AP05 Running Windows Active Directory in Virtual Infrastructure 3

Date posted: 02-Jan-2016
Page 1: AP05 Running Windows Active Directory in Virtual Infrastructure 3

AP05

Running Windows Active Directory in Virtual Infrastructure 3

Chris Skinner

Technical Instructor Education Services

VMware, Inc.

Page 2

Housekeeping

Please turn off your mobile phones, BlackBerrys and laptops

Your feedback is valued: please fill in the session evaluation form (specific to that session) and hand it to the room monitor or the materials pickup area at registration

Each delegate who returns a completed event evaluation form to the materials pickup area will be eligible for a free evaluation copy of VMware’s ESX 3i

Please leave the room between sessions, even if your next session is in the same room, as you will need to be rescanned

Page 3

Objectives and Goals

You can virtualize Active Directory successfully

It’s not difficult, mystical or magical

Many companies have successfully deployed AD through virtualization

Page 4

Agenda

Why should we virtualize Active Directory?

What are the challenges with virtualizing AD?

How does a company successfully migrate?

Page 5

Why Virtualize?

Page 6

Why Virtualize Active Directory?

Hardware Consolidation

Combine multiple, single use boxes

Standardization – eliminating imaging issues

Reduce product activation issues

Leverage VI 3 Features – HA & DRS

Page 7

Why Virtualize Active Directory?

Testing and Development

Policy testing

Schema changes

Migration/upgrade testing

Domain reconfigurations

Deployment scenarios

Disaster recovery solutions

Page 8

Why Virtualize Active Directory?

Security Controls

Limiting physical access

Additional administrative controls

Separate applications from domain controllers

Page 9

Challenges to Virtualizing Active Directory

Time synchronization

Performance

Replicating Active Directory changes

High availability of domain controllers

Disaster recovery

Page 10

Virtualization Challenges: Time Synchronization

Page 11

Time Synchronization – Why is it so important?

Active Directory operations are critically time dependent

The Microsoft Kerberos implementation allows a 5-minute clock-skew tolerance by default; a DC or client whose clock is further out than that fails Kerberos authentication

File Replication Service (FRS), which replicates SYSVOL (logon scripts, Group Policy templates), resolves conflicting updates based, in part, on file time-stamps; AD database replication itself orders changes by USN and version number, with the time-stamp only as a tie-breaker

Page 12

Time Server Hierarchies

The PDC emulator of the forest root domain is the authoritative time source for the forest

Child-domain PDC emulators can sync with any DC in the parent domain

Clients sync with any DC in their own domain

DCs can sync with the PDC emulator in their own domain or with any DC in the parent domain

Source: Microsoft Corporation

Page 13

Time Synchronization – Virtualization Issues

No CPU cycles needed – none given!

Clock drift can be significant in a relatively short period

Idle cycles in a virtual machine are an Active Directory domain’s worst enemy: a descheduled guest misses timer interrupts, so its clock falls behind

How do you combat time synchronization issues?

More than a 28-minute drift!

Page 14

Time Synchronization – Option A – Using W32Time

Use the Windows Time Service – NOT VMware Tools

Define an alternative external time source for the “master” time server (the PDC emulator of the forest root domain); every other DC keeps the default NT5DS setting and follows the domain hierarchy

1. Modify registry settings on the PDC emulator for the forest root domain:

HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Change the Type REG_SZ value from NT5DS to NTP
Change the NtpServer value from time.windows.com,0x1 to an external stratum 1 time source, e.g. tock.usno.navy.mil,0x1

HKLM\System\CurrentControlSet\Services\W32Time\Config
Change the AnnounceFlags REG_DWORD from 10 (0xA) to 5

2. Stop and restart the time service:
net stop w32time
net start w32time

3. Manually force an update: w32tm /resync /rediscover
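The three steps above as an added PowerShell example (not part of the original deck): it refuses to run anywhere but the forest-root PDC emulator, applies the same Type/NtpServer/AnnounceFlags changes, restarts W32Time, and then measures the resulting offset against the external peer with w32tm /stripchart so the drift can be compared with the 5-minute Kerberos window. The peer name is carried over from the slide as a placeholder; the $WarnSeconds threshold and the function name are this example’s own.

```powershell
# Added example (not from the original deck): apply Option A on the forest-root
# PDC emulator and then measure the offset against the external source.
# Run in an elevated PowerShell session on the PDC emulator.
# Assumptions: tock.usno.navy.mil is a placeholder for an approved external
# source; w32tm.exe is present (Windows Server 2003 or later); UDP/123 is open.
param(
    [string]$NtpPeer     = 'tock.usno.navy.mil,0x1',  # 0x1 = poll at SpecialPollInterval
    [double]$WarnSeconds = 30                         # well inside the 300 s Kerberos window
)

$w32Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$w32Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# 1. Guard: only the forest-root PDC emulator should point at an external
#    source. Every other DC keeps Type=NT5DS and follows the domain hierarchy.
$rootPdc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.PdcRoleOwner.Name
if ($rootPdc.Split('.')[0] -ne $env:COMPUTERNAME) {
    throw "$env:COMPUTERNAME is not the forest-root PDC emulator ($rootPdc); leave Type=NT5DS here."
}

# 2. The three registry changes from the slide: NT5DS -> NTP, external peer,
#    AnnounceFlags 10 (0xA) -> 5 so this DC advertises itself as a reliable source.
Set-ItemProperty -Path $w32Params -Name Type          -Value 'NTP'
Set-ItemProperty -Path $w32Params -Name NtpServer     -Value $NtpPeer
Set-ItemProperty -Path $w32Config -Name AnnounceFlags -Value 5
# Equivalent without editing the registry by hand:
#   w32tm /config /manualpeerlist:"$NtpPeer" /syncfromflags:manual /reliable:yes /update

# 3. Restart the service and force a resync against the new peer.
Restart-Service -Name w32time
& w32tm /resync /rediscover | Out-Null

# 4. Verify: sample the offset from the external peer (works on Server 2003,
#    which has no "w32tm /query") and flag drift heading toward 5 minutes.
function Get-TimeOffsetSeconds {
    param([string]$Peer, [int]$Samples = 5)
    $peerHost = $Peer.Split(',')[0]
    $lines = & w32tm /stripchart /computer:$peerHost /samples:$Samples /dataonly
    # Data lines look like "12:00:00, +00.0012345s"; take the last sample.
    $last = $lines | Where-Object { $_ -match ',\s*[+-]\d+\.\d+s' } | Select-Object -Last 1
    if (-not $last -or $last -notmatch ',\s*([+-]\d+\.\d+)s') {
        throw "No samples from $peerHost (UDP/123 blocked, or host unreachable)."
    }
    return [double]$Matches[1]
}

$offset = Get-TimeOffsetSeconds -Peer $NtpPeer
'Offset vs {0}: {1:+0.000;-0.000} s' -f $NtpPeer, $offset
if ([math]::Abs($offset) -gt $WarnSeconds) {
    Write-Warning "Offset above $WarnSeconds s: check the ESX host clock and confirm VMware Tools time sync is off in this VM (Option A and Option B must not both be active)."
}
```

The guard matters because pointing a non-root DC at an external source breaks the hierarchy on slide 12; the stripchart check is the same one you can run from any DC against the PDC emulator to find a virtual DC that has started drifting.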

Page 15

Time Synchronization – Option B – VMware Tools

Modify the Windows Time Service – use VMware Tools instead

Implement a Domain Controllers Group Policy that modifies the W32Time registry settings so the Windows Time Service no longer adjusts the clock on the virtual DCs

Enable the ESX Server NTP daemon to sync with an external stratum NTP source

VMware Knowledge Base ID# 1339

Use VMware Tools time synchronization within the virtual machine

NOTE: VMware Tools time sync is designed to play “catch-up”, not slow down! A guest clock that has run ahead of the host is not pulled back by this mechanism

Page 16

Time Synchronization – Descheduled Time Accounting

Custom VMware Tools component

Tightly integrated with the hypervisor

Use with ESX 3.x VMs only

Currently for uniprocessor Windows and Linux VMs only

Improved accuracy for the guest OS’s CPU time accounting

Allows quicker “catch-up” of time for the guest OS

Launches a VMDesched thread or process within the VM’s OS

Page 17

Time Synchronization – Descheduled Time Accounting (2)

Perform a Custom installation of VMware Tools in Windows guest OS

Page 18

Time Synchronization - Summary

Use one method or the other

Do NOT use both!!! Two agents correcting the same clock will step it back and forth

Decisions should be based on the current time management infrastructure or the organization’s policies

Page 19

Virtualization Challenges: Performance Issues

Page 20

Performance for Virtualized Domain Controllers

Virtualized AD domain controllers can run at 85-90% of a native system’s performance

Active Directory deployments in most datacenters utilize less than 10% of today’s computing power

Significantly less hardware is required to run a greater number of virtualized domain controllers

A greater number of domain controllers provides better logon results and fewer points of failure

Page 21

Performance – Single Processor

[Chart: Operations/Second (0–6000) for Add Users, Search AD, Modify Users, User Logons, GPO Search; Physical vs Virtual]

Page 22

Performance – Dual Processors

[Chart: Operations/Second (0–12,000) for Add Users, Search AD, Modify Users, User Logons, GPO Search; Physical vs Virtual]

Page 23

Performance - Scaling Processors Up

[Chart: Scaling Factor (0.0–2.0) for Add Users, Search AD, Modify Users, User Logons, GPO Search; Physical vs Virtual]

Page 24

Performance Summary

Virtualization does not necessarily increase performance

Proper planning of resource allocation is still important

It’s still important to follow Microsoft’s best practices for the strategic placement of FSMO role servers, catalog servers, etc.

Page 25

Virtualization Challenges: Security, Network and Replication

Page 26

Security - VM Access Control

Page 27

Network - Connections

Use the Maps view to verify network infrastructure

Create separate VM port groups connected to individual NICs

Page 28

Network - Advanced Switch Settings

ESX Server 3.x provides some more sophisticated network settings

Page 29

Replication - Using Replication Monitor: Validating Inbound Connections

Page 30

Security, Network & Replication Summary

Utilize Virtual Infrastructure 3 access policies

Configure outbound virtual switches for redundancy

Validate/Test for proper replication between virtualized domain controllers

Page 31

Virtualization Challenges: High Availability & Disaster Recovery/Preparedness

Page 32

High Availability – ESX 3.x/VirtualCenter 2.x

VMware provides solutions for automatically restarting virtual machines

Implement VMware HA as the high availability mechanism, to ensure virtual machine domain controllers restart on a surviving host in the event an ESX server fails

Page 33

High Availability – ESX 3.x/VirtualCenter 2.x

Combined with VMware DRS, anti-affinity rules can ensure domain controller VMs are kept on separate ESX hosts, so one host failure does not take down every DC at once
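The HA and DRS settings from the two slides above, as an added example (not from the original deck) using VMware PowerCLI cmdlets, a later toolset than the VirtualCenter 2.x GUI the deck shows; it assumes PowerCLI is installed and a Connect-VIServer session exists, and the cluster, VM and rule names are placeholders. The final function checks that the separation actually holds right now rather than trusting the rule.

```powershell
# Added example (not from the original deck): keep DC VMs apart with a DRS
# anti-affinity rule and give them HA restart priority. Uses VMware PowerCLI
# (assumed installed and already connected with Connect-VIServer).
# Cluster, VM and rule names are placeholders.
param(
    [string]$ClusterName  = 'Prod-Cluster',
    [string[]]$DcVmNames  = @('DC01', 'DC02'),
    [string]$RuleName     = 'DC-AntiAffinity'
)

$cluster = Get-Cluster -Name $ClusterName
$dcVms   = Get-VM -Name $DcVmNames

# 1. DRS anti-affinity: KeepTogether $false means "separate these VMs".
$rule = Get-DrsRule -Cluster $cluster -Name $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-DrsRule -Cluster $cluster -Name $RuleName -Enabled $true -KeepTogether $false -VM $dcVms | Out-Null
} elseif (-not $rule.Enabled) {
    Set-DrsRule -Rule $rule -Enabled $true | Out-Null
}

# 2. HA: restart the DCs before other workloads when a host fails.
$dcVms | Set-VM -HARestartPriority High -Confirm:$false | Out-Null

# 3. Check the rule actually holds at this moment: no two DCs on one host.
function Test-DcHostSeparation {
    param([string[]]$Names)
    $hostNames = @(Get-VM -Name $Names | ForEach-Object { $_.VMHost.Name })
    $unique    = @($hostNames | Select-Object -Unique)
    return ($unique.Count -eq $hostNames.Count)
}
if (-not (Test-DcHostSeparation -Names $DcVmNames)) {
    Write-Warning 'Two or more DCs currently share an ESX host; DRS will separate them at its next run (or vMotion one now).'
}
```

An anti-affinity rule is only as good as the number of hosts in the cluster: with N DCs and fewer than N hosts, DRS cannot satisfy it and the check above will keep warning.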

Page 34

Disaster Recovery – Best Practices

Perform consistent System State backups

Provided by most major commercial backup software

Follow Microsoft recommendations on FSMO role placement

http://support.microsoft.com/kb/223346

All Active Directory restorations should be performed using the supported methods: a non-authoritative System State restore in Directory Services Restore Mode, or an authoritative restore where deleted objects must be brought back

Do not recover an Active Directory database from a backup copy of an old virtual disk! The restored DC comes back with a USN counter its replication partners have already moved past for the same invocation ID (USN rollback), so changes made on it afterwards are silently never replicated
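Two checks a practitioner wants after reading the replication-validation slides (29 and 30) and the old-virtual-disk warning just above, as one added PowerShell example that is not part of the original deck: it reads the USN-rollback marker and events that KB 875495 documents, and parses repadmin /showrepl /csv for inbound partners that are failing. It assumes repadmin.exe is available (Support Tools on Server 2003, in-box later); -Server and the function names are this example’s own.

```powershell
# Added example (not from the original deck): check a virtualized DC for the
# USN-rollback state left behind by restoring an old virtual disk, and validate
# its inbound replication partners. Run on the DC, or point -Server at it.
# Assumptions: repadmin.exe is available (Support Tools on 2003, in-box later);
# the registry value and event IDs are the ones documented in KB 875495.
param([string]$Server = $env:COMPUTERNAME)

# 1. When a DC notices its partners already hold higher USNs for its own
#    invocation ID, it sets "Dsa Not Writable" = 4, pauses Netlogon and stops
#    replicating. Do not clear the value: the DC must be demoted and rebuilt,
#    or restored from a supported System State backup.
function Test-UsnRollback {
    param([string]$Computer)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    $val  = $key.GetValue('Dsa Not Writable', 0)
    $key.Close(); $base.Close()
    return ($val -eq 4)
}

# 2. Directory Service log: 2095 = USN rollback detected, 2103 = DC restored
#    with an unsupported method.
function Get-RollbackEvents {
    param([string]$Computer, [int]$Days = 7)
    Get-EventLog -LogName 'Directory Service' -ComputerName $Computer -After (Get-Date).AddDays(-$Days) |
        Where-Object { @(2095, 2103) -contains $_.EventID }
}

# 3. Inbound replication status from "repadmin /showrepl /csv": one row per
#    (source DC, naming context). A non-zero last status or failure count must
#    be fixed before SRV records are re-weighted or physical DCs are retired.
function Get-InboundReplicationFailures {
    param([string]$Computer)
    $rows = & repadmin /showrepl $Computer /csv | ConvertFrom-Csv
    $rows | Where-Object {
        [int]$_.'Number of Failures' -gt 0 -or $_.'Last Failure Status' -ne '0'
    } | Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

if (Test-UsnRollback -Computer $Server) {
    Write-Warning "$Server is in USN rollback (Dsa Not Writable = 4). Follow KB 875495: demote, clean up metadata and re-promote, or restore a valid System State backup."
}
$events = @(Get-RollbackEvents -Computer $Server)
if ($events.Count -gt 0) { $events | Format-Table TimeGenerated, EventID -AutoSize }

$failures = @(Get-InboundReplicationFailures -Computer $Server)
if ($failures.Count -eq 0) { "Inbound replication to $Server : all partners healthy" }
else { $failures | Format-Table -AutoSize }
```

Run it against every virtual DC before the SRV-record changes on the later slides and again before decommissioning the physical DCs; a partner whose Last Success Time is older than the tombstone lifetime is beyond repair by replication and needs the same rebuild treatment as a rolled-back DC.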

Page 35

Disaster Recovery - Scenarios: Improper Restore of VM vs Proper Restore of VM

Source: Microsoft Corporation

Page 36

High Availability, Disaster Recovery Summary

Utilize DRS and HA to implement a successful recoverability solution

Always continue to follow Microsoft’s System State data best practices to back up the AD database

Default useful life of System State data: 60-180 days

Controlled by the tombstone lifetime attribute (depends on OS, SP, etc.); a backup older than the tombstone lifetime must not be restored

Microsoft does not support snapshots of DCs (KB888794; this deck predates the VM Generation ID support added in Windows Server 2012)

Continue to follow best practices around the placement of key, critical roles

Page 37

Transitioning from Physical to Virtual

Page 38

How do you successfully migrate?

Virtual machine considerations

DNS configurations

Best practices

Page 39

Virtual Machine Considerations

Size the VM’s memory to run the entire AD database in cache to avoid disk performance hits

Windows 2003 Server:

Value                 32-bit                         64-bit
RAM cache             2.75 GB (using /3GB switch)    16 GB
Approx. # of users    100,000                        2.5 million

Page 40

Virtual Machine Considerations

Add, modify, search, delete and update operations will benefit significantly from caching

Slight penalty incurred for write operations – Physical or Virtual

Microsoft’s AD Sizer can help you plan the size

Use Microsoft’s best practices and separate boot, database, log virtual disks on individual SCSI controllers to optimize write performance

Page 41

Transitioning from Physical to Virtual

Start with a fresh system state backup for recovery

Consider creating a dedicated virtual switch or virtual machine port group to isolate replication traffic

Generally single processor virtual machines are adequate for domain controllers

Validate inbound/outbound connections between physical and virtual machines

Allow 24-48 hours for replication to complete

Change the weight and/or priority of the DNS SRV records for virtual machines

Monitor the logon requests to ensure virtual machines are successfully responding

Decommission physical domain controllers

Page 42

DNS Modifications – Transitioning to VMs

Modify the weight and/or priority of the DNS SRV records

Specifically, offload the authentication requests from the PDC emulator when possible

DNS priority orders the records: clients use the DCs with the lowest priority value first and fall back to higher values only when those DCs do not respond

DNS weight is the proportional distribution of requests among DCs that share the same priority

PDC emulators should have one or both adjusted accordingly by adding:

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
LdapSrvWeight DWORD, decimal value of 25 or 50 (default 100)

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
LdapSrvPriority DWORD, decimal value of 100 or 200 (default 0)

Physical domain controllers should be adjusted similarly to decrease dependencies on the PDC emulator

Page 43

DNS Modifications

Can also be changed within DNS Manager, but Netlogon periodically re-registers its SRV records using the registry values, so set the registry and let Netlogon write the records

Registry changes do not require a reboot; restart the Netlogon service or run nltest /dsregdns to re-register the records immediately
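The registry values from the previous slide, the re-registration, and a read-back of what DNS now returns, as an added PowerShell example that is not part of the original deck. It runs on the DC being de-emphasised (a PDC emulator or a physical DC about to be retired); the domain name is a placeholder, the weight and priority values are the slide’s, and the parsing function is this example’s own. It assumes nltest.exe and nslookup.exe are present.

```powershell
# Added example (not from the original deck): de-emphasise this DC in the DC
# locator SRV records, re-register them, and read back what DNS now returns.
# Run elevated on the DC being de-emphasised. Domain name is a placeholder.
# Assumptions: nltest.exe and nslookup.exe are present (in-box on Server 2003+).
param(
    [string]$DnsDomain = 'corp.example.com',
    [int]$Weight       = 25,    # default 100; share among DCs of equal priority
    [int]$Priority     = 200    # default 0; clients prefer the lowest value (RFC 2782)
)

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# 1. Netlogon reads these when it registers its _ldap._tcp.* / _kerberos._tcp.* SRV records.
New-ItemProperty -Path $netlogon -Name LdapSrvWeight   -PropertyType DWord -Value $Weight   -Force | Out-Null
New-ItemProperty -Path $netlogon -Name LdapSrvPriority -PropertyType DWord -Value $Priority -Force | Out-Null

# 2. No reboot, but the records only change when Netlogon re-registers them;
#    force that now instead of waiting for the periodic refresh.
& nltest /dsregdns | Out-Null

# 3. Parse nslookup's SRV output into objects so priority/weight per DC can be
#    compared (Resolve-DnsName -Type SRV does this natively on PowerShell 3+).
function Get-DcSrvRecords {
    param([string]$Domain)
    $lines = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>$null
    $records = @(); $cur = $null
    foreach ($line in $lines) {
        switch -regex ($line) {
            'SRV service location'         { $cur = New-Object PSObject -Property @{ Host=''; Priority=0; Weight=0; Port=0 }; $records += $cur }
            '^\s*priority\s*=\s*(\d+)'     { if ($cur) { $cur.Priority = [int]$matches[1] } }
            '^\s*weight\s*=\s*(\d+)'       { if ($cur) { $cur.Weight   = [int]$matches[1] } }
            '^\s*port\s*=\s*(\d+)'         { if ($cur) { $cur.Port     = [int]$matches[1] } }
            '^\s*svr hostname\s*=\s*(\S+)' { if ($cur) { $cur.Host     = $matches[1] } }
        }
    }
    return $records
}

Get-DcSrvRecords -Domain $DnsDomain |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Format-Table Host, Priority, Weight, Port -AutoSize
```

Lowering the weight keeps the DC in rotation at a smaller share; raising the priority value removes it from rotation entirely while the lower-numbered DCs answer, which is the stronger setting for a physical DC you are about to decommission. Either way, watch the logon counters on the virtual DCs (slide 41) before retiring anything.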

Page 44

Best Practices

Avoid snapshots or REDOs for domain controller virtual machines

Do not suspend domain controller virtual machines for long periods

Consistent and regular System State backups are still very important

Avoid physical-to-virtual DC conversions; promote freshly built virtual machines instead, following the transition steps on the previous slides

Page 45

Virtualizing Active Directory can be done!!!

Regular System State backups

Time Synchronization

High Availability/Disaster Recovery Plan

Monitor Replication Traffic

Modify DNS SRV records to redirect logon authentications to VMs

Go back and constantly re-evaluate your strategy!!!

Page 46

Additional Information

VMware Time Sync and Windows Time Service

VMware Knowledge Base ID# 1318

Installing and Configuring NTP on VMware ESX Server

VMware Knowledge Base ID# 1339

VMware Descheduled Time Accounting

http://www.vmware.com/pdf/vi3_esx_vmdesched.pdf

How to detect and recover from a USN rollback in Windows Server 2003

http://support.microsoft.com/kb/875495

How to detect and recover from a USN rollback in Windows 2000 Server

http://support.microsoft.com/kb/885875

Page 47

Additional Information (2)

Active Directory Performance for 64-bit Versions of Windows Server 2003

http://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=en

Microsoft’s Active Directory Sizer for Windows 2000
http://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exe

Active Directory Performance Testing Tool (ADTest.exe)
http://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=en

Support policy for Microsoft software running in non-Microsoft hardware virtualization software

http://support.microsoft.com/kb/897615

How to configure an authoritative time server in Windows Server 2003

http://support.microsoft.com/kb/816042

Page 48

Thank you!!
