If an infrastructure is going to be converted from physical servers to virtual you should consider how to handle Active Directory Domain Controllers. This posting is a reference to some articles posted on the internet.
I advise to always have at least 1 domain controller installed on a phyiscal server. This prevents the catch22 situation where the virtual infrastructure is not available and authentication is not possible because all DC’s are virtualized. For disaster recovery Microsoft DPM server needs Active Directory so that is another reason to always have at least one DC running physical.
At Microsoft TechEd 2011 North America one of the session was about virtualization of Active Directory Domain Services. See the video of the session here.
Customers are looking to further virtualize their environments: file servers, web servers, DNS servers, and even their domain controllers. It is clear that virtualization provides many benefits in areas such as deployment, disaster-recovery and lowering TCO. However, while virtualization offers many powerful capabilities and greatly simplifies repetitive tasks, it is a technology that must be handled with care when used in conjunction with Active Directory. In this session we review fundamental concepts within Active Directory and the impact of cloning and virtualization upon domain controllers, domain members and Windows in general. We also discuss how to best leverage virtualization and how to both mitigate problems and avoid occurrences in the first place.
There are several scenario’s thinkable to virtualize domain controllers:
1. install a new virtual machine. Install Active Directory Domain Controller role on it. Transfer roles of physical DC to the new DC and dc-promo the physical server to remove the DC role.. This is by far the best option as there is no risk for issues in Active Directory. Mind however that this involes a change of the DNS servers. So you might have to change the DNS server references of each servers, and adjust the DNS servers published by the DHCP servers. Also some applications running on the same server might be dependent of the local domain controller.
2. Demote the domain controller role on the physical server. Then perform a P2V. After that has finished, dcpromo the virtual server to a domain controller if needed. Ideal would be to create a server with no applications, just the domain controller role.
3. P2V the physical server to a virtual machine. Sometimes this needs to be done because of lack of time. Some organizations deciced to install applications on the domain controller. Manually reinstalling the application(s) on a newly created virtual machine can cost a lot of time because documentation, media and licenses cannot be found. An exact copy of the physical server will prevent the hassle.
However, the procedure to P2V a domain controller needs some attention.
If PlateSpin Migrate is used to perform the migration, the job will ask for administrator credentials on the source server. As the active directory services on the source server are disabled (as the server is in AD recovery mode) the password check will fail! Make sure you know the Active Directory Restore Password as the account Administrator and the Restore Password is used for authentication of the PlateSpin job.
Also you will need to have some experience and knowledge on Active Directory. There is a change the P2V -ed domain controller lost it’s connection to the domain and needs to be connected again. This could happen if the DC has been offline for too much time for example.
Read these articles for info:
How to: P2V a domain controller by Ted Steenvoorden
I performed the procedure described above several times and had no problems. Make sure all FSMO roles are moved from the server which needs to be P2V-ed to another domain controller as these roles are not available when the server is in Directory Services Restore Mode . Also check Global Catalog server role.
Virtualizing a domain controller, how hard can it be? by Gabrie van Zanten
P2V a Domain Controller? Why would you? by Christian Mohn
Converting domain controllers by Duncan Epping
Virtualizing existing domain controllers by VMware