What should be considered when virtualizing domain controllers?
Often the question arises as to whether or not virtualization technologies can be used to run Active Directory domain controllers on guest operating systems. The answer and recommendations from Microsoft are contained here: http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv ( WS.10 ).aspx
In this case, despite the fact that the recommendations are described for virtualization technology from Microsoft, and for other virtualization technologies, you should follow these recommendations.
What points would you like to pay attention to:
In this case, despite the fact that the recommendations are described for virtualization technology from Microsoft, and for other virtualization technologies, you should follow these recommendations.
What points would you like to pay attention to:
- For each domain, it is highly desirable to have at least two domain controllers that run on different virtualization hosts. This will avoid the inaccessibility of Active Directory if the physical server fails.
- In each domain, it is desirable to use at least one domain controller on a physical machine. This will protect against the global failure of the entire virtualization platform.
- You must disable time synchronization through the integration components between the virtual machine with the domain controller role and the parent partition. This is a recommendation of the Active Directory product group and is related to the fact that domain controllers use their own time synchronization mechanisms.
- It is necessary to ensure the security of virtual disks of domain controllers. Thus, we must limit the circle of administrators of the virtualization platform itself, since an administrator who has write access to a virtual disk file of a writable domain controller can very easily get domain administrator rights and a little more complicated forest administrator rights.
- Recovery of domain controllers should be carried out only by specialized backup / recovery tools that support Active Directory recovery. Restoring state using differential disks, virtual machine snapshots, copying virtual disk files can cause problems with Active Directory replication.
')
Source: https://habr.com/ru/post/104599/
All Articles