Feedback – Virtualized Domain Controllers (Part One)
Posted by Scott Horsfield - 06/12/07 at 10:12:52 am

Prior to a recent opportunity, I had limited experience with virtualized domain controllers, especially in a production environment. I have always been skeptical of their use, and the research I’ve done on the topic has always confirmed my suspicions. Now that I have direct experience supporting virtualized domain controllers, I know why. I’m not entirely convinced that virtualized DCs cannot work well, but in my opinion they should only be used in a few special scenarios.
Follow the break to hear more about my experience and feel free to share yours as well.
When I found out that the organization I was working with had multiple virtualized DCs, and that those servers were holding FSMO roles, I was skeptical. Nightmares of last month’s snapshots being restored ran through my mind, and I knew that I had to trust our VM engineers more than I wanted to. The problems I’ve experienced go beyond this, however.
What led the organization to use virtual DCs was a large push to virtualize the majority of their servers. The company had experienced rapid growth and had more equipment than physical space to host it. They rapidly P2Ved the servers they determined were eligible, but the criteria for eligibility were flawed. Without revealing more than I should about the environment, I’ll explain their logic.
The network consisted of two sites, SiteA and SiteB. SiteA maintained corporate resources and SiteB serviced external customers. In SiteA they had two domain controllers and in SiteB they had three. Neither site had all of its subnets mapped to it, so clients were authenticating cross-site. When they examined the two DCs in SiteA they determined that they were under-performing and no longer required separate physical systems. So they virtualized them.
As the network topology changed and the subnets were correctly mapped to sites, more clients started to authenticate against the domain controllers in SiteA. SiteA also contained the company’s Exchange organization. This caused the once under-utilized physical domain controllers to become over-utilized virtual domain controllers. In addition to the increased traffic to SiteA’s DCs, these two servers also held all of the FSMO roles between them, and served as the target for applications authenticating with LDAP.
The company started to experience issues with the virtual domain controllers. They would run out of memory and stop replicating. Clients could not log on to the VPN, and mail would not be delivered. Accounts couldn’t be locked or unlocked, and all of the applications pointing to the DCs failed.
To fix the issue we deployed two physical domain controllers and distributed the FSMO roles as recommended. We then demoted the virtualized domain controllers and ensured proper site-to-subnet mapping. Applications and the VPN now point to a round-robin DNS entry for LDAP authentication, and a complete re-evaluation of the environment is in development.
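Two of the conditions in this story are easy to audit before they bite: where the FSMO roles actually sit, and which client subnets are not associated with any AD site (those clients fall back to site-less DC selection, which is how SiteB clients ended up authenticating cross-site). The following is an added example, not something from the original post or the environment it describes; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined administrative host, and that the netlogon debug log on each DC is readable over the admin$ share. The `netlogon.log` `NO_CLIENT_SITE` entries are what Windows DCs write for clients whose address matches no subnet object.

```powershell
# Added example: audit FSMO placement and site-to-subnet coverage.
# Assumes the RSAT ActiveDirectory module (Get-AD* cmdlets) is available.
Import-Module ActiveDirectory

# 1. FSMO role holders. In the post, both SiteA DCs held all five between them.
$forest = Get-ADForest
$domain = Get-ADDomain
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Every DC, the site it belongs to, and the roles it holds.
$dcs = Get-ADDomainController -Filter *
$dcs |
    Select-Object Name, Site, IPv4Address, OperationMasterRoles |
    Sort-Object Site, Name |
    Format-Table -AutoSize

# 3. Subnet objects and the site each one maps to. A subnet with an empty Site
#    attribute is defined but not associated with any site.
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site
$subnets |
    Select-Object Name, @{ Name = 'Site'; Expression = {
        if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=', '' } else { '(unmapped)' }
    } } |
    Sort-Object Site, Name |
    Format-Table -AutoSize

$unmapped = $subnets | Where-Object { -not $_.Site }
if ($unmapped) {
    Write-Warning "Subnet objects with no site: $($unmapped.Name -join ', ')"
}

# 4. Client addresses that matched no subnet object at all. DCs record these in
#    netlogon.log as NO_CLIENT_SITE lines whose last field is the client IP.
foreach ($dc in $dcs) {
    # Assumed path: the default netlogon debug log location on each DC.
    $log = "\\$($dc.HostName)\admin$\debug\netlogon.log"
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'NO_CLIENT_SITE' |
            ForEach-Object { ($_.Line -split '\s+')[-1] } |
            Sort-Object -Unique |
            ForEach-Object { "$($dc.Name): client $_ has no site (add a subnet object)" }
    }
}
```

Run it from an account that can read the DCs’ admin$ share; step 4 is the one that would have surfaced the cross-site authentication early, since each address it lists is a client network that needs a subnet object assigned to the right site.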
What would you have done differently to fix this issue? What experiences do you have with Virtualized Domain Controllers?
Look for Part Two in the next few days, along with my recommendations for when to use Virtualized Domain Controllers and when to avoid them like the plague.
1 Comment
What version of VMWare were they running? We’ve had resource problems (with application servers; we do not run our AD servers on VMs), but with the resource reallocation available via VMWare Infrastructure they should have been able to create resource pools and allocate what was needed to the DCs. This is assuming they were running a recent version of ESX Server. What were the physical hosts’ hardware specs? Did they have HA enabled? These would be good indicators of whether or not they should have been virtualizing those servers.
I would see no problems running some of the DCs in a VM as long as the resources were there.
Comment by Dain — January 30, 2008