Hyper-V: Can I Virtualise Everything: Domain Controllers?

I’ve seen this one a few times on forums and I’ve been asked it at sessions I’ve presented at.  People are deploying Hyper-V in medium and large businesses and they are wondering if they should virtualise absolutely everything in their data centre.

The answer is no. 

Let’s start with the obvious. Some applications or operating systems may not have vendor support for virtualisation. If that’s the case then you shouldn’t virtualise them. However, many people still do virtualise them and get by with no negative impacts. Okey dokey.

Some servers just require too many resources to consider for virtualisation.  Consider a data warehouse application.  If you virtualise it, it might require a 1 VM per host deployment.  For the vast majority of us that’s a bad idea.  However some might like it because it means the machine is abstracted from the hardware.  But remember that you can only have a maximum of 4 virtual processors in a Windows Server VM on Hyper-V.  That likely won’t be enough for any machine that needs 32GB or 64GB RAM.

Then there are domain controllers. You can virtualise domain controllers but you have to be very careful. Basically you have to treat them as you would physical domain controllers. Checkpoints/saved states and host-level backups are a bad idea for domain controllers because of the risks of AD corruption, e.g. USN rollback. Microsoft takes the idea of virtual domain controllers very seriously and has a very long support article on it.
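The USN rollback risk mentioned above, as an added example that is not part of the original post: a toy Python model of how a replication partner's watermark hides changes written after a checkpoint is applied, and of the comparison that reveals the rollback. The class, function names and data are constructed for illustration and simplify real AD replication.

```python
"""Toy model of AD replication watermarks (constructed data, not real AD code)."""
import copy
from dataclasses import dataclass, field


@dataclass
class DC:
    name: str
    invocation_id: str            # identifies this instance of the AD database
    usn: int = 0                  # highest committed USN on this DC
    changes: dict = field(default_factory=dict)    # usn -> change description
    watermark: dict = field(default_factory=dict)  # partner invocation_id -> highest USN pulled

    def write(self, what):
        self.usn += 1
        self.changes[self.usn] = what

    def pull_from(self, src):
        """Fetch only changes above the watermark held for src's invocation ID."""
        seen = self.watermark.get(src.invocation_id, 0)
        new = [c for u, c in sorted(src.changes.items()) if u > seen]
        self.watermark[src.invocation_id] = max(seen, src.usn)
        return new


def rollback_detected(partner, dc):
    """The partner has already seen a higher USN than the DC now reports."""
    return partner.watermark.get(dc.invocation_id, 0) > dc.usn


def simulate():
    dc1, dc2 = DC("DC1", "inv-A"), DC("DC2", "inv-B")
    for i in range(1, 11):
        dc1.write(f"change-{i}")
    checkpoint = copy.deepcopy(dc1)      # hypervisor checkpoint taken at USN 10
    for i in range(11, 21):
        dc1.write(f"change-{i}")
    dc2.pull_from(dc1)                   # DC2's watermark for inv-A is now 20
    dc1 = checkpoint                     # checkpoint applied: USN 10, same invocation ID
    detected = rollback_detected(dc2, dc1)
    dc1.write("new-user-after-revert")   # stamped USN 11, which DC2 believes it already has
    lost = dc2.pull_from(dc1)            # empty list: the change never replicates
    # An AD-aware restore resets the invocation ID, so partners start a new watermark.
    dc1.invocation_id = "inv-C"
    recovered = dc2.pull_from(dc1)
    return detected, lost, recovered


if __name__ == "__main__":
    print(simulate())
```
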

Should you virtualise all of your domain controllers? Typically I will say no to this. There are a few exceptions, e.g. virtualised SBS running on a workgroup member Hyper-V host. But take a Hyper-V cluster. The presence of AD is a requirement of a Hyper-V cluster. What happens if you need to power down your entire cluster for maintenance or power suddenly cuts out? These things happen. Electricians might need to work on a power board or a UPS/generator might fail to kick in. I’ve seen both take place in the past. What happens to that cluster if all of the DCs are virtualised on the cluster? The cluster relies on AD for authentication/authorization. Things will fail. It’s a chicken and egg scenario.

Microsoft recently blogged about this. The workaround solution is to find the LUN where the VHD(s) for a DC with the DNS role installed and configured are located, copy them to a temporary workgroup Hyper-V server and set that DC up to boot there. Now you can power up the cluster. But you have to be really careful and make sure that the original DC VM doesn’t start up and cause a mess.

The advice is to have at least one physical DC. When I did my ESX 3.X training a few years ago the advice was the same when running Virtual Center. I recommend having 2: Murphy tends to like to mess up plans and wouldn’t it be a bad day if both the cluster powered down and your lone physical DC wouldn’t start up? Alternatively you can run those DCs on a separate workgroup host but that just complicates things in terms of virtualisation management. I like to keep things simple so I’d go the 2 physical DC route. Then you can safely virtualise other DCs while sticking to Microsoft’s advice on the subject.

5 thoughts on “Hyper-V: Can I Virtualise Everything: Domain Controllers?”

  1. Aidan,

    You mention that things have changed. Have you written an update to this or could you give us a link to find more information? When our current infrastructure was built, we were told we could virtualize all of our DCs, but one had to be on non-clustered storage. Is that the change, or are things even different than that? I’m building a new 2012 R2 cluster and would love the advice.


