Virtualizing a domain controller, how hard can it be?

For an upcoming project I was preparing to P2V a domain controller and found a lot of “info” on the subject, which got me thinking. Everybody talks about the dangers of P2V-ing a domain controller, but let’s be honest: when you look closely, most of the problems people describe are problems that also occur when you practice bad management on physical domain controllers. Didn’t those same problems arise in the old days when you made a backup of your DC using Ghost and then, after a failed Windows update, rolled it back using that Ghost image?

When working with domain controllers, physical or virtual, keep in mind that you should never revert them back in time or simply restore a backup without using the special Active Directory (authoritative) restore mode. Each domain controller has an internal counter, the update sequence number (USN), by which it knows which updates it has already received. The other domain controllers in the domain also keep track of which updates each domain controller has received. So if you revert a domain controller back in time, its internal USN goes backwards, but the other domain controllers will stop replicating with it because the USN it now reports doesn’t match the higher one they have in their own records. Microsoft has some very good docs on how to perform restores of domain controllers and how to handle USN rollbacks. Be sure to read them before playing with domain controllers.

If you follow these few very simple rules when P2V-ing a domain controller, all should be fine:

1. Only do a cold clone of a DC.

2. Before you start, make sure replication is working fine and run some dcdiag tests to confirm your AD is healthy. Yes, you can virtualize an unhealthy domain controller just as well, but you want to be sure your problems are not related to virtualization. So, clean it up first.

3. Shut down your DC and boot the server from the CD with your favorite cold cloning tool on it, like VMware vCenter Converter.

4. Perform the P2V like you normally would. Remove the old hardware drivers after the copy is complete, install and update VMware Tools, etc.

5. Once your virtual DC has seen the network, never ever again power on that old server.

Keep in mind that VMware Standalone Converter 4.3 no longer ships the cold clone ISO; you need to go back to VMware vCenter Converter 4.0U2, which is on the list of your vCenter 4.0U2 downloads.
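As an added pre-flight check for step 2 (and a record of the USN state discussed above), not code from the original post: this PowerShell script runs dcdiag, checks for inbound replication failures, looks for a USN rollback that has already been flagged, and saves the DC's invocation ID and highest committed USN so you can confirm after the clone that both only moved forward. It assumes the RSAT ActiveDirectory module and an elevated session on the DC being cloned; the output file path under $env:TEMP is an assumption.

```powershell
# Added pre-P2V health check; not from the original post. Assumes the RSAT
# ActiveDirectory module and an elevated session on the DC about to be cloned.
param([string]$DC = $env:COMPUTERNAME)
Import-Module ActiveDirectory
$problems = @()

# Step 2: dcdiag /q prints failures only, so any output means "clean it up first".
$dcdiagOut = & dcdiag /s:$DC /q 2>&1
if ($dcdiagOut) { $problems += "dcdiag reported errors:`n$($dcdiagOut -join "`n")" }

# Step 2: inbound replication must be error-free before the cold clone.
$failures = Get-ADReplicationFailure -Target $DC -ErrorAction Stop
foreach ($fail in $failures) {
    $problems += "Replication failure from $($fail.Partner): $($fail.LastError) ($($fail.FailureCount)x)"
}

# A USN rollback that already happened shows up as 'DSA Not Writable' = 4 under the
# NTDS parameters and as event 2095 in the Directory Service log.
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if ($ntds.'DSA Not Writable' -eq 4) { $problems += "'DSA Not Writable' = 4: USN rollback already detected" }
$ev = Get-WinEvent -FilterHashtable @{LogName='Directory Service'; Id=2095} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ev) { $problems += "Event 2095 (USN rollback) logged at $($ev.TimeCreated)" }

# Record what replication partners use to track this DC: its invocation ID and
# highest committed USN. After the clone, both must only ever move forward.
$dcObj   = Get-ADDomainController -Identity $DC
$rootDse = Get-ADRootDSE -Server $DC
$snapshot = [pscustomobject]@{
    DC                  = $dcObj.HostName
    InvocationId        = $dcObj.InvocationId
    HighestCommittedUSN = $rootDse.highestCommittedUSN
    Taken               = Get-Date
}
$snapshot | Export-Clixml -Path "$env:TEMP\pre-p2v-$DC.xml"   # assumed output location

# FSMO roles held here: not a blocker, but know what is offline during the clone.
$dom = Get-ADDomain; $forest = Get-ADForest
$roles = @{ PDC = $dom.PDCEmulator; RID = $dom.RIDMaster; Infra = $dom.InfrastructureMaster;
            Schema = $forest.SchemaMaster; Naming = $forest.DomainNamingMaster }
$held = $roles.GetEnumerator() | Where-Object { $_.Value -like "$DC.*" -or $_.Value -eq $DC } | ForEach-Object Key

$snapshot
if ($held) { "FSMO roles on this DC: $($held -join ', ')" }
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "DC $DC is not healthy; fix the issues above before the cold clone."
}
"DC $DC looks healthy; proceed with the cold clone (step 3)."
```

After the clone, run the same snapshot part against the virtual DC and compare: the invocation ID may legitimately differ, but the highest committed USN must not be lower than the recorded one.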

Christian Mohn has written a response to my blog on: “p2v a domain controller? why would you?”

  • I reckon for a GC/DC it is a lot easier to build a blank VM, copy a system state backup from another GC and run dcpromo /adv – migrating the service, not the server, is probably less work/quicker than a P2V if you have a good build process

  • I know, rebuilding might be quicker, although I often doubt it. Installing backup agents, anti-virus, downloading all the updates, making sure you have all the correct settings, etc, etc. But just for the sake of argument, using those simple steps (as you would with many other P2Vs), why would it go wrong?

  • Sanderdaems

    4- If it is an HP server I always use PSP Cleaner: http://blog.vmpros.nl/2010/01/21/software-hp-proliant-support-pack-cleaner/

    Still I prefer demote > new vm > promote new domain controller

    Nice post!

  • Why??? Is gut feeling enough to base this kind of decisions on?

  • Well, the basic reason I never do P2Vs on DCs is that there is always a big gap for errors. Customers can someday turn the old box on even if you told them not to, etc. Also, after being shut down it makes me uneasy how it is going to come back up after being virtualized (some unknown issue or some kind of strange inconsistency that couldn't be accounted for). This might be more personal preference and paranoia rather than a solid reason though ;-). Usually I bring up another DC in the virtual environment, then decommission the old one (after making sure the proper roles are moved to the other one, etc.). In my opinion this is almost faster and eliminates most room for error.

    Cheers,
    Ed

  • I think your process would work, but it does go against the majority gut feeling, that it is lower risk to deploy an additional GC than to P2V. I wonder if the scenario changes when you have a small AD with a single GC.

  • I fully understand you, but I'm also trying to get people to rethink it or come up with better arguments. What feeds that gut feeling? Because of problems in the past when using Ghost and getting into trouble?

    It's like in the early years with ESX 2.5 and 3.0, when it was still very difficult to convince people to run databases and Exchange on ESX. Most discussions ended only because their gut feeling said no, often with people even reluctant to try it in a test environment. Nowadays virtualizing Exchange is no issue at all.

  • If you P2V an app and it goes a bit wrong, you can revert back to the physical. Only one team comes and shouts at you. Kill AD and you have a lot of people shouting. AD isn't that scary once you are used to it, but once it's got in a bad way it can be pretty painful to rectify :(

  • Afidel

    And the rollback plan is easier: shut down the VM and power up the physical box. That alone is enough reason not to P2V a DC.

  • I like to keep in mind that my physical DC serves as a fallback mechanism for when things get screwed up in the process. When doing it the “nice” way for AD, you can take your time replicating stuff and make sure everything is correctly replicated and put into place.

    Once you P2V the machine, there is a certain point of no return. When things start failing after the point of no return, you have to start restoring AD using your system state backups and the like. In that time, no Active Directory data is available for your users.

    But, when we take a look at Microsoft's own Hyper-V combined with SCVMM, “offline mode” is enforced for P2V-ing. Offline mode is the same as the method Gabe suggests (cold clone). This tells us that Microsoft's own products support P2V-ing DCs.

    I think each method has its own pros and cons and the decision has to be made on a personal preference basis.

  • The correct sentence is of course: “”offline mode” is enforced for P2V-ing a DC” :)

  • Joe__C

    If I P2V a box then the good thing that can happen is that I have a virtual machine with all the issues and problems (known and unknown) that the original box had. If I install from scratch I know exactly what I have.

  • I'll add one more gotcha but it only pertains to 3.5 environments — make sure that the Legato SYNC driver has not been installed with VMware Tools. This driver was automatically installed with VMware Tools with ESX 3.5 up to Update 2, I think. I've come across environments where customers did not realize that the SYNC driver was still present on the VM after upgrading hosts to 4.x.

    The problem with the SYNC driver is that when invoked it will on occasion lock up the AD database. I observed a case where clients were unable to authenticate to the AD (it was reported as the AD being down!). Clients that had this DC as their preferred/current DC were getting a negative response from the DC. The DC was still running, but the DB was locked, so the DC would issue a negative response to everything. Clients were not being redirected to other DCs because this DC was answering them — the problem was that the answer was “NO” because the SYNC driver had locked the AD database. So if your DC was virtualized when the host was running ESX 3.5, I would strongly recommend that you check for the presence of this driver and remove it if found :)

  • Duncan

    I personally don't see the point in converting a DC. Just build a new server, promote it and demote the old one. Less risk involved.

  • Pingback: P2V a Domain Controller? Why would you? | vNinja.net()

  • Jkasal

    Go new DC.

    One word of advice I learned the hard way that may save someone else the embarrassment. If you are going to reuse an IP and/or hostname of a previous DC, make sure you fully install DNS (if the DC hosts DNS) before changing the IP and adding the DC to the domain. While installing via dcpromo, DNS will (if selected) be installed and any hosts looking for DNS will get a blank look from the new DC and all hell will break loose until it fully syncs its records. By that time the damage is done. Hosts won't look to a secondary DC/DNS server because they will get a response of “No record found” from an authorized DNS server.

  • Pingback: Virtualization of an Active Directory domain controller (P2V) « UP2V()


  • Nilanga Chandrasekara

    I recently converted my physical server to virtual using VMware vConverter (hot clone) and ran it on my VMware Player 6.0, but Active Directory is not functional. I am getting an error stating “The Server is not Operational”….. Any idea why?

  • JR

    This path won’t work on a Windows Server 2013 instance. You do the migration, but it’s VMware 6 compatible with the last ISO. The newer VMware Player and Workstation complain that the instance needs to be upgraded as it isn’t compatible with Windows 2013. Then it goes into a vicious repair loop.

    JR

  • JR

    Meant 2012 below.