Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

The things that are better left unspoken

a blog by Sander Berkouwer


AD Manager Plus

Blog roll



Active Directory in Hyper-V environments, Part 3

Designing and implementing a virtual environment on top of Hyper-V can be challenging. Placement of Active Directory Domain Controllers require additional consideration, especially in some Hyper-V scenario's where Active Directory membership is strictly needed.

In the scenarios below the Hyper-V parent partitions ("Virtual Hosts") need to have Active Directory membership:

  • Clustering
    When you want to build a Hyper-V Failover cluster you will need to make your Hyper-V parent partitions (the "Virtual Hosts") members of an Active Directory domain. It isn't a good idea to make the parent partitions Active Directory Domain Controllers. The Domain Controller role isn't designed to be clustered. 

  • System Center Virtual Machine Manager
    When you want to use System Center Virtual Machine Manager 2008 (SCVMM 2008) with Hyper-V you need to make your parent partitions member of an Active Directory domain. The System Center Virtual Machine Manager 2008 FAQ is pretty clear about that.

  • Delegation in large Hyper-V environments
    Hyper-V uses an authorization model which is based on Windows Authorization Manager (AzMan). AzMan provides a flexible framework for integrating role-based access control into applications. It enables administrators who use those applications to provide access through assigned user roles that relate to job functions.

    Authorization Manager applications store authorization policy in the form of authorization stores that are stored in Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), XML files, or SQL databases. In large Hyper-V environments Active Directory is the store to hang out with.


While in other scenarios Active Directory membership is not strictly needed you might find Active Directory membership for the Hyper-V parent partitions useful. Through Active Directory Group Policy Objects (GPOs) you will be able to manage loads of Hyper-V servers more easily than you would in a workgroup environment.

Further reading

Windows 2000 and Windows Server 2003 cluster nodes as domain controllers
Active Directory domain controllers are not supported as Exchange Server cluster nodes
Support policy for Microsoft software running in non-Microsoft virtualization software
[DOC] Hyper-V Planning and Deployment Guide 
System Center Virtual Machine Manager 2008 FAQ 
Dung's space: Delegation Model in Hyper-V – Part 1 
Microsoft TechNet: Authorization Manager
Increased functionality and virtual machine control in the Windows Server 2008 Failover Cluster Management console for the Hyper-V role 
Windows Server 2008 Hyper-V Failover Clustering Options 
Hyper-V Clustering Step-by-Step Guide 
Review: System Center Virtual Machine Manager 2008 (VMM 2008) - first impression

Posted: Saturday, August 16, 2008 12:13 AM by Sander Berkouwer


Adam Fazio said:

My current project involves being the only dedicated technical resource on the Virtualization RDP Team. While this is fun, it's also pushes the limits of my organizational skills (if you can call them that). Maybe the most time consuming daily activity is researching and dispensing information both internally to MS folks and to RDP customers and partners. I thought it would be useful to organize and maintain this list of resources online.


This resource is on the list.

# August 26, 2008 1:30 PM

SW-IT Internal Procedures » Blog Archive » Why Configure an External NTP Server on an Active Directory Domain? said:

Having all machines on a same domain with the time synchronized by a unique server is crucial for several reasons. Just to mention a few:

  • Security matters: Ensure security of Kerberos authentication within Active Directory environment. To prevent replay attacks, Kerberos tickets presented to domain controllers by clients are time-stamped. The authenticating domain controller checks to make sure the timestamp is unique and falls within an allowable skew before accepting the ticket and authenticating the client. To ensure this system works properly, both the client and the domain controller clocks must be loosely synchronized within the allowable skew, and W32Time ensures this is the case.
  • Several services that can be used within a domain depend that the time service on all participants is synchronized, otherwise several issues or malfunctions may appear.
  • Logging options within a domain service (for example source control) will have inconsistent and incorrect data on their records if the time is not properly synchronized.

The server that provides the Time Synchronization for the whole domain is the Domain Controller that holds the PDC FSMO role.

With all that been said, there are common best practices about using domain controllers on a virtualized environment. One of them is that the virtual machine must never enable the feature of host time synchronization (option that sets the virtual machine clock that automatically syncs with the physical host where is located). See sources below.

The best practice regarding about using virtual domain controllers (as well as physical domain controllers) is that the server must be configured with an external time service provider, to prevent that any related issue (regarding to virtualization platform, physical host or hardware issues) gets involved on the time synchronization of a whole domain or forest.

There are several external servers that can be configured on a domain controller to guarantee that proper time synchronization is offered always. Example: tock.usno.navy.mil.

# September 30, 2009 10:52 AM

Active Directory in Hyper-V environments said:

Encontrei por aí, fica a dica de leitura para os interessados no tema.

  • Active Directory in Hyper-V environments, Part 1
  • Active Directory in Hyper-V environments, Part 2
  • Active Directory in Hyper-V environments, Part 3
# July 15, 2010 8:00 PM

Active Directory in Hyper-V Environments. | Alex Silva said:

Encontrei essas dicas em blog muito interessante, fica a dica de leitura aos interessados no tema.

  • Active Directory in Hyper-V environments, Part 1
  • Active Directory in Hyper-V environments, Part 2
  • Active Directory in Hyper-V environments, Part 3

Alex Silva

# October 19, 2010 12:46 AM
Anonymous comments are disabled