8/6/2019 Best Practices for Virtualizing Active Directory
1/51
Best Practices for Virtualizing Active Directory
Breakout Session AP01
Chris Skinner
Senior Technical Instructor, VMware, Inc.
February 25, 2009
Disclaimer
This session may contain product features that are currently under development.
This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
Technical feasibility and market demand will affect final delivery.
Pricing and packaging for any new technologies or features discussed or presented have not been determined.
These features are representative of feature areas under development. Feature commitments are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery.
Objectives and Goals
You can virtualize Active Directory successfully
It's not difficult, mystical or magical
Many companies have successfully deployed AD through virtualization
Agenda
Why should we virtualize Active Directory?
What are the challenges with virtualizing AD?
How does a company successfully migrate?
Why Virtualize?
Why Virtualize Active Directory?
Hardware Consolidation
Combine multiple, single use boxes
Standardization, eliminating imaging issues
Reduce product activation issues
Leverage VI 3 features: HA & DRS
Why Virtualize Active Directory?
Testing and Development
Policy testing
Schema changes
Migration/upgrade testing
Domain reconfigurations
Deployment scenarios
Disaster recovery solutions
Why Virtualize Active Directory?
Security Controls
Limiting physical access
Additional administrative controls
Separate applications from domain controllers
Virtualization Challenges: Time Synchronization
Time Synchronization - Why is it so important?
Active Directory operations are critically time dependent
The MS Kerberos implementation allows a 5 minute tolerance
File Replication Services (FRS) synchronizes scripts, database changes/updates and policies based, in part, on time-stamping
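An added check, not part of the original deck: this PowerShell script measures a guest's clock offset against a domain controller with w32tm and compares it with the 5-minute Kerberos tolerance cited above, and it reads which sync mode the Windows Time service is in (relevant to the later point about using only one sync method). The DC name is a placeholder; w32tm.exe and the W32Time registry key are assumed present as on Windows Server 2003 and later.

```powershell
# Added example, not from the original deck: measure a guest's clock offset from a
# domain controller and compare it with the 5-minute Kerberos tolerance the slides cite.
# Assumptions: w32tm.exe is present (Windows Server 2003 and later); $Dc is a placeholder.
param(
    [string]$Dc = "dc01.example.local",   # placeholder DC name, replace with your own
    [int]$Samples = 5,
    [int]$MaxSkewSeconds = 300            # Kerberos tolerance from the slide
)

function Get-ClockOffsetSeconds {
    param([string]$Computer, [int]$Count)
    # /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample; pull out the signed offset.
    $raw = & w32tm.exe /stripchart "/computer:$Computer" "/samples:$Count" /dataonly 2>&1
    foreach ($line in $raw) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
}

function Get-W32TimeSyncType {
    # Type = NT5DS: guest follows the domain hierarchy; NTP: manual peer list;
    # NoSync: the Windows Time service is not syncing (e.g. when VMware Tools sync is used instead).
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
}

$offsets = @(Get-ClockOffsetSeconds -Computer $Dc -Count $Samples)
if ($offsets.Count -eq 0) {
    Write-Warning "Could not parse any samples from w32tm against ${Dc}."
    exit 2
}
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
$avg   = ($offsets | Measure-Object -Average).Average
"Windows Time sync type : $(Get-W32TimeSyncType)"
"Samples against $Dc    : $($offsets -join ', ')"
("Average offset         : {0:N3} s, worst {1:N3} s" -f $avg, $worst)
if ($worst -gt $MaxSkewSeconds) {
    Write-Warning "Skew exceeds the $MaxSkewSeconds s Kerberos tolerance; authentication will fail."
    exit 1
} elseif ($worst -gt ($MaxSkewSeconds / 10)) {
    Write-Warning "Skew is within tolerance but large; confirm only one sync method is in use."
}
```

Run it on a virtualized DC after a vMotion or a long suspend, when the catch-up behaviour described in the following slides is most likely to show.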
Time Server Hierarchies
Source: Microsoft Corporation
Child PDC emulators can sync with any DC in the parent domain
Clients sync with any DC in their own domain
DCs can sync with the PDC emulator in their own domain or any DC in the parent
Time Synchronization - Option B: VMware Tools
Modify Windows Time Service:
Implement Domain Controllers Group Policy to modify registry
Use VMware Tools:
Enable ESX server NTP daemon to sync with external stratum NTP source
VMware Knowledge Base ID# 1339
Use VMware Tools time synchronization within the virtual machine
NOTE: VMware Tools time sync is designed to play catch-up, not slow down!
Time Synchronization - Descheduled Time Accounting
Custom VMware Tools component
Tightly integrated with hypervisor
Use with ESX 3.x VMs only
Currently for uniprocessor Windows and Linux VMs only
Improved accuracy for the guest OS's CPU time accounting
Allows quicker catch-up of time for guest OS
Launches a VMDesched thread or process within the VM's OS
Time Synchronization - Descheduled Time Accounting (2)
Perform a Custom installation of VMware Tools in Windows guest OS
Time Synchronization - Summary
Use one method or the other
Do NOT use both!!!
Decisions should be based on current time management infrastructure or the organization's policies
Virtualization Challenges: Performance Issues
Performance for Virtualized Domain Controllers
Virtualized AD domain controllers can run at 85-90% of native system performance
Active Directory deployments in most datacenters utilize less than 10% of today's computing power
Requires significantly less hardware to achieve a greater number of virtualized domain controllers
A greater number of domain controllers provides better logon results and fewer points of failure
Performance - Single Processor
Performance - Dual Processors
Performance - Scaling Processors Up
Performance Summary
Virtualization does not necessarily increase performance
Proper planning of resource allocation is still important
It's still important to follow Microsoft's best practices for the strategic placement of FSMO role servers, catalog servers, etc.
Virtualization Challenges: Security, Network and Replication
Security - VM Access Control
Network - Connections
Use the Maps view to verify network infrastructure
Create separate VM port groups connected to individual NICs
Network - Advanced Switch Settings
VMware ESX 3.x provides some more sophisticated network settings
Virtualization Challenges: High Availability & Disaster Recovery/Preparedness
High Availability - VMware ESX 3.x / vCenter Server 2.x
VMware provides solutions for automatically restarting virtual machines
Implement VMware HA as a high availability solution to ensure virtual machine domain controllers restart in the event an ESX server fails
High Availability - VMware ESX 3.x / vCenter Server 2.x
Combined with VMware DRS, anti-affinity rules can ensure domain controller VMs are segregated
Disaster Recovery Best Practices
Perform consistent system state backups
Provided by most major commercial backup software
Follow Microsoft recommendations on FSMO role placement
http://support.microsoft.com/kb/223346
All Active Directory restorations should be performed using authoritative and non-authoritative methods
Do not recover an Active Directory database from a backup copy of an old virtual disk!
Disaster Recovery - Scenarios: Improper Restore of VM vs. Proper Restore of VM
Source: Microsoft Corporation
High Availability, Disaster Recovery Summary
Utilize VMware DRS and HA to implement a successful recoverability solution
Always continue to use Microsoft's System State data best practices to back up the AD database
Default useful life of System State data: 60-180 days
Controlled by the Tombstone lifetime attribute (depends on OS, SP, etc.)
Microsoft does not support snapshots of DCs (KB 888794)
Continue to follow best practices around the placement of key, critical roles
Transitioning from Physical to Virtual
How do you successfully migrate?
Virtual machine considerations
DNS configurations
Best practices
Virtual Machine Considerations
Size the VM's memory to run the entire AD database in cache to avoid disk performance hits
Windows 2003 Server
Value                 32-bit                        64-bit
RAM cache             2.75 GB (using /3GB switch)   16 GB
Approx. # of users    100,000                       2.5 million
Virtual Machine Considerations
Add, modify, search, delete and update operations will benefit significantly from caching
Slight penalty incurred for write operations, physical or virtual
Microsoft's AD Sizer can help you plan the size
Use Microsoft's best practices and separate boot, database and log virtual disks on individual SCSI controllers to optimize write performance
Transitioning from Physical to Virtual
Start with a fresh system state backup for recovery
Consider creating a dedicated virtual switch or virtual machine port group to isolate replication traffic
Generally single processor virtual machines are adequate for domain controllers
Validate inbound/outbound connections between physical and virtual machines
Allow 24-48 hours for replication to complete
Change the weight and/or priority of the DNS SRV records for virtual machines
Monitor the logon requests to ensure virtual machines are successfully responding
Decommission physical domain controllers
DNS Modifications - Transitioning to VMs
Modify the weight and/or priority of the DNS SRV records
Specifically offload the authentication requests from the PDC emulator when possible
DNS weight is the proportional distribution of requests among DNS servers
DNS priority is the likelihood a server will receive a request
PDC emulators should have one or both adjusted accordingly by adding:
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
LdapSrvWeight   DWORD, decimal value of 25 or 50
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
LdapSrvPriority DWORD, decimal value of 100 or 200
Physical domain controllers should be adjusted similarly to decrease dependencies on the PDC emulator
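An added example, not from the original deck: this PowerShell script writes the LdapSrvWeight and LdapSrvPriority values shown above on the DC being adjusted, forces Netlogon to re-register its SRV records, and then queries DNS so the new priority/weight can be verified. It assumes the Netlogon defaults of weight 100 and priority 0 when the values are absent, that nltest and nslookup are available, and that USERDNSDOMAIN holds the domain name.

```powershell
# Added example, not from the original deck: apply the Netlogon SRV weight/priority values
# the slides list and check what DNS then advertises. Run as an administrator on the DC
# being adjusted. Slide values: LdapSrvWeight 25 or 50, LdapSrvPriority 100 or 200.
# Assumption: Netlogon defaults of weight 100 and priority 0 apply when the values are absent.
param(
    [ValidateSet(25, 50)]  [int]$LdapSrvWeight   = 50,
    [ValidateSet(100, 200)][int]$LdapSrvPriority = 100,
    [switch]$ReportOnly                 # show current values and records without changing anything
)
$key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonSrvSettings {
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        LdapSrvWeight   = if ($null -ne $p.LdapSrvWeight)   { $p.LdapSrvWeight }   else { 100 }  # default
        LdapSrvPriority = if ($null -ne $p.LdapSrvPriority) { $p.LdapSrvPriority } else { 0 }    # default
    }
}

"Current settings:"; Get-NetlogonSrvSettings | Format-List | Out-String
if (-not $ReportOnly) {
    # Lower weight = smaller share of requests among DCs of equal priority;
    # a higher priority number means clients try the lower-numbered DCs first.
    New-ItemProperty -Path $key -Name LdapSrvWeight   -PropertyType DWord -Value $LdapSrvWeight   -Force | Out-Null
    New-ItemProperty -Path $key -Name LdapSrvPriority -PropertyType DWord -Value $LdapSrvPriority -Force | Out-Null
    # Netlogon picks up the values when it next registers its records; force that now.
    nltest /dsregdns | Out-Null
    "Updated settings:"; Get-NetlogonSrvSettings | Format-List | Out-String
}
# Verify the advertised records: each DC is listed with priority, weight, port and target.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN"
```

Compare the nslookup output for the adjusted DC with the untouched virtual DCs before decommissioning physical ones, as the transition steps above call for.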
Best Practices
Avoid snapshots or REDOs for domain controller virtual machines
Do not suspend domain controller virtual machines for long periods
Consistent and regular system state backups still very important
Avoid physical to virtual DC conversions
Virtualizing Active Directory can be done!!!
Perform System State backups regularly
Time Synchronization
High Availability/Disaster Recovery Plan
Monitor Replication Traffic
Modify DNS SRV records to redirect logon authentications to VMs
Go back and constantly re-evaluate your strategy!!!
Features
Approved Operational Practices
Best Practices of Industry Experts
Prescriptive Guidance
For customers by customers
Consistent appearance
VI OPS Portal
A customizable collaboration site for sharing role and subject based proven, prescriptive, and actionable guidance.
http://viops.vmware.com
Additional Information
VMware Time Sync and Windows Time Service
VMware Knowledge Base ID# 1318 - http://kb.vmware.com/kb/1318
Installing and Configuring NTP on VMware ESX Server
VMware Knowledge Base ID# 1339 - http://kb.vmware.com/kb/1339
VMware Descheduled Time Accounting
http://www.vmware.com/pdf/vi3_esx_vmdesched.pdf
How to detect and recover from a USN rollback in Windows Server 2003
http://support.microsoft.com/kb/875495
How to detect and recover from a USN rollback in Windows 2000 Server
http://support.microsoft.com/kb/885875
Additional Information (2)
Active Directory Performance for 64-bit Versions of Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=en
Microsoft's Active Directory Sizer for Windows 2000
http://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exe
Active Directory Performance Testing Tool (ADTest.exe) http://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=en
Support policy for Microsoft software running in non-Microsoft hardware virtualization software
http://support.microsoft.com/kb/897615
How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042
Thank you!!