Active Directory in Hyper-V environments, Part 6


Virtualization offers huge benefits in flexibility, cost-effectiveness and eco-friendliness. It’s an easy business case to make to any IT department nowadays. After all, Gartner claims the cost of energy outweighs the initial purchase of an x86 server in its first three years. However, most virtualization projects aren’t legacy-free: To make a virtualization business case stick, often the choice is made to virtualize existing (physical) servers to virtual machines.

Domain Controllers are no exception to the practice of virtualizing existing servers. While I still recommend maintaining at least one Domain Controller as a physical box for obvious reasons, you can run virtualized Domain Controllers.

The smart thing to do?

Whether this is a smart thing to do is a big question. When you haven’t been misusing your Active Directory Domain Controllers for anything else but DNS, it might be quicker to create additional virtual Domain Controllers for your Active Directory domains. An additional benefit might be to transition your Active Directory to a new Windows platform in the process.

When, however, your Active Directory Domain Controllers are also Exchange Servers (not smart!) or perhaps entangled in some weird and difficult-to-understand authentication scheme, it might be easier to just virtualize the existing situation. A typical garbage-in, garbage-out type of migration, if you ask me, but definitely quicker to accomplish, compared to the rabbits you have to pull out of a high hat to make things work with new or freshly-demoted Domain Controllers.

About P2V conversions

The process of virtualizing an existing (physical) server is called P2V’ing a server, where P2V stands for “Physical 2 Virtual Conversion”. While you could clone the disk of a physical server to a virtual server running on Hyper-V through a legacy NIC or other tools, like disk2vhd, you don’t need to go through the hassle: Microsoft has a P2V wizard. It is part of System Center Virtual Machine Manager (SCVMM), where the button to click is named “Convert physical server”. It automatically creates the virtual machine and fills it.

Two types of P2V conversions exist in System Center Virtual Machine Manager:

  1. Online P2V conversions
    The P2V Wizard offers the ability to P2V a server, running a Volume Shadow Copy-capable version of Windows Server, without the need to restart the server. The conversion deploys an agent, which scans the configuration of the server. It then uses port 443 and BITS to transfer the contents of the hard disk(s). (The port can be changed, though.) This type of conversion offers higher availability, which might be beneficial in migration scenarios where you don’t need to bother with data integrity.
    For an online P2V conversion the physical server needs to comply with the following list:

    • The physical server should have at least 512MB RAM
    • The physical server should have an Advanced Configuration and Power Interface (ACPI) BIOS
    • The physical server should be running at least
      • Windows XP with Service Pack 1,
      • Windows Server 2003 with Service Pack 1 (both x86 and x64 installations supported),
      • Windows Server 2008 (both x86 and x64 installations supported) or
      • Windows Vista with Service Pack 1 (both x86 and x64 installations supported)
    • Drives should be formatted using NTFS.
  2. Offline P2V conversions
    When digging in the options you can also choose to perform an Offline P2V. When you select this option, the same VMM agent gets deployed, but this time it copies over Windows PE and makes the server boot it. After the server is rebooted into Windows PE, this installation will take care of transferring the contents of the hard disk to a virtual machine. When done, the physical server is kept shut down by default.

I’ve created a little flowchart below to illustrate the process of both conversions and their differences:

 

P2V’ing Domain Controllers

Disk2VHD

Disk2VHD is a Windows Sysinternals utility, written by Mark Russinovich and Bryce Cogswell. This tool creates point-in-time snapshots of online physical systems. These snapshots are stored inside VHD containers that you can use to create virtual machines inside Hyper-V or Virtual PC, or boot from using the ‘Boot from VHD’ feature (when using Windows 7 or Windows Server 2008 R2).

System Center Virtual Machine Manager

Online P2V conversions in System Center Virtual Machine Manager are based on point-in-time snapshots. Therefore, it’s no wonder you receive the following warning when you try to Online P2V a Domain Controller:

Warning (13249) Online physical-to-virtual conversion of a domain controller is not recommended.  Recommended Action Run the Convert Physical Server Wizard again, and choose the Offline Conversion option on the Volume Configuration page.

Results

The simple reason for the warning message in System Center Virtual Machine Manager is that you may receive the following error on a virtual Domain Controller when you boot it after you previously P2V’d it online:

The Active Directory is rebuilding indices. Please wait…

The Domain Controller will display “The Active Directory is rebuilding indices. Please wait…” The integrity of the database is now at risk. I think we can safely assume the warning in the P2V Wizard in System Center Virtual Machine Manager isn’t an invitation to a game of ‘chicken’… The same error can be expected when you use the Disk2VHD utility.

The question now however is,

 

How to perform a successful P2V of a DC?

There are four steps to perform a good P2V conversion of a Domain Controller.
These four steps come in addition to the usual best practices when performing P2V conversions.

1. Take care of FSMO roles

The best practice is to place two Domain Controllers per Active Directory domain. When you adhere to this practice, it is safe to make one of the two Domain Controllers unavailable for P2V Conversion for a while. However, you might not want some Active Directory Flexible Single Master Operations (FSMO) roles to be unavailable for long. Furthermore, since the Domain Controller holding the PDC Emulator FSMO role is the authoritative time source for an Active Directory domain, you should be wary of any time synchronization issues. I feel it’s best to transfer any FSMO roles from Domain Controllers you’re going to P2V. After a successful P2V conversion, you can transfer the FSMO roles back. Keep the following in mind:

  • Before you transfer the PDC Emulator FSMO role, check for correct time on the target Domain Controller. It may not have synchronized its time for a longer period or it may have an awry system clock…
  • Before you transfer the Infrastructure Master FSMO role, take care of correct Global Catalog (GC) placement. Either the Domain Controller holding the Infrastructure Master FSMO role is the only non-GC Domain Controller, or all Domain Controllers need to be Global Catalogs. In environments with Microsoft Exchange, restart a Domain Controller after making it a Global Catalog.

2. Try a similar server first

Just like with using detergents, you’d want to test first in an inconspicuous spot. In terms of converting physical servers to virtual machines, you could first test with a server that doesn’t matter much. When you perform an offline P2V of a similar type of server hardware, you get acquainted with the quirks of the P2V Wizard inside System Center Virtual Machine Manager pretty quickly.

In projects with P2V conversions I’ve seen people assigning only one virtual processor to Windows Server 2003 guests and disabling hardware vendor-specific services before P2V’ing.

3. Put the virtual DC on a separate network first

Every Hyper-V host has an ‘internal’ virtual network. Assigning this network to virtual machines is a perfect way to sidetrack them for a while. When converting a physical Domain Controller to a virtual machine, this is the perfect way to detect integrity errors, USN rollbacks and the like. After the server boots up well, you can attach it to your production virtual network. When connected to the production virtual network you can make it synchronize with the other Domain Controller(s) again and transfer FSMO roles.

4. Perform an Offline P2V

When converting a physical Domain Controller to a virtual machine using the P2V Wizard in System Center Virtual Machine Manager, always select to perform an Offline P2V conversion. When you click your way through the P2V Wizard, take some time to explore the “Volume Configuration” page. At the bottom there’s a little piece of text displaying “Conversion Options”. Click it to slide the Conversion Options up.

Conversion Options on the Volume Configuration page of the P2V Wizard in System Center Virtual Machine Manager 2008

Now you can opt to perform an “Offline conversion”.

Since the VMM Agent’s first task is to scan the system, the P2V Wizard already knows the hardware in the physical server. When hardware is found for which the Windows Preinstallation Environment (WinPE) has no driver, the P2V Wizard will display a screen where you can add the corresponding driver.
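
The checks from steps 1 and 3, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later tooling) is available; `Test-FsmoMoveReadiness`, `Test-IsolatedDcMarkers`, `$SourceDC` and `$TargetDC` are hypothetical names. The second function reports the markers Active Directory leaves once it has detected a USN rollback: events 2095 and 2103, the `Dsa Not Writable` registry value and a paused Netlogon service.

```powershell
# Added example, not the article's code. $SourceDC / $TargetDC are hypothetical short host names.
Import-Module ActiveDirectory   # assumption: the AD module is installed where this runs

function Test-FsmoMoveReadiness {
    param([string]$SourceDC, [string]$TargetDC)
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $dcs    = @(Get-ADDomainController -Filter *)
    $holders = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    # Roles that have to leave the DC that is about to be converted
    $toMove = @($holders.Keys | Where-Object { $holders[$_] -like "$SourceDC.*" })
    if ($toMove -contains 'PDCEmulator') {
        # Prints every DC's NTP offset from the PDC emulator; read the line for $TargetDC
        w32tm /monitor | Out-Host
    }
    if ($toMove -contains 'InfrastructureMaster') {
        # The target must not be a Global Catalog unless every DC in the domain is one
        $target = $dcs | Where-Object { $_.HostName -like "$TargetDC.*" }
        $nonGC  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
        if ($target.IsGlobalCatalog -and $nonGC.Count -gt 0) {
            Write-Warning "$TargetDC is a GC while other DCs are not: fix GC placement first."
        }
    }
    if ($toMove.Count -gt 0) {
        # -WhatIf only shows the transfer; remove it to actually move the roles
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $toMove -WhatIf
    }
    return $toMove
}

function Test-IsolatedDcMarkers {
    # Run on the converted VM while it is attached to the internal virtual network only
    $ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $events = @(Get-EventLog -LogName 'Directory Service' -Newest 1000 |
        Where-Object { 2095, 2103 -contains $_.EventID })
    New-Object PSObject -Property @{
        DsaNotWritable = $ntds.'Dsa Not Writable'      # present once AD has quarantined itself
        Netlogon       = (Get-Service Netlogon).Status # 'Paused' is another rollback marker
        RollbackEvents = $events.Count                 # 2095 = USN rollback, 2103 = unsupported restore
    }
}
```

An empty `DsaNotWritable`, a running Netlogon service and zero `RollbackEvents` mean none of these markers is set; they do not replace watching the first replication cycle after the VM joins the production network.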

 

Concluding

When you want to convert a physical Domain Controller to a virtual machine using the P2V wizard in System Center Virtual Machine Manager, use the Offline P2V option on the Volume Configuration page.

Do not use the Disk2VHD Windows Sysinternals utility on Domain Controllers.

Make sure you try a P2V conversion of a Windows Server with the same Windows version and similar hardware first. Also make sure you boot the Domain Controller on a separate LAN segment to prevent Active Directory corruption.

