Common mistakes to avoid when virtualizing domain controllers

Learn best practices when virtualizing domain controllers!

Server virtualization platforms (like Microsoft Hyper-V) have simplified the creation of new virtual machines. It is still important to follow best practices when creating new virtual machines, and this is especially true when virtualizing domain controllers.

You can create a domain controller the same way as any other virtual server. That said, Microsoft recommends creating virtual domain controllers in a way that provides higher levels of security and reliability.

In this article, I will share 4 common mistakes to avoid when virtualizing domain controllers.

4 Common Mistakes to Avoid When Virtualizing Domain Controllers

Domain controller virtualization requires extra configuration for greater security and reliability, and you may encounter obstacles along the way. Here are four common mistakes to avoid when virtualizing domain controllers.

1. Depending too much on virtualization

Ironically, one of the most common mistakes with virtualized domain controllers is relying too much on virtualization. This concentrates risk in the virtualization platform: a malfunction of the platform affects every system running on it, including all of the domain controllers.

Microsoft recommends having at least one physical domain controller for each domain. That way, a domain controller remains functional even if the entire virtualization platform fails. You also avoid unnecessary risk and reduce the impact of a major failure.

2. Overlooking trust boundaries

In a large company, it is extremely rare for a single administrator to oversee everything. Instead, administrators are usually responsible for a particular aspect of the company’s infrastructure. For example, virtualization administrators and storage administrators each oversee their own areas of responsibility.

This model breaks down once domain controllers are virtualized. According to Microsoft, “The administrator on the host computer has the same access as a domain administrator on the guest of the writable domain controller and should be treated as such.”

This problem and other similar trust issues have led some companies to deploy dedicated Hyper-V clusters. Such clusters only run domain controllers and other Tier 1 assets. The Active Directory team also manages them instead of the virtualization team.

3. Using the wrong disk type

When configuring a virtualized domain controller, it is essential to consider the configuration of the virtual hard disk. One of Microsoft’s best practices is to avoid using differencing disks.

Differencing disks, like dynamically expanding virtual hard disks, can suffer from performance issues. More importantly, differencing disks make it easy to revert the virtual machine to a previous state by accident.

When virtualizing domain controllers, you must create fixed-size virtual hard disks. Although these disks initially consume more space than dynamically expanding disks, they provide better overall performance.

Microsoft also recommends using virtual SCSI disks rather than IDE disks. This means that you must create domain controllers as generation 2 virtual machines.

A screenshot of the "Choose Disk Type" page in the New Virtual Hard Disk wizard.
Virtual domain controllers should use fixed-size virtual hard disks.

4. Cloning and restoring virtual machines

Virtualization platforms like Hyper-V make it easy to clone a virtual machine. They also make it easy to use snapshots and other mechanisms to restore a virtual machine to a previous state without restoring a backup. That said, these capabilities can cause serious problems for virtualized domain controllers.

As a general rule, you should never take a checkpoint of a virtualized domain controller. You should also not export a domain controller or attempt to clone or copy the virtual machine. Similarly, you should never pause a virtual domain controller for longer than the tombstone lifetime.

Each of these actions can lead to a rollback. A rollback causes domain controllers to get out of sync, which can make Active Directory replication fail.

A screenshot of the Checkpoints Production tab in Windows 10 Security Settings.
Disable checkpoints for virtual domain controllers to prevent them from being created by accident.
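The following script is an added example (not code from the article or from Microsoft) that audits Hyper-V virtual machines hosting domain controllers against the recommendations in mistakes 3 and 4 and the clock FAQ below, and shows how to correct the settings that can be fixed in place. It assumes it runs on the Hyper-V host with the Hyper-V PowerShell module; the VM names, VHD path, switch name and disk size are hypothetical placeholders.

```powershell
# Added example (not from the article): audit Hyper-V VMs that host domain
# controllers against the recommendations above. Run on the Hyper-V host with
# the Hyper-V PowerShell module. VM names, paths and switch name are placeholders.
Import-Module Hyper-V

function Test-DcVmConfig {
    param([Parameter(Mandatory)][string[]]$VMName)
    foreach ($name in $VMName) {
        $vm = Get-VM -Name $name
        $findings = New-Object System.Collections.Generic.List[string]

        # Mistake 3: generation 2 VMs boot from virtual SCSI rather than IDE disks.
        if ($vm.Generation -ne 2) { $findings.Add("Generation $($vm.Generation) VM; generation 2 is recommended") }
        foreach ($drive in Get-VMHardDiskDrive -VMName $name) {
            if ($drive.ControllerType -ne 'SCSI') { $findings.Add("Disk on $($drive.ControllerType) controller: $($drive.Path)") }
            # Mistake 3: differencing and dynamically expanding disks are discouraged.
            $vhd = Get-VHD -Path $drive.Path
            if ($vhd.VhdType -ne 'Fixed') { $findings.Add("$($vhd.VhdType) disk instead of Fixed: $($drive.Path)") }
        }

        # Mistake 4: disable checkpoints so nobody reverts the DC by accident.
        if ($vm.CheckpointType -ne 'Disabled') { $findings.Add("CheckpointType is $($vm.CheckpointType); set it to Disabled") }

        # FAQ below: the DC must not take its clock from the host.
        $timeSync = Get-VMIntegrationService -VMName $name -Name 'Time Synchronization'
        if ($timeSync.Enabled) { $findings.Add('Time Synchronization integration service is enabled') }

        [pscustomobject]@{ VMName = $name; Compliant = ($findings.Count -eq 0); Findings = $findings }
    }
}

# The two settings that can be corrected in place on an existing VM.
function Protect-DcVm {
    param([Parameter(Mandatory)][string]$VMName)
    Set-VM -Name $VMName -CheckpointType Disabled
    Disable-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
}

# Creating a new DC VM the recommended way: fixed-size VHDX on a generation 2 VM.
function New-DcVm {
    param([string]$Name, [string]$VhdPath, [string]$SwitchName)
    New-VHD -Path $VhdPath -SizeBytes 80GB -Fixed | Out-Null
    New-VM -Name $Name -Generation 2 -MemoryStartupBytes 4GB -VHDPath $VhdPath -SwitchName $SwitchName | Out-Null
    Protect-DcVm -VMName $Name
}

Test-DcVmConfig -VMName 'DC01', 'DC02' | Format-List
```

A VM already on IDE controllers or a differencing disk cannot be fixed by a property change; the audit only reports it so you can rebuild the VM as a generation 2 machine with a fixed-size disk.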

The bottom line

When it comes to virtualizing domain controllers, it is essential to configure them for security and reliability. You must also take steps to prevent rollback because such an event could interrupt AD replication. This will ensure a successful virtualization process.

In this article, I’ve explained four of the most common errors you might encounter when virtualizing domain controllers. I’ve also provided tips on how to avoid each of these mistakes.

Have more questions about domain controller virtualization? Check the FAQ and Resources sections below.

FAQ

What is a USN Rollback?

A USN rollback is a condition that occurs when you revert a domain controller to an earlier state by a method other than a supported backup restore. When it happens, replication stops or produces many errors. Click here to learn more about detecting USN rollback.
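As an added example (not from the article), the following check reads the indicators that Windows itself sets when it detects a USN rollback: Event ID 2095 in the Directory Service log, the "Dsa Not Writable" registry value under the NTDS Parameters key, and the paused Netlogon service. It assumes an elevated PowerShell session on the domain controller being checked.

```powershell
# Added example (not from the article): look for the signs of a detected USN
# rollback on this domain controller. Run elevated on the DC itself.
function Test-UsnRollback {
    param([int]$DaysBack = 30)   # how far back to search the Directory Service log

    # Windows sets "Dsa Not Writable" to 4 when it has quarantined the DC after a rollback.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaNotWritable = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # Event 2095 is logged when a replication partner's USN went backwards.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095
        StartTime = (Get-Date).AddDays(-$DaysBack)
    } -ErrorAction SilentlyContinue

    # Netlogon is paused as part of the quarantine, so the DC stops advertising itself.
    $netlogonPaused = (Get-Service -Name Netlogon).Status -eq 'Paused'

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DsaNotWritable    = $dsaNotWritable
        RollbackEvents    = @($events).Count
        NetlogonPaused    = $netlogonPaused
        RollbackSuspected = ($dsaNotWritable -eq 4) -or (@($events).Count -gt 0) -or $netlogonPaused
    }
}

Test-UsnRollback -DaysBack 30
```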

What Active Directory infrastructure components require special consideration when virtualized?

You should configure domain controllers to give them more security and reliability than most other virtual servers. That said, domain controllers can’t work without DNS, so you need to pay special attention to DNS servers. Similarly, Azure AD Connect servers should also receive the same care as domain controllers.

What are the best practices for virtual domain controller clocks?

Virtual servers normally synchronize their clocks with the Hyper-V host. However, hosts may have their clocks set differently from each other. Active Directory depends on accurate time, so you should disable the Time Synchronization integration service and synchronize domain controllers with an NTP server instead.
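The following script is an added example (not from the article) of configuring and verifying the guest side of this advice once the Time Synchronization integration service has been disabled on the host. It goes slightly beyond the FAQ by applying Microsoft's standard Windows Time layout: only the PDC emulator syncs from an external NTP source and the other domain controllers follow the domain hierarchy. It assumes an elevated session on the domain controller with the ActiveDirectory module available; the NTP peer is a placeholder.

```powershell
# Added example (not from the article): configure w32time on a virtualized DC so
# it no longer depends on the Hyper-V host clock, then verify the time source.
# Run elevated on the DC. The NTP peer list is a placeholder for your own source.
function Set-DcTimeSource {
    param([string]$NtpPeers = 'ntp.example.com,0x8')   # placeholder; 0x8 = client mode

    $roles = (Get-ADDomainController -Identity $env:COMPUTERNAME).OperationMasterRoles
    if ($roles -contains 'PDCEmulator') {
        # The PDC emulator is the domain's authoritative source and uses external NTP.
        w32tm /config /manualpeerlist:"$NtpPeers" /syncfromflags:manual /reliable:yes /update | Out-Null
    } else {
        # Every other DC takes time from the domain hierarchy, not from a fixed peer.
        w32tm /config /syncfromflags:domhier /update | Out-Null
    }
    Restart-Service -Name w32time
    w32tm /resync /nowait | Out-Null
}

function Test-DcTimeSource {
    # When the guest still takes its clock from Hyper-V, w32tm reports the
    # "VM IC Time Synchronization Provider" as its source.
    $source = ((w32tm /query /source) -join '').Trim()
    [pscustomobject]@{
        Source        = $source
        HostClockUsed = $source -match 'VM IC Time Synchronization Provider'
    }
}

Set-DcTimeSource
Test-DcTimeSource
```

Run Test-DcTimeSource again after a few minutes; HostClockUsed should be False and Source should name either the NTP peer (on the PDC emulator) or another domain controller.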

Can I repair a domain controller’s USN rollback if it occurs?

Yes, you can. The process involves transferring the FSMO roles (if necessary), demoting the domain controller, and re-promoting it. This is also one of the many reasons why having multiple domain controllers for each domain is so important.

Can the Hyper-V shielded VM feature help domain controller security?

The Hyper-V shielded virtual machine feature only allows virtual machines to run on certain authorized hosts. Its virtual hard disks are encrypted, so if you copy a disk elsewhere it cannot be read or mounted. This feature can also help domain controller security. That said, you should implement it in a way that avoids single points of failure.

Resources

TechGenix: article on virtual domain controllers

Find out here how to prevent a virtual domain controller from synchronizing its time with a host.

TechGenix: article on updating your domain controllers

Learn more about keeping your domain controllers up to date here.

TechGenix: article on virtualized domain controllers in a Hyper-V Replica environment

Learn about virtualized domain controllers in a Hyper-V replica environment here.

Microsoft: article on virtualizing domain controllers on Hyper-V

Read Microsoft’s best practices for virtualizing domain controllers on Hyper-V here.

Microsoft: article on troubleshooting techniques for virtualized domain controllers

Learn techniques for troubleshooting virtualized domain controllers here.