
I know there have been some articles pertaining to the concerns, and it is a big NO NO. I'm wondering, over the years with the latest OS versions and numerous patches by Microsoft, does this theory still apply?

Below are some of the old articles that I have read, but with the latest versions, does this still apply? https://www.starwindsoftware.com/blog/hyper-v/combining-hyper-v-dc-role-server-bad-idea/ (3 years) https://www.altaro.com/hyper-v/reasons-not-to-make-hyper-v-a-domain-controller/ (9 years ago)

It's a common practice where usually a company commences building up an infrastructure with 2 core mid-range servers (Datacenter versions) and configures a Hyper-V host.

Reading best practices by Microsoft indicates that the domain controller should be in both a physical and a virtualized environment.

I intend to have at least 2 Hyper-V hosts while I configure replication for our VMs. It is not possible for me to have a 3rd server just for the sake of having a physical domain controller.

Or should a physical DC be completely disregarded, and should I just have pri/sec domain controllers on VMs?

Appreciate your thoughts. Thank you.

2
  • I doubt there are many organizations that do this simply because it does not pass an audit. A domain controller really should not host other roles. Even something that seems benign like a print server can turn into a critical vulnerability overnight. In a perfect world you should have a physical DC, but that isn't a huge priority with the relatively simple configuration of servers and storage in the small to medium market. In large environments where a failure could wipe out 20 Hyper-V hosts, sure, having one physical DC would be a good idea. Commented Dec 18, 2023 at 14:42
  • @peter Thank you for the quick response. With your experience and having answered heaps of questions, have you come across environments that run their DC only in a virtualized environment? Commented Dec 19, 2023 at 5:26

3 Answers

0

You could also have a domain controller in Azure and one on your Hyper-V host. I think the advice to have a physical DC is a bit outdated. Just make sure you don't live migrate the DC from host to host. And pay good attention to the time sync when using a Hyper-V guest as a DC.

But if you require replication, that means that the DC needs to be up and running before Hyper-V starts, so that would mean either a DC on hardware or in Azure.
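The answer above makes two practical points without showing how to apply them: keep host time sync away from a DC guest, and make sure the DC is up before everything that depends on it. The PowerShell below is an added example, not code from the answerer; the guest name DC01 and the NTP pool hostnames are assumptions, and the host-side part needs the Hyper-V PowerShell module.

```powershell
#region Host side (run on the Hyper-V host, Hyper-V PowerShell module)
# Assumed name: the DC guest is "DC01". Adjust to your environment.
$DcVm = 'DC01'

# A DC should take time from the AD hierarchy (or, for the PDC emulator, from an
# external NTP source), not from the hypervisor clock. Turn off host time sync
# for the DC guest only.
Disable-VMIntegrationService -VMName $DcVm -Name 'Time Synchronization'

# Bring the DC up first and with no delay, and shut it down rather than "Save"
# it (saved state on a DC is a time-travel hazard, like a snapshot). Every other
# guest starts after a delay, so authentication is available when it boots.
Set-VM -Name $DcVm -AutomaticStartAction Start -AutomaticStartDelay 0 -AutomaticStopAction ShutDown
Get-VM | Where-Object { $_.Name -ne $DcVm } |
    Set-VM -AutomaticStartAction StartIfRunning -AutomaticStartDelay 120

# Audit: which guests still sync time from the host? Any DC listed here is
# misconfigured.
Get-VM | Get-VMIntegrationService -Name 'Time Synchronization' |
    Where-Object Enabled | Select-Object VMName, Name, Enabled
#endregion

#region Guest side (run elevated inside the DC that holds the PDC emulator role)
# Point w32time at external NTP (hostnames are assumptions), mark this DC as a
# reliable time source so the other DCs follow it, and restart the service.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync

# Verify: the source must be the NTP peer. If this prints
# "VM IC Time Synchronization Provider", the guest is still taking time from
# the host and the first section did not take effect.
w32tm /query /source
#endregion
```

Only the PDC emulator needs the external peer; the remaining DCs pick it up through the normal domain hierarchy. Microsoft's current virtualized-DC page (linked in the next answer) also describes a "partial" variant, leaving the integration service enabled so the clock is corrected when the VM resumes, but setting Enabled to 0 under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider inside the guest so it does not sync continuously; that registry path is quoted from memory here, so confirm it against the linked page before relying on it.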

1

After Windows Server 2012 it was safer to have a virtual DC.

Windows Server 2012 and later support the implementation of virtualized domain controllers (DCs) with safeguards to prevent update sequence number (USN) rollback on virtual DCs and the ability to clone virtual DCs. Hyper-V consolidates different server roles onto a single physical computer. For more information, see Safely virtualizing Active Directory Domain Services (AD DS).

Ref: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v

For most smaller clients I see, all are facing a challenge to have a physical DC. I still recommend a physical DC (on top of a virtual one) + backup server role if you have an older server lying around, just to be sure you don't lose your domain if you lose your Hyper-V cluster. (Not on the Hyper-V server host directly, as for licensing you can't, and it would make your DC possibly multihomed, which will bring you a lot of other problems.)

Something I've seen in the past: if you have backup software that runs inside a VM and you lose your environment, imagine reloading the backup software to re-read the data when the AD is offline. The time to recover is a lot higher. If money is a problem, just be sure to be clear to your boss that if it happens you will do your best, but you can't have zero downtime in such a crash.

1
  • Thank you for your quick response. I am new to this company and basically starting from scratch. They have about 500 users, 200 concurrent, and growing to 1000 in the next 2 years. I proposed 2 mid-range R750 servers as I've done in the past and intend to scale from there with SAN etc. once the budget for the next batch is approved. Commented Dec 19, 2023 at 5:30
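The answer above rests on the USN-rollback safeguard that Windows Server 2012 added (the hypervisor exposes a VM-Generation ID, and the DC resets its invocationID when that ID changes) and warns that a DC on the host would end up multihomed. Whether either condition actually holds on a given DC is worth checking rather than assuming. The script below is an added example, not the answerer's code; it runs elevated on the virtualized DC itself and assumes the ActiveDirectory and DnsServer PowerShell modules are available there (they come with the AD DS and DNS roles).

```powershell
# Added check, run elevated on a virtualized DC. Not part of the original answer.
Import-Module ActiveDirectory
$dc = $env:COMPUTERNAME

# msDS-GenerationId is written to the DC's own computer object when the
# hypervisor exposes a VM-Generation ID. It is not replicated, so ask this DC
# directly (-Server). No value means no safeguard: restoring a snapshot would
# cause a USN rollback instead of a clean invocationID reset.
$comp = Get-ADComputer -Identity $dc -Server $dc -Properties 'msDS-GenerationId'
if ($comp.'msDS-GenerationId') {
    "OK: VM-Generation ID present ({0} bytes); snapshot/restore protection is active." -f $comp.'msDS-GenerationId'.Length
} else {
    "WARNING: no msDS-GenerationId on $dc. Either this DC is physical or the hypervisor does not expose a VM-Generation ID. Never restore it from a snapshot or saved state."
}

# Record the current invocationID. If it differs after a restore, the safeguard
# fired and the DC re-established replication safely.
"invocationID: {0}" -f (Get-ADDomainController -Identity $dc).InvocationId

# Multihoming check. More than one usable IPv4 address, or more than one A record
# for this DC in its own zone, means clients and replication partners may be
# handed an address they cannot reach.
$ifs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
$zone = (Get-ADDomain).DNSRoot
$aRecords = Get-DnsServerResourceRecord -ZoneName $zone -Name $dc -RRType A -ErrorAction SilentlyContinue
if (@($ifs).Count -gt 1 -or @($aRecords).Count -gt 1) {
    "WARNING: $dc looks multihomed: {0} IPv4 addresses, {1} A records in $zone." -f @($ifs).Count, @($aRecords).Count
    $ifs | Select-Object InterfaceAlias, IPAddress
} else {
    "OK: single IPv4 address and a single A record for $dc in $zone."
}
```

Run it once after the DC is built and again after any host or cluster change. A DC that was exported from a newer hypervisor and imported onto one that does not provide a VM-Generation ID silently loses the protection, and this check is the only cheap way to notice.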
0

Thank you for your quick response. I am new to this company and basically starting from scratch. They have about 500 users, 200 concurrent, and growing to 1000 (3 branches) in the next 2 years. I proposed 2 mid-range R750 servers as I've done in the past and intend to scale from there with SAN etc. once the budget for the next batch is approved. With the latest version, Windows 2023 (haven't touched this yet), would it have reached a stable and robust OS compared to the others? Like XP? lol

As per the article below, which explains best practices:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/virtualized-domain-controllers-hyper-v

But the above implies an ideal world in which budget isn't a constraint.

1
  • I'm not familiar with Hyper-V, but do the host servers need to be domain-joined? If not, I'd suggest setting them up as workgroup servers and then hosting the DCs on that. Obviously you won't get certain management capabilities like GPOs etc. on the Hyper-V hosts, but with only two servers, it sounds like you'll be doing a lot of stuff by hand anyway. This scenario works perfectly well with non-Windows hypervisors like ESX or Xen. Btw, there's no such thing as "primary/secondary" DCs - sure, there's the PDCe role, but you shouldn't use language that applies to NT domains for AD environments. Commented Jan 4, 2024 at 22:26
