I am getting ready to upgrade my Active Directory Domain Controllers from Server 2012 R2 to Server 2019. I have 25 domain controllers in this environment. 5 of them reside at our national data center and serve as our ‘Core Hub’, and hold the schema roles. The other 20 are paired across our other sites. The overall upgrade will include replacing/upgrading the hardware for all 25 domain controllers. With that being said, should I look at going virtual instead of physical?

Thoughts, advantages, disadvantages… and GO!

61 Spice ups

Ancient Alien Astronaut Theorists say YES.

14 Spice ups

LOL, that is the problem.

Why not go to 2022 server?

You’re tackling the issue backwards.

You start with the proposition a DC will be a virtual machine, and seek business or technical arguments or reasons against it.

26 Spice ups

What is your virtualization platform? Actually it doesn’t matter. You can virtualize all DCs on any hypervisor, even Hyper-V.

How reliable is the connectivity between the remote sites and the main data center? I ask because if connectivity is reliable (say dual ISP circuit at each site), then the remote sites may not even need a local DC.

My remote sites used to have a local DC. Now those are just member servers. We have dual ISP circuits at each location. If WAN is down, then phones are down, as is ERP. Having a local DC doesn’t buy much. We also centralized DHCP and DNS to the data centers.

19 Spice ups

If at all possible, yes virtualize your DCs.

15 Spice ups

Read through Kevin’s Post. Good advice, depending on setup, you may not need all those DCs.

And yes to virtualize, if you can.

EDIT: we have about a dozen locations, 2 DCs at our main data center. They handle the load just fine. Going to be building a third here soonish at our Disaster Recovery site. The only time that DC would be used is if the main site goes down and we roll to DR.

4 Spice ups

I’ve seen good arguments for still keeping one physical DC around over the past 5 years or so, but for the most part I wouldn’t bother in a modern setup. I don’t have a physical DC in my homelab anymore (although my hosts aren’t members of my AD) and haven’t had any issues. If you still want to have a physical DC, I’d suggest picking up something like an Intel NUC and setting it up as a backup DC, but still virtualize all of the others.

8 Spice ups

Care to share those arguments? I can think of -zero- valid reasons.

3 Spice ups

I have over 1K virtual DCs in my environment. No, that’s not a typo. There’s no need to have a physical DC.

8 Spice ups

What if Microsoft releases a bad patch that causes all of your HyperV servers to not start VMs? Oh wait, that same patch also broke domain controllers. Disregard :smiley:

(Besides, everyone should be staggering their patch rollouts so it doesn’t hit all of your Virtual hosts or Domain controllers in the same week anyway).

17 Spice ups
1. I test patches before deploying them.

2. I always wait a few days and check my usual haunts for word of issues before deploying.

4 Spice ups

Yes, virtualize domain controllers when and if possible.

What is that, a DC at every store/retail location?

1 Spice up

Honestly, don’t really remember any off the top of my head, but I know I’ve seen a few arguments and thought “That actually makes sense…” but none of them applied to me, so it didn’t matter :stuck_out_tongue: Usually it was something about Hyper-V or when you authenticate to your ESX hosts via domain credentials. I hate Hyper-V, and never domain-join my hosts so I didn’t much care, haha!

In either of those cases, though, assuming you have your hosts configured properly, it still shouldn’t be a problem, but I could see someone turning off auto-start accidentally, or putting all of their ESX hosts in maintenance mode and then not having local credentials to log in being possible.

@da-schmoo

1 Spice up

You can still log into the host even if your DC(s) are down. Everything else you mentioned is just poor planning and that is not a valid reason in my book. :slight_smile:

6 Spice ups

Yes. Maybe one physical DC for times like last month when the patches caused hypervisors not to start any VMs, but testing patches and using different patching schedules seems better. Otherwise, virtual everything unless there’s a specific reason that it can’t.

I join the hypervisors to the domain, and the VM should simultaneously. You can log in to the hypervisor by being authenticated by a DC on a separate box, waiting a moment for the DC VM to finish starting, using cached credentials, or the local administrator account.

1 Spice up
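The two posts above both hinge on the hypervisor bringing the DC VMs back on its own after a host reboot or maintenance window. The following is an added example, not code from anyone in this thread, that audits and optionally corrects the Hyper-V auto-start and stop settings for DC guests. It assumes the Hyper-V PowerShell module is present on the host and that DC VMs follow a naming pattern such as DC* (an assumption; adjust the pattern to your environment).

```powershell
# Added example: audit Hyper-V auto-start/stop settings for domain controller VMs.
# Assumes the Hyper-V module is installed and DC guests are named like "DC*" (assumed convention).
$dcNamePattern = 'DC*'

function Get-DcAutoStartReport {
    param([string]$NamePattern = $dcNamePattern)
    Get-VM -Name $NamePattern -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State
            StartAction = $_.AutomaticStartAction   # Nothing | StartIfRunning | Start
            StartDelay  = $_.AutomaticStartDelay    # seconds after host boot
            StopAction  = $_.AutomaticStopAction    # TurnOff | Save | ShutDown
            # Flag anything that would leave a DC down after a host restart, or that saves
            # DC state to disk (a resumed DC comes back with a stale clock and stale replication view).
            NeedsFix    = ($_.AutomaticStartAction -ne 'Start') -or ($_.AutomaticStopAction -ne 'ShutDown')
        }
    }
}

function Repair-DcAutoStart {
    param(
        [string]$NamePattern = $dcNamePattern,
        [int]$StaggerSeconds = 60,   # space DC boots out so they do not all hit storage at once
        [switch]$WhatIf
    )
    $i = 0
    Get-VM -Name $NamePattern | Sort-Object Name | ForEach-Object {
        # 'Start' rather than 'StartIfRunning': a DC that was shut down during host maintenance
        # still comes back, which is exactly the scenario the thread worries about.
        Set-VM -VM $_ `
            -AutomaticStartAction Start `
            -AutomaticStartDelay ($i * $StaggerSeconds) `
            -AutomaticStopAction ShutDown `
            -WhatIf:$WhatIf
        $i++
    }
}

# Usage: review first, then apply (drop -WhatIf once the report looks right).
Get-DcAutoStartReport | Format-Table -AutoSize
Repair-DcAutoStart -WhatIf
```

Run the report on every host as part of the monthly patch checklist: a VM whose NeedsFix column is True is one that a routine host reboot can take offline without anyone noticing until logons start failing.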

We are currently running at each Data Centre (we have 2) a Physical and one Virtual DC.

With this configuration, we point all of our servers and infrastructure DNS settings to the Physical DCs and all Clients around the country point to the Virtual DCs with the closest DC being the primary DNS Server. Our Physical Servers are also our DHCP Servers.

The way I look at it is that if the Hyper-Visor or even your SAN has a bad day (and I have had that happen), you can still authenticate your clients and failover the required systems and keep things working.

1 Spice up

Pretty much. Ones with higher bandwidth don’t have them. They all started with 128k pipes I think. A lot of them are still T1.

I’ve always wanted to post a problem about them so someone can ask me to post a repadmin /showrepl or dcdiag /e /v :slight_smile:

15 Spice ups
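The post above jokes about being asked for repadmin /showrepl output, which is the right instinct before and after a 25-DC migration: every pair of partners should have replicated recently and with zero consecutive failures. The following is an added example, not code from the thread, that produces the same replication picture for every DC in the domain using the ActiveDirectory module (RSAT). It assumes you run it as a domain user with ordinary read access and that 24 hours is an acceptable "stale" threshold (an assumption; tune it for slow T1 sites).

```powershell
# Added example: domain-wide replication health, the PowerShell counterpart of repadmin /showrepl.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read AD.
Import-Module ActiveDirectory

function Get-DcReplicationReport {
    param([int]$MaxAgeHours = 24)   # assumed threshold for flagging a partner as STALE

    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        try {
            $partners = Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both -ErrorAction Stop
        } catch {
            # A DC that cannot be queried is itself a finding; report it instead of skipping it.
            [pscustomobject]@{
                Server = $dc; Partner = '(unreachable)'; Partition = ''
                LastSuccess = $null; ConsecutiveFailures = $null
                Status = 'ERROR: ' + $_.Exception.Message
            }
            continue
        }

        foreach ($p in $partners) {
            # Partner is the DN of the partner's NTDS Settings object:
            # CN=NTDS Settings,CN=<server>,CN=Servers,... so the second RDN is the server name.
            $partnerName = (($p.Partner -split ',')[1]) -replace '^CN=', ''
            $status = if ($p.ConsecutiveReplicationFailures -gt 0) { 'FAILING' }
                      elseif ($p.LastReplicationSuccess -lt $cutoff) { 'STALE' }
                      else { 'OK' }
            [pscustomobject]@{
                Server              = $dc
                Partner             = $partnerName
                Partition           = $p.Partition
                LastSuccess         = $p.LastReplicationSuccess
                ConsecutiveFailures = $p.ConsecutiveReplicationFailures
                Status              = $status
            }
        }
    }
}

# Usage: show only what needs attention, then the full table for the change record.
$report = Get-DcReplicationReport
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
$report | Export-Csv -Path .\dc-replication.csv -NoTypeInformation
```

Snapshot the CSV before demoting the first 2012 R2 DC and again after each promotion; a partner row that changes from OK to FAILING between two runs points at the exact site link to look at, which is quicker than reading dcdiag /e /v across 25 servers.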