Hello,

Is there a best way to virtualize the primary DC (i.e. FSMO roles)?

We have VMware running with a DC already and would like to get the original DC on a VM also.

Is there a best practice for this? We also have other sites with DCs on this domain.

Was thinking build brand new DC and seize the FSMO roles then decommission old physical DC.

Cheers, LJM

@VMware

11 Spice ups

Use VMware Converter. Does the job very well. And it’s free.

Personally I wouldn’t want to have ALL my DCs virtual but that is a personal preference.

3 Spice ups

Why not just create a new virtual machine and dcpromo it? I think I’d feel better just doing that. Or, if you feel like you have enough DCs already, just transfer the roles to another and demote the physical.

5 Spice ups

+1 to VMware Converter. As long as the 2 DCs are on different VM Hosts, it’s all good.

I’m not a fan of P2V a DC in a multi DC environment. Create a new VM, dcpromo, transfer the roles and demote the physical.

3 Spice ups

Well done with VMware converter or perform a fresh VM install followed by a DC promote. After that FSMO on the new VM and everything is okay.

Unless you have a whole lot invested in the setup of the physical DC, I would not use VMware Converter (it is a great product but can have some problems). If you did need to use VMware Converter, you would want to do it offline (which is not as easy to do with the free VMware offerings) and immediately before shutting, you would want to make your NICs DHCP because you will be getting new “hardware” - then set up your previous static IP(s) on the new NICs (I would also have the IPs back in place BEFORE you reconnect it to the network so as not to have Domain browser services finding other DCs and such before the IPs are back to what they should be). You would also want to do this as quickly as possible - the imaging/conversion offline helps with DC replication issues because it simulates just turning off the DC for a little while but I have seen that with longer downtimes, there can be replication issues as well.

You should not have to “seize” any FSMO roles unless that Server has gone down and cannot be recovered. I’m sure you meant to transfer them gracefully.

To avoid all of the issues that can arise from converting a server with critical databases (AD, DNS, DHCP, etc.) - Bryan has the best idea. Build up a new virtual server just the way you want it. DCPromo it into the Domain. Set up and transfer any server roles that you want it to have like DHCP, printers, whatever. When you know all that is working fine, transfer your FSMO roles and then demote the physical box and remove it from the Domain.

3 Spice ups

Go with your original thought and build a new DC. I personally keep one DC physical in case the Hypervisor is lost.

I also make sure that the clock is sync’d from NTP so as to avoid any issues with the VMware Tools and clock drift.

Best Regards, Adam.

Bryan Doe wrote:

Why not just create a new virtual machine and dcpromo it? I think I’d feel better just doing that. Or, if you feel like you have enough DCs already, just transfer the roles to another and demote the physical.

This is the recommended way.

3 Spice ups

Adam Leyshon wrote:

Go with your original thought and build a new DC. I personally keep one DC physical in case the Hypervisor is lost.

You have a hypervisor on each machine. If you have a physical machine then you can virtualize on that and you still have the protection that you want but still the additional protection of virtualization.

Remember a few things, primarily that if all your DCs are VMs and you restore one DC VM without proper preparation, or without restoring the others from same time backups, you may run into problems.

See:

Been there and done that, NOT easy to recover from!

Agree with building a new virtual DC and moving the roles to it. P2V of an existing DC is hit and miss. I know some who have done it okay, and others who have had issues. Mine were all freshly built. Building a DC is pretty easy, so I would go that route.

1 Spice up

We recently did the P2V conversion on one of our DCs for reasons not related to it being a DC, and are still cleaning it up. Due to all the “extra” stuff we have on the DC we needed to virtualize, my boss opted to go the P2V route. I think maybe if it had been healthy before we did it we might have been better off, but as it was there were memory issues causing all sorts of havoc (hence our virtualizing it) and we’re still fixing it months later. Citrix can have some high maintenance needs sometimes :)

Oh, and so long as the DCs are hosted on different host hardware / ESX hosts, I see no reason to keep a physical box around specifically for a DC. Virtualize as much as you can - you’ll be happier in the long run (so long as the systems are healthy before you virtualize them)

Don’t virtualise a current physical DC, create one from scratch. We tried virtualising a DC and it was a disaster…

3 Spice ups

Scott Alan Miller wrote:

You have a hypervisor on each machine. If you have a physical machine then you can virtualize on that and you still have the protection that you want but still the additional protection of virtualization.

Sorry Scott, I just said that as I come from a smaller company that cannot virtualise all of its assets due to the cost, it’s common practice for me. :)

Adam Leyshon wrote:

What Scott is saying is that if you have a physical machine to run another DC on, just put a hypervisor on it and install the DC as a guest. Virtualizing doesn’t mean you have to consolidate too.

LJM wrote:

Was thinking build brand new DC and seize the FSMO roles then decommission old physical DC.

This is the best way. It’s also best practice to do this on a separate hardware failure domain from your other stuff.

2 Spice ups

Adam Leyshon wrote:

Virtualization is always free. There is no cost associated with it. Budget doesn’t come into play. All SMB assets should be virtualized at all times outside of extremely extenuating circumstances. In reality, it shouldn’t even be a discussion for any new deployment.

Plus then you have the option to consolidate. So it protects you against financial loss while costing nothing.

Thank you very much for all the replies.

It is clear that building a new VM, DCpromo, and seize roles is the best way.

Especially when it is quick and easy to build.

By the way, the DCs will be on separate VM hosts.

Cheers everyone

LJM

5 Spice ups

Just a small point, and possibly just semantics, but after building your new virtualised DC, you should TRANSFER the FSMO roles, not seize them.

I’m fairly sure seizing them is a last resort, and for some roles means you can never return the original DC to the network.

1 Spice up
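
The graceful transfer that several replies recommend over seizing, as an added example that is not part of the thread: it lists the current role holders, refuses to continue if a holder is offline or replication is failing, transfers all five roles, and checks the result. `DC-VM01` is a placeholder for the new virtual DC, and the script assumes the ActiveDirectory module and `repadmin` are available on the machine running it.

```powershell
# Added example, not from the thread. DC-VM01 is a placeholder name.
Import-Module ActiveDirectory
$NewDc = 'DC-VM01'   # assumption: the freshly promoted virtual DC

function Get-FsmoHolder {
    # Domain-wide roles come from Get-ADDomain, forest-wide roles from Get-ADForest.
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

$before = Get-FsmoHolder
$before.GetEnumerator() | Format-Table Name, Value -AutoSize

# A transfer needs every current holder online and cooperating.
foreach ($holder in ($before.Values | Sort-Object -Unique)) {
    if (-not (Test-Connection -ComputerName $holder -Count 2 -Quiet)) {
        throw "Role holder $holder is unreachable; stop and investigate before moving roles."
    }
}

# Refuse to move roles while any replication link is reporting failures.
$failing = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failing) {
    $failing | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Number of Failures'
    throw 'Replication failures present; fix them before transferring roles.'
}

# Graceful transfer: -Force is deliberately absent, because -Force seizes the roles.
# Moving the two forest-wide roles needs Schema Admins and Enterprise Admins rights.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

# Confirm all five roles now sit on the new DC before demoting the physical one.
$target = (Get-ADDomainController -Identity $NewDc).HostName
$stray  = (Get-FsmoHolder).GetEnumerator() | Where-Object { $_.Value -ne $target }
if ($stray) { throw "Roles not on ${target}: $($stray.Name -join ', ')" }
"All FSMO roles are held by $target"
```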