The problem with this is delegating the ability to support the remote systems. Possible of course - web based admin of the VM, and all that, but usually a pain. And if done wrong...

--Paul
----- Original Message -----
Sent: Thursday, July 20, 2006 3:35 AM
Subject: Re: [ActiveDir] Virtual DCs
Actually... thinking more about it, I think I'd rather go VMware for something else on a physical DC. In other words: load up a low utilization server on a VM inside a DC. This reduces your vulnerability, IMO.
On 7/19/06, Matt Hargraves <[EMAIL PROTECTED]> wrote:
I'd say that it should depend on the size of your environment.

I've seen the difference in performance between a 64-bit DC and a 32-bit DC in a large environment and unless a VM can run with enough RAM to load your entire DIT database in RAM, then a VM would be a poor idea, IMO.

In other words:

Small environments, go virtual with 2-4GB of RAM and you should be fine.

Larger environments where the DIT database is getting over 2GB in size, you will probably be better off going with physical machines and considering 64-bit DCs if your DIT is breaking 3GB of size.

The only recommendation that I'd put out there is to make sure that the physical boxes you're running your VMs on has more than enough bandwidth to do the job. In other words: Test a whole lot before you go forward with a plan to do it and make sure that you've got redundancy in place because you now have 2 more points of failure on a single DC: The OS that it's sitting on and the VMWare application.
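The sizing rule of thumb in Matt's message (the DIT should fit in the RAM available to the DC, with 2 GB and 3 GB as the points where physical and 64-bit hardware start to make sense) can be turned into a quick local check. The script below is an added example, not part of the original thread or any of the posters' tooling; it reads the DIT path from the NTDS `DSA Database file` registry value, compares the file size with installed RAM, and reports whether the machine is a guest. The 1 GB "reserved for the OS" figure is a constructed placeholder, not a measured value.

```powershell
# Added example: compare ntds.dit size against installed RAM on this DC.
# Run locally on a domain controller with administrative rights.
# The 'DSA Database file' value is where NTDS records the DIT location.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath    = (Get-ItemProperty -Path $ntdsParams -Name 'DSA Database file').'DSA Database file'
$ditBytes   = (Get-Item -LiteralPath $ditPath).Length

$cs       = Get-CimInstance -ClassName Win32_ComputerSystem
$ramBytes = $cs.TotalPhysicalMemory

# Assumption (constructed figure): about 1 GB of RAM is consumed by the OS and
# other services, leaving the rest for the ESE database cache. Tune for your build.
$reservedBytes     = 1GB
$availableForCache = $ramBytes - $reservedBytes

# VMware guests report 'VMware Virtual Platform'; Hyper-V guests report 'Virtual Machine'.
$isVirtual = $cs.Model -match 'VMware|Virtual Machine|Virtual Platform'

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Model             = $cs.Model
    IsVirtual         = $isVirtual
    DitPath           = $ditPath
    DitSizeGB         = [math]::Round($ditBytes / 1GB, 2)
    RamGB             = [math]::Round($ramBytes / 1GB, 2)
    DitFitsInCache    = $ditBytes -lt $availableForCache   # core of the rule of thumb
    Over2GBThreshold  = $ditBytes -gt 2GB                  # "consider physical" line
    Over3GBThreshold  = $ditBytes -gt 3GB                  # "consider 64-bit" line
}
```

Run it on each DC (or wrap it in `Invoke-Command`) before deciding which ones are candidates for virtualization; a DC whose DIT already exceeds the cache headroom is the case Matt calls a poor idea, whatever the hypervisor.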
On 7/19/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
The voice of reason? WTF? ;-)

Identifying return on effort is a great way to start any project. I highly recommend (and get beaten soundly for) it.

Brett, one additional thought on the "Forest-On-A-Box" idea: for remote sites that need a single server from a performance perspective, but need multiple forest NCs represented, this presents an opportunity to deploy more Microsoft DCs without additional hardware constraints. Since some of your brethren are advocating multiple forest deployments where once multiple domains existed, and because of WAN traffic limitations, virtualization offers a great way to make this happen without 4 extra physicals in the geo. This scenario requires an all-or-nothing approach to the DC - it either works or doesn't and that's all they really care about. Backups of that particular set of DCs weren't likely going to happen anyway, and they very likely would not have anyone local that they'd trust to restore the machine either and may not even want those people to have local server access. Offering a way to add in F/P plus the other forests and it's a compelling branch office forest-on-a-box with F/P solution.

Oh, the other product(s) you asked about is likely VMware Server http://www.vmware.com/products/ - Note that the virtualization software is also listed as a freely available option, although I have not personally seen what that entails at this point. They tend to make quality stuff though.

-ajm
On 7/19/06, Alex Alborzfard <[EMAIL PROTECTED]> wrote:
As others have suggested, virtualizing your DCs is obviously a viable option.

However, before doing so, I think you (or your management) first need to identify what you are trying to get out of it. Companies implement virtualization mainly for hardware consolidation reasons. There are other valid reasons such as saving time & $$ in server provisioning/administration, redundancy, and disaster recovery.

Speaking from experience with my clients, the decision to go virtual or not should be based on two factors: the physical requirement for the server and number of users or amount of activity on the server. The rule of thumb is to virtualize a server if it is currently under-utilized from CPU/Memory standpoint. So except for heavily used Exchange, SQL, or Citrix servers, almost all servers can be good candidates to be virtual. Almost all AD DCs fall within this category.

If your management is considering building a solid virtualization environment, I would recommend going with VMware (ESX) solution, especially if you have SAN.

It may not be free and there is a bigger learning curve involved, but you get the best bang for your buck especially in an enterprise environment because of its many advanced features and complementing technologies such as Virtual Center, VMotion, P2V, etc. To me it's like the difference between using Terminal Server and Citrix.

If however this is a one-time, ad-hoc effort, you can go with either VMware or MS server solutions. In either case, if your box is beefed up (has at least 2GB of RAM), with VMware Server you can get away with putting all DCs as VMs on one box. If you have SAN and ESX, you can even boot all your VMs from it and resolve your redundancy concerns. With MS, I would probably split them across 2 boxes.

Just my 2 cents!
I would definitely back the use of VMs on this one, although I would definitely keep one or two DCs present. I have personally done the rounds with MS on this, and we ended up with 5 physical DCs, and 38 virtual ones. There were two reasons we retained physical DCs:

1) At the time (a couple of months ago), different staff in MS interpreted their own support policy differently, and they couldn't (and still haven't) resolved it. To ensure we had a supported environment we retained some physical DCs.

2) We were uncertain how much Exchange would pull on the DCs for its lookups, and to minimise risk of deploying VMs we gave the bigger sites (where our Exchange boxes were) physical DCs.

Ada, I say go for it, but keep one, possibly two physical DCs.

Brad
Along these lines, has anyone seen an actual best practices whitepaper for MS Virtual Server? How to configure disk arrays, controller cache, how many VHDs per volume, memory allocation, etc.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
This is absolutely true. I know virtualization scares a lot of people, but the fact is that in some environments virtualizing systems saves a great deal of money and actually makes managing systems much easier (here it has reportedly saved a "significant" amount in hardware cost for the enterprise). I have been closely watching my Exchange servers ever since our AD side of the house started virtualizing DCs and with domain controllers running on ESX servers in an optimized configuration the performance is very close to hardware. I have noticed that in terms of LDAP performance that VMs are a tad bit slower than hardware, but that "tad" is well within the range of performance that applications like Exchange require. After over a year of having virtualized DCs we have not had any problems with virtualized domain controllers (placed globally on ESX servers around the world). We do, however, work on the side of caution and do maintain a few hardware DCs in our HQ that own FSMO roles, but I've seen nothing to suggest that they could not be on VMs to date (it's just a precaution).

I have to admit at first I totally dismissed virtualization because I considered it, like others, as more of a development\test environment solution, however I have since been convinced after working with virtualized OSs that it has its place (we have 100s if not 1000s of virtualized hosts currently in production). I/O intensive applications are not a good place for virtualization in production, but other less I/O intensive applications work great with it. Brian does have a point in that it has to be "done correctly" and with the right understanding of how to build a high performing virtualization environment it will work just fine for domain controllers\global catalog servers.

Regards,
Steven
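Steven's precaution (keep the FSMO role holders on hardware DCs while everything else goes virtual) is easy to drift away from once roles get transferred during maintenance. The audit script below is an added example, not code from the thread or from any poster's environment; it assumes the ActiveDirectory RSAT module and WMI/CIM access to each DC, enumerates every DC in the domain, marks which ones are guests by their reported hardware model, and flags any FSMO role that currently sits on a virtual DC. The model strings matched are the ones VMware and Hyper-V guests report; other hypervisors may need an extra pattern.

```powershell
# Added example: find FSMO role holders and report whether each DC is virtual.
# Requires the ActiveDirectory module and CIM/WMI access to every DC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Role name -> DNS host name of the current holder
$roleHolders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

function Test-IsVirtualHost {
    param([string]$ComputerName)
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
        # VMware: 'VMware Virtual Platform'; Hyper-V: 'Virtual Machine'
        return [bool]($cs.Model -match 'VMware|Virtual Machine|Virtual Platform')
    } catch {
        return $null   # unreachable DC: report as unknown instead of guessing
    }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $virtual = Test-IsVirtualHost -ComputerName $dc.HostName
    $roles   = @($roleHolders.GetEnumerator() |
                 Where-Object { $_.Value -ieq $dc.HostName } |
                 ForEach-Object { $_.Key })
    [pscustomobject]@{
        HostName  = $dc.HostName
        Site      = $dc.Site
        IsGC      = $dc.IsGlobalCatalog
        IsVirtual = $virtual
        FsmoRoles = ($roles -join ',')
        Concern   = if ($virtual -eq $true -and $roles.Count -gt 0) { 'FSMO role on virtual DC' } else { '' }
    }
}

$report | Sort-Object Site, HostName | Format-Table -AutoSize

# Summary line: how the DC population splits, and whether the precaution still holds
$virtualCount  = @($report | Where-Object { $_.IsVirtual -eq $true }).Count
$physicalCount = @($report | Where-Object { $_.IsVirtual -eq $false }).Count
$unknownCount  = @($report | Where-Object { $null -eq $_.IsVirtual }).Count
$concernCount  = @($report | Where-Object { $_.Concern }).Count
"{0} virtual, {1} physical, {2} unknown; {3} FSMO role(s) held by virtual DCs" -f `
    $virtualCount, $physicalCount, $unknownCount, $concernCount
```

Scheduling this as a periodic report gives an early warning when a role lands on a guest, and the per-site listing doubles as a check that each regional site still has at least one DC reachable.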
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, June 07, 2006 12:04 AM
To: [email protected]
Subject: RE: [ActiveDir] Virtual DCs
I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 7K users is like pocket change if you ask me. Really, the users generate no load – they logon to the PC and change their password. Things like Exchange (and OLK), machines, and other AD aware apps do. If properly written and the virtual hardware properly configured everything should still jive. If I had to make a one off guess with no more info I'd say go for it. The price war with MS and EMC on virtualization has made this far more economical, and if you're going to be doing branches, you can play your sacred card and virtualize stuff and quasi isolate it. There have been a couple lengthy discussions on that subject recently – Tony has a search widget on the website for this DL. :)
Ada,

I am intrigued as to why "management" are directing you to do this. What benefits do they perceive? Do they understand the nature of the 2K3 directory and the load 7,000 users puts on it?

This is not a criticism - just a curious thinking out loud moment...

Personally - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed with. Proof of concept is always good in these scenarios... if you were to set this up in a lab, even with just two VMWare-ed DCs, you could show the overhead this would place on the machine and help them to understand the additional cost this will bring.

Remember, a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - it can just be a PC rebuilt with Win2K3 server on it. However it does need to stay up all the time. ;)

themolk.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: [email protected]
Subject: [ActiveDir] Virtual DCs
We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site.

The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VM Ware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or Bad idea?