This blog is in response to a few questions I have and I would like to hear your opinions.
This past week I took the time to put my VMworld.com account to use and listen to some sessions. I took an hour to listen to EA6705 Best Practices for Virtualizing Active Directory. After listening to Chris Skinner, Sr. Program Manager-Worldwide Education, VMware, Inc, for an hour I had a better understanding of how to go about a best practice.
- TIME! this should always be on your radar when virtualizing AD. Chris makes some good suggestions about using registry hacks or even using VMware tools to sync your virtualized AD server.
- Make sure this VM always has enough CPU cycles to the clock can be updated. If your servers are strained for resources, and your AD server has to sit back and wait for a CPU cycle, there is a chance that the time sync may go off and things can go haywire in your environment.
- There was some heat between Gabe and Christian Mohn on this subject that you can read below. But "best practice" is to never do a P2V of your DC
- Don't oversubscribe virtual hardware to this box. Always start off with 1vCPU unless you know you are going to have TONs of objects, then a 2vCPU VM may be necessary.
- Make sure this VM is on a High priority for VMware HA
- If you have multiple virtualized AD servers, use VMware DRS Anti-Affinity rules to make sure these 2 VMs are never sitting on the same host at one time.
- VMware Fault Tolerance is an available option for use with your PDC.
- Remote to decommission your old AD server, not just take it offline.
- Perform System State backups of your AD server
- Do not take snapshots of your AD server........................whoa, wait a hot minute. Let's examine this.
Chris states that you should "never, under any circumstance, take a snapshot of your Active Directory server. Microsoft has specifically said they will NOT support any domain controller that has been snapshotted". Here are his reasons
- it can cause corruption
- can start serious performance degradation
- it's not supported
It almost makes sense in a way. You never want to restore an entire VM or revert a snapshot of your DC. This would cause it to go back in time and hence screw everything up. If something happens, you want to have a system state backup and use that to create the new VM. Much less, when you are committing a snapshot to disk, there could be some time loss or interruption during the process.
So for all of us out there running Veeam, vRanger or any other virtualization only backup product that inherently takes a snapshot of a VM and off-loads that VM snapshot for backup processing, how do you get around this best practice? Currently with Veeam4 there is no way to take a system state backup, but Veeam5 will take care of that little requirement (so i hear 
). Take a read at Microsoft's Things to consider when you host Active Directory domain controllers in virtual hosting environments and see if it changes your mind on anything.
Chris Dearden over at jfvi.co.uk suggested "I would possibly look at in guest system state backups (thats what SCDPM does.)" or "you may decide not to back up your AD vm's , just take a system state off to a VM that does"
Any more suggestions on proper backup of your Active Directory VMs? What products do you use, is it a product developed for virtualization in mind?
