Earlier this year I published an article in which I told you that it was okay to virtualize your domain controllers; however in the piece I opposed the idea of doing a P2V (physical to virtual) migration of them, or to upgrade them from one version of the OS to another.
This weekend I followed my own advice. It was time to integrate my new servers into my production infrastructure on Windows Server 2012. Once I had the two hosts running the new OS with Hyper-V 3, I decided to create a couple of new domain controllers. My policy is to have one domain controller on each virtualization host. Although I exported and then imported a few of my VMs from the older hosts onto my newer ones (the old hosts will be re-provisioned for another project) I opted to create two new VMs running Windows Server 2012 to be my new DCs.
In a secure, well-managed IT infrastructure the domain controllers should not be doing much. My DCs run Active Directory Domain Services (AD DS), Dynamic Host Configuration Protocol (DHCP), and Domain Naming Service (DNS). That’s it, nothing else. Because I keep them clean, it is easy for me to spin up a new server, join it to the domain, install these three roles (and the requisite role services and features), then promote it to be a domain controller.
Because Active Directory is a distributed, self-replicating database, your new DC will get a clean copy of the full AD automatically. After a few minutes (remember, this is still a small single-site environment) the domain and DNS have replicated onto the new server, and it is fully functional.
Don’t get me wrong. There are plenty of servers that need to be upgraded from one OS to another, or migrated (P2V). If you keep your DCs clean then they shouldn’t be in that category. As long as you keep them clean and simple you will never need to perform a migration or upgrade of a domain controller.
If you are doing a migration from Server 2008 to Server 2012 and are planning to decommission your older DCs, then the only think you will need to migrate are the Operations Master roles (formerly known as FSMO roles). Additionally because my environment is simpler than many I will upgrade the Schema to Windows Server 2012… although this may or may not be important (or possible) for you.
Migration is not the only reason for keeping your domain controllers clean, but it is certainly an added benefit… one that will save you time and troubles down the road.