Back in the pre-Windows Server 2012 days, the recommendation seemed to be to have at least one physical domain controller sitting alongside your virtualised DCs.
One justification for this was because if your Hyper-V hosts were clustered, then they required a DC to be contactable during boot-up. This makes total sense to me.
However, I would often hear people say it is still important to have a physical DC even if you don't have a clustered setup (say for example in a simple setup with a single Hyper-V server running a couple of VMs, one of which is a DC). The justification for this seemed (and I could never quite be sure) that you would still have a problem in the sense that when the Hyper-V host first boots, there's no DC present on the network. Cached credentials mean you can still log on, but what about all those bits that happen during boot up that mean having a DC around is beneficial? Is this actually an issue? Are there actually any operations that might run only at boot up that will cause a problem? Any Group Policies for example? What I'm basically asking is, does the physical DC argument only really hold water when clustering is involved, or was (pre-2012) there a significant technical case for it without clustering? This article from Altaro (see "The “Chicken-and-Egg” Myth" section) suggests there is no need, but I'm still unsure.
Now to the second (and main) part of my question:
Windows Server 2012 introduced several features targeted at addressing the issues around virtualising domain controllers, including:
- VM-Generation ID - This addressed the USN rollback issue that meant snapshotting (or more specifically, rolling back to a snapshot) was unsupported/a really bad idea
- Cluster Bootstrapping - This addressed the "chicken and egg" issue surrounding Failover Clustering that I mentioned above. Failover Clustering no longer requires a DC to be present during boot-up.
So my second question is similar to the first, but this time for 2012+. Assuming both the vDC and the host are 2012+ and you take clustering out of the equation, are there any other issues like those mentioned above that mean I should still consider a physical DC? Should I still be considering having a physical DC alongside my single, non-clustered 2012/2012R2 Hyper-V host that has a single virtualised DC on it? I hear some people suggest putting AD on the Hyper-V host, but I don't like that idea for various reasons (WB cache being disabled for a start).
As a side-note, my question implicitly assumes that it makes sense to have your Hyper-V host joined to the domain to improve manageability. Does this assertion stand up to scrutiny?
UPDATE:
After reading some answers, it occurred to me that I could phrase things slightly differently to get to the heart of what I'm asking:
Even with the improvements in 2012 and later, the fact still remains that without any physical DCs or virtual DCs on another host, the host still boots when there's no DC available. Is this actually an issue? In a sense, I suppose it's the same (or very similar) question if you take virtualisation out of the picture completely. If you start member servers before any DCs regularly, is that a problem?
One rationale for retaining one physical DC per domain is if there is a major incident that affects the host or trashes the frame storage for the virtualized DCs, you would have at least one physical DC with local storage to perform recovery and maintain continuity. Microsoft continues to perform this check and make this recommendation during Active Directory RAPs (Risk Assessment and Planning).
https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv%28v=ws.10%29.aspx
"Maintain physical domain controllers in each of your domains. This mitigates the risk of a virtualization platform malfunction that affects all host systems that use that platform."
I too wouldn't make the Hyper-V host a DC.
As for whether or not you should have a physical DC, my opinion is that with the changes Microsoft has implemented regarding virtualized Domain Controllers in general and DC-less cluster bootstrapping specifically, I don't personally see the need for, nor do I advocate having a physical DC. Maintaining a physical DC seems counterintuitive to the nature of moving your infrastructure to a virtualization platform. Virtualize my entire infrastructure but it all hinges on a single physical DC being available? What's the point in that?
There are ways to limit your "exposure" while still virtualizing your Domain Controllers. One way would be to deploy multiple DCs on different hosts in your cluster and use anti-affinity to keep them separated in the event of a host failure (dependent upon how many hosts are in the cluster).
While Greg's answer includes a link to some MS recommendations, that article is nonetheless two years old and addresses Windows Server 2008 and 2008 R2. I wouldn't consider that article to be the current best practice in relation to Windows Server 2012 and 2012 R2. I can't find an official MS document, but this guy is considered a leading authority on Hyper-V - http://www.aidanfinn.com/?p=13171
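The anti-affinity approach suggested above, as an added PowerShell example (not code from any answer here). It assumes a 2012+ failover cluster with the FailoverClusters module, and two DC VMs already configured as clustered roles named "DC01" and "DC02" (assumed names):

```powershell
# Added example: tag the DC VM roles with a shared anti-affinity class so the
# cluster avoids placing them on the same node, give them high start priority,
# and then report whether they currently share a node.
Import-Module FailoverClusters

$DcGroups  = @('DC01', 'DC02')      # assumed cluster group (VM role) names
$ClassName = 'DomainControllers'    # arbitrary anti-affinity label, constructed here

foreach ($name in $DcGroups) {
    $group = Get-ClusterGroup -Name $name

    # Groups that share an AntiAffinityClassNames entry are kept apart
    # by the cluster placement logic where node count allows it.
    $classes = New-Object System.Collections.Specialized.StringCollection
    [void]$classes.Add($ClassName)
    $group.AntiAffinityClassNames = $classes

    # Priority 3000 = High: these roles come up first after a node loss,
    # so dependent workloads find a DC when they start.
    $group.Priority = 3000
}

# Verify placement. With fewer nodes than DC VMs they must share a node,
# and on 2012/2012 R2 anti-affinity is a soft preference, not a hard rule.
$owners = $DcGroups | ForEach-Object { (Get-ClusterGroup -Name $_).OwnerNode.Name }
$shared = ($owners | Select-Object -Unique).Count -lt $owners.Count

if ($shared) {
    Write-Warning "DC VMs currently share a node: $($owners -join ', ')"
} else {
    "DC VMs are on separate nodes: $($owners -join ', ')"
}
```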
I feel like you're looking for a one line answer, so here it is:
We could wax on about the peculiarities and exceptions with each scenario, but I think this strikes the root of the question.
Let's take clusters out of the equation and focus on the one line in your question that makes me shudder.
Why, why, why, would you want a single DC? In any given environment we try to avoid having single points of failure for any given infrastructure. DCs are your bread and butter - they provide DNS, the backbone of Active Directory. Seriously, rebuild a Windows 7 Desktop PC on 2008R2 and promote it. There is always a strong case for a physical DC.
Hyper-V with AD DS? No, just no. Firstly, Microsoft doesn't support this. Secondly, as you mentioned, handling backups will become a pain dependent on your disk configuration. Not to mention - the beauty of virtualization is the ability to retire physical hosts as quickly as we can build them (and I appreciate a dcpromo isn't a huge deal (depending on the size of your environment)) and hosting AD DS just complicates matters. You also introduce another Windows Time complexity.
Personally I leave my stand-alone Hyper-V hosts off the domain, but in reality, I have no real argument for either configuration.
To answer the last question about if this is actually ever an issue: I've noticed that my Hyper-V hosts with RDP enabled, but requiring NLA, don't allow RDP until after I restart the Network Location Awareness service if there's not a DC up when it boots. I've had occasional issues with connecting to VMMS remotely at these points as well, but only when something else was also broken. When you can't RDP in, or connect to Hyper-V manager remotely it's really hard to figure out what's broken and fix things. Keeping a physical DC around has prevented this from happening to me at any point.
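The boot-time scenario asked about in the question and the NLA/RDP symptom described in this answer, as an added PowerShell example (not code from the question or any answer). It assumes a stand-alone, domain-joined Hyper-V host whose only DC is a local VM named "DC01" (assumed name), and is meant to run as a scheduled task at host startup:

```powershell
# Added example: start the DC VM first, wait until the host can actually
# locate a DC, then re-evaluate the network profile so that RDP with NLA
# required stops refusing connections.
$DcVmName       = 'DC01'   # assumed VM name
$TimeoutSeconds = 600

# 1. Bring the DC VM up before anything else on the host depends on it.
$vm = Get-VM -Name $DcVmName
if ($vm.State -ne 'Running') { Start-VM -Name $DcVmName }

# 2. Wait for a DC to be discoverable via the DC locator (not just a ping).
#    nltest /dsgetdc: with no domain name uses the computer's own domain.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$dcFound  = $false
do {
    $null = & nltest.exe /dsgetdc: 2>$null
    if ($LASTEXITCODE -eq 0) { $dcFound = $true; break }
    Start-Sleep -Seconds 10
} while ((Get-Date) -lt $deadline)

if (-not $dcFound) {
    Write-Warning "No DC located within $TimeoutSeconds s; host is on cached credentials only."
    return
}

# 3. NlaSvc classified the NIC at boot, before any DC existed, so the profile
#    may be stuck on Private/Public. Restarting it forces re-evaluation to
#    DomainAuthenticated, which is what NLA-only RDP needs.
$categories = (Get-NetConnectionProfile).NetworkCategory
if ($categories -notcontains 'DomainAuthenticated') {
    Restart-Service -Name NlaSvc -Force
    Start-Sleep -Seconds 5
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
}
```

If the profile is still not DomainAuthenticated after the restart, the host cannot reach the DC over the network at all, which is a connectivity problem rather than the boot-ordering one this script addresses.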