egg issue.

          Source in Notes

          That's a decade-old resource and has the explanation so that it shows you that they didn't actually make the recommendation: "Note: Always have at least one DC that is on physical hardware so that failover clusters and other infrastructure can start."

          They explain their statement so that you know that they misworded the statement. The goal is so that failover clusters can start, and we know that there is no need for physical for that. They meant physically separated. Yes, they misspoke, but MS is really good about giving the logic so that there is no question that it was a mis-statement or misunderstood (written incorrectly in this case). So even in this article, they don't actually say that a physical DC is okay, even a decade ago.

          • black3dynamiteB
            black3dynamite
            last edited by

            Microsoft recommendations seem to take up multiple pages instead of just straight up saying it from the beginning. I understand it's necessary to go into further detail about the right way to configure a virtualized domain.

            It's like when asking a yes or no question. The answer becomes a damn sentence.

            That's why I enjoy these types of forums. It's quick and precise.

            • black3dynamiteB
              black3dynamite
              last edited by

              This is pretty decent.
              http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(ws.10).aspx

              • DustinB3403D
                DustinB3403 @scottalanmiller
                last edited by

                @scottalanmiller said in Always Virtualize Domain Controllers:

                @DustinB3403 said in Always Virtualize Domain Controllers:

                @black3dynamite said in Always Virtualize Domain Controllers:

                It would help if Microsoft would also recommend to always virtualize domain controllers.

                The issue is that they do recommend virtualizing Domain Controllers, except in specific setups, like DCs using CSVs as the underlying storage.

                In those cases they recommend having an external physical due to the chicken / egg issue.

                Source in Notes

                That's a decade-old resource and has the explanation so that it shows you that they didn't actually make the recommendation: "Note: Always have at least one DC that is on physical hardware so that failover clusters and other infrastructure can start."

                They explain their statement so that you know that they misworded the statement. The goal is so that failover clusters can start, and we know that there is no need for physical for that. They meant physically separated. Yes, they misspoke, but MS is really good about giving the logic so that there is no question that it was a mis-statement or misunderstood (written incorrectly in this case). So even in this article, they don't actually say that a physical DC is okay, even a decade ago.

                Reviewed and updated in March of 2017.

                So it's still a pertinent document to review based on how things are being planned in "your" environment.

                Yes, virtualize; if you are virtualizing while utilizing CSV storage, it's recommended that you keep a physical DC system.

                • scottalanmillerS
                  scottalanmiller @DustinB3403
                  last edited by

                  @DustinB3403 said in Always Virtualize Domain Controllers:

                  Yes, virtualize; if you are virtualizing while utilizing CSV storage, it's recommended that you keep a physical DC system.

                  No, absolutely not. First, because no matter what MS recommends it's not okay to do, ever. This is an industry best practice, no vendor can say anything about that. Second, MS doesn't say that, they explain clearly that that is not what they meant to convey.

                  • DashrenderD
                    Dashrender @scottalanmiller
                    last edited by

                    @scottalanmiller said in Always Virtualize Domain Controllers:

                    @DustinB3403 said in Always Virtualize Domain Controllers:

                    Yes, virtualize; if you are virtualizing while utilizing CSV storage, it's recommended that you keep a physical DC system.

                    No, absolutely not. First, because no matter what MS recommends it's not okay to do, ever. This is an industry best practice, no vendor can say anything about that. Second, MS doesn't say that, they explain clearly that that is not what they meant to convey.

                    Why haven't they fixed it? 😞
                    Stupid conversations come up because of these mis-writings.

                    • DustinB3403D
                      DustinB3403 @scottalanmiller
                      last edited by

                      @scottalanmiller said in Always Virtualize Domain Controllers:

                      @DustinB3403 said in Always Virtualize Domain Controllers:

                      Yes, virtualize; if you are virtualizing while utilizing CSV storage, it's recommended that you keep a physical DC system.

                      No, absolutely not. First, because no matter what MS recommends it's not okay to do, ever. This is an industry best practice, no vendor can say anything about that. Second, MS doesn't say that, they explain clearly that that is not what they meant to convey.

                      Note: Always have at least one DC that is on physical hardware so that failover clusters and other infrastructure can start. When you host domain controllers on virtual machines that are managed by Windows Server 2008 R2 or by Hyper-V Server 2008 R2, we recommend that you store the virtual machine files on cluster disks that are not configured as Cluster Shared Volumes (CSV) disks. This allows for easier recovery in specific failure situations. If there is a site failure or a problem that causes the whole cluster to crash and the DC on physical hardware is not available, storing the virtual machine files on a non-CSV cluster disk should enable the cluster to start. In this situation, the disks that are required by the virtual machine can be brought online. This will let you start the virtual machine that hosts the domain controller. Then, you can bring CSV disks online and start other nodes. This process is required only if there are no other domain controllers available at the time that the cluster is started

                      Either they have messed up documentation, that was reviewed just a few months ago (likely) or they have a solid reason for this that is being ignored.

                      I'm quoting MS here, so don't shoot the messenger.

                      • scottalanmillerS
                        scottalanmiller @DustinB3403
                        last edited by

                        @DustinB3403 said in Always Virtualize Domain Controllers:

                        Either they have messed up documentation, that was reviewed just a few months ago (likely) or they have a solid reason for this that is being ignored.

                        I'm quoting MS here, so don't shoot the messenger.

                        Yes, you quoted the same quote that I gave and explained why you were confused. Go back and read what they and I wrote again. We know that they got the wording wrong, but they made it crystal clear what their goal was, which made it perfectly clear that a physical install was not the answer.

                        You are quoting their mistake AND you are quoting their clarification of it.

                        Just because they review something doesn't mean that they paid enough attention to catch their own mistake. We know it has a mistake as it conflicts with itself. That there is a mistake isn't up for debate. That they reviewed it and didn't correct the mistake is not up for debate. Those are set in stone.

                        What's obvious is that they made one little mistake missing like one word in a phrase, but they finished the phrase explaining what they meant and clarifying it for us. Everyone makes mistakes, but they wrote this well enough so that we should never also make the mistake of thinking that they just said a physical install is ever acceptable.

                        • scottalanmillerS
                          scottalanmiller
                          last edited by

                          I even bolded it so that you could not miss their clarification.

                          0_1498762974691_Screenshot from 2017-06-29 14-02-34.png

                          Since we know that a physical install is not what does that, we know that they typed the wrong thing and left out the word "separated".

                          • ObsolesceO
                            Obsolesce
                            last edited by

                            I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.

                            https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controller-deployment-and-configuration

                            • DustinB3403D
                              DustinB3403 @scottalanmiller
                              last edited by

                              @scottalanmiller said in Always Virtualize Domain Controllers:

                              I even bolded it so that you could not miss their clarification.

                              0_1498762974691_Screenshot from 2017-06-29 14-02-34.png

                              Since we know that a physical install is not what does that, we know that they typed the wrong thing and left out the word "separated".

                              To play devil's advocate here, you're adding the word "separated". They could very well mean it...

                              • ObsolesceO
                                Obsolesce
                                last edited by

                                Assuming everyone is correctly deploying Domain Controllers (2016, 2012 R2 at least), then yes ALWAYS virtualize DCs.

                                • scottalanmillerS
                                  scottalanmiller @DustinB3403
                                  last edited by

                                  @DustinB3403 said in Always Virtualize Domain Controllers:

                                  @scottalanmiller said in Always Virtualize Domain Controllers:

                                  I even bolded it so that you could not miss their clarification.

                                  0_1498762974691_Screenshot from 2017-06-29 14-02-34.png

                                  Since we know that a physical install is not what does that, we know that they typed the wrong thing and left out the word "separated".

                                  To play devil's advocate here, you're adding the word "separated". They could very well mean it...

                                  Except they explain what they meant.

                                  • scottalanmillerS
                                    scottalanmiller @Obsolesce
                                    last edited by

                                    @Tim_G said in Always Virtualize Domain Controllers:

                                    I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.

                                    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controller-deployment-and-configuration

                                    Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.

                                    • ObsolesceO
                                      Obsolesce @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Always Virtualize Domain Controllers:

                                      @Tim_G said in Always Virtualize Domain Controllers:

                                      I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.

                                      https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controller-deployment-and-configuration

                                      Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.

                                      Yes but as a VM, the risk is so much greater if you aren't aware of what can cause it.

                                      • scottalanmillerS
                                        scottalanmiller @Obsolesce
                                        last edited by

                                        @Tim_G said in Always Virtualize Domain Controllers:

                                        @scottalanmiller said in Always Virtualize Domain Controllers:

                                        @Tim_G said in Always Virtualize Domain Controllers:

                                        I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.

                                        https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controller-deployment-and-configuration

                                        Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.

                                        Yes but as a VM, the risk is so much greater if you aren't aware of what can cause it.

                                        But it isn't the virtualization. This is just "do your job well". This same logic would lead us to say that using a SAN is always bad too, because even more so than virtualization that "encourages" snapping.

                                        • ObsolesceO
                                          Obsolesce @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in Always Virtualize Domain Controllers:

                                          @Tim_G said in Always Virtualize Domain Controllers:

                                          @scottalanmiller said in Always Virtualize Domain Controllers:

                                          @Tim_G said in Always Virtualize Domain Controllers:

                                          I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.

                                          https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controller-deployment-and-configuration

                                          Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.

                                          Yes but as a VM, the risk is so much greater if you aren't aware of what can cause it.

                                          But it isn't the virtualization. This is just "do your job well". This same logic would lead us to say that using a SAN is always bad too, because even more so than virtualization that "encourages" snapping.

                                          Right.

                                          Who are those that are still running Server 2008 DCs, that are wanting to virtualize them on old Hyper-V?

                                          I'll tell you, exactly the type of people who are more likely to unknowingly cause rollback or other issues by not doing things right or not doing their job well as you say.

                                          • scottalanmillerS
                                            scottalanmiller @Obsolesce
                                            last edited by

                                            @Tim_G said in Always Virtualize Domain Controllers:

                                            @scottalanmiller said in Always Virtualize Domain Controllers:

                                            @Tim_G said in Always Virtualize Domain Controllers:

                                            @scottalanmiller said in Always Virtualize Domain Controllers:

                                            @Tim_G said in Always Virtualize Domain Controllers:

                                            I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.

                                            https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controller-deployment-and-configuration

                                            Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.

                                            Yes but as a VM, the risk is so much greater if you aren't aware of what can cause it.

                                            But it isn't the virtualization. This is just "do your job well". This same logic would lead us to say that using a SAN is always bad too, because even more so than virtualization that "encourages" snapping.

                                            Right.

                                            Who are those that are still running Server 2008 DCs, that are wanting to virtualize them on old Hyper-V?

                                            I'll tell you, exactly the type of people who are more likely to unknowingly cause rollback or other issues by not doing things right or not doing their job well as you say.

                                            Right, so the recommendation is "don't be those people." It's not virtualization that's the risk, it's incompetent shops. That's the actual issue that needs to be solved. Running a physical DC isn't going to protect them in any way.
