Test, test and test again From: Guyer, Don [mailto:[email protected]] Sent: Friday, June 17, 2011 11:54 AM To: Active Directory Admin Issues Subject: RE: Replacing DCs with new Hyper-V "guest" DCs?
In a multi-AD controller environment, I'm gonna have to argue FOR taking snapshots. Don Guyer Windows Systems Engineer RIM Operations Engineering Distributed - A Team, Tier 2 Enterprise Technology Group Fiserv [email protected]<mailto:[email protected]> Office: 1-800-523-7282 x 1673 Fax: 610-233-0404 www.fiserv.com<http://www.fiserv.com/> From: James Brennan [mailto:[email protected]] Sent: Friday, June 17, 2011 11:44 AM To: Active Directory Admin Issues Subject: RE: Replacing DCs with new Hyper-V "guest" DCs? In the rare case you have a complete system shutdown. Power failure etc.. Then the first Hyper-V host does not have a DC to authenticate against. As Edward said, don't take DC snapshots. If you every restore a DC snapshot, that cause all sorts of problems with DC replication, client authentication etc.. This is an official "Things to consider when you host Active Directory domain controllers in virtual hosting environments" http://support.microsoft.com/kb/888794/en-us From: Robert Peterson [mailto:[email protected]] Sent: Friday, June 17, 2011 10:35 AM To: Active Directory Admin Issues Subject: RE: Replacing DCs with new Hyper-V "guest" DCs? Thank you James... you make an interesting statement I wasn't thinking about. If it is our common practice to always have 2 or more hosts and their guests running, would I still need the physical DC? From: James Brennan [mailto:[email protected]] Sent: Friday, June 17, 2011 10:25 AM To: Active Directory Admin Issues Subject: RE: Replacing DCs with new Hyper-V "guest" DCs? DCs can be in Hyper-V cluster. Need to make sure that all virtual DCs cannot be on the same physical machine at the same time, which you will do by having them on separate clusters. The biggest gotcha, do not allow virtual DCs to get time from physical hosts. DCs must be able to get their own time. If Hyper-V hosts are domain members, then there should be a separate physical DC, so that Hyper-V hosts can authenticate when they are all booting. From: Robert Peterson [mailto:[email protected]] Sent: Friday, June 17, 2011 10:18 AM To: Active Directory Admin Issues Subject: Replacing DCs with new Hyper-V "guest" DCs? We have a good and maturing Hyper-V environment, multiple hosts with High Availability (Failover Clusters available) Our current DCs... hard W2003 Servers, are ready to be replaced. Tried to do some Googling... but it looked a little sparse of information or folks who have already moved to "virtual" DCs. Does anyone have some good links they'd share or experiences? I have (2) "clusters" of 2-Hyper-V hosts... 4 hosts in all. I am thinking a DC on each host, but NOT in the "fail-over" cluster, just one individual guest "DC" on each Hyper-V host. I would build the DCs as new 2008 servers. Sure there is a lot more I need to be thinking about, appreciate any feedback. Thx, Robert ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ <http://www.sunbelt-software.com/product.cfm?id=400> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ad-list ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ <http://www.sunbelt-software.com/product.cfm?id=400> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ad-list ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ <http://www.sunbelt-software.com/product.cfm?id=400> ~ After a lot of failed attempts by what's in the help file and by various suggestions, this is our new footer (btw unsubscribe by email is LAGGED and takes 5-10 minutes before it works): --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ad-list
