best practices for virtualizing active directory

8/6/2019 Best Practices for Virtualizing Active Directory

1/51

Best Practices for VirtualizingActive Directory

Breakout Session AP01

Chris Skinner

Senior Technical Instructor ,VMware, Inc.

February 25, 2009


2/51

Disclaimer

This session may contain product features that arecurrently under development.

This session/overview of the new technology represents

no commitment from VMware to deliver these features inany generally available product.

Features are subject to change, and must not be included incontracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new technologies or features

discussed or presented have not been determined.These features are representative of feature areas under development. Feature commitments aresubject to change, and must not be included in contracts, purchase orders, or sales agreements ofany kind. Technical feasibility and market demand will affect final delivery.


3/51

Objectives and Goals

You can virtualize Active Directory successfully

Its not difficult, mystical or magical

Many companies have successfully deployed AD through

virtualization


4/51

Agenda

Why should we virtualize Active Directory?

What are the challenges with virtualizing AD?

How does a company successfully migrate?


5/51

Why Virtualize?


6/51

Why Virtualize Active Directory?

Hardware Consolidation

Combine multiple, single use boxes

Standardization eliminating imaging issues

Reduce product activation issues

Leverage VI 3 Features HA & DRS


7/51


Testing and Development

Policy testing

Schema changes

Migration/upgrade testing Domain reconfigurations

Deployment scenarios

Disaster recovery solutions


8/51


Security Controls

Limiting physical access

Additional administrative controls

Separate applications from domain controllers


9/51


10/51

Time SynchronizationVirtualization Challenges


11/51

Time Synchronization Why is it so important?

Active Directory operations are critically time dependent

MS Kerberos implementation allows a 5 minute tolerance

File Replication Services (FRS) synchronizes scripts, databasechanges/updates, policies based, in part, on time-stamping


12/51

Time Server Hierarchies

Source: Microsoft Corporation

Child PDC emulators can syncwith any DC in the parent

domain

Clients sync with any DC in itsown domain

DCs can sync with PDCemulator in its own domain orany DC in parent


13/51


14/51


15/51

Time SynchronizationOption B VMware Tools

Modify Windows Time Service Use VMware Tools

Implement Domain Controllers Group Policy to modify registry:

Enable ESX server NTP daemon tosync with external stratum NTP source

VMware Knowledge Base ID# 1339

Use VMware Tools time synchronizationwithin the virtual machine

NOTE: VMware Tools time sync is designedto play catch-up, not slow down!

Modify


16/51

Time Synchronization Descheduled Time

Accounting

Custom VMware Tools component

Tightly integrated with hypervisor

Use with ESX 3.x VMs only

Currently for uniprocessor Windows and Linux VMs only

Improved accuracy for guest OSes CPU time accounting

Allows quicker catch-up of time for guest OS

Launches a VMDesched thread or process within VMs OS


17/51

Time Synching Descheduled Time Accounting (2)

Perform a Custom installation of VMware Tools in Windows guest OS


18/51

Time Synchronization - Summary

Use one method or the other

Do NOT use both!!!

Decisions should be based on current time managementinfrastructure or organizations policies


19/51

Performance IssuesVirtualization Challenges


20/51

Performance for Virtualized Domain Controllers

Virtualized AD domain controllers can run at 85-90% of nativesystems performance

Active Directory deployments in most datacenters utilize less than10% of todays computing power

Requires significantly less hardware to achieve greater number ofvirtualized domain controllers

Greater number of domain controllers provides better logon results,less points of failure


21/51

Performance Single Processor


22/51

Performance Dual Processors


23/51

Performance - Scaling Processors Up


24/51

Performance Summary

Virtualization does not necessarily increase performance

Proper planning of resource allocation is still important

Its still important to follow Microsofts best practices for thestrategic placement of FSMO role servers, catalog servers, etc.


25/51

Virtualization ChallengesSecurity, Network and Replication


26/51

Security - VM Access Control


27/51

Network - Connections

Use the Maps viewto verify networkinfrastructure

Create separate VM port groupsconnected to individual NICs


28/51

Network - Advanced Switch Settings

Vmware ESX 3.x provides some more sophisticated networksettings


29/51


30/51


31/51

Virtualization ChallengesHigh Availability &Disaster Recovery/Preparedness


32/51

High Availability VMware ESX 3.x / vCenter

Server 2.x

VMware provides solutions for automatically restarting virtualmachines

Implement VMware HA as a high availability to ensure virtualmachine domain controllers restart in the event an ESX server fails


33/51

High Availability VMware ESX 3.x / vCenter

Server 2.x

Combined with VMware DRS Anti-affinity rules can ensure domaincontroller VMs are segregated


34/51

Disaster Recovery Best Practices

Perform consistent system state backups

Provided by most major commercial backup software

Follow Microsoft recommendations on FSMO role placement

http://support.microsoft.com/kb/223346

All Active Directory restorations should be performed usingauthoritative and non-authoritative methods Do not recover an Active Directory database from a backup copy of

an old virtual disk!
http://support.microsoft.com/kb/223346http://support.microsoft.com/kb/223346


35/51

Disaster Recovery - ScenariosImproper Restore of VM Proper Restore of VM

Source: Microsoft Corporation


36/51

High Availability, Disaster Recovery Summary

Utilize VMware DRS and HA to implement a successfulrecoverability solution

Always to continue to use Microsofts System State data bestpractices to backup AD database

Default useful life of System State data 60-180 days

Controlled by Tombstone lifetime attribute (depends on OS, SP, etc.)

Microsoft does not support snapshots of DCs KB888794

Continue to follow best practices around the placement of key,

critical roles


37/51

Transitioning fromPhysical to Virtual


38/51

How to you successfully migrate?

Virtual machine considerations

DNS configurations

Best practices


39/51

Virtual Machine Considerations

Size the VMs memory to run entire AD database in cache to avoiddisk performance hits

Windows 2003 Server

Value 32-Bit 64-bit

RAM Cache2.75GB

(using /3GB switch)16GB

Approx. #of Users 100,000 2.5 million


40/51

Virtual Machine Considerations

Add, modify, search, delete and update operations will benefitsignificantly from caching

Slight penalty incurred for write operations Physical or Virtual

Microsofts AD Sizer can help you plan the size

Use Microsofts best practices and separate boot, database, logvirtual disks on individual SCSI controllers to optimize writeperformance


41/51

Transitioning from Physical to Virtual

Start with a fresh system state backup for recovery

Consider creating a dedicated virtual switch or virtual machine port group

to isolate replication traffic

Generally single processor virtual machines are adequate for domaincontrollers

Validate inbound/outbound connections between physical and virtual

machines

Allow 24-48 hours for replication to complete

Change the weight and/or priority of the DNS SRV records for virtualmachines

Monitor the logon requests to ensure virtual machines are successfullyresponding

Decommission physical domain controllers


42/51

DNS Modifications Transitioning to VMs

Modify the weight and/or priority of the DNS SRV records

Specifically offload the authentication requests from the PDC

emulator when possible

DNS weight is the proportional distribution of requests among DNSservers

DNS priority is the likelihood a server will receive a request

PDC emulators should have one or both adjusted accordingly byadding:

Physical domain controllers should be adjusted similarly to decreasedependencies on PDC emulator

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters

LdapSrvWeight DWORD decimal value of 25 or 50

HKLM\System\CurrentControlSet\Services\Netlogon\ParametersLdapSrvPriority DWORD decimal value to 100 or 200


43/51


44/51

Best Practices

Avoid snapshots or REDOs for domain controller virtual machines

Do not suspend domain controller virtual machines for long periods

Consistent and regular system state backups still very important

Avoid physical to virtual DC conversions


45/51

Virtualizing Active Directory can be done!!!

System State backups regularly

Time Synchronization

High Availability/Disaster Recovery Plan

Monitor Replication Traffic

Modify DNS SRV records to redirect logon authentications to VMs

Go back and constantly re-evaluate your strategy!!!


46/51

Features

Approved Operational

Practices Best Practices of

Industry Experts

Prescriptive Guidance

For customers bycustomers

Consistent appearance

Features

Approved Operational

Practices Best Practices of

Industry Experts

Prescriptive Guidance

For customers bycustomers

Consistent appearance

VI OPS Portal

A customizablecollaboration site for sharingrole and subject basedproven, prescriptive, and

actionable guidance.

A customizablecollaboration site for sharingrole and subject basedproven, prescriptive, and

actionable guidance.

http://viops.vmware.comhttp://viops.vmware.com


47/51

Additional Information

VMware Time Sync and Windows Time Service

VMware Knowledge Base ID# 1318 - http://kb.vmware.com/kb/1318

Installing and Configuring NTP on VMware ESX Server

VMware Knowledge Base ID# 1339 - ttp://kb.vmware.com/kb/1339

VMware Descheduled Time Accounting

http://www.vmware.com/pdf/vi3_esx_vmdesched.pdf

How to detect and recover from a USN rollback in Windows Server 2003


How to detect and recover from a USN rollback in Windows 2000 Server

http://kb.vmware.com/kb/1318http://kb.vmware.com/kb/1339http://www.vmware.com/pdf/vi3_esx_vmdesched.pdfhttp://support.microsoft.com/kb/875495http://support.microsoft.com/kb/885875http://support.microsoft.com/kb/885875http://support.microsoft.com/kb/875495http://www.vmware.com/pdf/vi3_esx_vmdesched.pdfhttp://kb.vmware.com/kb/1339http://kb.vmware.com/kb/1318


48/51

Additional Information (2)

Active Directory Performance for 64-bit Versions of Windows Server 2003

http://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=en

Microsofts Active Directory Sizer for Windows 2000

http://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exe

Active Directory Performance Testing Tool (ADTest.exe) http://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=en

Support policy for Microsoft software running in non-Microsoft hardware

virtualization software http://support.microsoft.com/kb/897615

How to configure an authoritative time server in Windows Server 2003

http://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=enhttp://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exehttp://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exehttp://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=enhttp://support.microsoft.com/kb/897615http://support.microsoft.com/kb/816042http://support.microsoft.com/kb/816042http://support.microsoft.com/kb/897615http://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=enhttp://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exehttp://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exehttp://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=en


49/51

Thank you!!


50/51


51/51

best practices for virtualizing active directory

Documents