Virtualize Domain Controllers

One would think that the idea of virtualizing Active Directory Domain Controllers would not be a topic needing discussion, and yet I find that the question arises regularly as to whether or not AD DCs should be virtualized.  In theory, there is no need to ask this question because we have far more general guidance in the industry that tells us that all possible workloads should be virtualized and AD certainly presents no special cases with which to create an exception to this long standing and general rule.

Oddly, however, people regularly go out seeking clarification on this one particular workload, and if you seek bad advice, someone is sure to provide it.  Tons of people post advice recommending physical servers for Active Directory, but rarely, if ever, with any explanation as to why they would recommend violating best practices at all, let alone with such a mundane and well known workload.

As to why people implementing AD DCs decide that it warrants specific investigation around virtualization when no other workload does, I cannot answer.  But after many years of research into this phenomenon I do have some insight into the source of the reckless advice around physical deployments.

The first mistake comes from a general misunderstanding of what virtualization even is.  This is sadly incredibly common and people quite often think that virtualization means consolidation, which of course it does not.  So they take that mistake and then apply the false logic that consolidation means consolidating two AD DCs onto the same physical host.  It also requires the leap to thinking that there will always be two or more AD DCs, but this is also a common belief.  So three large mistakes in logic come together for some very bad advice that, if you dig into the recommendations, you can normally trace back.  This seems to be the root of the majority of the bad advice.

Other causes are sometimes misunderstanding actual best practices, such as the phrase “If you have two AD DCs, each needs to be on a separate physical host.”  This statement is telling us that two physically disparate machines need to be used in this scenario, which is absolutely correct.  But it does not imply that either of them should not have a hypervisor, only that two different hosts are needed.  The wording used for this kind of advice is often hard to understand if you don’t have the existing understanding that under no circumstance is a non-virtual workload acceptable.  If you read the recommendation with that understanding, its meaning is clear and, hopefully, obvious.  Sadly, that recommendation often gets repeated out of context so the underlying meaning can easily get lost.

Around a decade ago, some virtualization platforms had issues around timing and system clocks that could play havoc with clustered database systems like Active Directory.  This was a legitimate issue at the time but was solved long ago, as it needed to be for many different workloads.  A perception was created that AD might need special treatment, however, and it seems to linger on even though it has been a generation or two in IT terms since this was an issue, and it should have long ago been forgotten.

Another myth leading to bad advice is rooted in the fact that AD DCs, like other clustered databases, when used in a clustered mode should not be snapshotted as this will easily create database corruption if only one node of the cluster gets restored in that manner.  This is, however, a general aspect of storage and databases and is not related to virtualization at all.  The same information is necessary for physical AD DCs just the same.  That snapshots are associated with virtualization is another myth; virtualization implies no such storage artefact.
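The operational rules stated above (separate physical hosts when there are two or more DCs, no snapshots of a DC that is part of a multi-DC domain, and no bare metal DCs) can be checked against an inventory export. This is an added example, not part of the original post; the CSV columns, host names and domain names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory export (hypothetical columns and names).
# physical_host: the hardware the DC runs on; hypervisor: empty means bare metal;
# snapshots: number of existing VM or storage snapshots of that DC.
SAMPLE_INVENTORY = """\
name,domain,physical_host,hypervisor,snapshots
DC01,corp.example,hv-a,hyperv,0
DC02,corp.example,hv-a,hyperv,2
DC03,corp.example,srv-7,,0
DC10,lab.example,hv-b,kvm,1
"""


def audit_dc_placement(inventory_csv):
    """Return sorted (rule, subject, detail) findings for a DC inventory."""
    by_domain = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        by_domain[row["domain"]].append(row)

    findings = []
    for dcs in by_domain.values():
        multi_dc = len(dcs) > 1  # a lone DC has no peer to diverge from
        # Rule 1: with two or more DCs, each needs its own physical host.
        by_host = defaultdict(list)
        for dc in dcs:
            by_host[dc["physical_host"]].append(dc["name"])
        for host, names in by_host.items():
            if len(names) > 1:
                findings.append(("shared-host", host, ",".join(sorted(names))))
        for dc in dcs:
            # Rule 2: restoring one node of a multi-DC domain from a snapshot
            # risks database corruption, whether the DC is virtual or physical.
            if multi_dc and int(dc["snapshots"] or 0) > 0:
                findings.append(("snapshot", dc["name"], dc["snapshots"]))
            # Rule 3: a DC with no hypervisor underneath it is bare metal.
            if not dc["hypervisor"].strip():
                findings.append(("bare-metal", dc["name"], dc["physical_host"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_dc_placement(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```

The lone DC in `lab.example` is not flagged for its snapshot, because the corruption risk described above applies when only one node of a multi-DC domain is restored.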

Still other myths arise from a belief that virtualization must rely on Active Directory itself in order to function and therefore AD has to run without virtualization.  This is completely a myth and nonsensical.  There is no such circular requirement.

Sadly, some areas of technology have given rise to large scale myths, often many of them, that surround them and can make it difficult to figure out the truth.  Virtualization is just complex enough that many people attempt to learn not just how to use it, but what it is conceptually, by rote, giving rise to sometimes crazy misconceptions that are so far afield that it can be hard to figure out that that is really what we are seeing.  And in a case like this, misconceptions around virtualization, history, clustered databases, high availability techniques, storage and more add up to layer upon layer of misconceptions, making it hard to figure out how so many things can come together around one deployment question.

At the end of the day, few workloads are as ideally suited to virtualization as Active Directory Domain Controllers are.  There is no case where the idea of using a physical bare metal operating system deployment for a DC should be considered – virtualize every time.

One thought on “Virtualize Domain Controllers”

  1. I think this statement of yours says it all:

    “Oddly, people seem to go out regularly seeking clarification on this one particular workload, however and if you seek bad advice, someone is sure to provide. ”

    I guess the only reason advice like this is given out is that a few people do not understand what the role of virtualizing your assets is.
