
The things that are better left unspoken

a blog by Sander Berkouwer


Active Directory in Hyper-V environments, Part 6

Virtualization offers huge benefits in flexibility, cost-effectiveness and eco-friendliness. It’s an easy business case to make to any IT department nowadays. After all, Gartner claims the cost of energy outweighs the initial purchase of an x86 server in its first three years. However, most virtualization projects aren’t legacy-free: To make a virtualization business case stick, often the choice is made to virtualize existing (physical) servers to virtual machines. 

Domain Controllers are no exception to the practice of virtualizing existing servers. While I still recommend maintaining at least one Domain Controller as a physical box for obvious reasons, you can run virtualized Domain Controllers.

The smart thing to do?

Whether this is a smart thing to do is a big question. When you haven’t been misusing your Active Directory Domain Controllers for anything else but DNS, it might be quicker to create additional virtual Domain Controllers for your Active Directory domains. An additional benefit might be to transition your Active Directory to a new Windows platform in the process.

When, however, your Active Directory Domain Controllers are also Exchange Servers (not smart!) or perhaps entangled in some weird and difficult to understand authentication scheme, it might be easier to just virtualize the existing situation. A typical garbage in-garbage out-type of migration, if you ask me, but definitely quicker to accomplish, compared to the rabbits you have to pull out of a high hat to make things work with new or freshly-demoted Domain Controllers.

About P2V conversions

The process of virtualizing an existing (physical) server is called P2V’ing a server, where P2V stands for “Physical 2 Virtual Conversion”. While you could clone the disk of a physical server to a virtual server running on Hyper-V through a legacy NIC or other tools, like disk2vhd, you don’t need to go through the hassle: Microsoft has a P2V wizard. It is part of System Center Virtual Machine Manager (SCVMM), where the button to click is named “Convert physical server”. It automatically creates the virtual machine and fills it.

Two types of P2V conversions exist in System Center Virtual Machine Manager:

  1. Online P2V conversions
    The P2V Wizard offers the ability to P2V a server, running a Volume Shadow Copy-capable version of Windows Server, without the need to restart the server. The conversion deploys an agent, which scans the configuration of the server. It then uses port 443 and BITS to transfer the contents of the hard disk(s) (the port can be changed, though). This type of conversion offers higher availability, which might be beneficial in migration scenarios where you don’t need to bother with data integrity.
    For an online P2V conversion the physical server needs to comply with the following list:
    • The physical server should have at least 512MB RAM
    • The physical server should have an Advanced Configuration and Power Interface (ACPI) BIOS
    • The physical server should be running at least
      • Windows XP with Service Pack 1,
      • Windows Server 2003 with Service Pack 1 (both x86 and x64 installations supported),
      • Windows Server 2008 (both x86 and x64 installations supported) or
      • Windows Vista with Service Pack 1 (both x86 and x64 installations supported)
    • Drives should be formatted using NTFS.
       
  2. Offline P2V conversions
    When digging in the options you can also choose to perform an Offline P2V. When you select this option, the same VMM agent gets deployed, but this time it copies over Windows PE and makes the server boot it. After the server is rebooted into Windows PE, this installation will take care of transferring the contents of the hard disk to a virtual machine. When done, the physical server is kept shut down by default.

I’ve created a little flowchart below to illustrate the process of both conversions and their differences:

 

P2V’ing Domain Controllers

Disk2VHD

Disk2VHD is a Windows Sysinternals utility, written by Mark Russinovich and Bryce Cogswell. This tool creates point-in-time snapshots of online physical systems. These snapshots are stored inside VHD containers that you can use to create virtual machines inside Hyper-V or Virtual PC, or boot from using the ‘Boot from VHD’ feature (when using Windows 7 or Windows Server 2008 R2).

System Center Virtual Machine Manager

Online P2V conversions in System Center Virtual Machine Manager are based on point-in-time snapshots. Therefore, it’s no wonder you’d receive the following warning when you try to Online P2V a Domain Controller:

Warning (13249)
Online physical-to-virtual conversion of a domain controller is not recommended.

Recommended Action
Run the Convert Physical Server Wizard again, and choose the Offline Conversion option on the Volume Configuration page.

Results

The simple reason for the warning message in System Center Virtual Machine Manager is that you may receive the following error on a virtual Domain Controller when you boot it after you previously P2V’d it online:

The Active Directory is rebuilding indices. Please wait…

The Domain Controller will display “The Active Directory is rebuilding indices. Please wait…” The integrity of the database is now at risk. I think we can safely assume the warning in the P2V Wizard in System Center Virtual Machine Manager isn’t an invitation to a game of ‘chicken’… The same error can be expected when you use the Disk2VHD utility.

The question now however is,

How to perform a successful P2V of a DC?

There are four steps to perform a good P2V conversion of a Domain Controller.
These four steps are additional steps to perform with the usual best practices when performing P2V conversions.

1. Take care of FSMO roles

The best practice is to place two Domain Controllers per Active Directory domain. When you adhere to this practice, it is safe to make one of the two Domain Controllers unavailable for P2V Conversion for a while. However, you might not want some Active Directory Flexible Single Master Operations (FSMO) roles to be unavailable for long. Furthermore, since the Domain Controller holding the PDC Emulator FSMO role is the authoritative time source for an Active Directory domain, you should be wary of any time synchronization issues. I feel it’s best to transfer any FSMO roles from Domain Controllers you’re going to P2V. After a successful P2V conversion, you can transfer the FSMO roles back. Keep the following in mind:

  • Before you transfer the PDC Emulator FSMO role, check for correct time on the target Domain Controller. It may not have synchronized its time for a longer period or it may have an awry system clock…
  • Before you transfer the Infrastructure Master FSMO role, take care of correct Global Catalog (GC) placement. Either the Domain Controller holding the Infrastructure Master FSMO role is the only non-GC Domain Controller, or all Domain Controllers need to be Global Catalogs. In environments with Microsoft Exchange, restart a Domain Controller after making it a Global Catalog.

2. Try a similar server first

Just like with detergents, you’d want to test in an inconspicuous spot first. In terms of converting physical servers to virtual machines, you could first test on a server that doesn’t matter much. When you perform an offline P2V of a similar type of server hardware, you get acquainted with the quirks of the P2V Wizard inside System Center Virtual Machine Manager pretty quickly.

In projects with P2V conversions I’ve seen people assigning only one virtual processor to Windows Server 2003 guests and disabling hardware vendor-specific services before P2V’ing.

3. Put the virtual DC on a separate network first

Every Hyper-V host has an ‘internal’ virtual network. Assigning this network to virtual machines is a perfect way to sidetrack them for a while. When converting a physical Domain Controller to a virtual machine, this is the perfect way to detect integrity errors, USN rollbacks and the like. After the server boots up well, you can attach it to your production virtual network. When connected to the production virtual network you can make it synchronize with the other Domain Controller(s) again and transfer FSMO roles.

4. Perform an Offline P2V

When converting a physical Domain Controller to a virtual machine using the P2V Wizard in System Center Virtual Machine Manager, always select to perform an Offline P2V conversion. When you click your way through the P2V Wizard, take some time to explore the “Volume Configuration” page. At the bottom there’s a little piece of text displaying “Conversion Options”. Click it to slide the Conversion Options up.

Conversion Options on the Volume Configuration page of the P2V Wizard in System Center Virtual Machine Manager 2008

Now you can opt to perform an “Offline conversion”.

Since the VMM Agent’s first task is to scan the system, the P2V Wizard already knows the hardware in the physical server. When hardware is found for which the Windows Preinstallation Environment (WinPE) has no driver, the P2V Wizard will display a screen where you can add the corresponding driver.
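A read-only pre-flight check for step 1 above, as an added example that is not part of the original post: it lists the FSMO roles held by the Domain Controller you are about to convert, then applies the two caveats from that step (time on the target, Global Catalog placement) before printing the transfer command. It assumes the ActiveDirectory PowerShell module is available; the host names and the one-second tolerance are placeholders.

```powershell
# Added example: read-only check, nothing is transferred or changed.
param(
    [string]$SourceDC = 'dc01.example.test',  # placeholder: DC that will be P2V'd
    [string]$TargetDC = 'dc02.example.test',  # placeholder: DC that takes the roles meanwhile
    [double]$MaxOffsetSeconds = 1.0           # assumed tolerance, adjust to your environment
)
Import-Module ActiveDirectory

# Collect the five FSMO role holders (three per domain, two per forest).
$domain  = Get-ADDomain
$forest  = Get-ADForest
$holders = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$toMove = @($holders.Keys | Where-Object { $holders[$_] -eq $SourceDC })

# Caveat 1: check the target's clock before it becomes PDC Emulator.
# The offset is measured relative to the machine running this script.
if ($toMove -contains 'PDCEmulator') {
    $raw = & w32tm.exe /stripchart "/computer:$TargetDC" /samples:1 /dataonly
    $m   = [regex]::Match(($raw -join "`n"), '([+-]\d+\.\d+)s')
    if (-not $m.Success) {
        Write-Warning "No time sample from $TargetDC; check its clock manually."
    } else {
        $offset = [math]::Abs([double]::Parse($m.Groups[1].Value, [cultureinfo]::InvariantCulture))
        if ($offset -gt $MaxOffsetSeconds) { Write-Warning "$TargetDC is off by $offset seconds." }
    }
}

# Caveat 2: GC placement rule as stated in step 1. Either every DC is a GC,
# or the (future) Infrastructure Master is the only non-GC DC.
if ($toMove -contains 'InfrastructureMaster') {
    $nonGc = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog })
    $ok = ($nonGc.Count -eq 0) -or ($nonGc.Count -eq 1 -and $nonGc[0].HostName -eq $TargetDC)
    if (-not $ok) { Write-Warning "GC placement conflicts with Infrastructure Master on $TargetDC." }
}

# Print (do not run) the transfer command so it can be reviewed first.
if ($toMove.Count -gt 0) {
    "Roles held by ${SourceDC}: $($toMove -join ', ')"
    "Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $($toMove -join ',')"
} else {
    "$SourceDC holds no FSMO roles."
}
```

Run it again with the two host names swapped after the conversion to prepare the transfer back.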

   

Concluding

When you want to convert a physical Domain Controller to a virtual machine using the P2V wizard in System Center Virtual Machine Manager, use the Offline P2V option on the Volume Configuration page.

Do not use the Disk2VHD Windows Sysinternals utility on Domain Controllers.

Make sure you try a P2V conversion of a Windows Server with the same Windows version and similar hardware first. Also make sure you boot the Domain Controller on a separate LAN segment to prevent Active Directory corruption.

Related posts

Active Directory in Hyper-V environments, Part 1 
Active Directory in Hyper-V environments, Part 2 
Active Directory in Hyper-V environments, Part 3  
Active Directory in Hyper-V environments, Part 4 
Active Directory in Hyper-V environments, Part 5 


Posted: Tuesday, October 27, 2009 3:30 PM by Sander Berkouwer

Comments

John Policelli's Blog » Blog Archive » Active Directory in Hyper-V Environments said:

There’s no doubt that virtualization is hot these days. The following articles, posted on the Dirteam.com Blog, will answer virtually all (no pun intended) questions that you have when it comes to Active Directory in Hyper-V environments.

  • Active Directory in Hyper-V environments, Part 1
  • Active Directory in Hyper-V environments, Part 2
  • Active Directory in Hyper-V environments, Part 3
  • Active Directory in Hyper-V environments, Part 4
  • Active Directory in Hyper-V environments, Part 5
  • Active Directory in Hyper-V environments, Part 6
# October 27, 2009 4:48 PM

TrackBack said:

Online P2V conversions in System Center Virtual Machine Manager are based on point-in-time snapshots. Therefore, it’s no wonder, you’d receive following warning when you try to Online P2V a Domain Controller:

The simple reason for warning message in SCVMM is you may receive following error on a virtual Domain Controller when you boot it after you previously P2V’d it online: “The Active Directory is rebuilding indices. Please wait…” The integrity of the database is now at risk. I think we can safely assume the warning in the P2V Wizard in System Center Virtual Machine Manager isn’t an invitation to a game of ‘chicken’… The same error can be expected when you use the Disk2VHD utility. There’re four steps to perform a good P2V conversion of a Domain Controller. These four steps’re additional steps to perform with usual best practices when performing P2V conversions.

# October 29, 2009 7:33 AM

Directory Service Comparison Tool said:

Listed as a Related Blog on Active Directory Snapshots

# December 14, 2009 3:16 PM


Jonathan's Virtual Blog said:

We know that SCVMM can convert physical machines into virtual machines with all work necessary to make this transitioned machine still boot and function correctly. This is a great feature that customers use daily. This work is done usually while the server is still running as an Online P2V. If you have ever stopped to think about how the P2V process works (or read the TechNet article explaining) then you know that the first part of the process is simply a volume shadow service (VSS) snapshot made of disks. This is the same technology used by Windows backup and most third party storage software.

The trick is to capture a state in time while the machine is running. For most systems this is a great solution. For some, this poses questions. SQL, Exchange and Domain Controllers write to databases at a high rate. By the time the snapshot is made quite a bit may have changed in the database. Also, as good as the technology is, this is pushing the limits of functionality. SQL and Exchange systems benefit from acquiescing the SQL or Exchange service prior to P2V (or any backup). This reduces disk writes and ensures database integrity.

Domain Controllers are another matter. If there is more than one in the domain there is replication between them. If the state of one is captured while it is processing Active Directory transactions, then brought online as a VM later, the VM and physical versions of this DC may be different. Additionally, there is the concern of USN journal wrapping during the snapshot process. Then again, online P2V of DC’s works well on a daily basis for many people. The alternative is to perform the conversion offline, an Offline P2V. What is the right choice?

Do you want the new VM created from the DC to function correctly and have no issues with the rest of your Active Directory domain? Yes? Good choice. Perform the P2V Offline. Now I refer you to an article written by Sander Berkouwer. This covers the entire process better than I have seen put together before. Nice pictures too. The article describes online and offline conversions, and the implications of Online P2V of Domain Controllers. Then it walks you through the process while addressing four very solid recommendations. Enjoy the article. Keep it as reference.

Thanks to Sander for allowing me to link to his work!

# November 10, 2010 8:05 PM