At branch offices, we want to run DC and F&P. I've seen the pros and cons batted back and forth in this forum and elsewhere. The MS white paper presented (as I recall) three scenarios for this but does not settle on a "best practice". The scenarios are:
1) Host machine runs VS2005; DC is virtual, other servers (such as F&P) are also virtual
2) Host machine runs VS2005 and DC; other servers are virtual
3) Host machine runs VS2005 and F&P; DC is virtual

(Caveat: I have not re-read the white paper in about six months and don't know if there has been an update since late last year.)

-- nme

-----Original Message-----
From: Brett Shirley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 19, 2006 7:33 AM
To: [email protected]
Subject: RE: [ActiveDir] Virtual DCs

Random thoughts on VM based DCs ...

1. There is a whitepaper on Virtual DCs on msft's site, I didn't see it mentioned below, so I thought I'd mention it.
2. The whitepaper neglected to mention that you should turn off HD caching on the host system.
3. Of course "diff-disks" are absolutely not supported, as well as making copies of the .vhds or VMWare equiv (?what is this called?) for backup / restore purposes. If you don't understand why, don't even try this, you're sure to mess up your _forest_ (not just a single DC).
4. Also there is some question in my mind, as to whether .vhds or the VMWare equivalent are as crash safe as the underlying ESE DB on raw hardware.
5. Also stacking all VM DCs for a single domain or NC on a single physical box, doesn't make sense as well as you ruin any real redundancy.

Given 4 and the fact that I'm[1] unlikely to care about debugging / fixing a corruption from a database on a VM system, it makes 5 esp. critical. It doesn't mean you need physical DCs, just that you shouldn't expose yourself to single fault failures ... which I would probably include as a whole power grid, ergo if datacenter power goes out, you should have either a physical DC (or two) for each domain or NC there, or have at least VM DCs running in a different datacenter.
I've always thought the multiple DCs from different domains on a server was an intriguing way to create sort of a "forest on a box" for disaster recovery purposes, but once you realize that 3 limits the ways you can recover it is somewhat (though not entirely) less interesting.

My 2c.

Cheers,
BrettSh [msft]

[1] And I'm an ESE Developer, aka basically at the top of the escalation ladder of people who can return your corrupted DB to a working state.

On Wed, 19 Jul 2006, Brad Smith wrote:

> I would definitely back the use of VM's on this one, although I would definitely keep one or two DC's present. I have personally done the rounds with MS on this, and we ended up with 5 physical DC's, and 38 Virtual ones. There were two reasons we retained physical DC's:
>
> 1) At the time (a couple of months ago), different staff in MS interpreted their own support policy differently, and they couldn't (and still haven't) resolved it. To ensure we had a supported environment we retained some physical DC's.
>
> 2) We were uncertain how much Exchange would pull on the DC's for its lookups, and to minimise risk of deploying VM's we gave the bigger sites (where our Exchange boxes were) physical DC's
>
> Ada, I say go for it, but keep one, possibly two physical DC's.
>
> Brad
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 08 June 2006 14:05
> To: [email protected]
> Subject: RE: [ActiveDir] Virtual DCs
>
> Along these lines, has anyone seen an actual best practices whitepaper for MS Virtual Server? How to configure disk arrays, controller cache, how many VHDs per volume, memory allocation, etc.
>
> Bryan Lucas
> Server Administrator
> Texas Christian University
> (817) 257-6971
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
> Sent: Wednesday, June 07, 2006 10:23 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Virtual DCs
>
> This is absolutely true. I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a "significant" amount in hardware cost for the enterprise). I have been closely watching my Exchange servers ever since our AD side of the house started virtualizing DC's and with domain controllers running on ESX servers in an optimized configuration the performance is very close to hardware. I have noticed that in terms of LDAP performance that VM's are a tad bit slower than hardware, but that "tad" is well within the range of performance that applications like Exchange require. After over a year of having virtualized DC's we have not had any problems with virtualized domain controllers (placed globally on ESX servers around the world). We do, however, work on the side of caution and do maintain a few hardware DC's in our HQ that own FSMO roles, but I've seen nothing to suggest that they could not be on VM's to date (it's just a precaution).
>
> I have to admit at first I totally dismissed virtualization because I considered it, like others, as more of a development\test environment solution, however I have since been convinced after working with virtualized OS's that it has its place (we have 100's if not 1000's of virtualized hosts currently in production). I/O intensive applications are not a good place for virtualization in production, but other less I/O intensive applications work great with it.
> Brian does have a point in that it has to be "done correctly" and with the right understanding of how to build a high performing virtualization environment it will work just fine for domain controllers\global catalog servers.
>
> Regards,
> Steven
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
> Sent: Wednesday, June 07, 2006 12:04 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Virtual DCs
>
> I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 7K users is like pocket change if you ask me. Really, the users generate no load - they logon to the PC and change their password. Things like Exchange (and OLK), machines, and other AD aware apps do. If properly written and the virtual hardware properly configured everything should still jive. If I had to make a one off guess with no more info I'd say go for it. The price war with MS and EMC on virtualization has made this far more economical, and if you're going to be doing branches, you can play your sacred card and virtualize stuff and quasi isolate it. There have been a couple lengthy discussions on that subject recently - Tony has a search widget on the website for this DL. :)
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
> Sent: Tuesday, June 06, 2006 8:50 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Virtual DCs
>
> Ada,
>
> I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it?
>
> This is not a criticism - just a curious thinking out loud moment...
>
> Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with.
> Proof of concept is always good in these scenarios... if you were to set this up in a lab, even with just two VMWare-ed DC's, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.
>
> Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However it does need to stay up all the time. ;)
>
> themolk.
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada
> Sent: Tuesday, 6 June 2006 9:51 PM
> To: [email protected]
> Subject: [ActiveDir] Virtual DCs
>
> We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VM Ware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or Bad idea?
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
