We had to migrate two root domain controllers the other day at work. I knew that domain controllers in particular can give you trouble when being converted or migrated, so I researched it a bit and found a useful article on yellow-bricks.com which linked to a very good VMware KB article. The KB recommends that instead of migrating, you deploy a fresh VM, run 'dcpromo' on it, and then shut down the physical server afterwards. I like this approach because it moves the responsibility away from the VMware team and over to the person responsible for the application.
However, we did not have enough time for the recommended solution, so we went for P2V. We did a cold clone, because a hot migration is likely to go wrong and is not supported by Microsoft.
There were FSMO roles on the DCs, so before we began we had the AD guy move all the roles over to one of the servers. Then we took the other one down and P2V'ed it. We resized the disks to save SAN space, which was not a problem. When it came back up, the AD guy tested it and then moved the FSMO roles over to the migrated DC. Then we migrated the other one. After both had been migrated, the AD guy tested again.
If your area of responsibility does not cover the application layer, which it did not for me in this case, then arrange for the person responsible for the application to test it before it is released into production. It may sound banal, but it is sometimes overlooked when the pace is fast and only basic OS testing is done.
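The procedure above (move the FSMO roles off the DC, cold clone it, test, move the roles back) can be checked from an elevated PowerShell prompt on the migrated DC. The script below is an added example and is not from the original post; the server names DC01/DC02 are placeholders, and it assumes the ActiveDirectory module (RSAT) is available for the cmdlet-based steps.

```powershell
# Added example (not from the original post): post-P2V health check for a
# migrated domain controller. Placeholders: DC01 is the DC that was just
# P2V'ed, DC02 is the DC that kept the FSMO roles during the clone.
param(
    [string]$MigratedDc = "DC01",   # placeholder
    [string]$OtherDc    = "DC02"    # placeholder
)

Import-Module ActiveDirectory

# 1. Confirm which DC currently holds each FSMO role. The roles were moved
#    away from $MigratedDc before the cold clone, so expect $OtherDc here.
netdom query fsmo

# 2. Replication health: every partner should report 0 failures, and the
#    migrated DC must replicate both inbound and outbound.
repadmin /replsummary
repadmin /showrepl $MigratedDc

# 3. Core DC checks against the migrated server: it advertises as a DC,
#    its services run, SYSVOL is shared, replication works and all FSMO
#    holders are reachable.
dcdiag /s:$MigratedDc /test:Advertising /test:Services /test:Replications /test:FsmoCheck /test:SysVolCheck

# 4. Only after steps 1-3 are clean: move the roles back onto the migrated
#    DC, as the post did after the AD test. The cmdlet prompts for
#    confirmation per role; drop SchemaMaster/DomainNamingMaster if the
#    server is not a forest root DC.
$roles = "PDCEmulator", "RIDMaster", "InfrastructureMaster",
         "SchemaMaster", "DomainNamingMaster"
Move-ADDirectoryServerOperationMasterRole -Identity $MigratedDc -OperationMasterRole $roles

# 5. Re-check that the roles landed where expected.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
```

Run steps 1 to 3 first and read the output before letting step 4 move the roles; a DC that fails `/test:Advertising` or `/test:Replications` should not be made PDC emulator, because the other domain members will start trusting it for password changes and time.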
Time synchronization
There are several ways of setting up time synchronization. The important point is that there should be only one source of time for all the DCs. VMware Tools has a feature that synchronizes the VM clock with the ESX host; we did not use it. We let Windows take care of the synchronization. If you have a mixed environment of DCs (bare metal and virtual), you can let a bare-metal DC sync with an external source and then let all the other DCs sync with that bare-metal DC.
We had the PDC emulator sync with a dedicated physical NTP server, and let the second DC sync with the PDC emulator. The ESX servers sync with the same physical NTP server, but there is no synchronization between the VMs and the ESX servers. Read this article for further info on time sync.
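The layout just described (PDC emulator syncs with a physical NTP server, every other DC follows the domain hierarchy, no host/guest sync) maps onto a few `w32tm` commands. The script below is an added example, not configuration from the original post; `ntp01.example.internal` is a placeholder for the NTP server, and the lookup of the PDC emulator assumes the ActiveDirectory module is available.

```powershell
# Added example (not from the original post): configure Windows Time on a
# virtualized DC so that the PDC emulator is the only external time source,
# other DCs follow the domain hierarchy, and VMware Tools time sync is off.
param([string]$NtpServer = "ntp01.example.internal")   # placeholder

Import-Module ActiveDirectory

# Find out whether this DC holds the PDC emulator role.
$pdc   = (Get-ADDomain).PDCEmulator
$local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($local -eq $pdc) {
    # PDC emulator: sync with the physical NTP server and advertise as a
    # reliable time source for the rest of the domain. 0x8 = client mode.
    w32tm /config /manualpeerlist:"$NtpServer,0x8" /syncfromflags:MANUAL /reliable:YES /update
} else {
    # Every other DC: follow the domain hierarchy, which ends at the PDC
    # emulator. Do not also point these at the NTP server (two sources).
    w32tm /config /syncfromflags:DOMHIER /update
}

Restart-Service w32time
w32tm /resync /rediscover

# Disable VMware Tools host/guest time synchronization so that Windows Time
# is the only thing moving the guest clock. The same setting is exposed as
# tools.syncTime in the VM's .vmx file.
$toolbox = Join-Path ${env:ProgramFiles} "VMware\VMware Tools\VMwareToolboxCmd.exe"
if (Test-Path $toolbox) {
    & $toolbox timesync disable
    & $toolbox timesync status
}

# Verify: the source should be the NTP server on the PDC emulator and a DC
# from the domain hierarchy everywhere else; the status shows the offset.
w32tm /query /source
w32tm /query /status
```

Check `w32tm /query /source` on every DC after the change; if the PDC emulator reports "Local CMOS Clock" or a second DC reports the NTP server directly, the domain has either no external source or two of them, which is exactly the situation the section warns against.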
-----Original Message-----
From: VMware Technical Support [mailto:webform@vmware.com]
Sent: 24. februar 2010 11:25
To: (Jakob Fabritius Nørregaard)
Subject: Re: VMware Support Request SR# 1490632591
Hello Jakob,
Forced Unit Access is supported by VMware. A large number of customers have virtualized Domain Controllers, which is evident in the community forums.
Thanks & Best Regards
Derek Collins
Technical Support Engineer
VMware Global Support Services
1-877-486-9273
VMware Technical Support Knowledge Base
http://kb.vmware.com/kb
Hi, I would not recommend changing the disks when cloning a DC. Also, demoting and promoting the server back after the clone takes just under an hour in most large domains. Time synchronization should be done by VMware Tools on the virtualized DCs, with the ESX servers syncing with NTP. The reason is that between syncs on the DC the time can shift due to being virtual, and the DC would give the wrong time to other machines, which in turn could be fatal for authentication.
I wrote some more info and links here http://www.sole.dk/post/virtualizing-your-domain-controllers-without-getting-fired/?p=195
Demoting and promoting is the preferred way. However, this article discusses an alternative - supported - way when, for one reason or the other, the preferred way is not an option.
Time syncing can be done in several ways. One way is to use VMware Tools, another is to sync one DC with an external source and let the rest sync with the first one. But don't do both at the same time.
A few hours ago I virtualized and launched (using VMware) two DCs of one domain, and everything worked fine. I used just a next-next-finish config in the VMware software. I hope this helps someone :)