Why virtualize Domain Controllers?



One of the questions I get asked a lot is:

Why virtualize Domain Controllers?

So, in this blogpost, I’m showing you the reasons why virtualization for Domain Controllers and Active Directory is a good idea. I also know there are a lot of caveats when virtualizing Domain Controllers, so this blogpost serves as a small part of a bigger series on how to do it right.

Reasons to virtualize Domain Controllers fall in three buckets:

  • Virtualization is mainstream
  • Active Directory is virtualization-friendly
  • Physical Domain Controllers waste compute resources

Let’s look at these three areas and provide some real-world examples.


Virtualization is mainstream

You’ve probably heard of ‘cloud’. Whether it’s Private Cloud (hosted in your own datacenters or the datacenters of an organization you’ve outsourced it to) or Public Cloud (like Microsoft’s Azure and Amazon’s AWS), virtualization, coupled with self-service, is the cornerstone to making it happen. “Virtualize First” is the new normal.

Also, virtualization is no longer black magic. Virtualization platforms like VMware’s vSphere and Microsoft’s Hyper-V are well-documented. People who want to be proficient at managing virtualization have a wide range of training to follow and certificates to achieve. When you run into problems with any of the virtualization platforms, there are free support options available, like Stack Overflow and the vendor’s support forums, next to paid support options.

Since Windows Server 2012, virtualization for Active Directory is fully supported by Microsoft. VMware fully supports virtualizing Domain Controllers (as long as you follow their recommended practices).

You could ask yourself if Microsoft still tests Domain Controller functionality and updates on physical hardware. If this is the case and you’re running Domain Controllers on physical hardware, aren’t you putting your organization at risk?

Active Directory is virtualization-friendly

From its inception back in 1997, Active Directory has been virtualization-friendly.

It has never had high memory or I/O requirements. You can run Domain Controllers on machines with very modest specifications. A single CPU, just a few GBs of RAM and some GBs of disk storage is all you need to run even a Windows Server 2019-based Domain Controller. When running Domain Controllers as Server Core installations, the requirements drop even further. This makes them ideal candidates to virtualize.

The distributed nature of the Active Directory database also adds to the virtualization-friendliness of Active Directory. Scale-out is the preferred method to increase Active Directory performance, not scale-up (except perhaps for the Domain Controller holding the PDC emulator FSMO role…). Just add small-sized VMs to the virtualization platform and Active Directory is again ready to go.

All Domain Controllers are created equal (though some Domain Controllers, like the aforementioned PDC emulator, are more equal than others) and replication offers a multi-master model. This makes Active Directory resilient; with the majority of Domain Controllers decimated during a disaster, it can still function. Also, a Domain Controller can be restored on a compatible virtualization platform purely from its virtual disk.

These modest system requirements, the distributed nature of the database and the graceful degradation under failure are all characteristics of virtual machines that virtualization admins love to host for you.

Physical Domain Controllers waste compute

When looking for the cheapest rack server on Dell.com today, I stumbled upon the PowerEdge R240. It has a Celeron G4900 3.1GHz processor, 8GB RAM and a 1TB HDD for a mere $589. For $926 there is an Intel Xeon E2124-based, 16GB model available from HP Enterprise. These systems have one thing in common: the smallest disk you can buy in them measures 1TB. This disk size is overkill in any networking environment except Fortune 500 companies, as the Active Directory files don’t take up that much space (unless you’re storing user profile pictures in them, but even then it’s not a huge problem). Even the 8GB RAM of the cheapest Dell rack server you can get allows you to cache the Active Directory database for an organization with over 100,000 users.

Active Directory simply isn’t able to utilize the compute resources available on modern hardware. Running Domain Controllers on physical hardware equals wasting compute resources. Wasting compute resources means wasting money.
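A quick way to see whether a given Domain Controller actually uses the hardware it sits on, as an added example that is not code from the original post: it compares the size of ntds.dit with the physical RAM and samples CPU load. It reads the database path from the NTDS service’s registry parameters and assumes it runs in an elevated PowerShell session on the Domain Controller itself.

```powershell
# Added example (not from the original post): size the Active Directory database
# against the memory and CPU of the Domain Controller it runs on.
# Assumes: run as administrator on the DC; NTDS parameters in the default registry key.

# Path of ntds.dit as recorded by the NTDS service
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath    = $ntdsParams.'DSA Database file'
$ditSizeGB  = [math]::Round((Get-Item $ditPath).Length / 1GB, 2)

# Physical memory visible to the OS (TotalVisibleMemorySize is reported in KB)
$os    = Get-CimInstance Win32_OperatingSystem
$ramGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 2)

# Average CPU load over a short sample window (constructed choice: 5 samples, 2 s apart)
$cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 2 -MaxSamples 5).CounterSamples |
       Measure-Object -Property CookedValue -Average
$cpuAvg = [math]::Round($cpu.Average, 1)

# Crude fit check: the ESE cache will not get all of RAM, but if the database is
# a small fraction of physical memory it can be served entirely from cache.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    NtdsDitGB     = $ditSizeGB
    PhysicalRamGB = $ramGB
    DitFitsInRam  = ($ditSizeGB -lt ($ramGB / 2))
    AvgCpuPercent = $cpuAvg
}
```

A Domain Controller reporting a database of a few GB, RAM in the tens of GB and single-digit CPU load over its sample window is the kind of machine this post argues belongs on a virtualization platform.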



Virtualize Domain Controllers.

Does that mean you can virtualize all your Domain Controllers? Does that mean you can be as coarse with virtual Domain Controllers as you can be with physical Domain Controllers? Does that mean virtual Domain Controllers are as secure as physical Domain Controllers? Join me for the answers on these questions in the next parts of this series.
