Friday, November 18, 2011

Virtual Domain Controllers

This still comes up, so let's just recap what you need to know.

Time synchronisation

Time in Active Directory is critical for Domain Controllers, servers and clients alike. When a user logs on, Kerberos issues a ticket (by default valid for 10 hours) so the Domain Controllers do not have to re-authenticate the user every time a resource is accessed. Proving the user's identity in the first place does not involve sending the password across the network: the client encrypts a timestamp with a key derived from the password and the Domain Controller checks it (Kerberos pre-authentication), and later exchanges carry timestamps too, so that someone listening on the network cannot simply capture an authentication packet and replay it later. If the timestamp coming from the client is out by more than the default 5 minutes from the Domain Controller's time, the Domain Controller rejects it (the client sees KRB_AP_ERR_SKEW, "clock skew too great") and the logon fails.

The "Maximum tolerance for computer clock synchronisation" setting (Default Domain Policy, Account Policies > Kerberos Policy) can change the 5 minutes, but don't: widening it only widens the replay window, and correctly synchronised clocks make it unnecessary.

In a domain, all DCs automatically synchronise time with the Domain Controller that holds the PDC emulator (PDCe) FSMO role; in a multi-domain forest each child domain's PDCe syncs from a DC in the parent domain, so the forest root PDCe is the top of the tree. That forest root PDCe is the one machine that should be configured to use an external or internal NTP source. The time service on every Domain Controller then acts as the time server for the clients that authenticate through that DC.

Domain-joined Windows machines (servers and workstations alike) will by default poll their time source every 45 minutes until three successful syncs, then every 8 hours.

So you have two choices for where a virtual DC gets its time:

Option A: let the hypervisor own time

  1. Configure NTP on the ESX hosts
  2. Install VMware Tools and configure it to synchronise the guest clock with the ESX host

Option B: let Active Directory own time (the configuration Microsoft and VMware both recommend for DCs)

  1. Ignore the time on VMware
  2. Disable VMware Tools time sync
  3. Configure NTP on the PDCe; the other DCs follow it through the domain hierarchy (pointing ALL DCs at the same NTP servers also works, but the PDCe is the one that must be done)
  4. Only use ONE or TWO common NTP servers for all DCs in the environment

Use Option B. Option A puts two time authorities inside the domain: VMware Tools pushes the host clock into the DC while W32Time is simultaneously trying to follow the PDCe, and whenever they disagree it is the clients' Kerberos logons that break. One caveat on step 2 of Option B: unticking the periodic sync in VMware Tools does not stop the one-off clock corrections Tools applies after a snapshot, vMotion, resume or Tools start-up; those have to be switched off in the VM's advanced configuration as well.
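Here is the Windows side of Option B as a PowerShell script, added as an example here and not part of the original post. It runs elevated on each Domain Controller, assumes the ActiveDirectory RSAT module is installed, uses w32tm for the actual configuration, and treats ntp1.example.com / ntp2.example.com as placeholders for your two NTP servers. The offset check at the end is the one to get green before you blame Kerberos: 300 seconds is the default 5-minute tolerance.

```powershell
# Added example, not from the original post. Run elevated on each domain controller.
# Assumptions: RSAT ActiveDirectory module present; ntp1/ntp2.example.com are placeholders.
Import-Module ActiveDirectory

$NtpServers     = "ntp1.example.com,0x8 ntp2.example.com,0x8"  # 0x8 = act as a client of this peer
$MaxSkewSeconds = 300                                           # Kerberos "Maximum tolerance" default (5 min)

$pdce   = (Get-ADDomain).PDCEmulator                             # FQDN of the PDC emulator
$thisDc = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName   # this DC's FQDN

if ($thisDc -ieq $pdce) {
    # The PDCe is the top of the domain's time hierarchy: external NTP only, and it
    # advertises itself as a reliable time source so the other DCs will follow it.
    w32tm /config /manualpeerlist:"$NtpServers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy, which ends at the PDCe.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}
Restart-Service w32time
w32tm /resync /nowait | Out-Null

# Which source did we actually end up on? Expect an NTP server on the PDCe and the PDCe
# (or another DC) everywhere else. "Local CMOS Clock" means the configuration did not take.
w32tm /query /source

# Measure this DC's offset from the PDCe. /dataonly lines look like:
#   10:42:01, +00.0031250s
$samples = w32tm /stripchart /computer:$pdce /samples:3 /dataonly
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
}
if ($offsets) {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxSkewSeconds) {
        Write-Warning "Offset to $pdce is ${worst}s, beyond the ${MaxSkewSeconds}s Kerberos tolerance"
    } else {
        "Offset to $pdce is within tolerance (worst sample ${worst}s)"
    }
}
```

The VMware side of step 2 is a per-VM setting rather than something the guest can do for itself: unticking "Synchronize guest time with host" in VMware Tools sets tools.syncTime = "FALSE" in the VM's configuration, and stopping the one-time corrections after snapshot, vMotion, resume and Tools start-up additionally needs time.synchronize.continue, time.synchronize.restore, time.synchronize.resume.disk, time.synchronize.shrink and time.synchronize.tools.startup set to "0" (VMware KB 1189).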

Don't "suspend" or "pause" a Domain Controller

If a Domain Controller has been offline (or paused) for longer than the forest's tombstone lifetime (60 or 180 days by default, depending on the Windows version the forest was first created on), it still holds objects that every other DC has already deleted and tombstoned, and whose tombstones have since been garbage-collected. These are lingering objects: if the DC replicated them back out they would be resurrected, so its partners refuse to replicate with it at all. You will see an event in the Directory Service log with:

ID 2042, Source NTDS Replication, Description: It has been too long since this machine last replicated with the named source machine. The time between replications with this source has exceeded the tombstone lifetime. Replication has been stopped with this source.
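The numbers worth watching are the tombstone lifetime itself and how long each DC has gone without a successful inbound replication. The following script is an added example (not from the original post) that reports both and checks for event 2042; it assumes the ActiveDirectory RSAT module and repadmin.exe are present and that it runs as a domain admin from a domain-joined admin host.

```powershell
# Added example, not part of the original post. Run as a domain admin from an admin host
# with RSAT (ActiveDirectory module and repadmin.exe).
Import-Module ActiveDirectory

# The tombstone lifetime lives on the Directory Service object in the Configuration NC.
# An absent attribute means 60 days (forest created on Windows 2000 / 2003 RTM); forests
# created on Windows Server 2003 SP1 or later have it explicitly set to 180.
$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" -Properties tombstoneLifetime
$tslDays  = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tslDays days"

# Last successful inbound replication for every DC/partner pair, from repadmin's CSV output.
# Assumes 'Last Success Time' parses with the admin host's culture (it normally does).
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$now  = Get-Date
foreach ($row in $rows) {
    $last = $row.'Last Success Time' -as [datetime]
    if (-not $last) { continue }                          # never replicated or unparsable: skip
    $age   = ($now - $last).TotalDays
    $state = if ($age -ge $tslDays)         { 'BEYOND TOMBSTONE LIFETIME' }
             elseif ($age -ge $tslDays / 2) { 'warning' }
             else                           { 'ok' }
    '{0,-30} <- {1,-30} {2,7:N1} days  {3}' -f $row.'Destination DSA', $row.'Source DSA', $age, $state
}

# Has any DC already refused a partner? Event 2042 in the Directory Service log.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    $ev = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 2042 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
    if ($ev) { Write-Warning "$dc has logged event 2042: replication with a partner has been stopped" }
}
```

When 2042 does fire, do not try to force replication through. The supported fix is to remove the lingering objects (repadmin /removelingeringobjects) and, for a DC that has simply been off too long, to demote it and promote it again; a fresh promotion is far cheaper than cleaning up resurrected objects across the forest.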

Shut Domain Controllers down instead of pausing them; a DC that is shut down cleanly and powered back on inside the tombstone lifetime simply catches up. vMotion/Live Migration is fine, because the VM is stalled for seconds, not days.

Don't Snapshot a Domain Controller

If you revert a Domain Controller to an old snapshot you break consistency in your Active Directory domain. The DC's database goes back in time but its replication partners do not: they have already received the USNs (update sequence numbers) the restored DC is now about to hand out again, so they believe they are up to date and never pull its "new" changes, while it happily accepts theirs. This is a USN rollback, and the damage is quiet; by the time you notice, the copies of the directory have diverged. Windows Server 2012 and later DCs can detect a snapshot restore through the hypervisor's VM-Generation ID and reset their invocation ID, which contains the damage, but it still does not make snapshots a rollback method. Don't ever do it unless you want to cross the streams, you know, cats and dogs living together.
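If a snapshot revert has already happened (or you suspect one), the symptoms to look for are the ones Microsoft documents in KB 875495. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module, that PowerShell remoting is enabled on the DCs, and that it runs as a domain admin.

```powershell
# Added example, not part of the original post. Run as a domain admin from an admin host with RSAT;
# PowerShell remoting to the DCs is assumed for the registry check.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$findings = foreach ($dc in $dcs) {
    # Symptom 1: a DC that noticed the rollback itself sets "DSA Not Writable" = 4 (KB 875495)
    # and stops accepting changes and replicating until it is properly recovered.
    $notWritable = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                          -Name 'DSA Not Writable' -ErrorAction SilentlyContinue).'DSA Not Writable'
    }
    # Symptom 2: 2095 = a partner has already acknowledged USNs this DC is handing out again;
    #            2103 = the database was restored using an unsupported procedure.
    # 2170 (Windows Server 2012+) = a VM-Generation ID change was seen, i.e. the DC noticed the revert.
    $events = Get-WinEvent -ComputerName $dc `
                  -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103, 2170 } `
                  -MaxEvents 20 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC             = $dc
        DsaNotWritable = $notWritable
        Events         = ($events | Select-Object -ExpandProperty Id -Unique) -join ','
        Suspect        = ($notWritable -eq 4) -or [bool]($events | Where-Object { $_.Id -in 2095, 2103 })
    }
}
$findings | Format-Table -AutoSize
```

A DC that comes back with Suspect = True is not fixed by "letting it catch up": the documented recovery is to demote it (forcibly if it refuses, followed by metadata cleanup) and promote it again, or to restore it from a proper backup. A 2170 on its own means a 2012 or later DC has already reset its invocation ID for you; it is still a reason to ask who reverted the snapshot.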
