| Author | Messages | |
AD000001390
Posts:0
 | | 02/21/2006 9:08 AM |
| Cheers
Max | | | |
| AD000001390
Posts:0
 | | 02/21/2006 1:11 AM |
| Sorry Guido, I am just trying to follow the logic of it, that's all. If I am in a branch office and there is one physical server and I want it to be capable of being a Domain Controller, as well as other things, why does it make sense to virtualize it, meaning, how does the load of virtualization not equal the load of the physical server being set up as a domain controller and being set up to host the other services you wish to host? I am just trying to figure out the algorithm that would make virtualization more efficient than a physical server, or rather the algorithm that makes you decide that virtual server will perform better than loading up the server with all the applications/functions you need.
Thanks,
Nate
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, February 21, 2006 7:36 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Vertual Active Directory in production enviroment ?
"never heard of virtualizing a production environment for production use"... hmm - it's a rather common thing these days. That doesn't mean you're necessarily going to run all your servers as VMs - some make sense, some don't. And it can also make sense for AD, for example for Branch-Offices, but technically it is possible for any DC.
You might want to check out this whitepaper: "Running Domain Controllers in Virtual Server 2005" http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
The content basically also applies to VMware.
/Guido
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Tuesday, 21 February 2006 13:27
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Vertual Active Directory in production enviroment ?
I may be launching possibly a very nonsensical question, but are you guys using Virtual Machines to host a production Active Directory environment? What are the consequences of that? Does that introduce a greater single point of failure for your infrastructure? How would it not? How is the physical architecture configured? What kind of hardware does that require? I just recently read the article about using a firefox vm to browse the internet, which seems like a sensible idea, I have however, never heard of virtualizing a production environment for production use. Can you answer some/all of the above questions?
Thanks,
Nate
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jensz, Travis
Sent: Tuesday, February 21, 2006 5:30 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Vertual Active Directory in production enviroment ?
Yep, we have 50-odd virtual 2003 SP1 DCs in our production environment, mixture of ESX and GSX spread across 40-odd sites, with roughly 10k users. Generally speaking it seems to be working well, but then again we haven't finished decommissioning all the physical servers yet.
I'd recommend giving the time service config a lot of thought... best to have all VM guests sync'ing with their hosts, and the hosts sync'ing with some reliable source (but not the DCs, since they'll be VM guests). You'll probably still want all the other clients to be able to time sync with the VM DCs so you can't just disable the windows time service altogether, but you can put it into 'server only' mode which will still provide the service to the clients, but it won't try and sync its own clock (leave that to the vmware tools). We have one lingering intermittent problem which we haven't figured out yet... when the GSX host has been rebooted and the GSX guests are starting up again, sometimes they're an hour behind. This obviously causes a few problems for AD.
Another problem is the fact that Microsoft don't officially support it - they offer 'best effort' style support. Personally, I don't really consider it a major problem, because at the end of the day that's all they really offer anyway. Even if you're on a fully supported platform, there's no guarantee they'll be able to fix any problem you throw at them. Been there before...
Cheers,
Travis
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Sem 3
Sent: 21 February 2006 09:08
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Vertual Active Directory in production enviroment ?
Hi Guys
We are considering virtualising our production Active directory infrastructure. About 40 DC's 2003 sp1 spread across 5 sites 60k+ users.
VMware ESX server is the intended platform.
Has anyone any experience doing this? Any stories to share? Gotchas?
I'll feed back any conclusions to the list for info :)
Cheers
Max
This message has been scanned for viruses by
MailControl
This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding
. | | | |
| AD000001390
Posts:0
 | | 02/21/2006 1:27 AM |
| Hi Guys
We are considering virtualising our production Active directory infrastructure. About 40 DC's 2003 sp1 spread across 5 sites 60k+ users.
VMware ESX server is the intended platform.
Has anyone any experience doing this? Any stories to share? Gotchas?
I'll feed back any conclusions to the list for info :)
Cheers
Max | | | |
| CKaiser
Posts:2
 | | 02/21/2006 3:17 AM |
| Hi Travis. Why would you set the DC VMs to time synch with the hosts
instead of an outside source?
Thanks...
**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Jensz, Travis
> Sent: Tuesday, February 21, 2006 2:30 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Vertual Active Directory in
> production enviroment ?
> I'd recommend giving the time service config a lot of
> thought... best to have all VM guests sync'ing with their
> hosts, and the hosts sync'ing with some reliable source (but
> not the DCs, since they'll be VM guests). You'll probably
> still want all the other clients to be able to time sync with
> the VM DCs so you can't just disable the windows time service
> altogether, but you can put it into 'server only' mode which
> will still provide the service to the clients, but it won't
> try and sync its own clock (leave that to the vmware tools).
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| TJensz
Posts:0
 | | 02/21/2006 4:05 AM |
| When you shut down a VM DC, you don't have the hardware clock keeping the
system time more-or-less accurate. When you start the thing up I kinda
like the idea of having vmware sort its time out long before Windows
even knows what's going on, otherwise you're relying on the windows time
service which starts after the OS.
Also, I'd imagine the vmware tools would be somewhat more aware of the
fact that a VM guest will constantly lose small amounts of time, whereas
I'm guessing the windows time service would assume that it doesn't need
constant adjustments. I don't know this for sure, so I kinda get the
feeling I'm going to be corrected here :)
Cheers,
Travis | | | |
| TJensz
Posts:0
 | | 02/21/2006 10:31 AM |
| Yep, we have 50-odd virtual 2003 SP1 DCs in our production environment, mixture of ESX and GSX spread across 40-odd sites, with roughly 10k users. Generally speaking it seems to be working well, but then again we haven't finished decommissioning all the physical servers yet.
I'd recommend giving the time service config a lot of thought... best to have all VM guests sync'ing with their hosts, and the hosts sync'ing with some reliable source (but not the DCs, since they'll be VM guests). You'll probably still want all the other clients to be able to time sync with the VM DCs so you can't just disable the windows time service altogether, but you can put it into 'server only' mode which will still provide the service to the clients, but it won't try and sync its own clock (leave that to the vmware tools). We have one lingering intermittent problem which we haven't figured out yet... when the GSX host has been rebooted and the GSX guests are starting up again, sometimes they're an hour behind. This obviously causes a few problems for AD.
Another problem is the fact that Microsoft don't officially support it - they offer 'best effort' style support. Personally, I don't really consider it a major problem, because at the end of the day that's all they really offer anyway. Even if you're on a fully supported platform, there's no guarantee they'll be able to fix any problem you throw at them. Been there before...
Cheers,
Travis | | | |
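Added example, not from any post in the thread: a Python audit that checks exported guest settings against the layout Travis describes above (W32Time still serving clients but not syncing its own clock, VMware Tools syncing the guest to the host). It assumes 'server only' mode maps to the W32Time registry values `Type`, `NtpClient\Enabled` and `NtpServer\Enabled`, and that host sync is the `.vmx` key `tools.syncTime`; the sample exports are constructed.

```python
import re

W32TIME = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"


def parse_reg_export(text):
    """Parse regedit export text into {lowercased key path: {value name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^"([^"]+)"=(.+)$', line)
        if not m or current is None:
            continue  # file header, blank line, comment or unsupported value type
        name, val = m.group(1).lower(), m.group(2)
        if val.lower().startswith("dword:"):
            current[name] = int(val[6:], 16)
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            current[name] = val[1:-1]
    return keys


def parse_vmx(text):
    """Parse .vmx 'name = "value"' lines into a dict with lowercased names."""
    pairs = re.findall(r'^\s*([\w.:]+)\s*=\s*"([^"]*)"\s*$', text, re.MULTILINE)
    return {name.lower(): value for name, value in pairs}


def audit_guest(reg_text, vmx_text):
    """Return finding codes; an empty list means the guest matches the layout."""
    reg, vmx = parse_reg_export(reg_text), parse_vmx(vmx_text)

    def value(subkey, name):
        return reg.get(f"{W32TIME}\\{subkey}".lower(), {}).get(name.lower())

    findings = []
    # Clients must still be able to get time from the DC.
    if value(r"TimeProviders\NtpServer", "Enabled") != 1:
        findings.append("ntp-server-off")
    # Assumption: W32Time leaves the local clock alone when Type is NoSync
    # or the NtpClient provider is disabled.
    no_sync = str(value("Parameters", "Type")).lower() == "nosync"
    client_off = value(r"TimeProviders\NtpClient", "Enabled") == 0
    if not (no_sync or client_off):
        findings.append("w32time-self-sync-on")
    # The guest clock is meant to follow the host through VMware Tools.
    if vmx.get("tools.synctime", "").lower() != "true":
        findings.append("tools-sync-off")
    return findings


# Constructed sample: guest configured as the thread describes.
GOOD_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NoSync"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001
"""
GOOD_VMX = 'displayName = "dc-branch-01"\ntools.syncTime = "TRUE"\n'

# Constructed sample: guest still syncing from the domain, Tools sync off.
DEFAULT_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NT5DS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001
"""
DEFAULT_VMX = 'displayName = "dc-branch-02"\ntools.syncTime = "FALSE"\n'

if __name__ == "__main__":
    print("dc-branch-01:", audit_guest(GOOD_REG, GOOD_VMX) or "matches layout")
    print("dc-branch-02:", audit_guest(DEFAULT_REG, DEFAULT_VMX))
```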
| AD000001161
Posts:0
 | | 02/21/2006 12:28 PM |
| I may be launching possibly a very nonsensical
question, but are you guys using Virtual Machines to host a production Active
Directory environment? What are the consequences of that? Does that
introduce a greater single point of failure for your infrastructure? How
would it not? How is the physical architecture configured? What kind
of hardware does that require? I just recently read the article about
using a firefox vm to browse the internet, which seems like a sensible idea, I
have however, never heard of virtualizing a production environment for
production use. Can you answer some/all of the above questions?
Thanks,
Nate | | | |
| GuidoG
Posts:59
 | | 02/21/2006 12:37 PM |
| "never heard of virtualizing a production environment for production use"... hmm - it's a rather common thing these days. That doesn't mean you're necessarily going to run all your servers as VMs - some make sense, some don't. And it can also make sense for AD, for example for Branch-Offices, but technically it is possible for any DC.
You might want to check out this whitepaper: Running Domain Controllers in Virtual Server 2005
http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
The content basically also applies to VMware.
/Guido | | | |
| AD000001161
Posts:0
 | | 02/21/2006 12:58 PM |
| Sorry Guido, I am just trying to follow the logic of it,
that's all. If I am in a branch office and there is one physical server and
I want it to be capable of being a Domain Controller, as well as other things,
why does it make sense to virtualize it, meaning, how does the load of
virtualization not equal the load of the physical server being set up as a
domain controller and being set up to host the other services you wish to
host? I am just trying to figure out the algorithm that would make
virtualization more efficient than a physical server, or rather the algorithm
that makes you decide that virtual server will perform better than loading up
the server with all the applications/functions you need.
Thanks,
Nate | | | |
|
|