1 / 49

AP05 Running Windows Active Directory in Virtual Infrastructure 3

AP05 Running Windows Active Directory in Virtual Infrastructure 3. Chris Skinner Technical Instructor Education Services VMware, Inc. Housekeeping. Please turn off your mobile phones, blackberries and laptops

demetrius-porter
Download Presentation

AP05 Running Windows Active Directory in Virtual Infrastructure 3

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AP05Running Windows Active Directory in Virtual Infrastructure 3 Chris Skinner Technical Instructor Education Services VMware, Inc.

  2. Housekeeping • Please turn off your mobile phones, blackberries and laptops • Your feedback is valued: please fill in the session evaluation form (specific to that session) & hand it to the room monitor / the materials pickup area at registration • Each delegate to return their completed event evaluation form to the materials pickup area will be eligible for a free evaluation copy of VMware’s ESX 3i • Please leave the room between sessions, even if your next session is in the same room as you will need to be rescanned

  3. Objectives and Goals • You can virtualize Active Directory successfully • It’s not difficult, mystical or magical • Many companies have successfully deployed AD through virtualization

  4. Agenda • Why should we virtualize Active Directory? • What are the challenges with virtualizing AD? • How does a company successfully migrate?

  5. Why Virtualize?

  6. Why Virtualize Active Directory? • Hardware Consolidation • Combine multiple, single use boxes • Standardization – eliminating imaging issues • Reduce product activation issues • Leverage VI 3 Features – HA & DRS

  7. Why Virtualize Active Directory? • Testing and Development • Policy testing • Schema changes • Migration/upgrade testing • Domain reconfigurations • Deployment scenarios • Disaster recovery solutions

  8. Why Virtualize Active Directory? • Security Controls • Limiting physical access • Additional administrative controls • Separate applications from domain controllers

  9. Challenges to Virtualizing Active Directory • Time synchronization • Performance • Replicating Active Directory changes • High availability of domain controllers • Disaster recovery

  10. Time SynchronizationVirtualization Challenges

  11. Time Synchronization – Why is it so important? • Active Directory operations are critically time dependent • MS Kerberos implementation allows a 5 minute tolerance • File Replication Services (FRS) synchronizes scripts, database changes/updates, policies based, in part, on time-stamping

  12. Time Server Hierarchies • Child PDC emulators can sync with any DC in the parent domain • Clients sync with any DC in its own domain • DCs can sync with PDC emulator in its own domain or any DC in parent Source: Microsoft Corporation

  13. Time Synchronization – Virtualization Issues • No CPU cycles needed – none given! • Clock drifts can be significant in a relatively short period • Idle cycles in a virtual machine is an Active Directory domain’s worst enemy • How do you combat time synchronization issues? More than a 28 minute drift!

  14. Time Synchronization–Option A – Using W32Time • Use Windows Time Service – NOT VMware Tools • Define an alternative external time source for “master” time server • Modify registry settings on the PDC emulator for the forest root domain: • HKLM\System\CurrentControlSet\Services\W32Time\Parameters • Change TypeREG_SZ value from NT5DS to NTP • Change NtpServer value from time.windows.com,0x1 to an external stratum 1 time source, i.e. tock.usno.navy.mil,0x1 • HKLM\System\CurrentControlSet\Services\W32Time\Config • Change AnnounceFlags REG_DWORD from 10 to 5 • Stop and restart time service – net stop w32time  net start w32time • Manually force update  w32tm /resync /rediscover

  15. Modify Time Synchronization–Option B – VMware Tools • Modify Windows Time Service – Use VMware Tools • Implement Domain Controllers Group Policy to modify registry: • Enable ESX server NTP daemon to sync with external stratum NTP source • VMware Knowledge Base ID# 1339 • Use VMware Tools time synchronization within the virtual machine NOTE: VMware Tools time sync is designed to play “catch-up”, not slow down!

  16. Time Synchronization – Descheduled Time Accounting • Custom VMware Tools component • Tightly integrated with hypervisor • Use with ESX 3.x VMs only • Currently for uniprocessor Windows and Linux VMs only • Improved accuracy for guest OSes CPU time accounting • Allows quicker “catch-up” of time for guest OS • Launches a VMDesched thread or process within VM’s OS

  17. Time Synching – Descheduled Time Accounting(2) • Perform a Custom installation of VMware Tools in Windows guest OS

  18. Time Synchronization - Summary • Use one method or the other • Do NOT use both!!! • Decisions should be based on current time management infrastructure or organization’s policies

  19. Performance IssuesVirtualization Challenges

  20. Performance for Virtualized Domain Controllers • Virtualized AD domain controllers can run at 85-90% of native system’s performance • Active Directory deployments in most datacenters utilize less than 10% of today’s computing power • Requires significantly less hardware to achieve greater number of virtualized domain controllers • Greater number of domain controllers provides better logon results, less points of failure

  21. Performance – Single Processor

  22. Performance – Dual Processors

  23. Performance - Scaling Processors Up

  24. Performance Summary • Virtualization does not necessarily increase performance • Proper planning of resource allocation is still important • It’s still important to follow Microsoft’s best practices for the strategic placement of FSMO role servers, catalog servers, etc.

  25. Virtualization ChallengesSecurity, Network and Replication

  26. Security - VM Access Control

  27. Network - Connections Use the Maps view to verify network infrastructure Create separate VM port groups connected to individual NICs

  28. Network - Advanced Switch Settings • ESX Server 3.x provides some more sophisticated network settings

  29. Validating Inbound Connections Replication - Using Replication Monitor

  30. Security, Network & Replication Summary • Utilize Virtual Infrastructure 3 access policies • Configure outbound virtual switches for redundancy • Validate/Test for proper replication between virtualized domain controllers

  31. Virtualization ChallengesHigh Availability & Disaster Recovery/Preparedness

  32. High Availability – ESX 3.x/VirtualCenter 2.x • VMware provides solutions for automatically restarting virtual machines • Implement VMware HA as a high availability to ensure virtual machine domain controllers restart in the event an ESX server fails

  33. High Availability – ESX 3.x/VirtualCenter 2.x • Combined with VMware DRS Anti-affinity rules can ensure domain controller VMs are segregated

  34. Disaster Recovery – Best Practices • Perform consistent system state backups • Provided by most major commercial backup software • Follow Microsoft recommendations on FSMO role placement • http://support.microsoft.com/kb/223346 • All Active Directory restorations should be performed using authoritative and non-authoritative methods • Do not recover an Active Directory database from a backup copy of an old virtual disk!

  35. Disaster Recovery - Scenarios Improper Restore of VM Proper Restore of VM Source: Microsoft Corporation

  36. High Availability, Disaster Recovery Summary • Utilize DRS and HA to implement a successful recoverability solution • Always to continue to use Microsoft’s System State data best practices to backup AD database • Default useful life of System State data  60-180 days • Controlled by Tombstone lifetime attribute (depends on OS, SP, etc.) • Microsoft does not support snapshots of DCs  KB888794 • Continue to follow best practices around the placement of key, critical roles

  37. Transitioning from Physical to Virtual

  38. How to you successfully migrate? • Virtual machine considerations • DNS configurations • Best practices

  39. Virtual Machine Considerations • Size the VM’s memory to run entire AD database in cache to avoid disk performance hits

  40. Virtual Machine Considerations • Add, modify, search, delete and update operations will benefit significantly from caching • Slight penalty incurred for write operations – Physical or Virtual • Microsoft’s AD Sizer can help you plan the size • Use Microsoft’s best practices and separate boot, database, log virtual disks on individual SCSI controllers to optimize write performance

  41. Transitioning from Physical to Virtual • Start with a fresh system state backup for recovery • Consider creating a dedicated virtual switch or virtual machine port group to isolate replication traffic • Generally single processor virtual machines are adequate for domain controllers • Validate inbound/outbound connections between physical and virtual machines • Allow 24-48 hours for replication to complete • Change the weight and/or priority of the DNS SRV records for virtual machines • Monitor the logon requests to ensure virtual machines are successfully responding • Decommission physical domain controllers

  42. DNS Modifications – Transitioning to VMs • Modify the weight and/or priority of the DNS SRV records • Specifically offload the authentication requests from the PDC emulator when possible • DNS weight is the proportional distribution of requests among DNS servers • DNS priority is the likelihood a server will receive a request • PDC emulators should have one or both adjusted accordingly by adding: • Physical domain controllers should be adjusted similarly to decrease dependencies on PDC emulator • HKLM\System\CurrentControlSet\Services\Netlogon\Parameters • LdapSrvWeight DWORD decimal value of 25 or 50 • HKLM\System\CurrentControlSet\Services\Netlogon\Parameters • LdapSrvPriority DWORD decimal value to 100 or 200

  43. Can also be changed within DNS manager Registry changes do not require a reboot DNS Modifications

  44. Best Practices • Avoid snapshots or REDOs for domain controller virtual machines • Do not suspend domain controller virtual machines for long periods • Consistent and regular system state backups still very important • Avoid physical to virtual DC conversions

  45. Virtualizing Active Directory can be done!!! • System State backups regularly • Time Synchronization • High Availability/Disaster Recovery Plan • Monitor Replication Traffic • Modify DNS SRV records to redirect logon authentications to VMs • Go back and constantly re-evaluate your strategy!!!

  46. Additional Information • VMware Time Sync and Windows Time Service • VMware Knowledge Base ID# 1318 • Installing and Configuring NTP on VMware ESX Server • VMware Knowledge Base ID# 1339 • VMware Descheduled Time Accounting • http://www.vmware.com/pdf/vi3_esx_vmdesched.pdf • How to detect and recover from a USN rollback in Windows Server 2003 • http://support.microsoft.com/kb/875495 • How to detect and recover from a USN rollback in Windows 2000 Server • http://support.microsoft.com/kb/885875

  47. Additional Information (2) • Active Directory Performance for 64-bit Versions of Windows Server 2003 • http://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=en • Microsoft’s Active Directory Sizer for Windows 2000 • http://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exe • Active Directory Performance Testing Tool (ADTest.exe) • http://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=en • Support policy for Microsoft software running in non-Microsoft hardware virtualization software • http://support.microsoft.com/kb/897615 • How to configure an authoritative time server in Windows Server 2003 • http://support.microsoft.com/kb/816042

  48. Thank you!!

More Related