Presentation is loading. Please wait.

Presentation is loading. Please wait.

BCA1709 Successfully Running Active Directory in a Virtualized Environment Name, Title, Company.

Published byCorey Dorsey Modified over 8 years ago

Similar presentations

Presentation on theme: "BCA1709 Successfully Running Active Directory in a Virtualized Environment Name, Title, Company."— Presentation transcript:

1 BCA1709 Successfully Running Active Directory in a Virtualized Environment
Name, Title, Company

2 Disclaimer This session may contain product features that are currently under development. This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.

3 Objectives and Goals You can virtualize Active Directory successfully
4/20/2017 Objectives and Goals You can virtualize Active Directory successfully It’s not difficult, mystical or magical Many companies have successfully deployed AD through virtualization Many clients have already successfully implemented Active Directory in a virtualized environment. As a corporate infrastructure solution, Active Directory is no more difficult implementing in a virtualized environment than it is in a physical.

4 Agenda Why virtualize Active Directory on vSphere?
What are the challenges virtualizing Active Directory? How to successfully migrate? 4

5 Why Virtualize Active Directory?

6 Why Virtualize Active Directory on vSphere?
Support Microsoft SVVP Support and Licensing Active Directory Performs extremely well in vSphere vSphere can drive 500,000+ IOPS 32 vCPU support and 1 TB memory per virtual machine Performance Reduce infrastructure costs Combine Active Directory servers with other server roles Eliminate need for additional dedicated servers Standardize domain controller images Cost Simplify IT Management Standardize on a single virtual server platform across all branch office environments Increase IT staff productivity by enabling them to remotely and centrally manage all branch office services from the data center Accelerate provisioning and deployment of new virtual machines to meet business needs across the entire branch office infrastructure Ensure Always-on Availability and Recoverability Reduce the need for IT expertise in branch offices by automating backup and restore processes Manage and secure confidential data through centralized backups Increase uptime of branch office servers by automatically restarting virtual machines in the case of hardware or site failure Reduce Hardware and Operational Costs Reduce hardware costs associated with deploying new applications Reduce operational costs (power, cooling, real estate) by increasing server utilization and consolidation in each branch office Experience valuable time savings through remote management and automation capabilities Dynamic Management Streamline testing & troubleshooting with snapshots and clones Provision servers in minutes Scale dynamically and right-size infrastructure Achieve high availability without complexity of clustering Management

7 Microsoft Server Virtualization Validation Program (SVVP)
Licensing Allows VMotion Support for Applications VMware Validated in SVVP Reassign licenses between servers as frequently as needed Covers many server apps including: Active Directory Exchange 2007/2010 SQL Server 2000/2005/2008 SharePoint Server 2010 Dynamics CRM 4.0 Microsoft SVVP Program to validate virtualization products Technical support for Windows and apps on SVVP validated software: Active Directory Exchange 2007/2010 SQL Server 2000/2005/2008 SharePoint Server 2010 Dynamics CRM 4.0 9/3/09 announcement VMware Products include: ESX/ESXi 3.5 Update 3-5 ESX/ESXi 4.0 thru Update 2 ESX/ESXi 4.1 thru Update 2 We have been making strides in obtaining support and acceptance of our virtualization platform from ISVs. Today, we have support statements from over 200 different ISVs, covering over 300 different applications. Furthermore, we are obtaining support statements from new ISVs every month. This is great momentum compared to several years ago when we had almost none.

8 Cost - Hardware Consolidation
Standardization – Eliminate imaging problems and reduce activation issues Repurpose multiple single-use server hardware Combine multiple physical server roles into separate VMs Great for creating Remote/Branch office servers (provides local authentication) Active Directory Physical VMware vSphere Multiple VMs Multiple Server Roles (File Server, DHCP, DNS, etc) 4 core 16 GB 4 core 16 GB These performance results are substantiated on a record capacity benchmark recently published for Exchange 2007. VMware achieved the highest performance ever achieved from a single server for Exchange 2007: 16K heavy user mailboxes supported in 8 VMs with VMware Max 8K mailboxes supported without VMware – on a single instance of Exchange 8

9 Greater Security Control
vCenter Role-Based access provides even more granular permissions than VI3 Address Space Layout Randomization (ASLR) in vSphere reduces attack surface and eliminates security breaches Isolated VM environments Better change control management Physical VMware vSphere Multiple VMs These performance results are substantiated on a record capacity benchmark recently published for Exchange 2007. VMware achieved the highest performance ever achieved from a single server for Exchange 2007: 16K heavy user mailboxes supported in 8 VMs with VMware Max 8K mailboxes supported without VMware – on a single instance of Exchange 4 core 16 GB 4 core 16 GB Active Directory Isolated VM environments (File Server, AD, DHCP, DNS, etc) 9

10 Improve Testing Efficiency with Snapshots and Clones
4 Production Move changes into production Active Directory Exch 2010 Active Directory Exchange 2007 ADAM 2 3 Exact copy of production 1 Archive for Fast Roll-back Run more tests faster The problem of pre-production infrastructure management is solved by: Consolidating physical pre-production resources and using VMware Infrastructure to set up resource pools to support each stage of the lifecycle Run IT services and business application software as virtual machines on VMware Infrastructure Use Stage Manager to manage the transition process of the service configurations Faster testing of Schema changes without affecting production More accurate testing on exact production copies Lower cost testing infrastructure 10

11 Agenda Why virtualize Active Directory on vSphere?
What are the challenges virtualizing Active Directory? How to successfully migrate? 11

12 What are the challenges virtualizing Active Directory?
Time Synchronization Performance Replication Availability Disaster Recovery

13 Time Synchronization

14 Windows Server Time Server Hierarchies
Synchronize Forest PDC emulator with an external stratum 1 time source Child PDC emulators can sync with any DC in the parent domain Clients can sync with any DC in its own domain DCs can sync with PDC emulator in its own domain or any DC in parent It is important to understand the relationship between the clients, member servers, and domain controller’s source of time. Here we attempt to visually show the relationships and source for the various entities. Ultimately the PDC emulator for the forest root domain becomes king. If we modify the defaults of this domain controller’s role to synchronize with an alternative external stratum 1 source, we can ensure that all the others within the domain would be accurate.

15 Why is time synchronization so important?
Active Directory implements Kerberos for authentication MS Kerberos implementation allows for a 5 minute tolerance Active Directory operations are critically time dependent Password changes Terminated user accounts Urgent replication (group membership change, account additions and modifications, group policy changes) File Replication Services (FRS) synchronizes scripts, database changes/updates, policies based, in part, on time-stamping A large part of a successful Active Directory implementation will be in the proper planning of time services. Active Directory is critically dependent on accurate time keeping. Kerberos is based on the workstation’s time for generating authentication tickets. If time drifts significantly, the authentication tickets may not be issued, become out-dated, or simply expire resulting in denied authentications. Accurate time keeping is essential for the replication process in a multi-master environment. AD replication uses Update Sequence Numbers (USN) to determine what changes to pull from its partners. If simultaneous changes are made resulting in identical USN numbers, timestamps are used as ”tie-breakers”. Virtualized machines can easily drift and fairly rapidly if not receiving constant and consistent time cycles. Therefore, in order to plan for an Active Directory implementation, one must carefully consider the most effective way of providing accurate time to AD.

16 Virtualization Issues with Clock Synchronization
If no CPU cycles are needed – none will be given to virtual machine Clock drift can be significant in a relatively short period Idle cycles in a virtual machine can and will be detrimental to Active Directory How can you ensure that your Active Directory does not experience time synchronization issues? More than a 28 minute drift! In a virtualized environment, VMs that don’t require CPU cycles, don’t get CPU cycles. Normally, for the typical Windows virtual machine, this is not a major problem. With Microsoft’s Active Directory, time drifting can be significant for domain controllers. Microsoft implemented Kerberos v5 for their authentication protocol. Kerberos is a time sensitive protocol. We will look at some solutions for supporting this type of time-sensitive environment in a virtualized infrastructure next.

17 Group Policy using WMI filtering to detect PDC Emulator
Define group policy object using Windows Time settings Modify global Windows Time Settings in: Computer configuration\Windows Settings\Administrative Templates\Windows Time Service Create policy under Domain Controllers container Create a WMI filter to detect the PDC emulator Group Policy Management Console (GPMC) Select “New WMI Filter” Choose a name for the filter Add namespace root\CIMv2 Add query (Select * from Win32_ComputerSystem where DomainRole = 5) Roles are 0 = standalone, 1 = Member workstation, 2 = Standalone Server, 3 = Member Server, 4 = Backup domain controller, 5 = Primary domain controller Link your created WMI filter to your configured group policy object (GPO) Will only apply to Domain controller holding the PDC emulator FSMO role Will automatically move to wherever the PDC emulator role resides

18 Option A – Using the Windows Time Services
Use Windows Time Service Define an external stratum time source Modify Registry settings on the PDC emulator for the forest root domain: HKLM\System\CurrentControlSet\Services\W32Time\Parameters Change Type value from NT5DS to NTP Change NtpServer value from (time.windows.com,0x1) to an external stratum 1 time source, (EX: timekeeper.isi.edu,0x1) HKLM\System\CurrentControlSet\Services\W32Time\Config Change AnnounceFlags REG_DWORD from 10 to 5 Change SpecialPollInterval to 900 decimal = every 15 minutes Stop and restart Time Service – net stop w32time & net start w32time Manually force update  w32tm /resync /rediscover The first option would be to use the Windows Time Service and NOT VMware Tools synchronization for the forest root PDC emulator. The Forest root PDC emulator is the “master” time server for the domain and can be configured to use an external source for its time. The first task is to configure for an external time source. Microsoft KB article # provides instructions for this process. The three key registry settings to accomplish this task are: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type This determines from which peers W32Time will accept synchronization. Modify the REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry key. HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer This entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list can use either FQDNs or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags This entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.

19 Option B – Using VMware Tools
Modify Windows Time Service – Use VMware Tools Implement Domain Controllers Group Policy to modify registry: Modify Enable ESX server NTP daemon to sync with external stratum 1 NTP source VMware Knowledge Base ID# 1339 Use VMware Tools Time Synchronization within the virtual machine Option B would be to modify Windows Time Service through the use of a Domain Controllers Group policy for all DCs, implement the NTP daemon from within the service console pointed to an external stratum 1 NTP source and use VMware Tools time synchronization for the domain controllers virtual machines. The key important issue is not to use both as a means of time synchronization as they are not aware of each others existence and can cause erratic behavior. NOTE: VMware Tools time sync is designed to play “catch-up”, not slow down!

20 Time Synchronization - Summary
4/20/2017 Time Synchronization - Summary Use one method or the other Do NOT use both!!! Decisions should be based on current time management infrastructure or organization’s policies One of the most important decisions regarding time keeping when virtualizing Active Directory is to choose one method of clock synchronization. It is imperative to not try and implement both solutions or your domain controllers will become very confused on which time to trust and may begin “time flipping”.

21 Performance

22 Performance for Virtualized Domain Controllers
4/20/2017 Performance for Virtualized Domain Controllers Virtualized AD domain controllers can run at 85-90% of native system’s performance Active Directory deployments in most datacenters utilize less than 10% of today’s computing power Requires significantly less hardware to achieve greater number of virtualized domain controllers Greater number of domain controllers provides better logon results, less points of failure Although a virtualized domain controller will not be able match the performance of a physical server in one on one tests, if properly configured with appropriate resource allocations, it can come very close. Combined with the ability to reduce the number of physical servers required to accomplish the same or more Active Directory infrastructure servers, dollar for dollar an organization can realize more with less. Having more domain controllers simply allows better login experiences for the users and implements more redundancy for administrators.

23 vSphere Performance Improvements
Windows Server 2008 x64 bit architecture allows you to trade I/O for memory. 32 vCPU and 1 GB of RAM support for the most demanding virtual machines Enhanced networking stack can accommodate ~20Gb/s bandwidth Enhancements to vSphere storage layer ensures that the I/O subsystem is not an inhibitor to application performance (>500,000 IOPS per ESX server)

24 4/20/2017 Performance Summary Virtualization does not necessarily increase performance Proper planning of resource allocation is still important Important to follow Microsoft’s best practices for the strategic placement of FSMO role servers, catalog servers, etc. To summarize performance related issues and concerns, virtualization is not a solutions for increasing the performance of a domain controller over its physical equivalent counterpart. It is still important to properly plan resource allocation to a virtual machine in the same way you would for its physical twin. We will discuss those issues in future slides. When all is said and done, you still want to make sure that you follow Microsoft’s best practices when implementing Active Directory for the placement and number of the critical servers used to support your organization.

25 Replication

26 Examining Replication Topology
Checking Replication Topology All partitions should be replicated and free of replication errors Use Replmon for Windows 2003 Use Repadmin for Windows 2008 Look for replication errors Additionally, it can graphically show you the relationship between domain controllers. You will be notified when there is a replication problem as we can see here.

27 Using Replication Monitor (Replmon)
Validating Active Directory replication inbound connections This slide is a example of a successful replication between partners.

28 Using Replication Admin (Repadmin)
Validating Inbound Connections Replication is not occurring to other domain controllers in this forest Repadmin can be used to validate connectivity issues or concerns.

29 Using Replication Admin (Repadmin)
Successful Active Directory Replication All Active Directory partitions have replicated successfully to all inbound partners or neighbors Repadmin displays no errors Other tools for checking Active Directory health: Nltest DCdiag Active Directory Best Practice Analyzer – New for Win2008 R2 Microsoft IT Environment Health Scanner – New from Microsoft Replication Admin will provide you very detailed information about the state of affairs within your Active Directory infrastructure. This unsung tool can show you a great deal of information about connections, updates, replication status, FSMO roles, etc.

30 Using Directory Server Diagnostics (DCdiag)
Running partition tests on : ForestDnsZones Starting test: CheckSDRefDom ForestDnsZones passed test CheckSDRefDom Starting test: CrossRefValidation ... ForestDnsZones passed test CrossRefValidation Running partition tests on : DomainDnsZones Starting test: CheckSDRefDom DomainDnsZones passed test CheckSDRefDom Starting test: CrossRefValidation ... DomainDnsZones passed test CrossRefValidation Running partition tests on : Schema Starting test: CheckSDRefDom Schema passed test CheckSDRefDom Starting test: CrossRefValidation Schema passed test CrossRefValidation Running partition tests on : Configuration Starting test: CheckSDRefDom Configuration passed test CheckSDRefDom Starting test: CrossRefValidation Configuration passed test CrossRefValidation Running partition tests on : test Starting test: CheckSDRefDom test passed test CheckSDRefDom Starting test: CrossRefValidation ... test passed test CrossRefValidation Running enterprise tests on : test.local Starting test: LocatorCheck test.local passed test LocatorCheck Starting test: Intersite test.local passed test Intersite Use DCdiag to monitor the health of your Active Directory domain controllers Checking Active Directory domain controller health using Dcdiag Partial printout of a DCdiag run Diagnostics show that active directory partition tests passed successfully DCdiag can provide insight into how your Active Directory domain controllers are performing Available on Windows Server and Windows Server 2008 and R2 Replication Monitor will provide you very detailed information about the state of affairs within your Active Directory infrastructure. This unsung tool can show you a great deal of information about connections, updates, replication status, FSMO roles, etc.

31 High Availability and Disaster Recovery

32 Active Directory Backups
Perform consistent system state backups Eliminates hardware incapability when performing restore Follow Microsoft recommendations on FSMO role placement: All Active Directory restorations should be performed in accordance with Microsoft domain controller backup and restoration procedures Do not recover an Active Directory domain controller from a backup copy of an old virtual disk Do not use snapshots (differencing) disks as this could cause corruption and performance degradation within Active Directory Do not pause or suspend virtual domain controllers for extended periods of time. It is important to perform a routine of backing up system state data. Either using Window’s ntbackup.exe or a third-party solution, make sure it is capable of doing system state backups. During the system state backups, database IDs (InvocationID) and Update Sequence Numbers (USN) are properly set and identified. Because all VM’s hardware are created equal in ESX, performing an authoritative or non-authoritative restore is uneventful regardless of the hardware to which the VM sits. Use Microsoft’s KB article# for guidance on the placement and number of FSMO roles. Never attempt to use a copy of a VMs database virtual disk as a means of recovery.

33 Disaster Recovery Scenarios
In this slide, you can clearly see the implications of not restoring a virtual machine using a proper method such as, an authoritative or non-authoritative restore. On the left, restoring a virtual machine from an old copy of a virtual disk does not synchronize the database IDs nor the USNs. Using the proper method, will ensure that missing transactions are restored correctly to the failed database once it synchronizes with its replication parters.

34 Preparing for Disaster using vSphere Features
VMware provides solutions for automatically restarting virtual machines Restart Priorities vApp Containers Implement VMware HA as a high availability to ensure virtual machine domain controllers restart in the event an ESX server fails When a catastrophic event occurs and the loss of an ESX server is realized, VMware’s HA can be configured to automatically restart a domain controller virtual machine on one of the remaining hosts to prevent loss of Active Directory. Through the configuration options, you can prioritize individual virtual machines restart or isolation status. More importantly, there may a definite priority to the order in which you restart virtual machines. For example, it may be necessary for your domain controller (specifically a global catalog server) be online BEFORE your Exchange server initializes. Additionally, you may decide that a notification be sent in the event of loss of a heartbeat from one of you domain controllers. This, of course, can be accomplished through the use of a script or the SDK. Maybe you’ve implemented a script to restart a VM via a loss of heartbeat alarm through VirtualCenter.

35 Using DRS Anti-Affinity Rules
Combined with VMware DRS Anti-affinity rules can ensure domain controller VMs are segregated Combined with VMware’s DRS feature, we can ensure that domain controllers from the same domain always reside on different ESX server hosts to prevent placing all the domain controllers in “one basket”. The anti-affinity rules let you specify which domain controllers must stay together on must be separated.

36 High Availability, Disaster Recovery Summary
4/20/2017 High Availability, Disaster Recovery Summary Utilize DRS and HA to implement a successful recoverability solution Always to continue to use Microsoft’s System State data best practices to backup Active Directory database Default useful life of System State data  days Controlled by Tombstone lifetime attribute (depends on OS, SP, etc.) Microsoft does not support snapshots of DCs  KB888794 Continue to follow best practices around the placement of key, critical roles VMware Fault Tolerance Can protect critical domain controllers (PDC Emulators) Using DRS and HA will ensure that in the event of a catastrophic failure of a host machine running domain controllers, HA will restart those critical servers on one of the remaining hosts and DRS will balance the workloads. Making backup/duplicate copies of an Active Directory domain controller’s vmdk file does not ensure the database integrity or proper version/revision of that datastore. It is always recommended to follow Microsoft’s best practices and perform authoritative and non-authoritative restores for recovery. Virtualization does not change anything related to the proper placement of FSMO or catalog servers. Use Microsoft’s best practices for this as well.

37 Agenda Why virtualize Active Directory on vSphere?
What are the challenges virtualizing Active Directory? How to successfully migrate? 37

38 How to Successfully Migrate?

39 Transitioning from Physical to Virtual
4/20/2017 Transitioning from Physical to Virtual Start with a fresh system state backup for recovery Consider creating a dedicated virtual switch or virtual machine port group to isolate replication traffic Generally single processor virtual machines are adequate for domain controllers Validate inbound/outbound connections between physical and virtual machines Allow hours for replication to complete Change the weight and/or priority of the DNS SRV records for virtual machines Monitor the logon requests to ensure virtual machines are successfully responding Decommission physical domain controllers There are a good number of steps to consider as you migrate from the physical to virtual world. As any good administrator would do, make sure you start with a solid system state backup of your Active Directory database. Creating an isolated environment for the newly created domain controller virtual machines will exempt the VMs from contending with any other VMs as it completes is database replication. Generally, a single processor VM operating as a domain controller should be more than sufficient for performance as a production domain controller. Creating separate virtual disks for the Active Directory database, logs, and SYSVOL is consistent with Microsoft’s best practices as well. Simply put, it allows you to isolate from the operating system contention. Using the Replication Monitor (replmon.exe) from the Support Tools will allow you check, validate, and initiate the Knowledge Consistency Checker to guarantee all the connectors are in place for proper replication. Give it time to complete its replication process fully and completely. Changing the weight and/or priority of the DNS records will allow the administrator to direct logon requests more likely to the virtual machine domain controllers than the physical boxes. Using Performance Monitor, monitor log on requests to ensure that the DNS records are performing correctly. Once satisfied with the performance of the virtual machines, decomission the physical domain controllers. 39

40 DNS Modifications – Transitioning to VMs
4/20/2017 DNS Modifications – Transitioning to VMs Modify the weight and/or priority of the DNS SRV records Specifically offload the authentication requests from the PDC emulator when possible DNS weight is the proportional distribution of requests among DNS servers DNS priority is the likelihood a server will receive a request PDC emulators should have one or both adjusted accordingly by adding: Physical domain controllers should be adjusted similarly to decrease dependencies on PDC emulator HKLM\System\CurrentControlSet\Services\Netlogon\Parameters LdapSrvWeight DWORD decimal value of 25 or 50 LdapSrvPriority DWORD decimal value to 100 or 200 By modifying the weight and/or priorities of the DNS SRV records, you can direct log on authentications to specific domain controllers or away from the PDC emulator. PDC emulator is a very busy FSMO role in Active Directory. In addition to playing the part of a domain controller, the PDC emulator is responsible for processing password changes for its domain, authentication requests if password fails on authenticating domain controller and “emulating” a PDC for down level servers such as NT 4.0 BDCs and clients. Some legacy applications are also written to contact the PDC of the domain. DNS weight is a value assigned to DNS SRV records to balance or distribute authentication requests among the servers. By default, a value of 100 is assigned and reducing this value changes the proportional value so that a server with a lower value receives fewer requests. For example, if a DNS SRV record is lowered to 25 or 50 from a default of 100, that means the server will receive authentication requests 25% or 50% of the time in proportion to the others. DNS priority allows the administrator to artificially inflate the DNS SRV record so high, it would be unlikely it will ever receive a request unless no others are available to respond. By default, the value is set at 0. By setting it extremely high, say 100 or 200, it significantly reduces the chances the server will get the request. Using the weight and priority strategy would be a great way to “wean” client requests away from the physical domain controllers and direct them towards the virtual machine domain controllers. 40

41 DNS Modifications Can also be changed within DNS manager
4/20/2017 DNS Modifications Can also be changed within DNS manager Registry changes do not require a reboot These changes can also be done directly through DNS Manager by simply double clicking on the record and adjusting. 41

42 Virtual Machine Considerations
4/20/2017 Virtual Machine Considerations Add, modify, search, delete and update operations will benefit significantly from caching Slight penalty incurred for write operations – Physical or Virtual Microsoft’s AD Sizer can help you plan the size Use Microsoft’s best practices and separate boot, database, log virtual disks on individual SCSI controllers to optimize write performance

43 Typical VM Sizing: Active Directory
Active Directory Domain Controller  Hardware (Virtual) VMware ESX/ESXi 4.x (vSphere) Processor 1 vCPU (for smaller directories) 2 vCPU(larger directories start with 2vCPU and increase as required) Memory 4GB (smaller directories start with ~1 – 2 GB) 100,000 users can require up to 2.75GB of memory to cache directory (x86) ~16GB or greater (larger directories start with 16GB) 3 Million users can require up to 32GB of memory to cache entire directory (x64) Network Adapter  Enhanced VMXNet3 Physical NICs should be teamed and plugged into separate physical switches in your network infrastructure Storage Configuration vSCSI Controller 0 vSCSI Controller 1 Disk1 (C:) OS ~16GB or greater (depending on OS version) Disk2 (D:) Database ~16GB or greater for larger directories Disk3 (L:) Log files ~4GB or 25% of the database LUN size

44 Lead Practices Synchronize the forest PDC emulator to an external stratum 1 time source Avoid snapshots or REDOs for domain controller virtual machines Regularly monitor Active Directory replication Do not suspend domain controller virtual machines for long periods Perform regular system state backups as these are still very important to your recovery plan Utilize the Active Directory recycle bin (Win2008 R2) Protect OU’s from accidental deletion (Win2008 R2) To ensure database version and USN consistency, avoid the use of snapshots or REDO disk modes for domain controllers. If there is data or other services necessary on the physical machine that precludes you from avoiding migration altogether, transfer any FSMO roles and disable Global Catalog server, demote the domain controller as a member server, then migrate.

45 VMware’s Active Directory Environment
Internal Active Directory Deployment users (not including groups and objects) 33 Active Directory Sites 48 Domain Controllers (Including Global Catalogs) 47 Virtualized – Windows Server 2003 x86 & x64 1 Physical Domain Controller (Forest PDC emulator) Stratum 1 Time Synchronization Continuous uninterrupted service for 5+ years

46 Summary Perform and test your System State backups
Ensure time synchronization from reliable stratum 1 time source Create and test your disaster recovery plan and procedures Implement VMware HA to provide high availability Monitor replication traffic using Replmon, Repadmin tools Utilize safeguards in Windows Server 2008 (Recycle Bin, ADBPA, Repadmin, MS IT Environment Health Scanner, protect OU’s from accidental deletion) Analyze, Design, Deploy, Re-analyze In summary, it is very important not to abandon the practice of regular System State backups using your normal backup procedures. Since AD is heavily dependent on a transactional based datastore, you want to ensure integrity by making sure there is a solid, reliable means of providing accurate time services to the PDC emulator and other domain controllers. Practice the art of disaster recovery regularly. Use VMware HA to provide a means of high availability for your critical domain controller virtual machines. Monitor your Active Directory connectors to ensure continuity for reliable database replication. Use the SRV weight and priority values to steer your log on requests away from the PDC emulator as much as possible. Always go back and re-evaluate your strategies. Monitor results for improvements. Make adjustments when necessary.

47 Additional Resources

48 Additional Information
VMware Time Sync and Windows Time Service VMware Knowledge Base ID# 1318 Installing and Configuring NTP on VMware ESX Server VMware Knowledge Base ID# 1339 VMware Descheduled Time Accounting (VMware Infrastructure 3) How to detect and recover from a USN rollback in Windows Server 2003 How to detect and recover from a USN rollback in Windows 2000 Server Support policy for Microsoft software running in non-Microsoft hardware virtualization software How to configure an authoritative time server in Windows Server 2003 Microsoft does specify some support requirements, so of which pertain to a “virtualized” Active Directory environment.

49 Additional Information (2)
For more information & customer case studies visit us at the following websites: VMware Website Critical Business Applications Solutions and Performance Studies Virtualizing a Windows Active Directory Infrastructure on VMware Customer Case Studies apps/microsoft/active_directory.html

50 Thank You !!

51 Questions?

Download ppt "BCA1709 Successfully Running Active Directory in a Virtualized Environment Name, Title, Company."

Similar presentations

Housekeeping Utilities for VMware. 11 June 2009 2 Housekeeping is preparing meals for oneself and family and the managing of other domestic concerns.

Housekeeping Utilities for VMware. 11 June Housekeeping is preparing meals for oneself and family and the managing of other domestic concerns.
Implementing and Administering AD DS Sites and Replication

Implementing and Administering AD DS Sites and Replication
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
© 2010 VMware Inc. All rights reserved Confidential Performance Tuning for Windows Guest OS IT Pro Camp Presented by: Matthew Mitchell.

© 2010 VMware Inc. All rights reserved Confidential Performance Tuning for Windows Guest OS IT Pro Camp Presented by: Matthew Mitchell.
Module 10: Troubleshooting Active Directory, DNS, and Replication Issues.

Module 10: Troubleshooting Active Directory, DNS, and Replication Issues.
Module 10: Troubleshooting AD DS, DNS, and Replication Issues.

Module 10: Troubleshooting AD DS, DNS, and Replication Issues.
1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.

1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.
1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.

1 Week #1 Objectives Review clients, servers, and Windows network models Differentiate among the editions of Server 2008 Discuss the new Windows Server.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
1 Chapter 1 Introduction to Windows Server 2003. 2 Two main goals for Net Admin Make network resources available to users Files, folders, printers, etc.

1 Chapter 1 Introduction to Windows Server Two main goals for Net Admin Make network resources available to users Files, folders, printers, etc.
By Rashid Khan Lesson 4-Preparing to Serve: Understanding Microsoft Networking.

By Rashid Khan Lesson 4-Preparing to Serve: Understanding Microsoft Networking.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
VIRTUALIZATION AND YOUR BUSINESS November 18, 2010 | Worksighted.

VIRTUALIZATION AND YOUR BUSINESS November 18, 2010 | Worksighted.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
Copyright © 2005 VMware, Inc. All rights reserved. VMware Virtualization Phil Anthony Virtual Systems Engineer

Copyright © 2005 VMware, Inc. All rights reserved. VMware Virtualization Phil Anthony Virtual Systems Engineer
Microsoft ® Application Virtualization 4.5 Infrastructure Planning and Design Series.

Microsoft ® Application Virtualization 4.5 Infrastructure Planning and Design Series.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
High Availability Module 12.

High Availability Module 12.
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google