RE: [ActiveDir] Virtual Domain Controllers
Two good points - VS2005 SP1 (R2) will relieve both these issues. The beta version is very stable and I actually know some running it in production.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, August 23, 2005 8:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

A couple of notes:

VS 2005 will not install on an X64 version of Windows. If you use a server with an AMD CPU, install 32 bit Windows.

Do not install Server 2003 SP1 on the virtuals (the host is ok). It will slow your virtuals into what seems like 66MHz 486 machines.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, August 22, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

My understanding is that Windows Server 2003 provides full support for dual core processors and abstracts them, so to speak, from VS2005 insomuch as the application sees two physical processors - so yes; this is currently not true of ESX until the next point release.

Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed. The VS Server is an interesting angle, running the DC on the physical machine and the F&P element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has been limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development. Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core?

Thanks again,
Mylo

Bernard, Aric wrote:

>For your first question, you can find Microsoft's Branch Office
>Infrastructure Solution (BOIS) here:
>http://www.microsoft.com/technet/itsolutions/branch/default.mspx
>
>In short, and more direct for your question, some organizations are
>deploying a single server solution to a branch office/remote site which,
>as an example, is a domain controller running VS2005 with VMs
>representing other local servers/services that might be required (i.e.
>File and Print, web caching, etc.). Using this approach, your Domain
>Admins continue to be responsible for the physical machine and the
>Domain Controller itself, however your local admin can fully administer
>the other servers living within VMs (via RDP or remote tools) without
>compromising the security of the DC. This of course assumes that VS2005
>does not contain a flaw that allows a guest to host breach. :)
>
>As for performance, I do not have any concrete numbers, but you will
>most certainly take a performance hit on both your host and your guests
>when using virtualization. I think your statement of 50-60% is quite
>high based on my experience, but then again YMMV depending on what the
>environment is hosting and what the end-user demands are and what the
>host hardware configuration looks like. (I prefer an x64 system with a
>small array of disks - like the HP Proliant DL385 for ~$3500US.)
>Regardless, in small remote sites performance is typically not critical
>and nearly any server class system will perform adequately as a DC and a
>VS2005 host. Keep in mind the small remote office solutions often have
>two common single points of failure - the server (in a single server
>solution) and the network. The failure of either can have a significant
>impact on the end-users...
>
>Regards,
>
>Aric Bernard
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
>Sent: Monday, August 22, 2005 10:17 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Virtual Domain Controllers
>
>It'd be interesting to hear what solutions are in place in larger
>enterprise environments (for small remote sites). IMO, the hybrid
>DC/File and Print in one box, for remote sites, sounds nasty because:
>
>1. There's no local sam so a 'local' administrator needs to be
>built-in administrator in AD.. I guess that's fine if your domain
>admin=F&P Admin but if not
>2. If your file and print server contains loads of local groups etc...
>
>that becomes part of AD database I know that this is less of an
>issue under Win2K3 versus Win2k/NT4, but if you're in a largish
>organisation dealing with 100+ sites, each with a hybrid FAP/DC with
>lots of groups and users that meet
RE: [ActiveDir] Virtual Domain Controllers
A couple of notes:

VS 2005 will not install on an X64 version of Windows. If you use a server with an AMD CPU, install 32 bit Windows.

Do not install Server 2003 SP1 on the virtuals (the host is ok). It will slow your virtuals into what seems like 66MHz 486 machines.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, August 22, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

My understanding is that Windows Server 2003 provides full support for dual core processors and abstracts them, so to speak, from VS2005 insomuch as the application sees two physical processors - so yes; this is currently not true of ESX until the next point release.

Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed. The VS Server is an interesting angle, running the DC on the physical machine and the F&P element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has been limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development. Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core?

Thanks again,
Mylo

Bernard, Aric wrote:

>For your first question, you can find Microsoft's Branch Office
>Infrastructure Solution (BOIS) here:
>http://www.microsoft.com/technet/itsolutions/branch/default.mspx
>
>In short, and more direct for your question, some organizations are
>deploying a single server solution to a branch office/remote site which,
>as an example, is a domain controller running VS2005 with VMs
>representing other local servers/services that might be required (i.e.
>File and Print, web caching, etc.). Using this approach, your Domain
>Admins continue to be responsible for the physical machine and the
>Domain Controller itself, however your local admin can fully administer
>the other servers living within VMs (via RDP or remote tools) without
>compromising the security of the DC. This of course assumes that VS2005
>does not contain a flaw that allows a guest to host breach. :)
>
>As for performance, I do not have any concrete numbers, but you will
>most certainly take a performance hit on both your host and your guests
>when using virtualization. I think your statement of 50-60% is quite
>high based on my experience, but then again YMMV depending on what the
>environment is hosting and what the end-user demands are and what the
>host hardware configuration looks like. (I prefer an x64 system with a
>small array of disks - like the HP Proliant DL385 for ~$3500US.)
>Regardless, in small remote sites performance is typically not critical
>and nearly any server class system will perform adequately as a DC and a
>VS2005 host. Keep in mind the small remote office solutions often have
>two common single points of failure - the server (in a single server
>solution) and the network. The failure of either can have a significant
>impact on the end-users...
>
>Regards,
>
>Aric Bernard
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
>Sent: Monday, August 22, 2005 10:17 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Virtual Domain Controllers
>
>It'd be interesting to hear what solutions are in place in larger
>enterprise environments (for small remote sites). IMO, the hybrid
>DC/File and Print in one box, for remote sites, sounds nasty because:
>
>1. There's no local sam so a 'local' administrator needs to be
>built-in administrator in AD.. I guess that's fine if your domain
>admin=F&P Admin but if not
>2. If your file and print server contains loads of local groups etc...
>
>that becomes part of AD database I know that this is less of an
>issue under Win2K3 versus Win2k/NT4, but if you're in a largish
>organisation dealing with 100+ sites, each with a hybrid FAP/DC with
>lots of groups and users that meet this criteria...I guess you wouldn't
>want to add the bloat to your AD if you can avoid it.
>
>Any other reasons?
>
>On the other side, what sort of performance hit do you get
>virtualising... GSX, I get around 50-60% of real life, subject to the
>number of Guests running and server role, and can't afford ESX so can't
>comment :-)
>
RE: [ActiveDir] Virtual Domain Controllers
Steal was a bad word. What I was trying to say was lsass likes as much memory as you can give it. My personal inclination is to take all the available memory and divide it as you like amongst the two VMs. Rather than fire up one VM and then leave the leftovers for lsa & os.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, August 22, 2005 7:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Hi Brian,

Out of curiosity, how will LSASS steal memory from that which you have physically allocated to a specific virtual machine? Since VS2005 does not allow over committing of physical memory, this should not be possible. Maybe I am missing your point?

Regards,
Aric Bernard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, August 22, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I wouldn't ride the DC on the physical hardware and the FP on the VS install. I'd ride them both on there. Lsass will steal all the memory you'd like to allocate to VS. Instead, let lsass and company in its own instance, allocate it 2/3 the memory available and then the other third to your f & p instance.

ESX IMHO is not the tool for this type of gig. A) it's expensive and b) it's suited to running dozens if not hundreds of VMs on high power hardware. GSX/VS is more for a smaller operation on a much smaller dose of hardware (e.g. a 380/385 or 2850).

--brian

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, August 22, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

My understanding is that Windows Server 2003 provides full support for dual core processors and abstracts them, so to speak, from VS2005 insomuch as the application sees two physical processors - so yes; this is currently not true of ESX until the next point release.

Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed. The VS Server is an interesting angle, running the DC on the physical machine and the F&P element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has been limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development. Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core?

Thanks again,
Mylo

Bernard, Aric wrote:

>For your first question, you can find Microsoft's Branch Office
>Infrastructure Solution (BOIS) here:
>http://www.microsoft.com/technet/itsolutions/branch/default.mspx
>
>In short, and more direct for your question, some organizations are
>deploying a single server solution to a branch office/remote site which,
>as an example, is a domain controller running VS2005 with VMs
>representing other local servers/services that might be required (i.e.
>File and Print, web caching, etc.). Using this approach, your Domain
>Admins continue to be responsible for the physical machine and the
>Domain Controller itself, however your local admin can fully administer
>the other servers living within VMs (via RDP or remote tools) without
>compromising the security of the DC. This of course assumes that VS2005
>does not contain a flaw that allows a guest to host breach. :)
>
>As for performance, I do not have any concrete numbers, but you will
>most certainly take a performance hit on both your host and your guests
>when using virtualization. I think your statement of 50-60% is quite
>high based on my experience, but then again YMMV depending on what the
>environment is hosting and what the end-user demands are and what the
>host hardware configuration looks like. (I prefer an x64 system with a
>small array of disks - like the HP Proliant DL385 for ~$3500US.)
>Regardless, in small remote sites performance is typically not critical
>and nearly any server class system will perform adequately as a DC and a
>VS2005 host. Keep in mind the small remote office solutions often have
>two common single points of failure - the server (in a single server
>solution) and the network. The failure of either can have a significant
>impact on the end-users...
>
>Re
RE: [ActiveDir] Virtual Domain Controllers
Hi Brian,

Out of curiosity, how will LSASS steal memory from that which you have physically allocated to a specific virtual machine? Since VS2005 does not allow over committing of physical memory, this should not be possible. Maybe I am missing your point?

Regards,
Aric Bernard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, August 22, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I wouldn't ride the DC on the physical hardware and the FP on the VS install. I'd ride them both on there. Lsass will steal all the memory you'd like to allocate to VS. Instead, let lsass and company in its own instance, allocate it 2/3 the memory available and then the other third to your f & p instance.

ESX IMHO is not the tool for this type of gig. A) it's expensive and b) it's suited to running dozens if not hundreds of VMs on high power hardware. GSX/VS is more for a smaller operation on a much smaller dose of hardware (e.g. a 380/385 or 2850).

--brian

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, August 22, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

My understanding is that Windows Server 2003 provides full support for dual core processors and abstracts them, so to speak, from VS2005 insomuch as the application sees two physical processors - so yes; this is currently not true of ESX until the next point release.

Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed. The VS Server is an interesting angle, running the DC on the physical machine and the F&P element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has been limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development. Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core?

Thanks again,
Mylo

Bernard, Aric wrote:

>For your first question, you can find Microsoft's Branch Office
>Infrastructure Solution (BOIS) here:
>http://www.microsoft.com/technet/itsolutions/branch/default.mspx
>
>In short, and more direct for your question, some organizations are
>deploying a single server solution to a branch office/remote site which,
>as an example, is a domain controller running VS2005 with VMs
>representing other local servers/services that might be required (i.e.
>File and Print, web caching, etc.). Using this approach, your Domain
>Admins continue to be responsible for the physical machine and the
>Domain Controller itself, however your local admin can fully administer
>the other servers living within VMs (via RDP or remote tools) without
>compromising the security of the DC. This of course assumes that VS2005
>does not contain a flaw that allows a guest to host breach. :)
>
>As for performance, I do not have any concrete numbers, but you will
>most certainly take a performance hit on both your host and your guests
>when using virtualization. I think your statement of 50-60% is quite
>high based on my experience, but then again YMMV depending on what the
>environment is hosting and what the end-user demands are and what the
>host hardware configuration looks like. (I prefer an x64 system with a
>small array of disks - like the HP Proliant DL385 for ~$3500US.)
>Regardless, in small remote sites performance is typically not critical
>and nearly any server class system will perform adequately as a DC and a
>VS2005 host. Keep in mind the small remote office solutions often have
>two common single points of failure - the server (in a single server
>solution) and the network. The failure of either can have a significant
>impact on the end-users...
>
>Regards,
>
>Aric Bernard
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
>Sent: Monday, August 22, 2005 10:17 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Virtual Domain Controllers
>
>It'd be interesting to hear what solutions are in place in larger
>enterprise environments (for small remote sites). IMO, the hybrid
>DC/File and Print in one box, for remote sites, sounds nasty because:
>
>1. There's no local sam so a
RE: [ActiveDir] Virtual Domain Controllers
I wouldn't ride the DC on the physical hardware and the FP on the VS install. I'd ride them both on there. Lsass will steal all the memory you'd like to allocate to VS. Instead, let lsass and company in its own instance, allocate it 2/3 the memory available and then the other third to your f & p instance.

ESX IMHO is not the tool for this type of gig. A) it's expensive and b) it's suited to running dozens if not hundreds of VMs on high power hardware. GSX/VS is more for a smaller operation on a much smaller dose of hardware (e.g. a 380/385 or 2850).

--brian

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, August 22, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

My understanding is that Windows Server 2003 provides full support for dual core processors and abstracts them, so to speak, from VS2005 insomuch as the application sees two physical processors - so yes; this is currently not true of ESX until the next point release.

Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed. The VS Server is an interesting angle, running the DC on the physical machine and the F&P element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has been limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development. Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core?

Thanks again,
Mylo

Bernard, Aric wrote:

>For your first question, you can find Microsoft's Branch Office
>Infrastructure Solution (BOIS) here:
>http://www.microsoft.com/technet/itsolutions/branch/default.mspx
>
>In short, and more direct for your question, some organizations are
>deploying a single server solution to a branch office/remote site which,
>as an example, is a domain controller running VS2005 with VMs
>representing other local servers/services that might be required (i.e.
>File and Print, web caching, etc.). Using this approach, your Domain
>Admins continue to be responsible for the physical machine and the
>Domain Controller itself, however your local admin can fully administer
>the other servers living within VMs (via RDP or remote tools) without
>compromising the security of the DC. This of course assumes that VS2005
>does not contain a flaw that allows a guest to host breach. :)
>
>As for performance, I do not have any concrete numbers, but you will
>most certainly take a performance hit on both your host and your guests
>when using virtualization. I think your statement of 50-60% is quite
>high based on my experience, but then again YMMV depending on what the
>environment is hosting and what the end-user demands are and what the
>host hardware configuration looks like. (I prefer an x64 system with a
>small array of disks - like the HP Proliant DL385 for ~$3500US.)
>Regardless, in small remote sites performance is typically not critical
>and nearly any server class system will perform adequately as a DC and a
>VS2005 host. Keep in mind the small remote office solutions often have
>two common single points of failure - the server (in a single server
>solution) and the network. The failure of either can have a significant
>impact on the end-users...
>
>Regards,
>
>Aric Bernard
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
>Sent: Monday, August 22, 2005 10:17 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Virtual Domain Controllers
>
>It'd be interesting to hear what solutions are in place in larger
>enterprise environments (for small remote sites). IMO, the hybrid
>DC/File and Print in one box, for remote sites, sounds nasty because:
>
>1. There's no local sam so a 'local' administrator needs to be
>built-in administrator in AD.. I guess that's fine if your domain
>admin=F&P Admin but if not
>2. If your file and print server contains loads of local groups etc...
>
>that becomes part of AD database I know that this is less of an
>issue under Win2K3 versus Win2k/NT4, but if you're in a largish
>organisation dealing with 100+ sites, each with a hybrid FAP/DC with
>lots of groups and users that meet this criter
RE: [ActiveDir] Virtual Domain Controllers
My understanding is that Windows Server 2003 provides full support for dual core processors and abstracts them, so to speak, from VS2005 insomuch as the application sees two physical processors - so yes; this is currently not true of ESX until the next point release.

Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed. The VS Server is an interesting angle, running the DC on the physical machine and the F&P element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has been limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development. Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core?

Thanks again,
Mylo

Bernard, Aric wrote:

>For your first question, you can find Microsoft's Branch Office
>Infrastructure Solution (BOIS) here:
>http://www.microsoft.com/technet/itsolutions/branch/default.mspx
>
>In short, and more direct for your question, some organizations are
>deploying a single server solution to a branch office/remote site which,
>as an example, is a domain controller running VS2005 with VMs
>representing other local servers/services that might be required (i.e.
>File and Print, web caching, etc.). Using this approach, your Domain
>Admins continue to be responsible for the physical machine and the
>Domain Controller itself, however your local admin can fully administer
>the other servers living within VMs (via RDP or remote tools) without
>compromising the security of the DC. This of course assumes that VS2005
>does not contain a flaw that allows a guest to host breach. :)
>
>As for performance, I do not have any concrete numbers, but you will
>most certainly take a performance hit on both your host and your guests
>when using virtualization. I think your statement of 50-60% is quite
>high based on my experience, but then again YMMV depending on what the
>environment is hosting and what the end-user demands are and what the
>host hardware configuration looks like. (I prefer an x64 system with a
>small array of disks - like the HP Proliant DL385 for ~$3500US.)
>Regardless, in small remote sites performance is typically not critical
>and nearly any server class system will perform adequately as a DC and a
>VS2005 host. Keep in mind the small remote office solutions often have
>two common single points of failure - the server (in a single server
>solution) and the network. The failure of either can have a significant
>impact on the end-users...
>
>Regards,
>
>Aric Bernard
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
>Sent: Monday, August 22, 2005 10:17 AM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] Virtual Domain Controllers
>
>It'd be interesting to hear what solutions are in place in larger
>enterprise environments (for small remote sites). IMO, the hybrid
>DC/File and Print in one box, for remote sites, sounds nasty because:
>
>1. There's no local sam so a 'local' administrator needs to be
>built-in administrator in AD.. I guess that's fine if your domain
>admin=F&P Admin but if not
>2. If your file and print server contains loads of local groups etc...
>
>that becomes part of AD database I know that this is less of an
>issue under Win2K3 versus Win2k/NT4, but if you're in a largish
>organisation dealing with 100+ sites, each with a hybrid FAP/DC with
>lots of groups and users that meet this criteria...I guess you wouldn't
>want to add the bloat to your AD if you can avoid it.
>
>Any other reasons?
>
>On the other side, what sort of performance hit do you get
>virtualising... GSX, I get around 50-60% of real life, subject to the
>number of Guests running and server role, and can't afford ESX so can't
>comment :-)
>
>Regards,
>Mylo
>
>Seely Jonathan J wrote:
>
>>Thanks, Brad. That is very good to hear. I also appreciate the tips.
>>
>>JJ
>>
>--- -
>
>>*From:* [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad
>>*Sent:* Tuesday, August 09, 2005 3:09 AM
>>*To:* ActiveDir@mail.activedir.org
>>*Subject:* RE: [Activ
Re: [ActiveDir] Virtual Domain Controllers
Thanks Aric, great link! I'd seen the older BOG (2004) but this latest one I've missed. The VS Server is an interesting angle, running the DC on the physical machine and the F&P element within VS2005 is an option provided the user requirements aren't too onerous. The 50-60% I referred to was probably on the generous side... and my experience of this has been limited to fairly low yield boxes (web servers, app servers) mostly for PoC or cloning production environments for testing/troubleshooting and development. Incidentally, you mentioned the DL385... does VS2005SP1 include support for dual core?

Thanks again,
Mylo

Bernard, Aric wrote:

For your first question, you can find Microsoft's Branch Office Infrastructure Solution (BOIS) here:
http://www.microsoft.com/technet/itsolutions/branch/default.mspx

In short, and more direct for your question, some organizations are deploying a single server solution to a branch office/remote site which, as an example, is a domain controller running VS2005 with VMs representing other local servers/services that might be required (i.e. File and Print, web caching, etc.). Using this approach, your Domain Admins continue to be responsible for the physical machine and the Domain Controller itself, however your local admin can fully administer the other servers living within VMs (via RDP or remote tools) without compromising the security of the DC. This of course assumes that VS2005 does not contain a flaw that allows a guest to host breach. :)

As for performance, I do not have any concrete numbers, but you will most certainly take a performance hit on both your host and your guests when using virtualization. I think your statement of 50-60% is quite high based on my experience, but then again YMMV depending on what the environment is hosting and what the end-user demands are and what the host hardware configuration looks like. (I prefer an x64 system with a small array of disks - like the HP Proliant DL385 for ~$3500US.) Regardless, in small remote sites performance is typically not critical and nearly any server class system will perform adequately as a DC and a VS2005 host. Keep in mind the small remote office solutions often have two common single points of failure - the server (in a single server solution) and the network. The failure of either can have a significant impact on the end-users...

Regards,

Aric Bernard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, August 22, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

It'd be interesting to hear what solutions are in place in larger enterprise environments (for small remote sites). IMO, the hybrid DC/File and Print in one box, for remote sites, sounds nasty because:

1. There's no local sam so a 'local' administrator needs to be built-in administrator in AD.. I guess that's fine if your domain admin=F&P Admin but if not
2. If your file and print server contains loads of local groups etc...

that becomes part of AD database I know that this is less of an issue under Win2K3 versus Win2k/NT4, but if you're in a largish organisation dealing with 100+ sites, each with a hybrid FAP/DC with lots of groups and users that meet this criteria...I guess you wouldn't want to add the bloat to your AD if you can avoid it.

Any other reasons?

On the other side, what sort of performance hit do you get virtualising... GSX, I get around 50-60% of real life, subject to the number of Guests running and server role, and can't afford ESX so can't comment :-)

Regards,
Mylo

Seely Jonathan J wrote:

Thanks, Brad. That is very good to hear. I also appreciate the tips.

JJ

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Smith, Brad
*Sent:* Tuesday, August 09, 2005 3:09 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Virtual Domain Controllers

We run multiple DC's on GSX and ESX. Everything seems to have gone fine so far, and MS will give their best endeavours on support. Most of the time they don't even ask us if the DC is virtual ;-)

Also, ensure that the time sync capability is disabled in the VMware Tools, and that the DC boots up completely before the file and print, so that the file and print can authorise itself against it. Otherwise the F&P may take up to half an hour (or thereabouts) to realise it can now contact a DC for file/print access authorisation.

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Grillenmeier, Guido
*Sent:* Monday, August 08, 2005 12:16 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [Acti
RE: [ActiveDir] Virtual Domain Controllers
For your first question, you can find Microsoft's Branch Office Infrastructure Solution (BOIS) here: http://www.microsoft.com/technet/itsolutions/branch/default.mspx

In short, and more direct for your question, some organizations are deploying a single server solution to a branch office/remote site which, as an example, is a domain controller running VS2005 with VMs representing other local servers/services that might be required (i.e. File and Print, web caching, etc.). Using this approach, your Domain Admins continue to be responsible for the physical machine and the Domain Controller itself, however your local admin can fully administer the other servers living within VMs (via RDP or remote tools) without compromising the security of the DC. This of course assumes that VS2005 does not contain a flaw that allows a guest to host breach. :)

As for performance, I do not have any concrete numbers, but you will most certainly take a performance hit on both your host and your guests when using virtualization. I think your statement of 50-60% is quite high based on my experience, but then again YMMV depending on what the environment is hosting and what the end-user demands are and what the host hardware configuration looks like. (I prefer an x64 system with a small array of disks - like the HP Proliant DL385 for ~$3500US.) Regardless, in small remote sites performance is typically not critical and nearly any server class system will perform adequately as a DC and a VS2005 host. Keep in mind the small remote office solutions often have two common single points of failure - the server (in a single server solution) and the network. The failure of either can have a significant impact on the end-users...

Regards,
Aric Bernard

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mylo
Sent: Monday, August 22, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Virtual Domain Controllers

It'd be interesting to hear what solutions are in place in larger enterprise environments (for small remote sites). IMO, the hybrid DC/File and Print in one box, for remote sites, sounds nasty because:

1. There's no local SAM so a 'local' administrator needs to be built-in administrator in AD.. I guess that's fine if your domain admin=F&P Admin but if not
2. If your file and print server contains loads of local groups etc... that becomes part of AD database

I know that this is less of an issue under Win2K3 versus Win2k/NT4, but if you're in a largish organisation dealing with 100+ sites, each with a hybrid FAP/DC with lots of groups and users that meet this criteria...I guess you wouldn't want to add the bloat to your AD if you can avoid it. Any other reasons?

On the other side, what sort of performance hit do you get virtualising... GSX, I get around 50-60% of real life, subject to the number of Guests running and server role, and can't afford ESX so can't comment :-)

Regards,
Mylo
Re: [ActiveDir] Virtual Domain Controllers
It'd be interesting to hear what solutions are in place in larger enterprise environments (for small remote sites). IMO, the hybrid DC/File and Print in one box, for remote sites, sounds nasty because:

1. There's no local SAM so a 'local' administrator needs to be built-in administrator in AD.. I guess that's fine if your domain admin=F&P Admin but if not
2. If your file and print server contains loads of local groups etc... that becomes part of AD database

I know that this is less of an issue under Win2K3 versus Win2k/NT4, but if you're in a largish organisation dealing with 100+ sites, each with a hybrid FAP/DC with lots of groups and users that meet this criteria...I guess you wouldn't want to add the bloat to your AD if you can avoid it. Any other reasons?

On the other side, what sort of performance hit do you get virtualising... GSX, I get around 50-60% of real life, subject to the number of Guests running and server role, and can't afford ESX so can't comment :-)

Regards,
Mylo

Seely Jonathan J wrote:
> Thanks, Brad. That is very good to hear. I also appreciate the tips.
>
> JJ
RE: [ActiveDir] Virtual Domain Controllers
Thanks, Brad. That is very good to hear. I also appreciate the tips.

JJ

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Smith, Brad
Sent: Tuesday, August 09, 2005 3:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

We run multiple DC's on GSX and ESX. Everything seems to have gone fine so far, and MS will give their best endeavours on support. Most of the time they don't even ask us if the DC is virtual ;-)

Also, ensure that the time sync capability is disabled in the VMWare Tools, and that the DC boots up completely before the file and print, so that the file and print can authorise itself against it. Otherwise the F&P may take up to half an hour (or thereabouts) to realise it can now contact a DC for file/print access authorisation.
RE: [ActiveDir] Virtual Domain Controllers
We run multiple DC's on GSX and ESX. Everything seems to have gone fine so far, and MS will give their best endeavours on support. Most of the time they don't even ask us if the DC is virtual ;-)

Also, ensure that the time sync capability is disabled in the VMWare Tools, and that the DC boots up completely before the file and print, so that the file and print can authorise itself against it. Otherwise the F&P may take up to half an hour (or thereabouts) to realise it can now contact a DC for file/print access authorisation.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Monday, August 08, 2005 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

hehe - single DC - must have overread that - I would have called that to be a problem in itself ;-)

But then again it's only for 10 users and likely ok. As such, I even doubt that SID reissue is much of a problem as this environment is likely rather static rgd. new objects in AD ;-)
RE: [ActiveDir] Virtual Domain Controllers
I really could have got the job done without AD, this was the first server for the company and it took a while to talk them into it. I looked at SBS but didn't really see any benefits over 2003 Server Standard for their environment so decided against it. The domain is so small I can rebuild it from scratch in about 20 minutes so I'm not too worried about it.

Matt

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, August 05, 2005 6:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

That sounds like you should probably be running SBS. That was designed for those types of deployments.
RE: [ActiveDir] Virtual Domain Controllers
hehe - single DC - must have overread that - I would have called that to be a problem in itself ;-)

But then again it's only for 10 users and likely ok. As such, I even doubt that SID reissue is much of a problem as this environment is likely rather static rgd. new objects in AD ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sonntag, 7. August 2005 00:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Well since it is a single domain and a single DC I would say he really doesn't have a worry about USN rollbacks but he does have a possible concern with SID reissue.
RE: [ActiveDir] Virtual Domain Controllers
Well since it is a single domain and a single DC I would say he really doesn't have a worry about USN rollbacks but he does have a possible concern with SID reissue.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido
Sent: Saturday, August 06, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

> Since it's a single domain server I just take ghost snapshots of the domain and then backup the files

not really a useful approach to backup a DC. Might be ok for FS and other roles, but DCs are not really cool with snapshotting and being "rolled back in time" due to the distributed nature of the data they store. You could easily cause USN rollback during recovery of a DC stored in this fashion (at least SP1 protects the rest of your DCs now by turning off in- and out-bound replication and disabling the netlogon-service if it finds a DC that has a USN rollback status).

But for AD Backup/Restore you'd be much better off to work with normal SystemState backup/restore. Which is another reason why it's nice to have it on a separate box (virtual or hardware).

/Guido
RE: [ActiveDir] Virtual Domain Controllers
> Since it's a single domain server I just take ghost snapshots of the domain and then backup the files

Not really a useful approach to back up a DC. Might be OK for FS and other roles, but DCs are not really cool with snapshotting and being "rolled back in time" due to the distributed nature of the data they store. You could easily cause USN rollback during recovery of a DC stored in this fashion (at least SP1 protects the rest of your DCs now by turning off in- and outbound replication and disabling the netlogon service if it finds a DC that has a USN rollback status). But for AD Backup/Restore you'd be much better off to work with normal SystemState backup/restore. Which is another reason why it's nice to have it on a separate box (virtual or hardware).

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Saturday, 6 August 2005 02:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 users, and since it's just a single server office, and single DC domain... I just run everything on the domain controller. Domain, DNS, File, Print, and Accounting Software on the same server... no VM ware... although I considered it.

Since it's a single domain server I just take ghost snapshots of the domain and then backup the files. Seems to work pretty good, as it's been running solid for about a year now.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx
307 MONROE HALL | Cheney, WA 99004

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena?

The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]

*CONFIDENTIALITY NOTICE*
This e-mail may contain information that is privileged, confidential, or otherwise exempt from disclosure under applicable law. If you are not the addressee or it appears from the context or otherwise that you have received this e-mail in error, please advise me immediately by reply e-mail, keep the contents confidential, and immediately delete the message and any attachments from your system.
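The failure mode Guido describes in the message above (an image-level revert versus a SystemState restore), as an added Python model that is not part of the original thread. It is a deliberately simplified two-DC simulation, not the real replication protocol; the class, function and object names are assumptions, and it relies on the fact that a supported restore gives the DC a new invocation ID while an image revert does not.

```python
"""Simplified two-DC model of USN rollback. Constructed for illustration;
this is not the real Active Directory replication protocol."""
import uuid
from dataclasses import dataclass, field


@dataclass
class DC:
    name: str
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    usn: int = 0                                    # highest local update sequence number
    objects: dict = field(default_factory=dict)     # object name -> local USN of the write
    watermark: dict = field(default_factory=dict)   # partner invocation ID -> highest USN pulled
    quarantined: bool = False                       # replication disabled after detection

    def create(self, obj):
        self.usn += 1
        self.objects[obj] = self.usn

    def snapshot(self):
        return (self.invocation_id, self.usn, dict(self.objects), dict(self.watermark))

    def revert(self, image):
        """Ghost image / VM snapshot: database goes back in time, identity is unchanged."""
        self.invocation_id, self.usn, objects, watermark = image
        self.objects, self.watermark = dict(objects), dict(watermark)

    def restore(self, image):
        """SystemState-style restore: same old data, but a new invocation ID."""
        self.revert(image)
        self.invocation_id = uuid.uuid4().hex


def replicate(dest, source, detect=False):
    """dest pulls every change above the watermark it holds for source's invocation ID."""
    if dest.quarantined or source.quarantined:
        return 0
    seen = dest.watermark.get(source.invocation_id, 0)
    if detect and source.usn < seen:
        # The partner claims a lower USN than dest already acknowledged for the
        # same invocation ID: treat it as rolled back and stop replicating with it.
        source.quarantined = True
        return 0
    added = 0
    for name, usn in sorted(source.objects.items(), key=lambda kv: kv[1]):
        if usn > seen and name not in dest.objects:
            dest.create(name)
            added += 1
    dest.watermark[source.invocation_id] = max(seen, source.usn)
    return added


def run(recovery, detect=False, new_after=3):
    """recovery is 'revert' or 'restore'; new_after = objects created after recovery."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    for i in range(5):
        dc1.create(f"user{i}")
    replicate(dc2, dc1)
    replicate(dc1, dc2)
    image = dc1.snapshot()                 # image taken at USN 5
    for i in range(5, 10):
        dc1.create(f"user{i}")             # DC1 moves on to USN 10
    replicate(dc2, dc1)                    # DC2 now holds watermark 10 for DC1
    getattr(dc1, recovery)(image)          # DC1 is back at USN 5
    for i in range(new_after):
        dc1.create(f"late{i}")             # re-uses USNs DC2 has already acknowledged
    replicate(dc2, dc1, detect)
    replicate(dc1, dc2, detect)
    return dc1, dc2


def missing_on_partner(pair):
    dc1, dc2 = pair
    return sorted(set(dc1.objects) - set(dc2.objects))


if __name__ == "__main__":
    print("image revert      :", missing_on_partner(run("revert")))
    print("supported restore :", missing_on_partner(run("restore")))
    print("revert + detection:", run("revert", detect=True)[0].quarantined)
    # In this model the check only fires while the reverted DC's USN is still
    # below the partner's watermark; once it climbs past it, the gap goes unnoticed.
    print("late detection    :", missing_on_partner(run("revert", detect=True, new_after=6)))
```

In the revert case the objects created after recovery never reach the partner, no matter how often replication runs, because their USNs sit below the watermark the partner already holds.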
RE: [ActiveDir] Virtual Domain Controllers
That sounds like you should probably be running SBS. That was designed for those types of deployments.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, August 05, 2005 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 users, and since it's just a single server office, and single DC domain... I just run everything on the domain controller. Domain, DNS, File, Print, and Accounting Software on the same server... no VM ware... although I considered it.

Since it's a single domain server I just take ghost snapshots of the domain and then backup the files. Seems to work pretty good, as it's been running solid for about a year now.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx
307 MONROE HALL | Cheney, WA 99004

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena?

The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]
RE: [ActiveDir] Virtual Domain Controllers
I run a single DC in a small environment... only about 10 users, and since it's just a single server office, and single DC domain... I just run everything on the domain controller. Domain, DNS, File, Print, and Accounting Software on the same server... no VM ware... although I considered it.

Since it's a single domain server I just take ghost snapshots of the domain and then backup the files. Seems to work pretty good, as it's been running solid for about a year now.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx
307 MONROE HALL | Cheney, WA 99004

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena?

The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]
RE: [ActiveDir] Virtual Domain Controllers
The supported status of Windows on VMWARE, in a nutshell, is this:

Premier Customer
You have best effort support and if they can't figure it out, you have to duplicate the issue on hardware.

Non-Premier Customer
You have to duplicate the issue on hardware.

I, myself, would have no issue running Windows on ESX, I have seen some amazing things on it. As for GSX, I would probably run VS instead so there is no doubt about the supportability.

That being said, I know of companies (like HP for instance) that have official support for Windows on VMWARE and have a very good track record of working out the issues. In fact, last time I asked, they hadn't hit a problem they weren't able to get corrected prior to going to the point of duplicating on physical hardware and getting MS involved. However, if worse comes to worse, they will move the image to a physical and do that interface with MS. That is just my outside look into what I heard about that group doing that though so if you went that direction, obviously sit down and discuss it at length with the salesman and techs involved with that stuff.

Personally, until MS has an ESX version they need to be supporting Windows on ESX (they have a GSX look alike so I can understand them not being forced into supporting it). They have so many people doing it against their wishes anyway that they are starting to look a bit silly for it. It is a bad precedent, in my mind, to say something isn't supported that most people are willing to just go do anyway. It puts people that much closer to doing other things MS doesn't support because hey, doing this other thing that they said wasn't supported worked so well we made it the whole corporate direction. I visualize people running all sorts of software that hack into LSASS and intercept LDAP calls and anything else. There are no levels of what is and isn't supported by MS. It is supported or not depending on how big of a check you send MS every year. That is black and white. Again if you get used to doing things MS says are unsupported, you will probably be quicker to do it more and more. MS Support suffers in that case in my opinion.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Thanks, Al. Given all the rants, er, discussions, about single purpose servers (thanks, Joe), I'd like to not do that. The sites (~18 of them) range in size from 20 to 200 users. Consistency is good, so whatever solution we come up with I plan to do the same thing in each remote office.

This change to VM is more about hardware reduction in outlying offices rather than specific cost savings measures (though of course, those are always appreciated up the chain). If there are reasons to not go with VMs on DCs (e.g. if memory usage in the VM environment can cause AD corruption), I need to know that. Hearing that the configuration is not 'officially' supported is not a show stopper if many people are successfully doing it and feel it should be supported by MS.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena?

The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]
RE: [ActiveDir] Virtual Domain Controllers
Actually the official support statement can be found here and it is not quite as restrictive especially if you are a Premier customer:

897615 Support policy for Microsoft software running in non-Microsoft hardware
http://support.microsoft.com/?id=897615

As far as running Domain Controllers in Virtual environments I would recommend reading the following white paper on the subject:

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 6:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Thanks, Al. Given all the rants, er, discussions, about single purpose servers (thanks, Joe), I'd like to not do that. The sites (~18 of them) range in size from 20 to 200 users. Consistency is good, so whatever solution we come up with I plan to do the same thing in each remote office.

This change to VM is more about hardware reduction in outlying offices rather than specific cost savings measures (though of course, those are always appreciated up the chain). If there are reasons to not go with VMs on DCs (e.g. if memory usage in the VM environment can cause AD corruption), I need to know that. Hearing that the configuration is not 'officially' supported is not a show stopper if many people are successfully doing it and feel it should be supported by MS.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena?

The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]
RE: [ActiveDir] Virtual Domain Controllers
Thanks, Al. Given all the rants, er, discussions, about single purpose servers (thanks, Joe), I'd like to not do that. The sites (~18 of them) range in size from 20 to 200 users. Consistency is good, so whatever solution we come up with I plan to do the same thing in each remote office.

This change to VM is more about hardware reduction in outlying offices rather than specific cost savings measures (though of course, those are always appreciated up the chain). If there are reasons to not go with VMs on DCs (e.g. if memory usage in the VM environment can cause AD corruption), I need to know that. Hearing that the configuration is not 'officially' supported is not a show stopper if many people are successfully doing it and feel it should be supported by MS.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena?

The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]
RE: [ActiveDir] Virtual Domain Controllers
My experience (and you’ll want to listen to others’ as well, of course) is that you’ll be in pretty good shape. Don’t even give yourself the CHANCE of using snapshots… “rolling back” is the main issue (as it will hose replication and new objects) and is the primary issue discussed related to running DCs in VMs… so set the DC with persistent disks that can’t even BE snapshotted.

Dan Holme
Intelliem

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena?

The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]
RE: [ActiveDir] Virtual Domain Controllers
Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena?

The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]
[ActiveDir] Virtual Domain Controllers
Hi All,

I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena?

The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]
RE: [ActiveDir] Virtual Domain Controllers
No MS OS is supported on VMWARE unless you have a Premier contract and then it is only best effort. See http://www.support.microsoft.com/kb/897615

Any mechanism to roll back the DC's disk in time is dangerous and would need to be strictly controlled. It could definitely cause significant forest issues.

There needs to be one group under one manager that controls the domain controllers in a forest. This goes for any forest on physical or virtual so that everyone is on the same page with how things are done. Different admins reporting through different managers is a recipe for disaster. The virtualization simply makes things easier to roll back, which puts you a little closer to the line of pain.

Don't get me wrong, proper use of virtualization can give you some very cool benefits.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized.

One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Virtual Domain Controllers
You're not off-base - you should certainly handle access to the VMs as critical as a physical machine and educate your admins. I'm not sure if you can completely turn it off if your admins also have admin-access on the host (which is likely the case for the DAs). You could potentially run the host on standalone servers, but that just shifts the problem in a different direction.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 16 June 2005 18:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Thanks for all of the responses. I had a chance to look at the KB article on USN rollback and found it very informative. I will get to the white paper when I have a little time.

I am still concerned about the Snapshot feature. How do others handle this? Is it possible to turn it off or apply a deny permission to that feature or is it used? Am I off base in worrying about this aspect?

"Harper, Gary" <[EMAIL PROTECTED] hn.org>
Sent by: [EMAIL PROTECTED] ail.activedir.org
06/16/2005 10:27 AM
Please respond to [EMAIL PROTECTED] tivedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

We have a 9 site, 25000 user active directory running on 14 Windows 2000 DCs. We recently converted our last DC to a VM (ESX 2.X) and we haven't had any problems. The only thing is that we needed to allocate 1Gb of memory to every DC. A little high for a VM (IMHO), but still better than using hardware. Other than that, it's been working great.

-----Original Message-----
From: Geary, Simon [mailto:[EMAIL PROTECTED] Behalf Of Geary, Simon
Sent: Thursday, June 16, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

There is a white paper about this, it is supported under some strict limitations.

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized.

One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.

CONFIDENTIALITY NOTICE: This email message and any accompanying data are confidential, and intended only for the named recipient(s). If you are not the intended recipient(s), you are hereby notified that the dissemination, distribution, and or copying of this message is strictly prohibited. If you receive this message in error, or are not the named recipient(s), please notify the sender at the email address above, delete this email from your computer, and destroy any copies in any form immediately.
RE: [ActiveDir] Virtual Domain Controllers
I believe one of the comments was around snapshots which is how they wanted to use this technology. You should find in that document that it would not be a good idea to perform snapshots if you intend to put those DCs back into production at some point. At least, I would be very careful about recommending or allowing that idea.

I do realize that it may reduce some of the value of virtualization if you don't allow the snapshots, but keep in mind the purpose of Active Directory and the distributed architecture chosen to meet those requirements.

There was also a great thread about this a little while back that included Brett Shirley and somebody else from Microsoft that said he owned that portion. Take a look in the archives for that information for some background information.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harper, Gary
Sent: Thursday, June 16, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

We have a 9 site, 25000 user active directory running on 14 Windows 2000 DCs. We recently converted our last DC to a VM (ESX 2.X) and we haven't had any problems. The only thing is that we needed to allocate 1Gb of memory to every DC. A little high for a VM (IMHO), but still better than using hardware. Other than that, it's been working great.

-----Original Message-----
From: Geary, Simon [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon
Sent: Thursday, June 16, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

There is a white paper about this, it is supported under some strict limitations.

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized.

One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
Thanks for all of the responses. I had a chance to look at the KB article on USN rollback and found it very informative. I will get to the white paper when I have a little time.

I am still concerned about the Snapshot feature. How do others handle this? Is it possible to turn it off or apply a deny permission to that feature or is it used? Am I off base in worrying about this aspect?

"Harper, Gary" <[EMAIL PROTECTED] hn.org>
Sent by: [EMAIL PROTECTED] ail.activedir.org
06/16/2005 10:27 AM
Please respond to [EMAIL PROTECTED] tivedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

We have a 9 site, 25000 user active directory running on 14 Windows 2000 DCs. We recently converted our last DC to a VM (ESX 2.X) and we haven't had any problems. The only thing is that we needed to allocate 1Gb of memory to every DC. A little high for a VM (IMHO), but still better than using hardware. Other than that, it's been working great.

-----Original Message-----
From: Geary, Simon [mailto:[EMAIL PROTECTED] Behalf Of Geary, Simon
Sent: Thursday, June 16, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

There is a white paper about this, it is supported under some strict limitations.

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized.

One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
We have a 9 site, 25000 user active directory running on 14 Windows 2000 DCs. We recently converted our last DC to a VM (ESX 2.X) and we haven't had any problems. The only thing is that we needed to allocate 1Gb of memory to every DC. A little high for a VM (IMHO), but still better than using hardware. Other than that, it's been working great.

-----Original Message-----
From: Geary, Simon [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon
Sent: Thursday, June 16, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

There is a white paper about this, it is supported under some strict limitations.
http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All, Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
There is a white paper about this, it is supported under some strict limitations.
http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 16/06/2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All, Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
While not VMWare, Microsoft has an interesting stance with using Domain Controllers and Virtual Server 2005.

You can download the full whitepaper: Running Domain Controllers in Virtual Server 2005

On servers running Windows Server 2003 and Virtual Server 2005, you can install multiple domain controllers in separate virtual machines. This platform is well suited for test environments. With strict adherence to requirements described in this paper, domain controller virtual machines can also be used in production.

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

Regards
Jon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Thursday, June 16, 2005 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Hi Chris, There was a rather lengthy (but extremely interesting) discussion about this subject a few weeks ago on this list. May I suggest that you have a look at the archive (http://www.mail-archive.com/activedir@mail.activedir.org/) for more info? Cheers! Francis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: June 16, 2005 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All, Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
Hi Chris, There was a rather lengthy (but extremely interesting) discussion about this subject a few weeks ago on this list. May I suggest that you have a look at the archive (http://www.mail-archive.com/activedir@mail.activedir.org/) for more info? Cheers! Francis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: June 16, 2005 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All, Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
I haven't deployed virtual DCs and always shy away from this concept, personally.

1. Management tools of virtual machines still appear to be immature (IMHO). i.e. how would you manage / patch / configure / administer all machines in a uniform, centralised fashion, regardless of physical/virtual status
2. DC performance is paramount, esp. in larger organisations

I would need to be convinced that a virtual DC could "compete" with its physical counterpart. If I deploy DCs with 4Gb RAM / separate disk spindles for Db and logs etc etc then I'd be surprised if a virtual DC could equal the performance.

Note: Some of the above is not DC specific, but cover my main concerns.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 16 June 2005 13:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All, Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
RE: [ActiveDir] Virtual Domain Controllers
We're running a couple of DCs on ESX, and others on physical hardware. So far we haven't run into any problems. You'll definitely want to watch performance to make sure that the clients are getting adequate response from the DCs. Of course, that applies to any DC and not just virtuals.

IIRC, Microsoft doesn't support DCs running on VMWare. That may have changed recently, but it's something to consider as well.

Your point about snapshot/disk image rollbacks is very important. Ironically, the only two hits I got from support.microsoft.com on "domain controller vmware" were about USN rollback. Check them out and make sure you have adequate controls in place to prevent this from happening.

The USN rollback is really a subset of a larger (potential) problem: moving disk image files around is very easy, which means that anyone with access to the VMWare console has "physical" access to your domain controllers. Huge security implications there...

Hunter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All, Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.
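The snapshot-revert concern raised in this thread, as an added example that is not part of any list member's post: a simplified Python model of why reverting a DC to a snapshot causes USN rollback, and the comparison a monitoring check can make to detect it. The `DC` class, the names `inv-A`/`inv-B`/`inv-C` and the object keys are constructed for illustration; real replication tracks far more state.

```python
# Added illustration: a toy model of AD replication bookkeeping, not real AD code.
import copy
from dataclasses import dataclass, field

@dataclass
class DC:
    name: str
    invocation_id: str      # identifies this instance of the directory database
    usn: int = 0            # highest committed USN on this DC
    objects: dict = field(default_factory=dict)  # key -> (origin invocation id, origin USN)
    utd: dict = field(default_factory=dict)      # invocation id -> highest USN seen from it

    def write(self, key):
        self.usn += 1
        self.objects[key] = (self.invocation_id, self.usn)

    def pull_from(self, src):
        """Take only the source's originating changes above the USN already seen."""
        seen = self.utd.get(src.invocation_id, 0)
        for key, (inv, usn) in src.objects.items():
            if inv == src.invocation_id and usn > seen:
                self.objects[key] = (inv, usn)
        self.utd[src.invocation_id] = max(seen, src.usn)

def rolled_back(dc, partners):
    """Partners that have seen a higher USN from dc's invocation ID than dc now holds."""
    return [p.name for p in partners if p.utd.get(dc.invocation_id, 0) > dc.usn]

def demo(reset_invocation_id):
    dc1, dc2 = DC("DC1", "inv-A"), DC("DC2", "inv-B")
    dc1.write("user1")
    dc2.pull_from(dc1)
    snapshot = copy.deepcopy(dc1)        # VM snapshot taken at USN 1
    dc1.write("user2")
    dc1.write("user3")
    dc2.pull_from(dc1)                   # DC2 has now seen inv-A up to USN 3
    dc1 = snapshot                       # revert: USN is 1 again
    if reset_invocation_id:              # what a supported restore does
        dc1.invocation_id = "inv-C"
    flagged = rolled_back(dc1, [dc2])
    dc1.write("user4")                   # gets USN 2
    dc2.pull_from(dc1)
    return flagged, "user4" in dc2.objects

if __name__ == "__main__":
    print("plain revert:", demo(False))
    print("with new ID: ", demo(True))
```

After a plain revert, the partner silently skips the new change because it has already seen that USN range from the same invocation ID; a restore that issues a new invocation ID avoids this.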
[ActiveDir] Virtual Domain Controllers
All, Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC? I'm just looking for some feedback to see if this is a viable solution.