VMware vSphere


HA and Domain Controllers

  • 1.  HA and Domain Controllers

    Posted Jun 18, 2012 11:37 PM

    Good day. We are currently working on moving our entire environment into a virtualized environment. I was working on our backup/disaster recovery plan and have a question. Would I need a Backup DC in our environment if we were to set the Primary DC with HA?

    I am unsure if we would need a Backup DC if we had HA because it seems to me that in case of a VM failure or worse yet hardware failure, it would simply move the VM to another piece of hardware in the cluster.

    Any input is greatly appreciated.



  • 2.  RE: HA and Domain Controllers

    Posted Jun 19, 2012 12:22 AM

    First off, do not do snapshots of domain controllers... it can cause some big problems if you roll back to a snapshot. Secondly, be sure that ALL hosts have the correct time set; that can also cause some big problems. While doing repair on an ESXi host we forgot to set the time correctly, and our PDC emulator ended up doing a vMotion to that server. There were no problems initially, but the server ended up getting updates and we rebooted it. On reboot the server got the host's time, which was wrong, and it resulted in a lot of pain for us. Such a simple thing caused huge problems.

    As far as backups go, I think that a system state backup should be enough in case any issues arise.
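
    The host-clock check described in the post above, as an added example that is not part of the original thread: a PowerCLI audit of every ESXi host in a cluster for NTP configuration and clock skew. It assumes an existing `Connect-VIServer` session; the cluster name `Prod-Cluster` and the 5-second threshold are placeholders.

```powershell
# Added example. Requires VMware PowerCLI and an existing Connect-VIServer session.
# 'Prod-Cluster' and $maxSkewSec are assumed placeholders.
$clusterName = 'Prod-Cluster'
$maxSkewSec  = 5

$report = foreach ($vmhost in Get-Cluster -Name $clusterName | Get-VMHost) {
    # Ask the host for its own clock (returned in UTC) via the DateTimeSystem object.
    $dts      = Get-View -Id $vmhost.ExtensionData.ConfigManager.DateTimeSystem
    $hostTime = $dts.QueryDateTime()

    # Skew is measured against the machine running this script,
    # so that machine must itself be time-synchronised.
    $skew = [math]::Abs(($hostTime - (Get-Date).ToUniversalTime()).TotalSeconds)

    $ntpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'ntpd' }

    [pscustomobject]@{
        Host        = $vmhost.Name
        NtpServers  = (Get-VMHostNtpServer -VMHost $vmhost) -join ','
        NtpdRunning = $ntpd.Running
        NtpdPolicy  = $ntpd.Policy          # 'on' = start and stop with the host
        SkewSeconds = [math]::Round($skew, 1)
        Suspect     = (-not $ntpd.Running) -or ($skew -gt $maxSkewSec)
    }
}

# Hosts with a stopped NTP daemon or excessive skew sort to the top.
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

    Running this after any host repair, and before the host leaves maintenance mode, catches the wrong-clock condition before a domain controller can be moved onto it.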



  • 3.  RE: HA and Domain Controllers
    Best Answer

    Posted Jun 19, 2012 06:28 AM

    1. HA does nothing for the situations of corrupt OS installations, failed services, or any series of Windows related difficulties that can bring a server offline

    2. When a host fails, all your guests on that host are going to restart due to HA. This means most of them will boot before the Domain Controller, and thus, fail to boot correctly. You'll also find that, during this time, all the guests on unaffected hosts are also offline, as they have no DC.

    In short, a DC is something very easy to make a second of, you'd be hard pressed to come up with an argument not to do it. A server with no other roles can run on 1GB RAM and use virtually no CPU.

    Edit: The terms "Primary DC" and "Backup DC" make no sense, as Domain Controllers are Multi-Master. Neither will ever be a "backup".



  • 4.  RE: HA and Domain Controllers

    Posted Jun 19, 2012 01:55 PM

    The terms "Primary DC" and "Backup DC" make no sense, as Domain Controllers are Multi-Master.

    The classic terms PDC and BDC have not been around since NT4; however, the "PDC emulator" is still here and has more functions than one typically is aware of: http://rickardnobel.se/archives/837

    Anyway, I totally agree that there is hardly ever any reason for not having multiple Domain Controllers. Even without any disaster failover in mind, it is very much recommended to have at least two, which makes domain logon and other functions available even when one of the DCs is just rebooting.



  • 5.  RE: HA and Domain Controllers

    Posted Jun 19, 2012 08:13 AM

    Hi,

    Yes, you should always have more than one domain controller where possible - and as mentioned here already, if you have a virtual infrastructure I see no reason not to have more than one, other than Windows OS licensing cost - which is worth it for the resilience multiple DCs will give you.

    If nothing else, it's best practice to split the Active Directory FSMO roles across domain controllers.



  • 6.  RE: HA and Domain Controllers

    Broadcom Employee
    Posted Jun 19, 2012 11:57 AM

    Always go for multiple DCs and DNS servers. There is a reason these are typically "scale out" constructs. Yes, HA can help here getting the VMs up and running, but you will incur downtime; you can easily prevent this by having multiple instances. Make sure to separate these though by using affinity rules!
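
    The separation rule recommended in the post above, as an added example that is not part of the original thread: a PowerCLI sketch that reports where the domain controller VMs currently run and creates a DRS anti-affinity rule for them if none exists. It assumes an existing `Connect-VIServer` session and a DRS-enabled cluster; `Prod-Cluster`, `DC01`, `DC02` and the rule name are placeholders.

```powershell
# Added example. Requires VMware PowerCLI and an existing Connect-VIServer session.
# Cluster, VM and rule names below are assumed placeholders.
$cluster = Get-Cluster -Name 'Prod-Cluster'
$dcs     = Get-VM -Name 'DC01', 'DC02' -Location $cluster

# Rules are only enforced when DRS is enabled on the cluster.
if (-not $cluster.DrsEnabled) {
    Write-Warning "DRS is disabled on $($cluster.Name); the rule will not be enforced."
}

# Show current placement before changing anything.
$dcs | Select-Object Name, @{ N = 'Host'; E = { $_.VMHost.Name } } | Format-Table

# Look for an existing anti-affinity rule covering exactly these VMs.
$existing = Get-DrsRule -Cluster $cluster | Where-Object {
    (-not $_.KeepTogether) -and (-not (Compare-Object $_.VMIds $dcs.Id))
}

if (-not $existing) {
    # KeepTogether = $false makes this a "separate virtual machines" rule.
    New-DrsRule -Cluster $cluster -Name 'Separate-DomainControllers' `
                -KeepTogether $false -VM $dcs -Enabled $true
}

# Flag the case where the DCs currently share one host.
$hostsInUse = @($dcs.VMHost.Name | Select-Object -Unique)
if ($hostsInUse.Count -lt @($dcs).Count) {
    Write-Warning "Domain controllers share a host: $($hostsInUse -join ', ')"
}
```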



  • 7.  RE: HA and Domain Controllers

    Posted Jun 19, 2012 04:06 PM

    Thank you all for your insight. It looks like I will create a second DC.

    But the second part of my question I don't believe has been answered. If I were to add a secondary DC, should I still enable HA and would HA work correctly in case of VM or hardware failure or should I only rely on backups of the system state and the multiple DC environment for recovery of failure?

    Thank you



  • 8.  RE: HA and Domain Controllers

    Posted Jun 19, 2012 04:10 PM

    HA only protects you against hardware failure in your ESX hosts. Absolutely you should still take system state backups of your DCs and have multiple DCs etc to protect you against any problems in the OS such as, for example, viruses or issues with patches or AD corruption etc etc



  • 9.  RE: HA and Domain Controllers

    Posted Jun 19, 2012 04:21 PM

    But would it still be recommended to enable HA?



  • 10.  RE: HA and Domain Controllers

    Posted Jun 19, 2012 04:45 PM

    mig1980 wrote:

    But would it still be recommended to enable HA?

    Yes. HA does only restart your VMs on some other host if the running physical host fails.

    You could think of it as someone who lives in a traditional server room and if power goes on any server he rushes over and pushes the power button. This would be good for a physical Domain Controller and will be good for a virtualized DC too.



  • 11.  RE: HA and Domain Controllers

    Posted Jun 20, 2012 04:56 AM

    mig1980 wrote:

    But would it still be recommended to enable HA?

    What about all your VMs that are not domain controllers?

    You'll surely want them protected - which involves turning on HA.