Always Virtualize Domain Controllers
-
@scottalanmiller said in Always Virtualize Domain Controllers:
@DustinB3403 said in Always Virtualize Domain Controllers:
Yes virtualize, if you are virtualizing while utilizing CSV storage, it's recommended that you keep a physical DC system.
No, absolutely not. First, because no matter what MS recommends it's not okay to do, ever. This is an industry best practice, no vendor can say anything about that. Second, MS doesn't say that, they explain clearly that that is not what they meant to convey.
Note: Always have at least one DC that is on physical hardware so that failover clusters and other infrastructure can start. When you host domain controllers on virtual machines that are managed by Windows Server 2008 R2 or by Hyper-V Server 2008 R2, we recommend that you store the virtual machine files on cluster disks that are not configured as Cluster Shared Volumes (CSV) disks. This allows for easier recovery in specific failure situations. If there is a site failure or a problem that causes the whole cluster to crash and the DC on physical hardware is not available, storing the virtual machine files on a non-CSV cluster disk should enable the cluster to start. In this situation, the disks that are required by the virtual machine can be brought online. This will let you start the virtual machine that hosts the domain controller. Then, you can bring CSV disks online and start other nodes. This process is required only if there are no other domain controllers available at the time that the cluster is started.
Either they have messed up documentation, that was reviewed just a few months ago (likely) or they have a solid reason for this that is being ignored.
I'm quoting MS here, so don't shoot the messenger.
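The storage placement described in the Microsoft note quoted above can be checked from a cluster node. This is an added example, not part of the original thread or of Microsoft's documentation: it lists the files of the named DC VMs and flags any that sit on a Cluster Shared Volume. It assumes a Hyper-V cluster node running Windows Server 2012 or later with the Hyper-V and FailoverClusters modules; the VM names `DC01` and `DC02` are hypothetical.

```powershell
# Added example: audit whether domain controller VMs keep any files on a CSV.
# Assumes Windows Server 2012 or later with the Hyper-V and FailoverClusters
# modules installed; the default VM names below are hypothetical.
param(
    [string[]]$DcVmNames = @('DC01', 'DC02')   # hypothetical DC VM names
)

Import-Module Hyper-V, FailoverClusters

# Mount point of every Cluster Shared Volume (e.g. C:\ClusterStorage\Volume1),
# normalised to end in a backslash so prefix matching stops at a folder boundary.
$csvRoots = Get-ClusterSharedVolume |
    ForEach-Object { $_.SharedVolumeInfo.FriendlyVolumeName } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-OnCsv([string]$Path) {
    # True when $Path is a CSV mount point or lies beneath one.
    $candidate = $Path.TrimEnd('\') + '\'
    foreach ($root in $csvRoots) {
        if ($candidate.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

foreach ($name in $DcVmNames) {
    $vm = Get-VM -Name $name -ErrorAction Stop

    # Configuration, checkpoint and smart paging locations, plus every virtual disk.
    $paths = @($vm.ConfigurationLocation, $vm.SnapshotFileLocation, $vm.SmartPagingFilePath)
    $paths += Get-VMHardDiskDrive -VMName $name | ForEach-Object { $_.Path }

    foreach ($p in ($paths | Where-Object { $_ } | Select-Object -Unique)) {
        [pscustomobject]@{
            VM    = $name
            Path  = $p
            OnCsv = Test-OnCsv $p   # True means this file depends on a CSV being online
        }
    }
}
```

`Get-VM` only returns VMs on the local node, so run this on the node that currently owns each DC VM.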
-
@DustinB3403 said in Always Virtualize Domain Controllers:
Either they have messed up documentation, that was reviewed just a few months ago (likely) or they have a solid reason for this that is being ignored.
I'm quoting MS here, so don't shoot the messenger.
Yes, you quoted the same quote that I gave and explained why you were confused. Go back and read what they and I wrote again. We know that they got the wording wrong, but they made it crystal clear what their goal was which made it perfectly clear that a physical install was not the answer.
You are quoting their mistake AND you are quoting their clarification of it.
Just because they review something doesn't mean that they paid enough attention to catch their own mistake. We know it has a mistake as it conflicts with itself. That there is a mistake isn't up for debate. That they reviewed it and didn't correct the mistake is not up for debate. Those are set in stone.
What's obvious is that they made one little mistake missing like one word in a phrase, but they finished the phrase explaining what they meant and clarifying it for us. Everyone makes mistakes, but they wrote this well enough so that we should never also make the mistake of thinking that they just said a physical install is ever acceptable.
-
I even bolded it so that you could not miss their clarification.
Since we know that a physical install is not what does that, we know that they typed the wrong thing and left out the word "separated".
-
I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.
-
@scottalanmiller said in Always Virtualize Domain Controllers:
I even bolded it so that you could not miss their clarification.
Since we know that a physical install is not what does that, we know that they typed the wrong thing and left out the word "separated".
To play devil's advocate here, you're adding the word "separated". They could very well mean it. . .
-
Assuming everyone is correctly deploying Domain Controllers (2016, 2012 R2 at least), then yes ALWAYS virtualize DCs.
-
@DustinB3403 said in Always Virtualize Domain Controllers:
@scottalanmiller said in Always Virtualize Domain Controllers:
I even bolded it so that you could not miss their clarification.
Since we know that a physical install is not what does that, we know that they typed the wrong thing and left out the word "separated".
To play devil's advocate here, you're adding the word "separated". They could very well mean it. . .
Except they explain what they meant.
-
@Tim_G said in Always Virtualize Domain Controllers:
I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.
Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.
-
@scottalanmiller said in Always Virtualize Domain Controllers:
@Tim_G said in Always Virtualize Domain Controllers:
I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.
Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.
Yes but as a VM, the risk is so much greater if you aren't aware of what can cause it.
-
@Tim_G said in Always Virtualize Domain Controllers:
@scottalanmiller said in Always Virtualize Domain Controllers:
@Tim_G said in Always Virtualize Domain Controllers:
I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.
Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.
Yes but as a VM, the risk is so much greater if you aren't aware of what can cause it.
But it isn't the virtualization. This is just "do your job well". This same logic would lead us to say that using a SAN is always bad too, because even more so than virtualization that "encourages" snapping.
-
@scottalanmiller said in Always Virtualize Domain Controllers:
@Tim_G said in Always Virtualize Domain Controllers:
@scottalanmiller said in Always Virtualize Domain Controllers:
@Tim_G said in Always Virtualize Domain Controllers:
I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.
Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.
Yes but as a VM, the risk is so much greater if you aren't aware of what can cause it.
But it isn't the virtualization. This is just "do your job well". This same logic would lead us to say that using a SAN is always bad too, because even more so than virtualization that "encourages" snapping.
Right.
Who are those that are still running Server 2008 DCs, that are wanting to virtualize them on old Hyper-V?
I'll tell you, exactly the type of people who are more likely to unknowingly cause rollback or other issues by not doing things right or not doing their job well as you say.
-
@Tim_G said in Always Virtualize Domain Controllers:
@scottalanmiller said in Always Virtualize Domain Controllers:
@Tim_G said in Always Virtualize Domain Controllers:
@scottalanmiller said in Always Virtualize Domain Controllers:
@Tim_G said in Always Virtualize Domain Controllers:
I would advise against virtualizing domain controllers Pre-Server 2012, mostly due to prior versions missing safeguards. But if you know what you are doing and know how to prevent rollback and other issues, then it should be done. This is of course if there's no possible way to run 2016, or even 2012 R2.
Rollback is a risk with physical too. That's not a virtual risk. That's a general best practice about snapshotting one portion of a live database.
Yes but as a VM, the risk is so much greater if you aren't aware of what can cause it.
But it isn't the virtualization. This is just "do your job well". This same logic would lead us to say that using a SAN is always bad too, because even more so than virtualization that "encourages" snapping.
Right.
Who are those that are still running Server 2008 DCs, that are wanting to virtualize them on old Hyper-V?
I'll tell you, exactly the type of people who are more likely to unknowingly cause rollback or other issues by not doing things right or not doing their job well as you say.
Right, so the recommendation is "don't be those people." It's not virtualization that's the risk, it's incompetent shops. That's the actual issue that needs to be solved. Running a physical DC isn't going to protect them in any way.
-
What that document should be saying is that you need a DC on a system that is not part of the cluster.
Said system should be a domain joined Hyper-V Server running the DC as a VM.
-
@JaredBusch said in Always Virtualize Domain Controllers:
What that document should be saying is that you need a DC on a system that is not part of the cluster.
Said system should be a domain joined Hyper-V Server running the DC as a VM.
Exactly.
-
But that said, you are wrong @scottalanmiller. You are choosing to interpret the words with your own bias. The words mean what they mean and there is no clarification that correctly states what you want.
You are correct it is an industry standard to always virtualize and you are right that the Microsoft document should be corrected.
-
@JaredBusch said in Always Virtualize Domain Controllers:
But that said, you are wrong @scottalanmiller. You are choosing to interpret the words with your own bias. The words mean what they mean and there is no clarification that correctly states what you want.
You are correct it is an industry standard to always virtualize and you are right that the Microsoft document should be corrected.
But they explained what they meant and it didn't match what they said. So the other option is that they don't know enough. If I'm wrong, it's really bad that MS doesn't understand the issue.
-
@scottalanmiller said in Always Virtualize Domain Controllers:
@JaredBusch said in Always Virtualize Domain Controllers:
But that said, you are wrong @scottalanmiller. You are choosing to interpret the words with your own bias. The words mean what they mean and there is no clarification that correctly states what you want.
You are correct it is an industry standard to always virtualize and you are right that the Microsoft document should be corrected.
But they explained what they meant and it didn't match what they said. So the other option is that they don't know enough. If I'm wrong, it's really bad that MS doesn't understand the issue.
No, they clearly state multiple times physical server. They should not, but they do. They do correctly say that at least one DC on the cluster make sure that the virtual disks for the DC not be on the CSV for when the physical DC is not available.
-
@JaredBusch said in Always Virtualize Domain Controllers:
@scottalanmiller said in Always Virtualize Domain Controllers:
@JaredBusch said in Always Virtualize Domain Controllers:
But that said, you are wrong @scottalanmiller. You are choosing to interpret the words with your own bias. The words mean what they mean and there is no clarification that correctly states what you want.
You are correct it is an industry standard to always virtualize and you are right that the Microsoft document should be corrected.
But they explained what they meant and it didn't match what they said. So the other option is that they don't know enough. If I'm wrong, it's really bad that MS doesn't understand the issue.
No, they clearly state multiple times physical server. They should not, but they do. They do correctly say that at least one DC on the cluster make sure that the virtual disks for the DC not be on the CSV for when the physical DC is not available.
I only saw one spot with it and there was every reason to accept a typo. At least they provide the explanation of their goal so we know they provided the wrong solution. Because we know that they confused their goal with the wrong proximate.
-
@scottalanmiller said in Always Virtualize Domain Controllers:
@JaredBusch said in Always Virtualize Domain Controllers:
@scottalanmiller said in Always Virtualize Domain Controllers:
@JaredBusch said in Always Virtualize Domain Controllers:
But that said, you are wrong @scottalanmiller. You are choosing to interpret the words with your own bias. The words mean what they mean and there is no clarification that correctly states what you want.
You are correct it is an industry standard to always virtualize and you are right that the Microsoft document should be corrected.
But they explained what they meant and it didn't match what they said. So the other option is that they don't know enough. If I'm wrong, it's really bad that MS doesn't understand the issue.
No, they clearly state multiple times physical server. They should not, but they do. They do correctly say that at least one DC on the cluster make sure that the virtual disks for the DC not be on the CSV for when the physical DC is not available.
I only saw one spot with it and there was every reason to accept a typo. At least they provide the explanation of their goal so we know they provided the wrong solution. Because we know that they confused their goal with the wrong proximate.
Then read closer because there is more than one.
-
Yeah, this is confusing. My co-worker was quoting Microsoft the other day and I looked exactly this up. It's hard to be able to justify virtualization in this scenario from where I am standing because I'd essentially either be insinuating Microsoft doesn't know their own products or saying people I know, know more than they do. It's not an easy sell.