Putting a backup AD domain controller as a VM on a workstation

domain-controller, hyper-v, windows-server-2016

As a small shop (~10 PCs), we have only one physical server machine. This physical server machine runs the following two virtual machines:

  • one AD domain controller and
  • one "production server" (file server, database server, etc.).

Now, all best practice guides out there tell me that having a second AD domain controller (a "backup DC") is highly recommended.

Putting it on the same physical machine as the primary DC seems pretty pointless, so I thought of putting it as a VM on one of the stronger workstations which usually runs 24-7 anyways. Since it's just a backup DC, I'd give it very little CPU/RAM resources, so it should not affect the user too much.

Does this sound like a good plan or are there any pitfalls that I should be aware of?

Best Answer

I believe the general consensus is "no", especially when you plan to host the second DC as a VM with a workstation host.

The reasons you use two DCs are that one going down will not bring your network to its knees, and, in larger environments, to provide more resources for performing the tasks of the DC.

If you place one of the DCs as a VM in a dedicated hypervisor in your server closet with static IPs all around you will not substantially harm the fault-tolerance of the system. And Windows Server 2016 in particular addresses many of the issues with DCs in a virtual environment such as authoritative records, backups and restores, and the like.

But, if you place the DC as a VM on a workstation the DC VM is dependent on the connectivity of the host computer, which negates most of the benefits of redundancy.

If the primary physical DC goes down, your workstation host loses its connectivity, and therefore the backup DC does too: Worthless.

The only redundancy you'd be gaining is if the VM DC goes down, in which case the physical DC would keep running and providing the network's needs.

In other words: There is no benefit.

UPDATE: An Option

With licensing being what it is, you could for the price of a bit of hardware and a single Standard license of Windows Server, stand up a Hypervisor (might I suggest Nano?) and run 2 VM servers on it. Run one as your second DC, and the other as a standard service-providing server.

This solves most of the problems for a little amount of cash, I think.

  • You get two DCs running on discrete hardware
  • You only consume one license of Server (which I assume you have considering you were planning to install it as a VM on a workstation)
  • You're doing all this on server-class hardware (which really is better at helping you sleep at night)
  • You have an available virtual server which can be used to upgrade/migrate/expand/make people happy/etc.

The assumption is that the hypervisor and the VMs running on it are all going to be static IP systems, so network interruptions are less likely to affect them.

Server-class hypervisor software will also be less likely to need reboots after patching (hence my Nano recommendation), meaning the hypervisor won't be needing reboots as often as a common desktop.

It's just a better all-around solution and for not a whole lot more moneys.
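The answer's argument comes down to three checkable facts about each DC: it runs on hardware the other DC does not share, it has a static address, and replication between the two is healthy. The PowerShell below is an added audit script, not code from the question or the answer. It assumes the ActiveDirectory module (RSAT) is installed where it runs, that WinRM remoting to the DCs is allowed, and that the DCs are Server 2012 or later; the registry key it reads is the Hyper-V KVP guest-parameters key, so the physical host name is only recovered for Hyper-V guests (a physical DC reports itself as its own host).

```powershell
# Added example: audit where each domain controller actually lives and
# whether the placement still delivers redundancy.
# Assumptions: ActiveDirectory module present, WinRM allowed to the DCs,
# DCs are Windows Server 2012+. The 'Virtual Machine\Guest\Parameters'
# key is populated by Hyper-V integration services only.
Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Gather placement facts from inside the DC itself.
    $facts = Invoke-Command -ComputerName $dc.HostName -ErrorAction SilentlyContinue -ScriptBlock {
        $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
        $kvp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters' -ErrorAction SilentlyContinue
        # Any connected IPv4 interface still on DHCP is a red flag for a DC.
        $dhcp = Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled |
                Where-Object ConnectionState -eq 'Connected'
        [pscustomobject]@{
            Model        = $cs.Model
            # A Hyper-V guest knows its physical host; a physical DC is its own host.
            PhysicalHost = if ($kvp) { $kvp.PhysicalHostName } else { $env:COMPUTERNAME }
            DhcpIfaces   = @($dhcp).Count
        }
    }

    # Unresolved inbound replication failures as seen by this DC.
    $replFailures = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        DC           = $dc.HostName
        IPv4         = $dc.IPv4Address
        Reachable    = [bool]$facts
        Model        = $facts.Model
        PhysicalHost = $facts.PhysicalHost
        DhcpIfaces   = $facts.DhcpIfaces
        ReplFailures = $replFailures
    }
}

$report | Format-Table -AutoSize

# Findings that undercut the redundancy a second DC is supposed to buy.
if (@($report).Count -lt 2) {
    Write-Warning 'Only one domain controller found; there is no redundancy at all.'
}
$report | Where-Object Reachable | Group-Object PhysicalHost | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("DCs {0} share physical host {1}" -f ($_.Group.DC -join ', '), $_.Name)
}
$report | Where-Object { $_.Reachable -and $_.DhcpIfaces -gt 0 } | ForEach-Object {
    Write-Warning ("{0} has {1} connected IPv4 interface(s) on DHCP" -f $_.DC, $_.DhcpIfaces)
}
$report | Where-Object ReplFailures -gt 0 | ForEach-Object {
    Write-Warning ("{0} reports {1} replication failure(s)" -f $_.DC, $_.ReplFailures)
}
```

Run it from a domain-joined machine with Domain Admin rights. A clean result is two or more DCs, each reachable, each reporting a different PhysicalHost, zero DHCP interfaces and zero replication failures; a DC whose PhysicalHost turns out to be a workstation name is exactly the setup the answer argues against, since that DC is only as available as the desktop hosting it.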
