Physical DC Necessity Post-Windows Server 2012

Tags: active-directory, hyper-v, windows-server-2012, windows-server-2012-r2

Back in the pre-Windows Server 2012 days, the recommendation seemed to be to have at least one physical domain controller sitting alongside your virtualised DCs.

One justification for this was because if your Hyper-V hosts were clustered, then they required a DC to be contactable during boot-up. This makes total sense to me.

However, I would often hear people say it is still important to have a physical DC even if you don't have a clustered setup (say, for example, a simple setup with a single Hyper-V server running a couple of VMs, one of which is a DC). The justification for this seemed to be (and I could never quite be sure) that you would still have a problem in the sense that when the Hyper-V host first boots, there's no DC present on the network. Cached credentials mean you can still log on, but what about all those bits that happen during boot-up that mean having a DC around is beneficial? Is this actually an issue? Are there actually any operations that might run only at boot-up that will cause a problem? Any Group Policies, for example? What I'm basically asking is, does the physical DC argument only really hold water when clustering is involved, or was there (pre-2012) a significant technical case for it without clustering? This article from Altaro (see "The “Chicken-and-Egg” Myth" section) suggests there is no need, but I'm still unsure.

Now to the second (and main) part of my question:

Windows Server 2012 introduced several features targeted at addressing the issues around virtualising domain controllers, including:

  1. VM-Generation ID – This addressed the USN rollback issue that meant snapshotting (or more specifically, rolling back to a snapshot) was unsupported/a really bad idea
  2. Cluster Bootstrapping – This addressed the "chicken and egg" issue surrounding Failover Clustering that I mentioned above. Failover Clustering no longer requires a DC to be present during boot-up.

So my second question is similar to the first, but this time for 2012+. Assuming both the vDC and the host are 2012+ and you take clustering out of the equation, are there any other issues like those mentioned above that mean I should still consider a physical DC? Should I still be considering having a physical DC alongside my single, non-clustered 2012/2012 R2 Hyper-V host that has a single virtualised DC on it? I hear some people suggest putting AD on the Hyper-V host, but I don't like that idea for various reasons (WB cache being disabled for a start).

As a side-note, my question implicitly assumes that it makes sense to have your Hyper-V host joined to the domain to improve manageability. Does this assertion stand up to scrutiny?

UPDATE:

After reading some answers, it occurred to me that I could phrase things slightly differently to get to the heart of what I'm asking:

Even with the improvements in 2012 and later, the fact still remains that without any physical DCs or virtual DCs on another host, the host still boots when there's no DC available. Is this actually an issue? In a sense, I suppose it's the same (or very similar) question if you take virtualisation out of the picture completely. If you start member servers before any DCs regularly, is that a problem?
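One practical way to answer "is the host booting without a DC actually a problem?" is to make the DC VM start first and then check the host's own logs for the symptoms that ordering would produce. The script below is an added example for this thread, not code from the question or any answer; it assumes a non-clustered, domain-joined Hyper-V host with the Hyper-V and ActiveDirectory PowerShell modules, and a single virtualised DC whose VM name is the placeholder DC01.

```powershell
# Added example: run on the Hyper-V host after a reboot. VM name is a placeholder.
$DcVmName = 'DC01'

# 1. Bring the DC VM up first and unattended: start it on every host boot
#    (not only if it was running at shutdown) with no start delay.
Set-VM -Name $DcVmName -AutomaticStartAction Start -AutomaticStartDelay 0

# Give the other auto-starting VMs a head-start delay so the DC is reachable
# before members that depend on it come up (value in seconds, assumption: 120).
Get-VM |
    Where-Object { $_.Name -ne $DcVmName -and $_.AutomaticStartAction -ne 'Nothing' } |
    Set-VM -AutomaticStartDelay 120

# 2. Confirm VM-Generation ID is actually in effect for the DC: a 2012+ DC on a
#    Generation-ID-aware hypervisor records it in msDS-GenerationId on its own
#    computer object. If it is empty, checkpoint rollback is still a USN-rollback risk.
$dc = Get-ADComputer -Identity $DcVmName -Properties 'msDS-GenerationId'
if ($dc.'msDS-GenerationId') {
    "VM-Generation ID tracked for $($dc.Name): rollback protection is active."
} else {
    "msDS-GenerationId is empty for $($dc.Name): do not rely on checkpoints of this DC."
}

# 3. Look at the host's last boot for the two symptoms of 'host booted before the DC':
#    NETLOGON 5719 (no secure channel to a DC) in the System log, and
#    GroupPolicy 1129 (policy processing skipped, no DC connectivity).
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$symptoms = @(
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719; StartTime = $lastBoot
    } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 1129; StartTime = $lastBoot
    } -ErrorAction SilentlyContinue
)

if ($symptoms.Count -eq 0) {
    "No DC-unavailable events since boot at $lastBoot."
} else {
    # These events are expected on a host whose only DC lives on it; what matters is
    # that they stop once the DC VM is up (secure channel retries, policy refresh).
    $symptoms | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -AutoSize
}
```

Events in step 3 recorded only in the first minutes after boot and then absent indicate the host recovered on its own once the DC VM came up; events that keep recurring point at a dependency that a second DC on another host (physical or virtual) would remove.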

Best Answer

I too wouldn't make the Hyper-V host a DC.

As for whether or not you should have a physical DC, my opinion is that with the changes Microsoft has implemented regarding virtualized Domain Controllers in general and DC-less cluster bootstrapping specifically, I don't personally see the need for, nor do I advocate having a physical DC. Maintaining a physical DC seems counterintuitive to the nature of moving your infrastructure to a virtualization platform. Virtualize my entire infrastructure but it all hinges on a single physical DC being available? What's the point in that?

There are ways to limit your "exposure" while still virtualizing your Domain Controllers. One way would be to deploy multiple DCs on different hosts in your cluster and use anti-affinity to keep them separated in the event of a host failure (dependent upon how many hosts are in the cluster).

While Greg's answer includes a link to some MS recommendations, that article is nonetheless two years old and addresses Windows Server 2008 and 2008 R2. I wouldn't consider that article to be the current best practice in relation to Windows Server 2012 and 2012 R2. I can't find an official MS document, but this guy is considered a leading authority on Hyper-V - http://www.aidanfinn.com/?p=13171
