Virtualizing Domain Controllers

Q: I've heard that some organizations won't virtualize domain controllers even with the new hypervisors, why?

A: I don't think there's an absolute answer to this question. Here are some factors, however. Typically domain controllers (DCs) are considered one of the most secure services and need to have the highest level of security applied to them. There can also be problems when virtualizing DCs: if snapshots are taken and then applied, it causes DCs huge problems, both with reuse of Security IDs (SIDs) and with replication.

It should be noted that Windows Server 2012 Hyper-V and Windows Server 2012 DCs have protection from snapshots through the new VM-GenerationID capability, which allows DCs to detect if something "messes" with the virtual machine's (VM's) view of time, such as applying a snapshot.

Aside from technical issues, I do think security is the biggest factor. Consider the average virtualization administrator. Typically they are trained in security to the same level as an average member server administrator, from an operational perspective, and aren't trained to the levels of security expected for DCs.

This means if the hypervisor isn't secured to the necessary levels, then the virtualized DC is also not as secure as desired. For DCs to be virtualized, it's necessary for the hypervisors to be locked down to the required levels, for example by use of BitLocker.
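The two concerns above, snapshot detection via VM-GenerationID and locking down the hypervisor, can both be verified from the defender's side. The following PowerShell is an added example, not code from the original column; it assumes Windows Server 2012 or later with the ActiveDirectory, Hyper-V and BitLocker modules available, administrative rights, and placeholder computer and VM names. The Directory Service event IDs used (2170 for a detected Generation ID change, 2095 for USN rollback) are real documented events but are not mentioned on the page.

```powershell
# Added example: defender-side checks for virtualized DCs (not from the original column).
# Assumes the ActiveDirectory, Hyper-V and BitLocker modules and admin rights.
# Computer/VM names below are placeholders.

function Get-DcVmGenerationId {
    # Reads msDS-GenerationId from this DC's own computer object. A non-empty
    # value means the DC has recorded a hypervisor-supplied VM Generation ID,
    # i.e. the snapshot-detection mechanism described above is active.
    param([string]$DcName = $env:COMPUTERNAME)
    $dc = Get-ADComputer -Identity $DcName -Properties 'msDS-GenerationId'
    [PSCustomObject]@{
        DomainController = $DcName
        GenerationIdSet  = [bool]$dc.'msDS-GenerationId'
    }
}

function Find-DcSnapshotEvents {
    # Looks in the Directory Service log for evidence that the VM's view of
    # time was "messed with": 2170 = Generation ID change detected (a snapshot
    # was applied), 2095 = USN rollback detected (the classic pre-2012 failure
    # the column describes, where SIDs/RIDs get reused and replication breaks).
    param([string]$DcName = $env:COMPUTERNAME, [int]$Days = 30)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2170, 2095
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $DcName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

function Test-HyperVHostForDc {
    # Run on the Hyper-V host. Checks the lock-down items the column calls for:
    # every host volume is BitLocker-protected (an attacker with the host disk
    # otherwise has the DC's NTDS.dit), and the DC VM carries no checkpoints
    # that someone could re-apply. $DcVmName is a placeholder.
    param([string]$DcVmName = 'DC01')
    $unprotected = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' }
    $checkpoints = @(Get-VMSnapshot -VMName $DcVmName -ErrorAction SilentlyContinue)
    [PSCustomObject]@{
        HostName           = $env:COMPUTERNAME
        UnprotectedVolumes = ($unprotected | ForEach-Object MountPoint) -join ', '
        DcCheckpointCount  = $checkpoints.Count
        ReadyForDcWorkload = (-not $unprotected) -and ($checkpoints.Count -eq 0)
    }
}

# Usage on a DC:
#   Get-DcVmGenerationId
#   Find-DcSnapshotEvents -Days 90
# Usage on the Hyper-V host:
#   Test-HyperVHostForDc -DcVmName 'DC01'
```

A DC whose `GenerationIdSet` is false is either not virtualized or is running on a hypervisor that does not expose VM-GenerationID, so it has none of the snapshot protection the column describes and the older USN-rollback risk applies in full. On the host side, any unprotected volume or lingering checkpoint on a DC VM is a finding to remediate before that host is trusted with a DC.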
