
Sunday, May 18, 2014

Best Practice on Virtualizing Domain Controller


Here are some guidelines for setting up a virtualized domain controller on the Hyper-V platform.
1. Keep at least one domain controller on a physical server. Do not try to be clever by virtualizing every domain controller and placing them all in the cluster: the Hyper-V hosts, the failover cluster and VMM all authenticate against Active Directory, so a cluster that holds every DC has nothing to authenticate against when it comes up cold. As long as at least one DC stays physical, you can run the others as VMs on Hyper-V, including on a Hyper-V cluster.
2. Disable Time Synchronization: uncheck it under Integration Services in the VM properties (on the Hyper-V platform).


Active Directory domain controllers already have a time hierarchy built on the Windows Time Service (w32time): the PDC emulator of the forest root takes time from an external source and every other DC syncs from the domain hierarchy. If the Hyper-V integration service also pushes the host clock into the guest, two sources fight over the clock and the DC can be pulled to the host's (possibly wrong) time, which breaks Kerberos once the skew passes five minutes. Disable the integration service and let Active Directory manage time synchronization between the virtual domain controllers.
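Step 2 done from PowerShell rather than the VM settings dialog, followed by the guest-side w32time configuration that the paragraph above describes. This is an added example, not code from the original post: the VM names DC01 and DC02 and the NTP server names are placeholders, and it assumes the Hyper-V PowerShell module on the host.

```powershell
# Added example, not code from the original post.
# Assumed VM names DC01 and DC02; runs on the Hyper-V host with the Hyper-V PowerShell module.
$dcVms = 'DC01', 'DC02'

foreach ($vm in $dcVms) {
    # Same as unchecking "Time synchronization" under Integration Services in the VM settings
    Disable-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
}

# Verify: Enabled must be False for every DC
Get-VMIntegrationService -VMName $dcVms |
    Where-Object { $_.Name -eq 'Time Synchronization' } |
    Select-Object VMName, Name, Enabled

# --- Inside the guest that holds the PDC emulator FSMO role (elevated prompt) ---
# Point it at an external, reliable time source. The NTP host names are placeholders;
# the 0x8 flag tells w32time to talk to them in client mode.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync

# --- Inside every other virtual DC ---
# Take time from the domain hierarchy only (i.e. from the PDC emulator), never from the host.
w32tm /config /syncfromflags:domhier /update
w32tm /resync

# Confirm the source: expect a DC name (or the NTP server on the PDC emulator),
# never "VM IC Time Synchronization Provider" or "Local CMOS Clock".
w32tm /query /source
```

The last command is the check worth keeping in a runbook: if any DC still reports the VM IC provider as its source, the integration service is still active for that VM.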

3. No snapshots (checkpoints) of a domain controller, unless the guest runs Windows Server 2012 or later on a hypervisor that exposes a VM Generation ID. Those versions detect that they were rolled back from a snapshot, reset the invocation ID and discard the RID pool, so replication stays consistent. Reverting a snapshot of an older DC causes USN rollback: the other DCs believe they already have the reverted changes, replication silently diverges and lingering objects appear.

4. Apply the update that helps preserve the integrity of the Active Directory database after a power loss, especially when the virtual hard disk is attached to the virtual IDE controller.

When your Hyper-V host is:

  • Windows Server 2012: install update rollup 2855336 (July 2013 update rollup)
  • Windows Server 2008 R2: install hotfix 2853952

What about turning off write caching? You cannot turn it off from Device Manager inside the guest OS; the virtual IDE disk does not honour that setting. Just apply the update and make sure write caching is turned off on the SAN or the Hyper-V host's local disks that hold the VHD.


The best option is to create a separate virtual hard disk, attach it to the SCSI controller, and move ntds.dit and the log files onto it.

  • Boot into Directory Services Restore Mode (DSRM), or stop the Active Directory Domain Services service in services.msc (possible on Windows Server 2008 and later).
  • Open an elevated command prompt, start ntdsutil and enter the following commands to move ntds.dit and the logs to E:\NTDS (the original list omitted the ntdsutil and files steps, without which the move commands are not available):

ntdsutil
activate instance ntds
files
move db to e:\ntds
move logs to e:\ntds
quit
quit

ntdsutil updates the registry paths under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters as part of the move.

  • Restart the VM (or start AD DS again) and take a fresh System State backup, because the previous backup no longer matches the database location.
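The whole relocation as a script, host side and guest side, as an added example that is not part of the original post. Assumed names: VM DC01, VHDX path D:\VMs\DC01\DC01-NTDS.vhdx, guest drive letter E:, and a separate backup volume F:; the guest part assumes Windows Server 2012 or later for the Storage cmdlets (on 2008 R2 use diskpart for that step).

```powershell
# Added example, not code from the original post. Names and paths are assumptions.

# ---- Part 1: on the Hyper-V host (Hyper-V PowerShell module) ----
$vmName  = 'DC01'
$vhdPath = 'D:\VMs\DC01\DC01-NTDS.vhdx'

# New dynamic VHDX for ntds.dit and the logs, attached to the SCSI controller
# (not IDE, which step 4 warns about). SCSI disks can be hot-added while the VM runs.
New-VHD -Path $vhdPath -SizeBytes 20GB -Dynamic | Out-Null
Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -ControllerNumber 0 -Path $vhdPath

# Confirm the new disk sits on SCSI, not IDE
Get-VMHardDiskDrive -VMName $vmName |
    Select-Object ControllerType, ControllerNumber, ControllerLocation, Path

# ---- Part 2: inside the DC guest (elevated PowerShell) ----
# Bring the new disk online as E: (Storage module, Windows Server 2012+)
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter E -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false | Out-Null

# Stop AD DS (restartable AD DS; -Force also stops dependents such as the KDC). DSRM works too.
Stop-Service -Name NTDS -Force

# ntdsutil accepts its interactive commands as arguments, so the move is scriptable.
# Same sequence as the interactive session: activate instance, files, move db, move logs.
& ntdsutil.exe "activate instance ntds" "files" "move db to E:\NTDS" "move logs to E:\NTDS" "quit" "quit"

Start-Service -Name NTDS

# Check that the registry now points at the new location
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' |
    Select-Object 'DSA Database file', 'Database log files path'

# Fresh System State backup (requires the Windows Server Backup feature)
wbadmin start systemstatebackup -backupTarget:F: -quiet
```

Run Part 1 on the host and Part 2 in the guest as two separate sessions; the registry check at the end is the quick proof that the move took effect before you rely on the new backup.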

5. Never leave a domain controller VM paused, saved or powered off for longer than the tombstone lifetime. The default depends on the operating system with which the forest was created:

  • Windows Server 2003 (forest created before SP1): 60-day tombstone lifetime
  • Windows Server 2003 SP1 and later: 180-day tombstone lifetime

A DC that has been out of replication longer than that holds lingering objects and is refused replication by its partners; the safe recovery is to forcibly demote it, clean up its metadata and promote it again, not to simply resume it.
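A check that turns the rule above into something you can run on a schedule: read the forest's actual tombstone lifetime (falling back to the 60-day default when the attribute is unset) and flag any DC whose last successful inbound replication is older than that. Added example, not code from the original post; it needs the ActiveDirectory module from RSAT or Windows Server 2012 or later.

```powershell
# Added example, not code from the original post. Needs the ActiveDirectory module
# (RSAT / Windows Server 2012 or later) and a connection to the domain.
Import-Module ActiveDirectory

# The tombstone lifetime is stored on the Directory Service object in the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj    = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime

# Attribute absent => forest was created before 2003 SP1 and still uses the 60-day default.
$tombstoneDays = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tombstoneDays days"

$limit = (Get-Date).AddDays(-$tombstoneDays)

# For every DC, find the most recent successful inbound replication. A DC whose last
# success is older than the tombstone lifetime was paused, saved or off for too long and
# must not simply be resumed into the domain.
foreach ($dc in Get-ADDomainController -Filter *) {
    $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound `
                                             -ErrorAction SilentlyContinue
    $last = ($meta | Sort-Object LastReplicationSuccess -Descending |
             Select-Object -First 1).LastReplicationSuccess
    [pscustomobject]@{
        DC                 = $dc.HostName
        LastInboundSuccess = $last
        DaysSinceSuccess   = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
        PastTombstoneLimit = if ($last) { $last -lt $limit } else { 'unreachable' }
    }
}
```

A DC that comes back as "unreachable" is exactly the case to worry about: it may be the paused VM. Treat a value approaching the limit as an alert rather than waiting for it to be exceeded.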

6. Create multiple Active Directory VMs and spread them across multiple hosts. Configure an availability set. Availability sets keep virtual machines apart so they do not run on the same physical host. Inside a Hyper-V failover cluster this works through anti-affinity rules; with System Center Virtual Machine Manager you can do it even with standalone hosts, which makes sense because you can move virtual machines without downtime across your whole datacenter via Shared Nothing Live Migration.

If you create an availability set in Virtual Machine Manager for two virtual machines, Virtual Machine Manager attempts to keep those virtual machines on separate hosts and avoids placing them together whenever possible. This keeps the service available while hosts are being updated, especially for workload farms.
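Both ways of expressing the rule, first through VMM and then directly on the failover cluster for environments without VMM, as an added example that is not code from the original post. The VM names DC01 and DC02, the availability set name and the anti-affinity class name are assumptions; it needs the VMM PowerShell module for the first part and the FailoverClusters module for the second.

```powershell
# Added example, not code from the original post. Assumed VM names DC01/DC02, availability
# set 'DC-AvailabilitySet' and anti-affinity class 'DomainControllers'.
$dcNames = 'DC01', 'DC02'

# ---- With System Center Virtual Machine Manager (VMM PowerShell module) ----
foreach ($vm in (Get-SCVirtualMachine | Where-Object { $dcNames -contains $_.Name })) {
    # Membership in the same availability set makes VMM placement prefer different hosts
    Set-SCVirtualMachine -VM $vm -AvailabilitySetNames @('DC-AvailabilitySet') | Out-Null
}
Get-SCVirtualMachine | Where-Object { $dcNames -contains $_.Name } |
    Select-Object Name, HostName, AvailabilitySetNames

# ---- Without VMM: plain Failover Clustering anti-affinity (FailoverClusters module) ----
# On clustered hosts VMM maps availability sets onto this same AntiAffinityClassNames
# property; setting it by hand gives the same (soft) separation rule.
foreach ($name in $dcNames) {
    $group   = Get-ClusterGroup -Name $name            # the VM's clustered role
    $classes = New-Object System.Collections.Specialized.StringCollection
    $classes.Add('DomainControllers') | Out-Null
    $group.AntiAffinityClassNames = $classes
}

# Verify: both DCs list the class and, after the next failover or migration, sit on different nodes
Get-ClusterGroup | Where-Object { $dcNames -contains $_.Name } |
    Select-Object Name, OwnerNode, @{ n = 'AntiAffinity'; e = { $_.AntiAffinityClassNames -join ',' } }
```

Anti-affinity in Failover Clustering is a preference, not a hard constraint: if only one node is left, both DCs will run on it. That is another reason step 1 keeps a physical DC outside the cluster.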

7. Back up the System State. Always back up the Active Directory System State with a supported backup tool; you will need it when disaster strikes, and a System State backup (not a snapshot or a copied VHD) is the only thing you should restore a DC from.

Hope these guidelines help.



  2. Hi,

    I have a Failover Cluster running Windows 2012 STD. The Cluster has two VMs: a Domain Controller, an Exchange 2010 and soon a SharePoint 2013. The first two run Windows 2008 R2 STD; the third will run Windows 2012.

    Now I'm planning to deploy a free backup solution, and I read your review of the PHD Virtual Backup for Hyper-V, and I have some questions:

    Do you recommend PHD Virtual Backup to back up my DC? If so, what else do I need to consider? I have already disabled Time Synchronization and deployed a physical DC.

    Do I need to install the update rollup 2853952 on my Virtual DC?

    Thanks in advance.

  3. Yes. KB2853952 on the guest OS as well. PHD Virtual Backup is also a good backup solution. You can try it first during the eval to see if it fits.