A virtual hosting environment lets you run multiple guest operating systems on a single computer at the same time. Host software virtualizes resources that include the following:
• CPU
• Memory
• Disk
• Network
• Local devices
By virtualizing these resources on a physical computer, host software lets you use fewer computers to deploy operating systems for test, development, and production roles. However, certain restrictions apply to the deployment of domain controllers that run in a virtual hosting environment. These restrictions do not apply to a domain controller that runs on a physical computer.
This article discusses considerations that apply when a Microsoft Windows 2000 Server-based domain controller, a Windows Server 2003-based domain controller, or a Windows Server 2008-based domain controller runs in a virtual hosting environment. Virtual hosting environments include the following, among others:
Considerations when hosting domain controller roles in a virtual hosting environment
When you deploy an Active Directory domain controller on a physical computer, certain requirements must be satisfied throughout its life cycle. Deploying a domain controller in a virtual hosting environment adds the following requirements and considerations:
• To help preserve the integrity of the Active Directory database if a power loss or another failure were to occur, the Active Directory directory service performs unbuffered writes and tries to disable the disk write cache on volumes hosting the Active Directory database and log files. Active Directory also works in this manner when it runs in a virtual hosting environment.
If the virtual hosting environment software correctly supports a SCSI emulation mode that supports forced unit access (FUA), unbuffered writes that Active Directory performs in this environment are passed to the host operating system. If forced unit access is not supported, you must disable the write cache on all volumes of the guest operating system that host the Active Directory database, the logs, and the checkpoint file.
Note: You must disable the write cache for all components that use Extensible Storage Engine (ESE) as their database format. These components include Active Directory, the File Replication service (FRS), Windows Internet Name Service (WINS), and Dynamic Host Configuration Protocol (DHCP).
• An Active Directory domain controller requires regular system state backups to recover from user, hardware, software, or environmental problems. The default useful life of a system state backup is 60 or 180 days, depending on the operating system version and the service pack revision at the time of installation. This useful life is controlled by the tombstone lifetime attribute in Active Directory. At least one domain controller in every domain in the forest should be backed up at least once every tombstone lifetime number of days. In a production environment, you may want to back up the system state of at least one domain controller in every domain several times a day.
• An Active Directory domain controller is intended to run Active Directory continuously as soon as it is installed. When the domain controller is started, end-to-end replication of Active Directory must occur. Make sure that all the domain controllers perform inbound replication on all locally held Active Directory partitions according to the schedule defined on site links and connection objects, and in any case within the number of days that is specified by the tombstone lifetime attribute.
If inbound replication does not occur, the following Error event may be logged in the Directory Service log:
Event ID: 2042
Source: NTDS Replication
Type: Error
Description: It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
When this replication does not occur, you may experience an inconsistency in the contents of the Active Directory databases on domain controllers in the forest. This inconsistency occurs because knowledge of deletions is persisted only for the tombstone lifetime number of days. Domain controllers that do not transitively inbound-replicate Active Directory changes within a rolling tombstone lifetime number of days cause lingering objects. Lingering objects are objects that were intentionally deleted by an administrator, a service, or the operating system but that incorrectly still exist on destination DCs that did not replicate in time. The cleanup of lingering objects can be very time-consuming, especially in multi-domain forests that include many domain controllers.
• When a domain controller runs in a virtual hosting environment, do not pause the domain controller for long periods of time before you resume the operating system image. If you do pause the domain controller for a long time, replication may stop and cause lingering objects. The following Error event may be logged in the Directory Service log:
Event ID: 2042
Source: NTDS Replication
Type: Error
Description: It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
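The backup deadline and the replication deadline above both measure against the same tombstone lifetime value. The following PowerShell script is an added example, not part of this article or of any Microsoft tool: it reads the tombstone lifetime the way the article describes it (the attribute on the Directory Service object, with 60 days as the default when the attribute is not set), then reports how close a system state backup and each replication partner are to that limit. The server names, dates and the contoso.example domain are constructed so the script runs offline; the live-data block at the end assumes the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2003 and later.

```powershell
# Added example, not part of the Knowledge Base article. Checks the two
# tombstone-lifetime deadlines the article describes: (1) the age of the last
# system state backup and (2) the time since each replication partner last
# synchronized successfully, which is the condition behind Event ID 2042.

function Get-TombstoneLifetime {
    # Reads tombstoneLifetime from the forest's Directory Service object.
    # When the attribute is not set, Active Directory uses the default of 60 days.
    param([string]$ConfigurationNC)
    $ds = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services," + $ConfigurationNC)
    $value = $ds.Properties["tombstoneLifetime"].Value
    if ($value) { return [int]$value } else { return 60 }
}

function Test-SystemStateBackupAge {
    # A backup older than the tombstone lifetime can no longer be restored.
    param(
        [Parameter(Mandatory=$true)][datetime]$LastBackup,
        [int]$TombstoneLifetimeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    $age = ($Now - $LastBackup).TotalDays
    New-Object PSObject -Property @{
        LastBackup = $LastBackup
        AgeDays    = [math]::Round($age, 1)
        Restorable = ($age -lt $TombstoneLifetimeDays)
    }
}

function Test-ReplicationFreshness {
    # Flags partners whose last successful sync is half way to, or past, the
    # tombstone lifetime. Each neighbor needs SourceServer, PartitionName and
    # LastSuccessfulSync, the property names exposed by
    # System.DirectoryServices.ActiveDirectory.ReplicationNeighbor.
    param(
        [Parameter(Mandatory=$true)][object[]]$Neighbors,
        [int]$TombstoneLifetimeDays = 60,
        [datetime]$Now = (Get-Date)
    )
    foreach ($n in $Neighbors) {
        $age = ($Now - $n.LastSuccessfulSync).TotalDays
        if ($age -ge $TombstoneLifetimeDays)           { $state = 'EXCEEDED (Event 2042 condition)' }
        elseif ($age -ge ($TombstoneLifetimeDays / 2)) { $state = 'WARNING' }
        else                                           { $state = 'OK' }
        New-Object PSObject -Property @{
            Partner           = $n.SourceServer
            Partition         = $n.PartitionName
            DaysSinceLastSync = [math]::Round($age, 1)
            State             = $state
        }
    }
}

# --- Constructed sample data (fictitious servers and dates) ---
$now = Get-Date '2008-06-01'
$sample = @(
    (New-Object PSObject -Property @{ SourceServer = 'DC02.contoso.example'; PartitionName = 'DC=contoso,DC=example'; LastSuccessfulSync = $now.AddDays(-1) }),
    (New-Object PSObject -Property @{ SourceServer = 'DC03.contoso.example'; PartitionName = 'DC=contoso,DC=example'; LastSuccessfulSync = $now.AddDays(-45) }),
    (New-Object PSObject -Property @{ SourceServer = 'DC04.contoso.example'; PartitionName = 'DC=contoso,DC=example'; LastSuccessfulSync = $now.AddDays(-75) })
)
Test-SystemStateBackupAge -LastBackup $now.AddDays(-70) -TombstoneLifetimeDays 60 -Now $now | Format-List
Test-ReplicationFreshness -Neighbors $sample -TombstoneLifetimeDays 60 -Now $now |
    Format-Table Partner, Partition, DaysSinceLastSync, State -AutoSize

# --- Live use on a domain controller (not executed here) ---
# $root = [ADSI]'LDAP://RootDSE'
# $tsl  = Get-TombstoneLifetime -ConfigurationNC $root.Properties['configurationNamingContext'].Value
# $ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext 'DirectoryServer', $env:COMPUTERNAME
# $dc   = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($ctx)
# $live = $dc.Partitions | ForEach-Object { $dc.GetReplicationNeighbors($_) }
# Test-ReplicationFreshness -Neighbors $live -TombstoneLifetimeDays $tsl
```

With the constructed data, the 70-day-old backup is reported as not restorable against a 60-day lifetime, DC03 is flagged as a warning at 45 days, and DC04 at 75 days shows the condition under which Event ID 2042 is logged and replication from that partner is stopped. The warning threshold of half the tombstone lifetime is the script's own choice, not a value from the article.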
• To roll back the contents of Active Directory to a previous point in time, restore a valid system state backup. A system state backup can be restored up to the tombstone lifetime number of days after the backup was performed. The backup must also have been made on the same operating system installation as the one that you are restoring.
Active Directory does not support other methods of rolling back its contents. In particular, Active Directory does not support any method that restores a snapshot of the operating system or of the volume on which the operating system resides. Such a method causes an update sequence number (USN) rollback. When a USN rollback occurs, the replication partners of the incorrectly restored domain controller may have inconsistent objects in their Active Directory databases. In this situation, you cannot make these objects consistent.
We also do not support using the "undo" and "differencing" features in Virtual PC on operating system images for domain controllers that run in virtual hosting environments.
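The reason a snapshot restore is harmful while a system state restore is supported comes down to the invocationID. A supported restore gives the domain controller a new invocationID, so its partners start a fresh USN history for it; reverting a virtual machine snapshot keeps the old invocationID while the local USN counter goes backwards, so a partner's up-to-dateness vector can already hold a USN for that invocationID that is higher than anything the restored domain controller has committed. The following PowerShell function is an added example, not from this article or from Microsoft's own recovery tooling: it performs that comparison on constructed values (the GUIDs and USNs are fictitious) and notes in comments where the live values come from.

```powershell
# Added example, not part of the Knowledge Base article. Reproduces the
# comparison that reveals a USN rollback: a partner has already received a
# USN from this invocationID that is higher than the local highest
# committed USN.

function Test-UsnRollback {
    param(
        [Parameter(Mandatory=$true)][string]$LocalInvocationId,
        [Parameter(Mandatory=$true)][long]$LocalHighestCommittedUsn,
        # invocationID (string GUID) -> highest USN the partner has received from it,
        # i.e. the partner's up-to-dateness vector entries
        [Parameter(Mandatory=$true)][hashtable]$PartnerUpToDatenessVector
    )
    $key = $LocalInvocationId.ToLower()
    if (-not $PartnerUpToDatenessVector.ContainsKey($key)) {
        return New-Object PSObject -Property @{
            Rollback = $false
            Reason   = 'Partner has no history for this invocationID (consistent with a supported restore or a new DC)'
        }
    }
    $seen = [long]$PartnerUpToDatenessVector[$key]
    if ($seen -gt $LocalHighestCommittedUsn) {
        return New-Object PSObject -Property @{
            Rollback = $true
            Reason   = ('Partner already received USN {0} from this invocationID; local DC is only at USN {1}' -f $seen, $LocalHighestCommittedUsn)
        }
    }
    New-Object PSObject -Property @{
        Rollback = $false
        Reason   = 'Local USN is at or beyond what the partner has received'
    }
}

# --- Constructed scenarios (fictitious GUIDs and USNs) ---
$oldId = 'a1b2c3d4-0000-4000-8000-000000000001'
$newId = 'a1b2c3d4-0000-4000-8000-000000000002'
$partnerVector = @{ $oldId = 18200 }   # partner saw USN 18200 from the old invocationID

# Scenario 1: VM reverted to a snapshot. Same invocationID, USN counter back at 15000.
Test-UsnRollback -LocalInvocationId $oldId -LocalHighestCommittedUsn 15000 -PartnerUpToDatenessVector $partnerVector | Format-List

# Scenario 2: supported system state restore. New invocationID, same lower USN.
Test-UsnRollback -LocalInvocationId $newId -LocalHighestCommittedUsn 15000 -PartnerUpToDatenessVector $partnerVector | Format-List

# --- Where the live values come from on a real domain controller (not executed here) ---
# $root = [ADSI]'LDAP://RootDSE'
# $usn  = [long]$root.Properties['highestCommittedUSN'].Value
# $dsa  = [ADSI]('LDAP://' + $root.Properties['dsServiceName'].Value)
# $id   = (New-Object Guid (,$dsa.Properties['invocationId'].Value)).ToString()
# The partner's up-to-dateness vector is listed by: repadmin /showutdvec <partner> <naming context>
```

Scenario 1 reports Rollback = True, scenario 2 reports Rollback = False, which is exactly why the article insists on a system state restore and rejects snapshot, "undo" and "differencing" mechanisms.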
• We recommend that you locate critical server roles on domain controllers that are installed directly on physical hardware. Critical server roles include the following:
  • Global catalog servers
  • Domain Name System (DNS) servers
  • Operations master roles, also known as flexible single master operations (FSMO) roles
• Make a list of the hotfixes that must be installed on the domain controller that runs in the virtual hosting environment. We recommend that you install either Windows Server 2003 Service Pack 1 or the 875495 hotfix on all Windows Server 2003 domain controllers. On a Windows 2000 Server-based domain controller, install the 885875 hotfix.
For more information about Windows Server 2003 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
889100 (http://support.microsoft.com/kb/889100/) How to obtain the latest service pack for Windows Server 2003
For more information about the 875495 hotfix, click the following article number to view the article in the Microsoft Knowledge Base:
875495 (http://support.microsoft.com/kb/875495/) How to detect and recover from a USN rollback in Windows Server 2003
For more information about the 885875 hotfix, click the following article number to view the article in the Microsoft Knowledge Base:
885875 (http://support.microsoft.com/kb/885875/) How to detect and recover from a USN rollback in Windows 2000 Server
To view the "Running Domain Controllers in Virtual Server 2005" white paper, visit the following Microsoft Web site:
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Support for Active Directory domain controllers in virtual hosting environments
For more information about the supportability of hosting domain controllers in Microsoft and third-party virtual hosting environments, click the following article number to view the article in the Microsoft Knowledge Base:
897615 (http://support.microsoft.com/kb/897615/) Support policy for Microsoft software running in non-Microsoft hardware virtualization software