{"id":1221,"date":"2017-06-26T10:42:24","date_gmt":"2017-06-26T15:42:24","guid":{"rendered":"http:\/\/www.smbitjournal.com\/?p=1221"},"modified":"2017-06-04T11:16:38","modified_gmt":"2017-06-04T16:16:38","slug":"virtualize-domain-controllers","status":"publish","type":"post","link":"https:\/\/smbitjournal.com\/2017\/06\/virtualize-domain-controllers\/","title":{"rendered":"Virtualize Domain Controllers"},"content":{"rendered":"

One would think that the idea of virtualizing Active Directory Domain Controllers would not be a topic needing discussion, and yet I find that the question arises regularly as to whether or not AD DCs should be virtualized.\u00a0 In theory, there is no need to ask this question because we have far more general guidance in the industry that tells us that all possible workloads should be virtualized, and AD certainly presents no special case that would create an exception to this long-standing and general rule.<\/p>\n

Oddly, however, people seem to regularly go out seeking clarification on this one particular workload, and if you seek bad advice, someone is sure to provide it.\u00a0 Tons of people post advice recommending physical servers for Active Directory, but rarely, if ever, with any explanation as to why they would recommend violating best practices at all, let alone with such a mundane and well-known workload.<\/p>\n

As to why people implementing AD DCs decide that it warrants specific investigation around virtualization when no other workload does, I cannot answer.\u00a0 But after many years of research into this phenomenon I do have some insight into the source of the reckless advice around physical deployments.<\/p>\n

The first mistake comes from a general misunderstanding of what virtualization even is.\u00a0 This is sadly incredibly common and people quite often think that virtualization means consolidation, which of course it does not.\u00a0 So they take that mistake and then apply the false logic that consolidation means consolidating two AD DCs onto the same physical host.\u00a0 It also requires the leap to thinking that there will always be two or more AD DCs, but this is also a common belief.\u00a0 So three large mistakes in logic come together for some very bad advice that, if you dig into the recommendations, you can normally trace back.\u00a0 This seems to be the root of the majority of the bad advice.<\/p>\n

Other bad advice sometimes comes from misunderstanding actual best practices, such as the phrase “If you have two AD DCs, each needs to be on a separate physical host.”\u00a0 This statement is telling us that two physically disparate machines need to be used in this scenario, which is absolutely correct.\u00a0 But it does not imply that either of them should not have a hypervisor, only that two different hosts are needed.\u00a0 The wording used for this kind of advice is often hard to understand if you don’t have the existing understanding that under no circumstance is a non-virtual workload acceptable.\u00a0 If you read the recommendation with that understanding, its meaning is clear and, hopefully, obvious.\u00a0 Sadly, that recommendation often gets repeated out of context so the underlying meaning can easily get lost.<\/p>\n

Long ago, as in around a decade ago, some virtualization platforms had issues around timing and system clocks that could play havoc with clustered database systems like Active Directory.\u00a0 This was a legitimate issue at the time but has long since been solved, as it needed to be for many different workloads.\u00a0 A perception was created that AD might need special treatment, however, and it seems to linger on even though it has been a generation or two in IT terms since this was an issue and it should have long ago been forgotten.<\/p>\n

Another myth leading to bad advice is rooted in the fact that AD DCs, like other clustered databases, should not be snapshotted when used in a clustered mode, as this will easily create database corruption if only one node of the cluster gets restored in that manner.\u00a0 This is, however, a general aspect of storage and databases and is not related to virtualization at all.\u00a0 The same information is just as necessary for physical AD DCs.\u00a0 That snapshots are associated with virtualization is another myth; virtualization implies no such storage artefact.<\/p>\n

Still other myths arise from a belief that virtualization must rely on Active Directory itself in order to function and therefore AD has to run without virtualization.\u00a0 This is a complete myth and is nonsensical.\u00a0 There is no such circular requirement.<\/p>\n

Sadly, some areas of technology have given rise to large-scale myths, often many of them, that surround them and can make it difficult to figure out the truth.\u00a0 Virtualization is just complex enough that many people attempt to learn not just how to use it, but what it is conceptually, by rote, giving rise to sometimes crazy misconceptions that are so far afield that it can be hard to figure out that that is really what we are seeing.\u00a0 And in a case like this, misconceptions around virtualization, history, clustered databases, high availability techniques, storage and more add up to layer upon layer of misconceptions, making it hard to figure out how so many things can come together around one deployment question.<\/p>\n

At the end of the day, few workloads are as ideally suited to virtualization as Active Directory Domain Controllers are.\u00a0 There is no case where the idea of using a physical bare metal operating system deployment for a DC should be considered – virtualize every time.<\/p>\n","protected":false},"excerpt":{"rendered":"

One would think that the idea of virtualizing Active Directory Domain Controllers would not be a topic needing discussion, and yet I find that the question arises regularly as to whether or not AD DCs should be virtualized.\u00a0 In theory, there is no need to ask this question because we have far more general guidance … Continue reading Virtualize Domain Controllers<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/posts\/1221"}],"collection":[{"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/comments?post=1221"}],"version-history":[{"count":1,"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/posts\/1221\/revisions"}],"predecessor-version":[{"id":1222,"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/posts\/1221\/revisions\/1222"}],"wp:attachment":[{"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/media?parent=1221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/categories?post=1221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/smbitjournal.com\/wp-json\/wp\/v2\/tags?post=1221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}