I want to move one of my domain controllers off of the virtual environment and into its own physical rack server. I have physical DCs at 4 branch offices, and both a primary and secondary DC at my Main office running in VMware vSphere 5.0. As a best practice to not have all of my DC eggs in one basket, I’d like to break off my secondary DC/WSUS on its own. It is running Windows Server 2008 R2.
Never done this before.
I presume I would make a full VM backup just in case it all blows up in my face, then make a full machine image using some imaging software like Clonezilla (which I don’t care much for) or Macrium Reflect or similar… then use a boot/rescue disc to restore that image to the new physical server. How far off am I?
Any best practices, preferred method, etc? The VMware article on this ( VMware Docs Home ) mentions having MS sysprep 1.1 installed… anything else, or is this really needed?
My destination machine is set up as a DR site ESX server to host more VMs… I’d like to strip all of that off and run this single domain controller on the entire server locally. Any tips on that too?
Thanks everyone for the help I’m sure will be coming, this community rocks for that.
@VMware
47 Spice ups
mrbostn
(mrbostn)
June 23, 2015, 11:20am
2
Consider installing a new physical DC promote it and demote the other rather than messing around with backup/restore/move/convert.
65 Spice ups
why not just DC promo up the physical and dc promo down the VM once you’re happy that the physical is good?
16 Spice ups
Mike400
(Mike400)
June 23, 2015, 11:23am
4
The best way to move a DC between virtual and physical is to bring up a new DC, move everything from the losing DC, and then shut down the losing DC.
13 Spice ups
A few things:
Why do you feel it necessary to return to a baremetal install? Since the target box is already running ESXi, can you not simply migrate the VM over to it? Clean and simple.
When it comes to DCs, the best practice is not to backup/restore, P2V, V2P or whatever. Simply install a fresh copy of your OS and promote it to a domain controller, then decommission the old one.
29 Spice ups
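The "fresh install, promote, move everything, demote" sequence the answers above describe, written out as an added PowerShell example. This is not code from the thread or from any of its posters; the domain name, site name and the DC03/DC02 hostnames are placeholders, and the `Install-ADDSDomainController` / `Uninstall-ADDSDomainController` cmdlets assume the new server is Server 2012 or later (the 2008 R2 box in the thread would be demoted with `dcpromo` instead).

```powershell
# Added example (not from the thread): stand up a new physical DC, transfer any FSMO
# roles the old virtual DC holds, then demote the old DC. All names are placeholders.

$Domain   = 'corp.example.com'         # placeholder domain
$NewDC    = 'DC03'                     # placeholder: the new physical server
$OldDC    = 'DC02'                     # placeholder: the virtual DC being retired
$SiteName = 'Default-First-Site-Name'  # placeholder AD site

# --- Step 1, on the NEW server (fresh OS, joined to the domain, run as Domain Admin) ---
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Promote as an additional DC in the existing domain; the server reboots when this finishes.
Install-ADDSDomainController -DomainName $Domain `
    -SiteName $SiteName `
    -InstallDns:$true `
    -Credential (Get-Credential "$Domain\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password for the new DC') `
    -Force

# --- Step 2, after the reboot, from an admin PowerShell on any DC ---
# Do not touch FSMO roles until replication to the new DC is healthy.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target $NewDC |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult

# Work out which of the five FSMO roles the OLD DC currently owns.
$domainInfo = Get-ADDomain
$forestInfo = Get-ADForest
$roleOwners = @{
    PDCEmulator          = $domainInfo.PDCEmulator
    RIDMaster            = $domainInfo.RIDMaster
    InfrastructureMaster = $domainInfo.InfrastructureMaster
    SchemaMaster         = $forestInfo.SchemaMaster
    DomainNamingMaster   = $forestInfo.DomainNamingMaster
}
$rolesToMove = $roleOwners.GetEnumerator() |
    Where-Object { $_.Value -like "$OldDC.*" } |
    ForEach-Object { $_.Key }

# Transfer (never seize, while the old DC is still online) only the roles it holds.
if ($rolesToMove) {
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDC `
        -OperationMasterRole $rolesToMove -Confirm:$false
}

# Before demoting, repoint DNS clients (DHCP option 006, static servers) at the new DC
# so nothing is still resolving through the DC about to go away.

# --- Step 3, on the OLD DC (Server 2012+; on 2008 R2 use dcpromo) ---
Uninstall-ADDSDomainController `
    -Credential (Get-Credential "$Domain\Administrator") `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password after demotion') `
    -DemoteOperationMasterRole:$false `
    -Force

# --- Step 4, verify from the new DC ---
dcdiag /s:$NewDC /q
Get-ADDomainController -Filter * | Select-Object HostName, Site, OperationMasterRoles
```

`-DemoteOperationMasterRole:$false` makes the demotion fail rather than silently move any role you missed in step 2, which is the safer default when retiring a DC you did not build yourself. The demoted box stays a plain domain member, which is exactly what you want if WSUS is to keep running on it.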
jasonjulian:
Any best practices, preferred method, etc? The VMware article on this ( VMware Docs Home ) mentions having MS sysprep 1.1 installed… anything else, or is this really needed?
Sysprepping a TEMPLATE is good.
Sysprepping a DC, especially one that has FSMO roles, is saying bye-bye to your domain.
8 Spice ups
Easiest way to do this is to just throw another hypervisor on that physical box and just move the one DC to it.
14 Spice ups
I would have to ask, why move to a physical server?
You don’t indicate if you only have the one host machine; if so, rather than have a separate physical machine, why not add the new device into the cluster and you have additional protection against failure of one device. Much more sensible.
That also makes sense… by installing the OS and setting up as a DC on the domain, and then demoting the old one, I can avoid having to deal with issues of hardware compatibility and finding device drivers and such.
So pretty much no one does the whole disc image backup/restore to physical thing anymore for domain controllers, I take it?
3 Spice ups
mattbartle
(Matt Bartle)
June 23, 2015, 11:33am
10
Keep it virtual - you can easily move it to a new server that way. These days you need a good reason to install on hardware.
9 Spice ups
Well, all 3 of my main ESX servers are getting pushed in terms of hardware capacity, with no further room to upgrade, and our NetApp disk array is older and I’m hitting my head on the ceiling of where I’d like to be space-wise on that… the company does not have the budget at the moment to upgrade all of that (we looked, the quote was about 3.5x what we could spend and ended up giving us less actual disk space).
My thought was that since I already have a primary DC in VMware, having my secondary as a physical would safeguard against a situation where my entire VMware environment goes down (which has happened twice for differing reasons, already). If I at least then had a working physical DC, I’d still have DNS services inside the LAN, can still push group policy, domain accounts can still authenticate off of it, and I can still push Windows updates if needed (as if I’d have time to play with WSUS if the entire VMware system crashed! lol).
Perhaps I’m thinking incorrectly on this?
2 Spice ups
mattbartle
(Matt Bartle)
June 23, 2015, 11:42am
12
Just run the VM from the server’s local storage. Nothing that happens elsewhere will affect it.
6 Spice ups
That’s a good point too… I hadn’t considered that. So long then as the ESX server is up and running, I’ll be good to go in case the NetApp pukes on me again.
Hmm… now so many options on how to actually do it… some good ideas presented.
4 Spice ups
mahasd
(Mahasd)
June 23, 2015, 11:46am
14
Promote a new DC and demote the old one. There’s no reason to mess with restoring a backup. A simple image and clone operation isn’t very likely to succeed anyway.
Don’t install WSUS on your DC.
Don’t run it on a physical server unless you have a solid reason to… in this case, I see no such reason.
Slightly OT, but since you brought it up, should WSUS always be run on its own server?
Other than perhaps DNS, what other roles are acceptable to be run on a DC?
@mahasd
1 Spice up
jasonjulian:
Slightly OT, but since you brought it up, should WSUS always be run on its own server?
Other than perhaps DNS, what other roles are acceptable to be run on a DC?
I’d strongly recommend against WSUS on a DC:
http://social.technet.microsoft.com/wiki/contents/articles/4236.guidance-about-wsus-on-a-domain-cont…
As for other roles, it really depends. I’ve heard of people using them as print servers or file servers. My own personal preference is to only put the network administrative functions (i.e. AD/DNS/DHCP) together if needed and have everything else on different servers.
as for sharing WSUS, I’ve set it up on servers with other IT support related utilities, like MDT, Spiceworks, PDQ Deploy and similar, with no issues whatsoever.
8 Spice ups
mahasd
(Mahasd)
June 23, 2015, 12:03pm
17
Yes, I do ADDS/DNS/DHCP only.
The more services you load on a DC, the larger attack surface you have for someone to break into your DC. Your DCs contain the vault with the keys to your kingdom, don’t add more doorways to that vault.
I’d do it for security alone, but there are availability concerns cohabitating services as well.
I dedicate WSUS (and most server roles) to their own VMs, but I’d be comfortable cohabitating WSUS with something else - but not on a DC.
5 Spice ups
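A quick way to check whether a DC has grown beyond the ADDS/DNS/DHCP baseline mahasd describes, as an added PowerShell example (not from the thread or any poster). It lists installed top-level roles outside an allow list and any listener on the default WSUS/IIS ports; the allow list is an assumption you would tune to your own standard, and `Get-NetTCPConnection` assumes Server 2012 or later (use `netstat -ano` on 2008 R2).

```powershell
# Added example (not from the thread): audit a DC for roles and listeners beyond the
# AD DS / DNS / DHCP baseline. Run locally on the DC as an administrator.

# Assumed baseline. FileAndStorage-Services is present on every Server 2012+ install,
# so it is allowed to avoid a false positive; Print-Services, Web-Server, UpdateServices
# (WSUS) and similar are deliberately NOT on this list.
$AllowedRoles = @('AD-Domain-Services', 'DNS', 'DHCP', 'FileAndStorage-Services')

# 1. Installed top-level roles that are not on the allow list.
$extraRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin $AllowedRoles } |
    Select-Object Name, DisplayName

# 2. Default ports of roles that commonly end up cohabiting with AD DS.
$WatchPorts = @{
    80   = 'HTTP  (IIS / WSUS front end)'
    443  = 'HTTPS (IIS / WSUS over SSL)'
    8530 = 'WSUS default HTTP port'
    8531 = 'WSUS default HTTPS port'
}
# LocalPort is not Int32, so cast before the hashtable lookup or nothing will match.
$extraListeners = Get-NetTCPConnection -State Listen |
    Where-Object { $WatchPorts.ContainsKey([int]$_.LocalPort) } |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        [pscustomobject]@{
            Port    = [int]$_.LocalPort
            Process = $proc
            Note    = $WatchPorts[[int]$_.LocalPort]
        }
    }

if (-not $extraRoles -and -not $extraListeners) {
    Write-Host "OK: only baseline roles ($($AllowedRoles -join ', ')) found on $env:COMPUTERNAME"
} else {
    Write-Warning "DC $env:COMPUTERNAME carries more than the baseline; consider moving these elsewhere:"
    $extraRoles     | Format-Table -AutoSize
    $extraListeners | Format-Table -AutoSize
}
```

Run it on each DC after a migration like the one in this thread: if WSUS was left on the demoted box as planned, the old server will show 8530/8531 and the new DC should come back clean.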
So perhaps I should install and promote a new DC with my physical box (if that is what I am going to do), demote the current secondary DC and leave WSUS running on that as simply a Server 2008R2 machine…
Unfortunately at my branch offices, my DCs have to do double duty as backup servers as well.
1 Spice up
Reboots will be required but this is a better approach.
1 Spice up
smooney
(S.Lee)
June 23, 2015, 12:26pm
20
But if you have a proper backup solution, then you don’t need to have a physical DC. Server 2012 R2 is all about virtualisation and cloud leverage, plus it’s much faster to restore a VM from Veeam or Unitrends than having to deploy a Windows image and do a state restore, and this is talking from personal experience: when I was learning I had to move a VM and used the Windows backup solution, and it took hours to restore the VM, and then I had to mess with a load of other files to get it to boot… if I had had a backup solution like Veeam at the time, it would have saved me loads and loads of wasted hours.