Posey's Tips & Tricks
Hyper-V: Revisiting the Chicken and the Egg Paradox
It's not 2008 anymore; go ahead and virtualize all of your domain controllers.
Humans are very often creatures of habit, and that simple fact does not always mesh so well with the ever-changing world of IT. Very often we get used to doing things in a certain way, and continue the practice without really stopping to think about whether or not the practice is still the best approach.
For example, I grew up using DOS back in the '80s, and to this day I catch myself using DOS commands in PowerShell (although most of those commands still work, by the way).
Microsoft's Hyper-V hasn't been around for nearly as long as those old DOS commands, and yet it too has evolved considerably in its short life. Hence, it may be prudent to occasionally rethink the way that we administrators do things in a Hyper-V environment.
One example that comes to mind immediately is something that I have long referred to as "the chicken and the egg paradox." If you were to go back about 10 years and read some of the very first pieces that I ever wrote about Hyper-V, you would find that one of my primary recommendations was to keep at least one domain controller (preferably two) running on physical hardware.
The idea at the time was that if your Hyper-V servers are domain-joined and all of your domain controllers are virtualized, then there may be certain circumstances in which you could find yourself completely locked out of your domain. If, for example, your Hyper-V server has problems and your VMs aren't running, then you might not be able to log in to Hyper-V to fix the problem due to the absence of functional domain controllers.
But is this fear still justified?
As I said earlier, a lot has changed since 2008. The chicken and the egg paradox is no longer a serious concern, and I am going to go on record right now and say that it is OK to virtualize all of your domain controllers, as long as you do it in a smart way.
This, of course, raises two questions. First, why do we no longer have to worry about the chicken and the egg paradox? Second, what does it mean to be smart about virtualizing domain controllers?
I'll start by talking about why the chicken and the egg paradox is no longer of any significant concern. Ten years ago, in 2008, Hyper-V was brand-new. It was largely an unproven technology, and also lacked many of the features that we take for granted today (Hyper-V didn't really begin to mature until Windows Server 2012). Back then, it would have been at least somewhat risky to virtualize all of your domain controllers, because Hyper-V was not as reliable as it is today.
Another reason why it is now safe to virtualize your domain controllers is that the odds of getting locked out are practically nil. Let's pretend for a moment that a nightmare scenario happens in which all of your virtual domain controllers fail at the same time, and your Hyper-V hosts are domain-joined. This should never happen, but let's pretend that it did. You would still be able to log in to fix the problem by using either cached credentials or a local user account.
So what about the second question? What does it mean to be smart about virtualizing your domain controllers? The basic idea here is that you have domain controllers for a reason, and while it is OK to virtualize your domain controllers, it is important to do so in a way that will prevent those domain controllers from suffering a catastrophe.
All this is to say that you should adhere to best practices and make sure that you maintain current backups of domain controllers. Furthermore, try not to host all of your domain controllers on a single Hyper-V host. Remember, having multiple domain controllers is often done for the sake of resiliency rather than capacity, and you effectively undermine that resiliency if the domain controllers all reside on the same virtualization host.
The exception to that is, of course, that highly available domain controllers can fail over to a different host in the event of a problem. You don't necessarily have to make all of your domain controllers highly available (although there is nothing wrong with doing so), but at the very least, you should make domain controllers holding FSMO roles highly available.
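The two checks above (no single host carrying every domain controller, and every FSMO role holder highly available) can be audited in a few lines. The following script is an added example, not code from the original column; it assumes the RSAT ActiveDirectory and Hyper-V PowerShell modules, WinRM access to each domain controller, and Hyper-V administrator rights on the hosts.

```powershell
# Added example (not from the original article): reports which Hyper-V host each
# domain controller runs on and whether the FSMO role holders are clustered.
# Assumes: ActiveDirectory and Hyper-V modules, WinRM to each DC, Hyper-V admin rights.
Import-Module ActiveDirectory
Import-Module Hyper-V

# The five FSMO roles: two forest-wide (Get-ADForest), three per domain (Get-ADDomain).
$forest = Get-ADForest
$domain = Get-ADDomain
$fsmoHolders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                 $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster) |
               ForEach-Object { ($_ -split '\.')[0].ToUpper() } | Sort-Object -Unique

$placement = foreach ($dc in Get-ADDomainController -Filter *) {
    # A Hyper-V guest learns its host and VM name through the KVP exchange registry key.
    $kvp = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters' -ErrorAction SilentlyContinue
    }
    $holdsFsmo = $fsmoHolders -contains $dc.Name.ToUpper()
    if (-not $kvp) {
        # Key absent: the DC is physical (or not a Hyper-V guest), so there is nothing to fail over.
        [pscustomobject]@{ DC = $dc.Name; Host = 'PHYSICAL/UNKNOWN'; VMName = $null; IsClustered = $true; HoldsFSMO = $holdsFsmo }
    } else {
        $vm = Get-VM -ComputerName $kvp.PhysicalHostName -Name $kvp.VirtualMachineName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC          = $dc.Name
            Host        = $kvp.PhysicalHostName
            VMName      = $kvp.VirtualMachineName
            IsClustered = [bool]$vm.IsClustered   # $true only for a VM in a failover cluster
            HoldsFSMO   = $holdsFsmo
        }
    }
}

$placement | Format-Table -AutoSize

# Finding 1: every DC on one host undermines the resiliency the extra DCs were meant to provide.
$hosts = @($placement.Host | Sort-Object -Unique)
if ($hosts.Count -eq 1) {
    Write-Warning "All $(@($placement).Count) domain controllers run on host $($hosts[0])."
}

# Finding 2: an FSMO role holder that is not clustered cannot fail over if its host dies.
$placement | Where-Object { $_.HoldsFSMO -and -not $_.IsClustered } | ForEach-Object {
    Write-Warning "FSMO role holder $($_.DC) (VM '$($_.VMName)' on $($_.Host)) is not highly available."
}
```

The table lists every domain controller with its host, VM name and cluster status; the two warnings fire only when the placement violates one of the column's two rules.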
The bottom line is: It's OK to virtualize your domain controllers. Just be smart about it.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.