VMware vSphere


VMotion & Active Directory

  • 1.  VMotion & Active Directory

    Posted Apr 15, 2009 07:01 PM

    Hi all,

    First post here. I have been reading up on the communities here as well as googling to find the answer to my VMware / AD question but have not found a definitive answer to it:

    Most say it is NOT recommended to enable snapshots on an AD VM as AD corruption may occur. If that is the case, does this mean AD VMs should not be VMotioned as well seeing as when you VMotion, you're taking a snapshot?

    What are the recommendations/experiences with VMotion and AD that you all have?

    Thanks,

    Veei



  • 2.  RE: VMotion & Active Directory

    Broadcom Employee
    Posted Apr 15, 2009 07:20 PM

    From my experience, I have never seen "corruption" from utilizing a snapshot with a DC. In general, the problems that I have seen are when a snapshot that has been active on a system for a long time is reverted and not committed; security IDs or passwords have been changed in the meantime, which causes all sorts of problems with AD and with servers connecting to AD.

    Thus I always recommend keeping a snapshot on a VM for as little time as possible.



  • 3.  RE: VMotion & Active Directory

    Posted Apr 15, 2009 09:08 PM

    I just finished a project where we moved all the domain controllers into ESX/ESXi. We set up vmotion for all the clusters involved, and haven't had a single problem. Like mentioned before, I think the 'concern' with DCs in VMware is when you take snapshots and then put 'past' snapshots online -- that causes the domain to get out of sync. It's the same thing as if you had two domain controllers, imaged one of them, and then put that image back on one year from now -- the domain controllers are going to be really unhappy.

    Like previous poster said, I do take snapshots of my entire environment (for troubleshooting purposes) once a day, but I don't keep them around more than a day or two (unless I need them), and they only go back online in a test environment.



  • 4.  RE: VMotion & Active Directory

    Posted Apr 16, 2009 12:58 AM

    I agree with the other posters. Also, VMotion does not take a snapshot of the disk.

    If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful



  • 5.  RE: VMotion & Active Directory

    Posted Apr 16, 2009 01:52 PM

    Make the disk housing SYSVOL Independent / Persistent. Then you don't have to worry about someone inadvertently creating a snapshot that introduces a stale Domain Controller back into the directory.



  • 6.  RE: VMotion & Active Directory

    Posted Apr 16, 2009 02:20 PM

    Good idea, hicksj.

    Carl



  • 7.  RE: VMotion & Active Directory

    Posted Apr 16, 2009 04:12 PM

    I swore when I went to training for VMware that the instructor said that VMotion uses a snapshot. Looking over my course materials, it says "memory bitmap" that it uses. It creates a memory bitmap on the originating server, logs ongoing memory changes while VM moves from ESX A to ESX B, then writes the memory changes to B once VM is moved and does an ARP broadcast. So, is a memory bitmap not a snapshot? I mean, it's putting the VM into a state where no more changes can be made, then logging all changes to a "bitmap" then committing those changes once moved. Is that not the same as what a snapshot does?

    Anyway, that's more a technicality, as everyone here is saying snapshots are not bad but reverting to a snapshot after too long will cause AD problems.

    So, am I correct in that you all are saying that it is ok to take snapshots on an AD VM and commit it so long as the length of the snapshot is not beyond what the tombstone date would be for a system state backup? Most posts I've read say that you should set your drives to Independent / Persistent to make sure no one ever takes a snapshot inadvertently.



  • 8.  RE: VMotion & Active Directory
    Best Answer

    Posted Apr 16, 2009 04:21 PM

    It does not make a disk snapshot for vmotion. It does take a bitmap of ram, send that to the destination esx server, copy changes to ram during the vmotion over and run hand off processing.

    I don't take snaps of my ad for any reading except for applying that snap into a test environment. You wouldn't want to put snaps of ad online, it's just not good practice in my opinion.

    I wouldn't want to prohibit snaps, so I don't go to one of the disk modes.



  • 9.  RE: VMotion & Active Directory

    Posted Apr 16, 2009 04:44 PM

    Well, it appears people do run AD within VMware. The advantages of utilizing "HA" make good sense until "FT" comes out this year.

    I ran my first "DC" in VMware this last week. Simple install of Win2k3 R2 -> then dcpromo. I ran a NetApp Snap Manager for VI and the next day the Net Logon service had crashed. Related? Not sure... Didn't find entries in the event log saying time drift occurred. The machine only had 512 MB memory, so perhaps that was the issue?

    From what I heard:

    A) All domain controllers are meant to be up and running at all times; they are constantly talking to each other, ensuring the AD is secure and healthy.

    B) You might be better off with some agent inside the VM that backs up AD to disk or tape, this way leaving the machine on and active. (Veritas BU Exec 12 has an add-on for "AD".)

    C) Time sync is huge too. Windows domains, I believe, come with the w32 time service on all machines. You designate one DC to go outside and sync with an INTERNET time server (Microsoft, for example). All other DCs sync accordingly and basically the whole domain remains in sync. Check event logs to see who they sync with (pretty sure on this)... How this applies to you: with VMware Tools, don't have them sync with ESX. Let them sync with "AD" naturally. Also, on the ESX server you could have ESX sync with your internal time server. This is how I have it set up. Which is better: ESX -> VM, or VM -> internal domain time server?

    Not sure, but one must make a choice?

    Open to hear other people's opinions.

    PS: I've demoted that DC.
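    The time-sync points in (C) can be checked on the DC itself. The script below is an added example, not something posted in this thread or shipped by VMware; it assumes it runs in an elevated PowerShell session on the virtual DC, that VMware Tools is installed in its default location, and it uses only the real `w32tm` and `VMwareToolboxCmd.exe` command-line tools. It reports the source w32time is following and whether VMware Tools host time sync is also enabled, which is the double-clock situation the post advises against.

```powershell
# Added example (not from this thread or from VMware): report how a virtual DC is actually keeping time.
# Assumptions: elevated PowerShell on the DC itself; VMware Tools installed at its default path.
$ToolboxCmd = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'

function Get-DcTimeSyncReport {
    # w32tm reports the peer this machine syncs from, or 'Local CMOS Clock' / 'Free-running System Clock'
    # when it is not following the domain hierarchy (or an external NTP source) at all.
    $source = ((& w32tm /query /source 2>&1) -join ' ').Trim()

    # VMware Tools periodic time sync: 'Enabled' means the guest is also being stepped from the ESX host,
    # so it has two competing time sources.
    $toolsSync = if (Test-Path $ToolboxCmd) {
        ((& $ToolboxCmd timesync status 2>&1) -join ' ').Trim()
    } else {
        'VMware Tools not found at the default path'
    }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        TimeSource            = $source
        FollowsHierarchyOrNtp = ($source -notmatch 'Local CMOS Clock|Free-running')
        ToolsTimeSync         = $toolsSync
        ToolsSyncEnabled      = ($toolsSync -match '^Enabled')
    }
}

# Flag the two configurations the post warns about: a DC on its own clock, and a DC that lets
# VMware Tools sync it from the host while it is also part of the domain time hierarchy.
$report = Get-DcTimeSyncReport
$report | Format-List
if (-not $report.FollowsHierarchyOrNtp) {
    Write-Warning "$($report.Computer) is not syncing from any time source (local clock only)."
}
if ($report.ToolsSyncEnabled) {
    Write-Warning "$($report.Computer) has VMware Tools host time sync enabled alongside w32time."
}
```

    On the DC holding the PDC emulator role the expected TimeSource is the external server it was pointed at; on every other DC it should be another DC in the domain. Either way, ToolsSyncEnabled should be false if the guest is meant to follow the domain hierarchy rather than the ESX host.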



  • 10.  RE: VMotion & Active Directory

    Posted Apr 16, 2009 05:53 PM

    Thank you for the clarification on snapshots vs VMotion memory bitmaps. So, VMotion on AD VMs = OK.

    As for snapshots and AD VMs, I'm a little confused. We have two people in the thread saying that you should not utilize snapshots at all, and two that say they use them.

    According to community user cs_vmware in this thread: http://communities.vmware.com/message/502256#502256

    "You should NOT take snapshots or copies of virtual DC's and use these for recovery. You need to do a proper system state restore via NTBACKUP, Backup Exec, etc. This is because when you do a proper restore, a flag is set by Windows 2000/2003 to alert other DC's that a DC has been restored in the forest. Think this is called the "invocation ID" or something similar."

    So, which is it? Use snapshots but don't wait too long to commit, or don't use them at all?



  • 11.  RE: VMotion & Active Directory

    Posted Apr 16, 2009 06:01 PM

    I think if you are using snapshots then realize you won't be mounting them back into real-time; others mount them back to a test location. But then ask yourself, what good is the snap if nothing is really "usable" from the snap?

    Really? If you have other physical "DC" servers in your domain then I'm sure you've chosen some method to back them up, system state + (AD) etc... Are you saying all of your DCs are in VMware?

    Then you definitely need some other method than snapping.

    Great question and thread!

    Kyle



  • 12.  RE: VMotion & Active Directory

    Broadcom Employee
    Posted Apr 16, 2009 06:03 PM

    The problem is not with the 'snapshot' technology, but rather with how AD works. Snapshots basically pause the disk and write all changes to a temporary delta file. Thus if a snapshot is reverted we go back to the original state as of the date the snapshot was taken. So if you have a snapshot that is active for an extended period of time, and during that time the passwords etc. which AD uses to talk to the network and to other DCs are changed (as they automatically are for security purposes), then when the snapshot is reverted to the original state, it will not know about the new passwords and will ultimately fail to replicate etc. etc., causing a multitude of problems.

    That is why you should never have a snapshot for longer than is absolutely required. I have also seen this behavior with servers connecting to AD, where the computer account password changes and therefore, when the snapshot is reverted, it can no longer talk to the domain.

    Cheers,

    /Jonathan
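    The two controls this thread keeps coming back to are short-lived snapshots (posts 2 and 12) and, optionally, Independent/Persistent disks on the DC (post 5). The PowerCLI script below is an added example, not code from this thread or from VMware; it assumes the VMware PowerCLI module is loaded, that `Connect-VIServer` has already been run against vCenter, and that DC VMs can be picked out by a name pattern (`DC*` here is a placeholder for your own naming scheme). It lists every snapshot on those VMs with its age, marks the ones older than a threshold, and reports disks whose mode still allows them to be snapshotted.

```powershell
# Added example (not from this thread or from VMware): audit domain-controller VMs for lingering
# snapshots and for disks that are not Independent/Persistent.
# Assumptions: PowerCLI loaded, Connect-VIServer already run; DC VMs match a name pattern.
function Get-DcSnapshotRisk {
    param(
        [string]$NamePattern = 'DC*',   # placeholder: adjust to your DC naming convention
        [int]$MaxAgeDays = 2            # matches the "day or two" several posters keep snapshots for
    )
    $now = Get-Date

    foreach ($vm in Get-VM -Name $NamePattern) {
        # Open snapshots: the longer one exists, the more machine-account and trust passwords
        # will have rotated underneath it, which is what makes a revert so damaging to AD.
        foreach ($snap in Get-Snapshot -VM $vm) {
            $ageDays = (New-TimeSpan -Start $snap.Created -End $now).Days
            [pscustomobject]@{
                VM      = $vm.Name
                Finding = 'Snapshot'
                Detail  = "$($snap.Name) (created $($snap.Created))"
                AgeDays = $ageDays
                Risk    = if ($ageDays -gt $MaxAgeDays) { 'HIGH: older than threshold' } else { 'watch' }
            }
        }

        # Disk mode: anything other than IndependentPersistent can be captured by a snapshot.
        # Reported as informational, since post 8 explains why some admins deliberately keep snapshots allowed.
        foreach ($disk in Get-HardDisk -VM $vm) {
            if ($disk.Persistence -ne 'IndependentPersistent') {
                [pscustomobject]@{
                    VM      = $vm.Name
                    Finding = 'DiskMode'
                    Detail  = "$($disk.Name): $($disk.Persistence)"
                    AgeDays = $null
                    Risk    = 'info: disk can be snapshotted'
                }
            }
        }
    }
}

Get-DcSnapshotRisk -NamePattern 'DC*' -MaxAgeDays 2 | Sort-Object VM, Finding | Format-Table -AutoSize
```

    Run from a scheduled task against vCenter, the HIGH rows are the ones to chase: a snapshot on a DC that has outlived the team's own retention rule is the precondition for the stale-password failure described above, whether or not anyone ever intends to revert it.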



  • 13.  RE: VMotion & Active Directory

    Posted Apr 16, 2009 06:11 PM

    I agree with jmcdonald. Besides, from a DR perspective, if all the DC is doing is authentication and, heaven forbid, you lose the VM itself, how hard is it really to create a brand new VM and promote it to a DC?

    Not hard! So you gotta ask yourself what are you attempting to do and why.

    Kyle



  • 14.  RE: VMotion & Active Directory

    Broadcom Employee
    Posted Apr 16, 2009 06:15 PM

    Too true. This is personally why I never recommend cloning a DC; just promote and demote as necessary, it is neither a hard nor a time-consuming task.

    Cheers,

    /Jon



  • 15.  RE: VMotion & Active Directory

    Posted Apr 16, 2009 10:27 PM

    Wow, the VMware community is really great. Thank you all for the responses. It is very much appreciated!

    I think that pretty much answers all my questions. VMotion on AD = OK, Snapshots on an AD VM = NO.

    This is pretty much confirmed, as I have a DC set with drives as Independent / Persistent and it did not give any warnings when going through the migration wizard.

    I hadn't planned on using snapshots with AD in the first place due to other posts I had read, but was wrongly under the impression that VMotion pretty much did that, hence the post hehe. We use Backup Exec and I do System State backups once a day of all DCs. I wanted to be sure of the VMotion as the most recent DC I virtualized is one of the DCs for the root of the tree and I'm being overly careful due to it!! For the remaining physical DC for the root, I moved all FSMO roles to it and am in the process of confirming that the virtual DC is time syncing correctly.

    As a side note, since some were talking about cloning/converting a DC, when P2V'ing the DC in question, I demoted it before the conversion. After getting it up and running in VMware, I promoted it again. Had a few DNS problems which I'm still ironing out but, otherwise, AD seems happy so far. If that DC is the only one for a domain, I'd probably create a temporary second server, promote it, then demote the original and clone.

    In case you're interested, as a final and further derailing side note on P2V'ing a DC, I had to open a ticket with VMware to get around a bug with the converter that wouldn't allow for the creation of a vmdk larger than 999GB. There was a 2TB drive on the physical and I had to set the disk size in the converter wizard to minimum. Once it finished, it had errors so I had to reconfigure the VM. After that, I had to use vmkfstools to resize the vmdk and, luckily since it's a Win 2k8 server, I just expanded the partition from the guest OS.

    Thanks again to everyone for their help and advice!



  • 16.  RE: VMotion & Active Directory

    Posted Apr 20, 2009 05:43 PM

    I would like to know more about your DNS issues; if you have time, please post them!

    Kyle