As a small shop (~10 PCs), we have only one physical server machine. This physical server machine runs the following two virtual machines:
- one AD domain controller and
- one "production server" (file server, database server, etc.).
Now, all best practice guides out there tell me that having a second AD domain controller (a "backup DC") is highly recommended.
Putting it on the same physical machine as the primary DC seems pretty pointless, so I thought of putting it as a VM on one of the stronger workstations which usually runs 24-7 anyways. Since it's just a backup DC, I'd give it very little CPU/RAM resources, so it should not affect the user too much.
Does this sound like a good plan or are there any pitfalls that I should be aware of?
I believe the general consensus is "no", especially when you plan to host the second DC as a VM with a workstation host.
The reason you use two DCs is that one going down will not bring your network to its knees, and in larger environments to provide more resources for performing the tasks of the DC.
If you place one of the DCs as a VM on a dedicated hypervisor in your server closet with static IPs all around, you will not substantially harm the fault tolerance of the system. And Windows Server 2016 in particular addresses many of the issues with DCs in a virtual environment, such as authoritative records, backups and restores, and the like.
But, if you place the DC as a VM on a workstation the DC VM is dependent on the connectivity of the host computer, which negates most of the benefits of redundancy.
If the primary physical DC goes down, your workstation host loses its connectivity, and therefore the backup DC does too: Worthless.
The only redundancy you'd be gaining is if the VM DC goes down, in which case the physical DC would keep running and providing the network's needs.
In other words: There is no benefit.
UPDATE: An Option
With licensing being what it is, you could for the price of a bit of hardware and a single Standard license of Windows Server, stand up a Hypervisor (might I suggest Nano?) and run 2 VM servers on it. Run one as your second DC, and the other as a standard service-providing server.
This solves most of the problems for a little amount of cash, I think.
The assumption is that the hypervisor and the VMs running on it are all going to be static-IP systems, so network interruptions are less likely to affect them.
Server-class hypervisor software will also be less likely to need reboots after patching (hence my Nano recommendation), meaning the hypervisor won't be needing reboots as often as a common desktop.
It's just a better all-around solution, and for not a whole lot more money.
I don't like the idea. On the workstation, you would be running some kind of free Hypervisor with Server 20xx and the AD role.
You must own a unique Windows Server 20xx license that you would install on that machine, and if you are going that far, I'd recommend buying a dedicated machine or scavenging up something.
In your situation AD requires very little resources, so something with 4GB of RAM and a 120GB SATA HDD would work. I'd like to see 2 cores at a minimum. Maybe look for a used server on an auction site.
Back in the day, we did something similar to this in a small business environment. But instead of having a second DC on a workstation, I just installed a Hyper-V server on that computer and created a replica of our PDC VM. In those rare cases when we lost our PDC (the physical hypervisor server was somewhat unstable), we just manually started the replica server on the second machine. This can easily be adjusted with PowerShell scripts and scheduled tasks to automate it.
This was far from the ideal solution: when the PDC went down while I was outside of the office network (e.g. at home), it was very painful (but feasible) to get myself into the secondary machine to start the replica. It definitely worked, however I can't recommend it in a production environment.
Later this workstation PC died and I just didn't bother to revive it. I installed a second DC in a new virtual machine on another hypervisor server. Now nobody needs to care about the PDC's issues; the second DC remains fully functional, except if we have networking issues, but then the DC is not our biggest problem.
This is a working solution too (for us at least), but as always, if you run a DC on a VM and the hypervisor is a member of the same domain, you need to take care of a few things (time sync especially).
P.S.: we are not using DHCP on this network, just static addresses.
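The time-sync caveat from the answer above, as an added example that is not from the original post or any of its authors: one check to run on the Hyper-V host and one inside the DC guest, assuming the Hyper-V and ActiveDirectory PowerShell modules are present, with `DC02` and `ntp.example.com` as constructed placeholders.

```powershell
# Added example, not from the original post: two checks for the time-sync pitfall
# of a virtualized DC. Run Test-DcHostTimeSync on the Hyper-V host and
# Test-DcGuestTimeSync inside the DC guest. 'DC02' and 'ntp.example.com' are
# constructed placeholders; the guest part needs the ActiveDirectory module that
# ships with the AD DS role.

function Test-DcHostTimeSync {
    param([string]$VmName = 'DC02')   # placeholder VM name
    # A DC whose clock is pushed by the hypervisor drifts with the host and, when
    # the host is itself a domain member, forms a circular time source.
    $svc = Get-VMIntegrationService -VMName $VmName -Name 'Time Synchronization'
    if ($svc.Enabled) {
        Write-Warning "$VmName takes its clock from the host; disabling the integration service."
        Disable-VMIntegrationService -VMName $VmName -Name 'Time Synchronization'
        return $false
    }
    Write-Host "$VmName : hypervisor time sync is already disabled."
    return $true
}

function Test-DcGuestTimeSync {
    param([string]$ExternalNtp = 'ntp.example.com')   # placeholder NTP peer
    # w32tm reports 'VM IC Time Synchronization Provider' while the guest still
    # follows the hypervisor instead of the domain hierarchy or an NTP peer.
    $source = (w32tm /query /source) -join ''
    if ($source -match 'VM IC Time Synchronization Provider') {
        Write-Warning "Guest still syncs from the hypervisor: $source"
    }
    # Only the PDC emulator should be pinned to an external source; every other
    # DC and member follows the domain hierarchy automatically.
    $pdc = (Get-ADDomain).PDCEmulator.Split('.')[0]
    if ($env:COMPUTERNAME -ieq $pdc) {
        w32tm /config /manualpeerlist:$ExternalNtp /syncfromflags:manual /reliable:yes /update | Out-Null
        w32tm /resync | Out-Null
        Write-Host "PDC emulator now syncs from $ExternalNtp."
    } else {
        w32tm /config /syncfromflags:domhier /update | Out-Null
        w32tm /resync | Out-Null
        Write-Host "$env:COMPUTERNAME follows the domain hierarchy; PDC emulator is $pdc."
    }
    # Return the effective source so a scheduled task can log it.
    return (w32tm /query /source) -join ''
}
```

Both functions are safe to schedule: the host check only touches the named VM's integration service, and the guest check reconfigures w32time only on the box it runs on.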
It is recommended to run the DC on a physical server, not in a virtual host. You can keep the ADC on a virtual host.
In case of any issues or a required restart on the VM host server, you might get issues with domain authentication.