Considerations when hosting Active Directory domain controller in virtual hosting environments

A virtual hosting environment lets you run multiple guest operating systems on a single host computer at the same time. Host software virtualizes resources that include the following:

• CPU
• Memory
• Disk
• Network
• Local devices

By virtualizing these resources on a physical computer, host software lets you use fewer computers to deploy operating systems for test, development, and production roles. However, certain restrictions apply to the deployment of Active Directory domain controllers that runs in a virtual hosting environment. These restrictions do not apply to a domain controller that runs on a physical computer.

This article discusses considerations when a Microsoft Windows 2000 Server-based domain controller, a Windows Server 2003-based domain controller, or a Windows Server 2008-based controller runs in a virtual hosting environment. Virtual hosting environments include the following, among others:

• Windows Server 2008 Virtualization with Hyper-V
• Microsoft Virtual PC
• Microsoft Virtual Server 2005
• EMC VMware family of virtualization products
• Novel family of virtualization products

Considerations when hosting domain controller roles in a virtual hosting environment

When you deploy an Active Directory domain controller on a physical computer, certain requirements must be satisfied throughout the domain controller's life cycle. The deployment of a domain controller in a virtual hosting environment adds more requirements and considerations which are in the following list:

• To help preserve the integrity of the Active Directory database if a power loss or another failure were to occur, the Active Directory directory service performs unbuffered writes and tries to disable the disk write cache on volumes hosting the Active Directory database and log files. Active Directory also works in this manner when it runs in a virtual hosting environment.
  
  If the virtual hosting environment software correctly supports a SCSI emulation mode that supports forced unit access (FUA), unbuffered writes that Active Directory performs in this environment are passed to the host operating system. If forced unit access is not supported, you must disable the write cache on all volumes of the guest operating system that host the Active Directory database, the logs, and the checkpoint file.
  
  Note You must disable the write cache for all components that use Extensible Storage Engine (ESE) as their database format. These components include Active Directory, the File Replication service (FRS), Windows Internet Name Service (WINS), and Dynamic Host Configuration Protocol (DHCP).
  
  Note As a best practice, consider installing uninterruptable power supplies on VM hosts.
• An Active Directory domain controller is intended to run Active Directory mode continuously as soon as it is installed. When the domain controller is started, end-to-end replication of Active Directory must occur. Make sure that all the domain controllers perform inbound replication on all locally held Active Directory partitions according to the schedule defined on site links and connection objects, especially in the number of days that is specified by the tombstone lifetime attribute.
  
  If inbound replication does not occur, the following Error event may be logged in the Directory Service log:

  Event ID: 2042
  Source: NTDS Replication
  Type: Error
  Description: It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.

  
  
  When this replication does not occur, you may experience an inconsistency in the contents of Active Directory databases on domain controllers in the forest. This inconsistency occurs because knowledge of deletes is persisted for tombstone lifetime number of days. Domain controllers that do not transitively inbound replicate Active Directory change in a rolling tombstone lifetime number of days cause lingering objects. Lingering objects are objects intentionally deleted by an administrator, service or operating system that incorrectly exist on destination DC's that did not perform timely replication. The cleanup of lingering objects can be very time-consuming, especially in multi-domain forests that include many domain controllers.
• When a domain controller runs in a virtual hosting environment, do not pause the domain controller for long periods of time before you resume the operating system image. If you do pause the domain controller for a long time, replication may stop and cause lingering objects. The following Error event may be logged in the Directory Service log:

  Event ID: 2042
  Source: NTDS Replication
  Type: Error
  Description: It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.

• An Active Directory domain controller requires regular system state backups to recover from user, hardware, software, or environmental problems. The default useful life of a system state backup is 60 or 180 days depending on the operating system version and the service pack revision during the installation. This useful life is controlled by the tombstone lifetime attribute in Active Directory. At least one domain controller in every domain in the forest should be backed up every tombstone lifetime number of days.
  
  In a production environment, you may want to back up the system state of at least one domain controller in every domain several times a day.
• To roll back the contents of Active Directory to a previous point in time, restore a valid system state backup. A system state backup can be restored up to the tombstone lifetime number of days after the backup was performed. The backup must have also been made on the same operating system installation as the operating system that you are restoring.
  
  Active Directory does not support other methods to roll back the contents of Active Directory. In particular, Active Directory does not support any method that restores a snapshot of the operating system or the volume the operating system resides on. This kind of method causes an update sequence number (USN) rollback. When a USN rollback occurs, the replication partners of the incorrectly restored domain controller may have inconsistent objects in their Active Directory databases. In this situation, you cannot make these objects consistent.
  
  We also do not support using "undo" and "differencing" features in Virtual PC on operating system images for domain controllers that run in virtual hosting environments.
• Performance considerations
  
  The peak and steady state load generated by a collection of VM guests should not exceed the capabilities of the virtual host computer and network infrastructure. Specifically, collection of VM guests should not exceed the capabilities of the CPU, disk subsystem, memory and network bandwidth on a common host computer. Some load scenarios can exceed capabilities that a DC on single physical computer can service so multiple physical or virtual computers may be required.
  
  Load and criticality may dictate that some roles be deployed on physical hardware.
  • Global Catalogs - Evaluate whether Exchange facing Global Catalogs in your deployment can be deployed on VM’s or physical hardware.
  • FSMO roles - The load for FSMO roles is relatively light except for the primary domain controller which receives password updates for users, computers and trusts following password changes. Additionally, the PDC is consulted by remote DC’s if user or computers logon with mismatched passwords.
    
    The RID and Schema FSMO availability are used infrequently but are critical when required.
  • DNS Server – Both the DNS client and DNS Server cache queries. DNS Servers provide their best performance when sufficient memory is available to cache the contents of DNS zones. The loading of AD-integrated zones is delayed unless Active Directory 1st inbound replicates. The DNS Client settings on a DNS Server should point to multiple DNS Servers that can resolve the CNAME records of replication partners to their IP addresses.
• Avoid single points of failure
  
  The same rules that apply to a domain controller running on physical hardware also apply to deployments on virtual machines. In an ideal deployment, the domain controllers in a common domain or forest should be staged across multiple VM hosts, in different racks, on different VLANS and power grids, in different data centers, in different regions of the world.
• Make a list of the hotfixes that must be installed on the domain controller that runs in the virtual hosting environment.
  
  We recommend that you install either Windows Server 2003 Service Pack 1 or the 875495 hotfix on all Windows Server 2003 domain controllers. On a Windows 2000 Server-based domain controller, install the 885875 hotfix. For more information about Windows Server 2003 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
  889100  (http://support.microsoft.com/kb/889100/ ) How to obtain the latest service pack for Windows Server 2003
  For more information about the 875495 hotfix, click the following article number to view the article in the Microsoft Knowledge Base:
  875495  (http://support.microsoft.com/kb/875495/ ) How to detect and recover from a USN rollback in Windows Server 2003
  For more information about the 885875 hotfix, click the following article number to view the article in the Microsoft Knowledge Base:
  885875  (http://support.microsoft.com/kb/885875/ ) How to detect and recover from a USN rollback in Windows 2000 Server
  
  To view the "Running Domain Controllers in Virtual Server 2005" white paper, visit the following Microsoft Web site:
  http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en)
  The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Support for Active Directory domain controllers in virtual hosting environments

For more information about the supportability of hosting domain controllers in Microsoft and third-party virtual hosting environments, click the following article number to view the article in the Microsoft Knowledge Base: