AP05 Running Windows Active Directory in Virtual Infrastructure 3
Chris Skinner
Technical Instructor Education Services
VMware, Inc.
Housekeeping
Please turn off your mobile phones, blackberries and laptops
Your feedback is valued: please fill in the session evaluation form (specific to that session) & hand it to the room monitor / the materials pickup area at registration
Each delegate to return their completed event evaluation form to the materials pickup area will be eligible for a free evaluation copy of VMware’s ESX 3i
Please leave the room between sessions, even if your next session is in the same room as you will need to be rescanned
Objectives and Goals
You can virtualize Active Directory successfully
It’s not difficult, mystical or magical
Many companies have successfully deployed AD through virtualization
Agenda
Why should we virtualize Active Directory?
What are the challenges with virtualizing AD?
How does a company successfully migrate?
Why Virtualize?
Why Virtualize Active Directory?
Hardware Consolidation
Combine multiple, single use boxes
Standardization – eliminating imaging issues
Reduce product activation issues
Leverage VI 3 Features – HA & DRS
Why Virtualize Active Directory?
Testing and Development
Policy testing
Schema changes
Migration/upgrade testing
Domain reconfigurations
Deployment scenarios
Disaster recovery solutions
Why Virtualize Active Directory?
Security Controls
Limiting physical access
Additional administrative controls
Separate applications from domain controllers
Challenges to Virtualizing Active Directory
Time synchronization
Performance
Replicating Active Directory changes
High availability of domain controllers
Disaster recovery
Virtualization Challenges – Time Synchronization
Time Synchronization – Why is it so important?
Active Directory operations are critically time dependent
MS Kerberos implementation allows a 5 minute tolerance
File Replication Service (FRS) synchronizes scripts, database changes/updates and policies based, in part, on time-stamps
Time Server Hierarchies
Child PDC emulators can sync with any DC in the parent domain
Clients sync with any DC in their own domain
DCs can sync with the PDC emulator in their own domain or any DC in the parent
Source: Microsoft Corporation
Time Synchronization – Virtualization Issues
No CPU cycles needed – none given!
Clock drifts can be significant in a relatively short period
Idle cycles in a virtual machine are an Active Directory domain’s worst enemy
How do you combat time synchronization issues?
More than a 28 minute drift!
Time Synchronization – Option A – Using W32Time
Use Windows Time Service – NOT VMware Tools
Define an alternative external time source for “master” time server
1. Modify registry settings on the PDC emulator for the forest root domain:
HKLM\System\CurrentControlSet\Services\W32Time\Parameters
  Change the Type REG_SZ value from NT5DS to NTP
  Change the NtpServer value from time.windows.com,0x1 to an external stratum 1 time source, e.g. tock.usno.navy.mil,0x1
HKLM\System\CurrentControlSet\Services\W32Time\Config
  Change AnnounceFlags REG_DWORD from 10 to 5
2. Stop and restart the time service – net stop w32time, then net start w32time
3. Manually force update w32tm /resync /rediscover
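The three Option A steps above as one PowerShell sequence, with a drift check added at the end; this is an added example, not part of the original slides. It assumes an elevated shell on the forest-root PDC emulator and uses the slide's tock.usno.navy.mil as the external source; the warning thresholds are assumptions chosen to stay well inside the 5-minute Kerberos tolerance.

```powershell
# Added example (not from the slides): apply Option A on the forest-root PDC emulator and
# verify the resulting offset. Run from an elevated shell on the PDC emulator. The external
# source is the slide's suggestion; replace it with the stratum-1 source your policy allows.
$NtpSource = 'tock.usno.navy.mil,0x1'      # ,0x1 = SpecialInterval flag, as on the slide
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

# Step 1: the slide's registry changes (Type NT5DS -> NTP, external NtpServer, AnnounceFlags 10 -> 5)
Set-ItemProperty -Path $Params -Name Type          -Value 'NTP'      -Type String
Set-ItemProperty -Path $Params -Name NtpServer     -Value $NtpSource -Type String
Set-ItemProperty -Path $Config -Name AnnounceFlags -Value 5          -Type DWord

# Step 2: stop/start the time service so it reads the new configuration
Restart-Service w32time

# Step 3: force an immediate resync and rediscovery of the source
w32tm /resync /rediscover

# Check: sample the offset against the external source. /dataonly lines look like
# "12:00:00, +00.0012345s"; header lines carry no offset and are skipped.
# Thresholds are assumptions: warn well before the 5-minute Kerberos tolerance.
$peer = $NtpSource.Split(',')[0]
$samples = w32tm /stripchart "/computer:$peer" /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
}
if (-not $offsets) {
    "No offset samples returned; check UDP 123 egress from the PDC emulator to $peer"
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt 60)    { "WARNING: offset {0:N3}s, clients will soon see Kerberos clock-skew errors" -f $worst }
    elseif ($worst -gt 1) { "Drift of {0:N3}s still converging; re-check in a few minutes" -f $worst }
    else                  { "In sync: worst offset {0:N3}s" -f $worst }
}
```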
Time Synchronization – Option B – VMware Tools
Modify Windows Time Service – use VMware Tools
Implement a Domain Controllers Group Policy to modify the registry:
Enable the ESX server NTP daemon to sync with an external stratum NTP source
VMware Knowledge Base ID# 1339
Use VMware Tools time synchronization within the virtual machine
NOTE: VMware Tools time sync is designed to play “catch-up”, not slow down!
Time Synchronization – Descheduled Time Accounting
Custom VMware Tools component
Tightly integrated with hypervisor
Use with ESX 3.x VMs only
Currently for uniprocessor Windows and Linux VMs only
Improved accuracy of the guest OS’s CPU time accounting
Allows quicker “catch-up” of time for guest OS
Launches a VMDesched thread or process within VM’s OS
Time Synchronization – Descheduled Time Accounting (2)
Perform a Custom installation of VMware Tools in Windows guest OS
Time Synchronization - Summary
Use one method or the other
Do NOT use both!!!
Decisions should be based on current time management infrastructure or organization’s policies
Virtualization Challenges – Performance Issues
Performance for Virtualized Domain Controllers
Virtualized AD domain controllers can run at 85-90% of native system’s performance
Active Directory deployments in most datacenters utilize less than 10% of today’s computing power
Requires significantly less hardware to achieve a greater number of virtualized domain controllers
A greater number of domain controllers provides better logon results and fewer points of failure
Performance – Single Processor
[Chart: Operations/Second (0–6000) for Add Users, Search AD, Modify Users, User Logons, GPO Search; series: Physical, Virtual]
Performance – Dual Processors
[Chart: Operations/Second (0–12,000) for Add Users, Search AD, Modify Users, User Logons, GPO Search; series: Physical, Virtual]
Performance – Scaling Processors Up
[Chart: Scaling Factor (0.0–2.0) for Add Users, Search AD, Modify Users, User Logons, GPO Search; series: Physical, Virtual]
Performance Summary
Virtualization does not necessarily increase performance
Proper planning of resource allocation is still important
It’s still important to follow Microsoft’s best practices for the strategic placement of FSMO role servers, catalog servers, etc.
Virtualization Challenges – Security, Network and Replication
Security - VM Access Control
Network - Connections
Use the Maps view to verify network infrastructure
Create separate VM port groups connected to individual NICs
Network - Advanced Switch Settings
ESX Server 3.x provides some more sophisticated network settings
Replication – Using Replication Monitor: Validating Inbound Connections
Security, Network & Replication Summary
Utilize Virtual Infrastructure 3 access policies
Configure outbound virtual switches for redundancy
Validate/Test for proper replication between virtualized domain controllers
Virtualization Challenges – High Availability & Disaster Recovery/Preparedness
High Availability – ESX 3.x/VirtualCenter 2.x
VMware provides solutions for automatically restarting virtual machines
Implement VMware HA as a high availability solution to ensure virtual machine domain controllers restart in the event an ESX server fails
High Availability – ESX 3.x/VirtualCenter 2.x
Combined with VMware DRS, anti-affinity rules can ensure domain controller VMs are kept on separate hosts
Disaster Recovery – Best Practices
Perform consistent system state backups
Provided by most major commercial backup software
Follow Microsoft recommendations on FSMO role placement
http://support.microsoft.com/kb/223346
All Active Directory restorations should be performed using authoritative and non-authoritative methods
Do not recover an Active Directory database from a backup copy of an old virtual disk!
Disaster Recovery – Scenarios: Improper Restore of VM / Proper Restore of VM
Source: Microsoft Corporation
High Availability, Disaster Recovery Summary
Utilize DRS and HA to implement a successful recoverability solution
Always continue to use Microsoft’s System State data best practices to back up the AD database
Default useful life of System State data: 60-180 days
Controlled by the tombstone lifetime attribute (depends on OS, SP, etc.)
Microsoft does not support snapshots of DCs – KB 888794
Continue to follow best practices around the placement of key, critical roles
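A check that ties the replication-validation and improper-restore points together: run on a domain controller, it lists inbound replication links with failures and looks for the USN rollback indicators documented in KB 875495, which is what restoring an old virtual disk or snapshot produces. This is an added example, not from the slides; it assumes an elevated shell and that repadmin is available (Support Tools on Windows Server 2003, built in on later versions).

```powershell
# Added example (not from the slides): inbound replication health plus the USN rollback
# indicators Microsoft documents in KB 875495. Assumes repadmin is present and the shell
# is elevated on the DC being checked.
$failureThreshold = 0   # assumption: any inbound failure is worth a look

# Inbound replication partners as CSV so the rows can be filtered
$links = repadmin /showrepl /csv | ConvertFrom-Csv
$bad = $links | Where-Object { [int]$_.'Number of Failures' -gt $failureThreshold }
if ($bad) {
    "Inbound replication failures on ${env:COMPUTERNAME}:"
    $bad | Select-Object 'Naming Context', 'Source DSA', 'Number of Failures',
                         'Last Failure Status', 'Last Success Time' | Format-Table -AutoSize
} else {
    "All inbound replication links report zero failures."
}

# USN rollback indicators from KB 875495: NTDS events 2095 / 2103 in the Directory Service log,
# and the 'DSA Not Writable' value set to 4, which stops the DC from advertising itself
$rollbackEvents = Get-EventLog -LogName 'Directory Service' -Newest 500 |
    Where-Object { (2095, 2103) -contains $_.EventID }
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dsaNotWritable = (Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue).'DSA Not Writable'

if ($rollbackEvents -or $dsaNotWritable -eq 4) {
    "WARNING: USN rollback indicators found. Do not 'fix' this by restoring an older virtual disk;"
    "follow KB 875495 (remove and re-promote the DC, or restore a supported System State backup)."
    $rollbackEvents | Select-Object TimeGenerated, EventID, Source | Format-Table -AutoSize
} else {
    "No USN rollback indicators found."
}
```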
Transitioning from Physical to Virtual
How do you successfully migrate?
Virtual machine considerations
DNS configurations
Best practices
Virtual Machine Considerations
Size the VM’s memory to run entire AD database in cache to avoid disk performance hits
Windows 2003 Server
Value              | 32-bit                        | 64-bit
RAM cache          | 2.75 GB (using /3GB switch)   | 16 GB
Approx. # of users | 100,000                       | 2.5 million
Virtual Machine Considerations
Add, modify, search, delete and update operations will benefit significantly from caching
Slight penalty incurred for write operations – Physical or Virtual
Microsoft’s AD Sizer can help you plan the size
Use Microsoft’s best practices and separate boot, database, log virtual disks on individual SCSI controllers to optimize write performance
Transitioning from Physical to Virtual
Start with a fresh system state backup for recovery
Consider creating a dedicated virtual switch or virtual machine port group to isolate replication traffic
Generally single processor virtual machines are adequate for domain controllers
Validate inbound/outbound connections between physical and virtual machines
Allow 24-48 hours for replication to complete
Change the weight and/or priority of the DNS SRV records for virtual machines
Monitor the logon requests to ensure virtual machines are successfully responding
Decommission physical domain controllers
DNS Modifications – Transitioning to VMs
Modify the weight and/or priority of the DNS SRV records
Specifically, offload the authentication requests from the PDC emulator when possible
DNS weight is the proportional distribution of requests among DNS servers
DNS priority is the likelihood a server will receive a request
PDC emulators should have one or both adjusted accordingly by adding:
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvWeight – DWORD, decimal value of 25 or 50
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\LdapSrvPriority – DWORD, decimal value of 100 or 200
Physical domain controllers should be adjusted similarly to decrease dependencies on the PDC emulator
DNS Modifications
Can also be changed within DNS manager
Registry changes do not require a reboot
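The SRV weight/priority change above, applied and then verified from DNS, as an added example that is not part of the original slides. It assumes an elevated shell on the DC being de-emphasized (e.g. the PDC emulator), uses the slide's values 25 and 200, and assumes nltest is available (Support Tools on Windows Server 2003, built in later) and the usual nslookup SRV output layout.

```powershell
# Added example (not from the slides): reduce this DC's share of LDAP/logon referrals by
# setting the Netlogon SRV weight and priority from the slide, re-register, then verify.
$Weight   = 25    # slide value: lower weight = smaller share among DCs of equal priority
$Priority = 200   # slide value: higher number = less preferred; clients try lower numbers first
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Registry change: takes effect without a reboot, as the slide notes
Set-ItemProperty -Path $Netlogon -Name LdapSrvWeight   -Value $Weight   -Type DWord
Set-ItemProperty -Path $Netlogon -Name LdapSrvPriority -Value $Priority -Type DWord

# Ask Netlogon to re-register this DC's SRV records now instead of waiting for its next cycle
nltest /dsregdns

# Verification: read the _ldap._tcp.dc._msdcs SRV records for the domain and show how every
# DC is now advertised. Assumes nslookup prints, per record, lines of the form
#   priority = 200 / weight = 25 / port = 389 / svr hostname = dc1.example.com
$domain  = (Get-WmiObject Win32_ComputerSystem).Domain
$srv     = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null
$records = @()
$current = @{}
foreach ($line in $srv) {
    if     ($line -match 'priority\s*=\s*(\d+)')     { $current = @{ Priority = [int]$matches[1] } }
    elseif ($line -match 'weight\s*=\s*(\d+)')       { $current.Weight = [int]$matches[1] }
    elseif ($line -match 'svr hostname\s*=\s*(\S+)') {
        $current.Host = $matches[1]
        $records += New-Object PSObject -Property $current
    }
}
# The de-emphasized DC should now show the highest priority number and lowest weight
$records | Sort-Object Priority, Host | Format-Table Host, Priority, Weight -AutoSize
```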
Best Practices
Avoid snapshots or REDOs for domain controller virtual machines
Do not suspend domain controller virtual machines for long periods
Consistent and regular system state backups are still very important
Avoid physical to virtual DC conversions
Virtualizing Active Directory can be done!!!
Perform System State backups regularly
Time Synchronization
High Availability/Disaster Recovery Plan
Monitor Replication Traffic
Modify DNS SRV records to redirect logon authentications to VMs
Go back and constantly re-evaluate your strategy!!!
Additional Information
VMware Time Sync and Windows Time Service
VMware Knowledge Base ID# 1318
Installing and Configuring NTP on VMware ESX Server
VMware Knowledge Base ID# 1339
VMware Descheduled Time Accounting
http://www.vmware.com/pdf/vi3_esx_vmdesched.pdf
How to detect and recover from a USN rollback in Windows Server 2003
http://support.microsoft.com/kb/875495
How to detect and recover from a USN rollback in Windows 2000 Server
http://support.microsoft.com/kb/885875
Additional Information (2)
Active Directory Performance for 64-bit Versions of Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyID=52E7C3BD-570A-475C-96E0-316DC821E3E7&displaylang=en
Microsoft’s Active Directory Sizer for Windows 2000
http://download.microsoft.com/download/win2000platform/ASsizer/1.0/NT5/EN-US/setup.exe
Active Directory Performance Testing Tool (ADTest.exe)
http://www.microsoft.com/downloads/details.aspx?familyid=4814FE3F-92CE-4871-B8A4-99F98B3F4338&displaylang=en
Support policy for Microsoft software running in non-Microsoft hardware virtualization software
http://support.microsoft.com/kb/897615
How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042
Thank you!!