spr1
(SPR1)
1
Hi,
We have started to move some of our old physical servers to virtual machines.
Using VMware as hypervisor.
We currently have 2 hosts running ESXi 5.5.
Both hosts are running around 13 VMs.
We have a physical server (Windows 2008). It is our domain controller (AD, DHCP, DNS).
Planning to move the above physical DC to a virtual server.
- Since we are converting DC from P2V, do we need to take care of anything special?
- During the conversion will it affect any of our existing network?
- Is it good to leave my ESXi hosts DNS suffixed as .local instead of .domain.local?
VMware vCenter we have on a separate ESXi host and it's a VM instance. Both the host and vCenter VM are not part of domain. We have set them up in WORKGROUP. We are fine with this. The reason we had this setup was in case we have a problem with DC, our vCenter works fine.
Correct me if I’m wrong.
Thanks in advance for answering.
@VMware
24 Spice ups
Just use the VM converter tool, it is amazing. The first thing I ever did with VMs was converting a 2003 server to a VM, took me 30 minutes. It’s our go-to solution to get an ailing server off physical hardware in a hurry.
- No
- No
- I’d do the full AD domain name.
- Don’t think that’s a question.
2 Spice ups
While this can be done if done correctly, it’s way easier to spin up a new VM guest and add it to the domain. JMHO.
14 Spice ups
Don’t P2V a DC as this usually results in a bad time. There’s no reason not to spin up another VM from scratch. Even VMware advised against it, as Bill’s link shows.
10 Spice ups
A little contradictory to what I was saying. I could not find in that article where VMware says not to do it other than not to use snapshots with DCs. Their KB also points to a MS KB about virtualizing DCs. Like I said, it can be done. Do I like to do it? No. I prefer to spin up new VMs when possible.
1 Spice up
I would also make a new VM and dcpromo, then if needed transfer FSMO roles to that machine, and demote the physical DC.
I did a few P2V conversions of DCs and if you are going that way I would consider a few details.
If it is the only DC, no problem, just shut it down and convert it (it is faster than live conversion while the machine is running, and since it is a DC it is better to do it that way).
If you have more DCs, shut down all of them, and then make the conversion of the machine that you are talking about. When it is done, turn them on again.
This of course applies if you can afford shutdown.
Hope that this helps 
3 Spice ups
britv8
(britv8)
8
How many domain controllers do you have?
Yes, that is the question, it would be logical to have more than one but he didn’t mention it
1 Spice up
I wouldn’t be brave enough to P2V here as from your post I think you might just have this one DC and would be in a world of hurt if something went wrong with the conversion. It probably wouldn’t but I wouldn’t gamble here. Spin up a new VM DC, let replication do its thing and then you have 2 working DCs, I assume with integrated DNS on both. At this point you have another choice to make:
- P2V the original DC as talked about
- Create a second Virtual DC, move the FSMO roles onto one of the virtual DCs and demote the original physical DC.
I would do the second but I am risk averse as you can tell!
2 Spice ups
Never snapshot your DC.
(or, at least, never roll back a DC)
Been there … done that… paid the price!
However… the solution is simple… build a new DC on a new VM… and get rid of the broken one from your roll-back mistake.

Doug
3 Spice ups
britv8
(britv8)
12
More the fact that if you have more than one, I would be concerned about USN rollback, but if only 1, then P2V is an (ugly) option
spr1
(SPR1)
13
We have only ONE physical DC server.
samboutros
(Sam Boutros)
14
For a DC in a large or busy environment P2V carries a number of risks. Simply create a VM fresh from media, or a sys-prepped OS image, promote it to DC, let AD do its synchronization, then demote the physical DC and finally dis-join it from the domain. This should transfer the FSMO roles if need be as well.
2 Spice ups
artb
(ArtB)
15
Also recommend having a DC on multiple VMware hosts so that there’ll be one online in the event of a host going offline. Also, when moving the PDC FSMO role, be sure that the new PDC points to a valid NTP server.
1 Spice up
"A converted domain controller does not synchronize.
The DNS services on a converter domain controller does not bind to the network interface.
The local domain database file NTDS.DIT is corrupted in the new virtual machine.
The domain controller becomes tombstoned in Active Directory and will not synchronize.
Synchronization is unreliable with other domain controllers."
I’m fairly certain that’s VMware’s way of saying don’t do it. The above is quoted from the article you linked.
2 Spice ups
That’s a symptom and there are measures to fix that. I still cannot find anywhere where they explicitly say it cannot and should not be done.
stoddard
(DYRyet)
18
Agreed, I’ve never seen anything that flat out says don’t.
Rather, when you weigh the risks versus ease of building new the answer quickly becomes crystal clear imo.
1 Spice up
brycekatz
(Bryce Katz)
19
So is there a reason you don’t want to spin up another VM, make it a DC, and simply allow the replication to happen? Honestly, this is the safest way to get your DC virtualized. If you want to get rid of the physical DC, move the FSMO roles to the VM, demote the DC, and (if desired) remove the machine from AD entirely.
3 Spice ups
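The sequence recommended in the replies above (new VM DC, let replication finish, move the FSMO roles, then demote the physical DC), as an added PowerShell sketch that is not part of the original thread. It assumes the new DC is already promoted and can reach the physical DC, that the ActiveDirectory module is available (for example on the new 2012 R2 DC), and `NEWDC01` is a placeholder name.

```powershell
# Added example. $NewDC is a placeholder name, not a value from the thread.
Import-Module ActiveDirectory
$NewDC = 'NEWDC01'

# 1. Stop if the new DC reports replication failures or a failed last sync.
$failures = @(Get-ADReplicationFailure -Target $NewDC |
              Where-Object { $_.FailureCount -gt 0 })
$partners = @(Get-ADReplicationPartnerMetadata -Target $NewDC)
$badSync  = @($partners | Where-Object { $_.LastReplicationResult -ne 0 })
if ($partners.Count -eq 0 -or $failures.Count -gt 0 -or $badSync.Count -gt 0) {
    $failures | Format-Table Server, Partner, FailureType, LastError | Out-Host
    $badSync  | Format-Table Partner, LastReplicationAttempt, LastReplicationResult | Out-Host
    throw "Replication to $NewDC is not healthy; do not move roles yet."
}

# 2. Helper: report which DC holds each of the five FSMO roles.
function Get-FsmoHolders {
    param([string]$Server)
    $d = Get-ADDomain -Server $Server
    $f = Get-ADForest -Server $Server
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
Get-FsmoHolders -Server $NewDC | Format-List | Out-Host   # holders before the move

# 3. Graceful transfer. -Force is deliberately not used: it seizes the roles
#    instead of transferring them from the current holder.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 4. Verify every role now points at the new DC before touching the old one.
$fqdn  = (Get-ADDomainController -Identity $NewDC).HostName
$after = Get-FsmoHolders -Server $NewDC
$wrong = @($after.PSObject.Properties | Where-Object { $_.Value -ne $fqdn })
if ($wrong.Count -gt 0) {
    throw "Roles not on ${fqdn}: $($wrong.Name -join ', ')"
}

# 5. The new PDC emulator should have a valid time source (see the NTP reply above).
w32tm /query /computer:$NewDC /source

# Demote the physical DC (dcpromo on Windows 2008) only after steps 1-5 pass.
```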
spr1
(SPR1)
20
OK, will plan on setting up a new VM (Windows 2012 R2) and make it DC and then shut down the physical DC (Windows 2008).
To be on the safer side, I will spin the new VM on a different network, test it and then do it on production network.
With the above setup, both the Physical DC and Virtual DC are in different networks and cannot talk to each other.
- How do we have to copy FSMO roles or anything from primary Physical DC to virtual DC? Can any of this be saved in a USB flash drive and copied over to new VM?
Might be dumb questions, but you are helping a rookie
Thanks in advance
1 Spice up